The ransomware attack against the MGM casinos has dominated the cybersecurity news over the last few days. As of now, the multi-day outage ranks among the most expensive attacks on a casino ever and among the most costly cyber attacks overall.
MGM’s steadfast refusal to pay a ransom to free its systems from the attack stands out in the saga. Now that the public side of the incident has passed, let us look at the considerations management and the board faced when making that call.
“Never Pay Criminals”
Popular culture has slightly changed the phrase into “Never Negotiate with Terrorists.” However, the US government applies the principle to all hostage situations. The issue behind paying up is that criminals will assume you are willing to pay repeatedly. Thus, you make yourself a juicy target.
Accepting the losses changes the risk calculation for the other side. The attackers now face all the risk of discovery and prosecution by law enforcement without any money or returns.
Loss of Revenue Due to Ransomware
The substantial loss of revenue is the biggest concern after an attack. The longer the outage lasts, the greater the business impact. Consequently, the upper echelon must consider the impact on the business strategy.
However, the loss of revenue during the outage is not the only thing that needs to be considered. With a cyberattack like this, future income might also be at stake. Customers will notice the outage, go to competitors, and might discover they like them more. Likewise, they might question whether something hidden in the gambling software and slot machines influences the odds.
Reputational Risks of Ransomware Incidents
The reputational damage considerably influences future revenue. If the customers believe MGM didn’t handle the incident well, it might have a long-term business impact.
In theory, communication plans should exist to reassure customers and partners. We will see in the coming months how well they work.
Response Time for Fighting Ransomware
The last consideration when dealing with ransomware is how long it will take to purge it from the systems. Backups and cold standby systems can replace the compromised systems in short order. However, if it is unclear how long the attackers have been inside, careful checks are needed to ensure that restoring from backups does not simply reopen the door.
Learning for the Next Ransomware Attack
Morale and learning opportunities are another consideration to take into account. After a successful incident of this scale, the mood in the cybersecurity and IT teams will be low. Fighting back and freeing yourself of the enemy gives the experts a cause to rally around and, once completed, a final victory.
Ending the situation on a high note will also encourage the teams to take the lessons-learned sessions seriously. After all, the incident will have taken considerable time and energy to resolve, rather than a simple swipe of the credit card.
Thus, the fightback might positively impact short and long-term readiness.
High Risk – Hard Choice when Standing up to Ransomware
For many companies, a multi-day outage seems like the end of the world. Yet, paying up and opening the wallet to deal with the issue can also be problematic. From the reputation of being susceptible to blackmail to losing consumer trust, businesses cannot solve every problem by paying criminals.
Ultimately, it will always be a difficult decision for management and boards on how to proceed. Yet, the danger of repeat attacks and a culture of solving problems with a credit card will undoubtedly increase the risk of further incidents.