The goal of tribes is simple when it comes to cybersecurity: not to become the next victim of a breach in which hackers shut down their casinos, hit them with ransomware, and put them in the headlines. Toward that end, the human element, rather than technology, is the biggest vulnerability tribes face.
The 4th Annual Tribal Cybersecurity Summit, put on by TribalHub and held Thursday, spread that message.
Cybersecurity is a business risk that can cost companies stiff damages to their finances and reputations. Both happened to MGM Resorts International last fall, according to Mike Miller, CISO with Appalachia Technologies.
“Every single day, some of us go to sleep stressing about what can happen to the organization if there’s a breach,” Miller said. “But others out there don’t lose sleep over a breach, because they have a feeling it might not happen. The truth is, it’s not a case of if but when. We have to be prepared, because (cyberattacks) can take away from the growth of an organization.”
No silver bullet will make a company secure from hackers, Miller said. There’s compliance, but that’s not security.
Security is about understanding the threats and trends and using intelligence to reduce vulnerability.
The themes that emerged from 2023 include social engineering, cloud consciousness, third-party relationships, vulnerabilities, and under-the-radar exploitations.
“Social engineering never gets enough time,” Miller said. “Every year, the majority of breaches come from social engineering. It’s so leveraged, because we’re human. We’re nice people and vulnerable and tend to let the person in the door, even if we can’t see their badge.”
Social engineering happens when someone calls and says they’re from tech support and needs access to a computer to do updates. It’s also when employees get an email from a corporate executive saying there’s a change in the dress-code policy and they click on that message.
“It’s not going away. As long as we have human beings, we’ll be socially engineered,” Miller said. “We spend millions of dollars on appliances and software to protect our perimeter, but we need to strengthen our human firewall.”
That was echoed by Steven Nino, CIO of the Soboba Band of Luiseño Indians, who gave the closing keynote address at the conference. He said his tribe faces a wide range of threats with its casino, golf course, gas station, and government services.
“One element that’s missed in cybersecurity discussions with all of the great technology and tools and programs is the human element,” Nino said. “That’s one of the biggest vulnerabilities in a cybersecurity program. You can create all the bells and whistles and great firewalls, but the human piece is probably the most critical in the whole puzzle.”
According to Miller, over the last five to 10 years, servers, data closets, and even some data centers have been disappearing because of migration to the cloud. Because IT tends not to involve the cybersecurity team while building out in the cloud, there’s a lack of oversight over that migration.
“Maybe we’re leaving certain things open and accessible and not configuring them right,” Miller said. “These bad actors know about and are leveraging it.”
From 2022 to 2023, there was a 110% increase in cloud-conscious cases in which those bad actors got access to the cloud and leveraged it to exploit a party. In the same period, there was a 60% increase in cases where a bad actor infiltrated the cloud, but was unable to get leverage from it.
Many companies and tribes don’t think about third-party exploitation, and that’s dangerous if due diligence isn’t done, Miller said. There may not be accountability for third parties logging into a customer’s system. In addition, other systems are vulnerable simply because they aren’t monitored and aren’t considered to be at risk of cyberattack.
While those are the 2023 themes, more and different threats are coming in 2024 and beyond, leading off with artificial intelligence, Miller said.
“AI is being used both for good and for malicious intent. Generative AI and deep fakes are happening, so we need to ensure we’re careful what we put in with AI as well,” Miller said. “We know the 2024 election is going to have some issues, but we’ll see more attacks on the human element.”
Miller called on companies and tribes to instill and maintain a strong cybersecurity culture and to strengthen the “human firewall” through training and by fostering an open environment. If someone clicks on a suspicious email, don’t make them think they’re the problem; rather, use it as a lesson, he said.
TribalHub CEO Mike Day said fear of what’s going to happen has driven cybersecurity discussions in the past, but that’s changed over the last couple of years, and the discussion is now more about shared risk.
“Fearmongering is not the best approach anymore,” Miller said. “It’s almost not needed. You can’t afford every tool under the sun for cybersecurity. You have to assume certain risks in your organizations. You ask, what are the risks, how can we balance them out, and what realistically can we do for a budget? Again, all the best tools in the world are only as good as the human factor in the middle of them.”