Gambling with data security

Two of the largest casino owners in Las Vegas – MGM Resorts and Caesars Entertainment – were hit by cyber attacks. Details of the attacks remain sketchy, but it is suspected that MGM’s hotel reservations system and Caesars’ customer database were both compromised. MGM’s IT systems were offline for 10 days, severely impacting its ability to manage resort services including guest bedroom access. Meanwhile it has been reported that Caesars Entertainment took the decision to pay, at least in part, the ransom demanded in order to secure the data.

Indications are that the MGM attack was down to a simple piece of social engineering. It once again highlights the importance of careful use of social media by individuals, but also for companies to ensure that there are appropriate checks in place when employees contact central services such as IT helpdesks, human resources and finance, to validate that the person making contact is who they say they are. These checks need to strike a fine balance between being sufficiently easy for employees to manage, but sufficiently complex for anyone who isn’t the employee to be unable to pass. The same is true to give confidence to employees that if they are being contacted by the IT helpdesk, they know it’s genuine.

It's also important to consider that the vast majority of businesses would be unable to survive if their IT systems were offline for 10 days. Having a clear disaster recovery or back-up plan is imperative to ensure that service continuity is maintained. Lastly, payment of ransom is something most cyber security experts advise against, as there are no guarantees it will prevent your data being leaked or wiped, and often makes further attacks more likely.

As if further proof were needed that no one is safe from cyber attacks, even the International Criminal Court in The Hague has been a victim of a security breach this month (though understandably it is saying very little about what happened, given the sensitive nature of its work).

Supply chain strikes again

Following the Police Service of Northern Ireland data breach noted in last month’s round-up, this month Greater Manchester Police (GMP) confirmed that the personal details relating to thousands of police officers had been stolen in an attack on the company that supplies the force with identity cards. While other forces have not come forward it is thought that GMP is not the only police force affected, with some government departments also potentially impacted.

Up to 300 independent retailers may also have been affected by a cyber attack on IT supplier Swan Retail last month. As a provider of a range of business-critical software to small retail businesses, it is yet another example of hackers seeking to target key suppliers in order to maximise the impact of their work. The impact of this attack has been very real, leaving business owners struggling to manage stock or accept payments.

It is hard to overstate the importance of understanding how much of your data suppliers are holding, and having an awareness of the controls they have in place to reduce the risk or potential impact of a cyber attack, as well as the steps you can take, as a customer, to reduce your exposure to cyber risk.

LLM and AI security

As part of ICAEW’s recently released guidance on Generative AI, we have explored the cyber security concerns that large language models (LLMs) can present to organisations. This draws on recent NCSC blog posts exploring some of the risks associated with AI security and the use of LLMs, such as prompt injection, and manipulation of training data known as ‘data poisoning’.

Training data manipulation is not a new phenomenon; back in 2016 Microsoft hit the headlines after releasing, and then very rapidly withdrawing, its Tay chatbot after it was hijacked by extremist groups and encouraged to post inflammatory material. The same principles still apply. With LLMs, it is very easy to seed incorrect or offensive information in the training datasets. This can easily be done inadvertently if the data used to train an LLM isn’t sufficiently cleansed and managed. Likewise, prompt injection is also not dissimilar to code injection attacks that have posed risks for public-facing databases for decades, where a carefully constructed instruction to an LLM can bring down an entire AI model.

Lurking in the shadows

Another useful piece of recent guidance from NCSC relates to ‘Shadow IT’. These are assets that are used in an organisation and are connected to an organisation’s network, but are not managed as an asset of the organisation. Therefore, they may not be compliant with IT policies. Such IT assets can encompass a wide range of types of devices, including personal IT equipment, Internet of Things devices or even unsanctioned cloud services such as personal storage accounts and messaging services. Shadow IT can cause significant problems for an organisation, as they provide more routes for criminals to gain access to systems and data, and more routes for information to leak out of the organisation.

The NCSC guidance covers a number of tips for how to mitigate the risks of Shadow IT, many of which revolve around ensuring that the organisation’s approved IT systems and services meet the needs of its employees, thereby reducing the need for staff to utilise unapproved solutions.

Got an interesting cyber story for us? Email techfac@icaew.com.