What we can learn from the 2023 MGM Cybersecurity attacks
KPIs, Scorecards... and Kindness
Achieving compliance with a particular process in an information security standard selected by management is best demonstrated by key performance indicators. A key performance indicator (KPI) indicates how well a process is progressing against expectations. Another definition: a KPI is a measure that determines how well the process is performing in enabling the goal to be reached (ISACA).
In September 2023, MGM was the victim of a cyber-attack that cost the company $100MM in revenue and impacted its third-quarter results. As of February 2024, US state and federal regulators are probing the attack.
The poor guy who answered that phone call...
When we go through a crisis, many of us, myself included, are quick to look for someone to blame: careful not to look in the mirror and blame ourselves, but someone else.
I want to suggest something different from blame and shame (which is, unfortunately, for better or for worse, a very natural human reaction).
Root cause
Why do you go into work? Why do you log on in the morning? Is it because you truly love your job? I hope so! That’s a wonderful feeling to enjoy what you do!
And the reality for many of us is that it's a paycheque. It pays our bills, and we rely on the money from our jobs to live our lives.
So how exactly do we get that paycheque?
For many of us, that paycheque is, in part, driven by our scorecard.
Key Performance Indicators
From what I understand, many operations teams, especially client-facing ones, have scorecard metrics that are based on time: how quickly you resolve a client call, a client complaint, and so on.
I do not know the full details surrounding that fateful MGM phone call to the help desk, but I do have an inkling for how that employee was likely getting paid, and what his motivation was to do his job.
And it was probably something along the lines of how quickly he could resolve a call. In fact, he and his colleagues were likely being timed per call. And then those metrics were being splashed across a team leaderboard. A dashboard. With the winner being the one who could resolve the most calls in the least amount of time.
It wasn’t based on security-conscious metrics. Validating the user was not prioritized over giving the ‘user’ what they wanted.
This article is not blaming or shaming operations, or the business, or anyone.
It's about pointing out that almost all of us go into work for a reason beyond loving our jobs. And if our motivation is our scorecard, and if that scorecard is built in such a way that we don't need to pay attention to user validation when it takes away from time to resolution, then... we're going to speed things along to make sure we get our money at the end of the day.
So, what if we change the scorecard?
Change it from time-orientation to user validation?
Why would we do this?
If you just lost $100MM from your third-quarter results in one day, it might be something worth considering.
The MGM attacks happened almost wholly as a result of social engineering. Someone was lured into giving away secure and confidential information.
So not only are cybersecurity awareness and training important for business (and operations) employees; so is rethinking scorecards and how we make our money.
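As an added illustration, not code from the original post, here is the scorecard change in working Python: one constructed shift log is ranked first by the legacy time-only KPI and then by a KPI that gates throughput on caller verification (agent names, record fields and scoring rules are assumptions).

```python
"""Time-only vs. verification-gated help-desk scorecards (added illustration,
not code from the original post; call records are constructed sample data,
field names and scoring rules are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    agent: str
    handle_seconds: int       # pickup to resolution
    credential_action: bool   # password/MFA reset or similar was performed
    caller_verified: bool     # identity verified per policy before acting

# Constructed shift log: "fast" resets credentials without verifying callers.
CALLS = [
    Call("fast", 120, True, False),
    Call("fast", 90, False, True),
    Call("fast", 110, True, False),
    Call("careful", 300, True, True),
    Call("careful", 240, True, True),
    Call("careful", 150, False, True),
]

def calls_per_hour(calls):
    """Legacy time-oriented KPI: resolved calls per hour of handle time."""
    totals = defaultdict(lambda: [0, 0])  # agent -> [calls, seconds]
    for c in calls:
        totals[c.agent][0] += 1
        totals[c.agent][1] += c.handle_seconds
    return {a: round(n * 3600 / s, 1) for a, (n, s) in totals.items()}

def unverified_credential_actions(calls):
    """Audit signal: credential actions taken without caller verification."""
    counts = defaultdict(int)
    for c in calls:
        counts[c.agent] += int(c.credential_action and not c.caller_verified)
    return dict(counts)

def verification_gated_scores(calls):
    """Security-conscious KPI: speed counts only when the verification gate is
    clean; one unverified credential action zeroes the agent's period score."""
    misses = unverified_credential_actions(calls)
    return {a: (0.0 if misses.get(a) else v)
            for a, v in calls_per_hour(calls).items()}

def leaderboard(scores):
    """Agents ranked best first (ties broken alphabetically)."""
    return sorted(scores, key=lambda a: (-scores[a], a))
```

Under the time-only KPI the agent who skipped verification tops the board; under the gated KPI the same agent scores zero and the audit count shows why.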
PROSCI has an article on Metrics for Measuring Change Management. This article focuses on people change management (and not ITIL or ITSM). And one point Andrew Horlick nicely makes is this:
Having a common definition of success for your project or initiative is a critical prerequisite to measuring change management effectiveness. Defining success takes place at project initiation or earlier, and includes identifying the project’s objectives (what the project will achieve) and the organizational benefits (what the organization will gain).
If we want to change our scorecards to become more security-conscious, then we first need an agreed understanding of what success looks like. In the case of MGM, maybe it sounds like 'Not losing $100MM to a ransomware attack'. Identifying the objectives might be 'Change scorecards to be more security-conscious and less time-oriented, in order to motivate employees differently and prevent such a loss'. Organizational benefits might be 'Increasing, rather than losing, ROI each quarter, due to preventative measures'.
To sum up: this article is about root cause, not shaming or blaming. It's about being kind to all those who get impacted by a cyber-attack. Trust me, the way things are going, I'm sure all of us at some point will be impacted, either directly or indirectly, by such attacks.
So be kind, try to look past the immediate disaster and chaos, and look for the root cause of the situation and how we can make things better from there.
Happy kindness.