ERP Risk Advisors' CEO comments on MGM's Cyber Attack (9/15/23), Blog Article by Kacey Vandesteeg
Our CEO, Jeff Hare, CPA, CIA, CISA, comments on the MGM cyberattack:
Sadly, we see another significant and successful cyberattack, with MGM Resorts being the latest victim. From the information available, we understand the breach could have a material impact on the company's financial results. This is the first major corporate breach since the SEC guidance on cyber risk was published in late July. [See reference article here]
We also know that MGM had a breach in 2020 that led to the leak of personal information of more than 10 million customers. Given this is the second breach in three years, this is the type of event that could undermine investors' confidence in the security of MGM's systems and related controls. The breach could have been the result of management not having fully identified the risks that led to the 2020 breach, or of not having taken the corrective actions needed to prevent and detect breaches.
We see similar risks with organizations implementing ERP/HCM Cloud today. There are significant cyber risks in these categories:
- Lack of multi-factor authentication
- Not properly securing service and integration accounts
- Incomplete logging of data and retention of logs
- Unauthorized access to web services, APIs, and other significant privileges
- Unrestricted access to query data
These risks are posed not just by internal users, but also by other categories of users such as system integrators, managed service organizations, suppliers, and customers.
Unfortunately, management often ignores cyber risks in SaaS applications because they believe the hosting provider (Oracle, SAP, Workday, etc.) has 'secured the perimeter' and has inoculated their organization from ransomware and other risks. Given that SaaS applications are internet facing, properly securing key configurations (SSO, MFA, passwords, logins, etc.) and privileged access for SaaS applications IS the responsibility of management. The MGM breach should be a wakeup call to all organizations that their risk assessment needs to look at ALL risks.
Given that the cybersecurity industry is primarily concerned with securing the perimeter and lacks domain expertise in the way these SaaS applications are configured and implemented, CISOs have, to date, had few options to turn to for outside assistance.
ERP Risk Advisors and partners of ours have developed a comprehensive risk assessment related to cyber risk for Oracle ERP/HCM Cloud and related technologies. Contact us for more information at firstname.lastname@example.org.