Southern Nevada businesses mostly have inadequate cybersecurity
July 1, 2016 - 2:38 pm
There’s a gulf in the levels of cyber-hack preparedness among Southern Nevada businesses.
In a city iconic for hospitality and gaming, the industry titans on and near the Strip are investing big dollars in cybersecurity teams.
The Las Vegas Sands Corp., MGM Resorts International and Caesars Entertainment “have tremendously great cybersecurity teams because they know the threat is real,” said Troy Wilkinson, founder and CEO of Las Vegas-based Axiom Cyber Solutions.
The Iranian government was behind a Las Vegas Sands hack in February 2014, which compromised customer and employee data — including credit card information, driver’s license numbers and Social Security numbers — according to James Clapper, the director of national intelligence, who outed Iran to the Senate Armed Services Committee in February.
The Trump Hotel Collection, including Trump International in Las Vegas, as recently as this past April was the victim of its second cyberattack in six months, according to CNN. Affinity Gaming was also a cyberattack victim in 2014, the Review-Journal reported.
But what many smaller Southern Nevada businesses fail to realize is that they’re just as much at risk — putting local customer data at risk as well, Wilkinson said.
A “HEAD-IN-THE-SAND” APPROACH
According to the Verizon 2013 Data Breach Investigations Report, small and midsize businesses suffer data breaches more often than larger firms.
A November survey by Nationwide found that 79 percent of U.S. business owners with fewer than 300 employees have no cyberattack response plan in place. When asked why not, 46 percent said they think their current software is secure enough, and 40 percent said they do not think their company will be affected by a cyberattack.
“Small and medium businesses … in Southern Nevada are behind the times on getting themselves knowledgeable about what threats are out there,” Wilkinson said, adding that it’s a national trend for U.S. companies to take the “head in the sand approach” to cybersecurity.
The Las Vegas Metro Chamber of Commerce is holding a cybersecurity education event for business leaders July 29. It will feature a panel of security experts, including Ari Schwartz, the former White House senior director of cybersecurity.
“We’re hearing a lot of folks saying, ‘I know it’s a threat, but how do I address it? What do I need to do?’” said Paul Moradkhan, vice president of government affairs for the chamber.
He said a number of businesses have expressed concern about protection of payment systems, internet security and network security.
FROM KNOWING TO DOING
Jeff Grace, CEO of Las Vegas-based information technology service company NetEffect, said when his company takes on new Southern Nevada clients, “many times the very basic things have not been covered, like a really good data backup plan, a really good, up-to-date firewall, patched machines.”
Wilkinson agrees that aside from first acknowledging that no business is hack-immune, a hardware firewall, “something that protects you from the bad traffic coming in and going out,” is the first step.
A firewall, for example, is one of many layers of security to avoid ransomware, which is one of the top threats to businesses.
Ransomware, malicious software that hackers use to encrypt a company’s data and then hold it hostage for a ransom in bitcoin, accounted for $325 million in damages since its discovery in January 2015, according to a November Cyber Threat Alliance report. Ransomware is on track to become a billion-dollar business in 2016.
Employee education is also key, Wilkinson and Grace said.
One of the common hacks is called “phishing,” in which a hacker or scammer sends a well-designed email imitating the CEO to a company accountant, asking the accountant to wire money to a company vendor.
According to the Verizon 2016 Data Breach Investigations Report, there were 9,576 phishing incidents in 2015, 916 of which reported a breach of data.
These types of breaches can easily be avoided by a communication protocol set up within a company to verify such requests.
It all comes down to “educating people (employees across departments) to use common sense, to not be afraid to ask questions, and to not be afraid to be a little bit suspicious,” Grace said.
Although it may seem like common sense, the “actually doing it” part isn’t always there, he said.
“I guess it really comes down to a sense of urgency about it. It’s one of those things that’s easily ignored until all of a sudden it becomes a giant, immediate issue. We find that the best and most engaged clients around IT security are the ones who have had some kind of a problem or breach,” Grace said.
WEIGHING COSTS
Although investing in IT is another company expense, it can save thousands of dollars and even secure a company’s longevity: 60 percent of small businesses go out of business within six months, according to the National Small Business Association.
The Better Business Bureau found the cost of the average data breach to small business was $36,000 in 2014.
“There aren’t very many small businesses that can not only handle the financial loss but also the loss of reputation,” said Shannon Wilkinson, president of Axiom Cyber Solutions.
“If you do have a breach there are regulations and laws that you have to disclose the breach and let your customers know that you’ve been breached, and provide protection to them. So, if you have 500 customers then you have to provide identity protection to those 500 customers, and it can add up really quickly,” she said.
Contact Nicole Raz at nraz@reviewjournal.com or 702-380-4512. Find @JournalistNikki on Twitter.