The fact that the Iranian government successfully targeted a Las Vegas gaming company and Russians tried to manipulate the U.S. election system should have significant implications for all businesses, a leading U.S. terrorism expert warned last week.
Counter-terrorism specialist Reid Sawyer, a senior vice president of credit, political and security risks with risk consultancy JLT, said every company executive needs to understand that cyber risk is a global issue.
“What I mean is the geography is irrelevant these days. Doesn’t matter if it’s coming from Russia, Ukraine or China, or from a criminal organization in the United States,” Sawyer told attendees of the American Bankers Association’s (ABA) Payments Forum.
Criminals and foreign governments are targeting all industries, including the gaming and hospitality industry.
Gaming’s most high-profile cyberattack occurred in February 2014, when the Iranian government was behind an attack on Las Vegas Sands’ computer systems that stole credit card data, Social Security numbers and driver’s license numbers.
Sawyer said that cyber espionage, by both state-based and criminal actors, poses significant risks that must be understood across the breadth of an organization. He described it as the new battlefield in terms of business risk.
“We need to stop talking about cyber risk in terms of cyber,” Sawyer said. “Cyber is just a means to get into your organization … to disrupt business to consumer or business to business activities, or disrupt your overall organization.”
When you put it in those terms, Sawyer said, “it is no longer a cyber risk, it is a business risk.”
He added that most businesses fail to understand the risks to their organizations, even though they have cyber directives. Sawyer criticized businesses for only looking at replacement costs.
“It’s a completely insufficient way to look at it,” Sawyer said. “You need to understand the financial risks. Why aren’t we talking about the P&L (profit and loss) risks or your earnings per share?”
He added that if you flip the way a company views the risk, then “you can recognize the problem in a different way.”
Sawyer was the keynote speaker on Thursday at the ABA’s inaugural Payments Forum, a two-day conference exploring the future of financial transactions in Washington, D.C.
“The greatest cyber threat we face is from our own actors,” Sawyer said. “John Podesta here in Washington clicked on malware and opened up the DNC’s (Democratic National Committee) emails.”
In the DNC cyberattacks, which took place in 2015 and 2016, computer hackers infiltrated the DNC computer network, leading to a data breach. Cybersecurity experts say the espionage was the work of Russian intelligence agencies.
The attack allowed internal communications to stream into public view during the 2016 presidential election between former Secretary of State Hillary Clinton and current President Donald Trump.
Sawyer said the majority of cyber breaches come from willing or unwilling employees within corporations.
The gaming business and casino regulators have already acknowledged that the industry faces a mounting cybersecurity challenge.
In July 2016, the Hard Rock Hotel & Casino in Las Vegas suffered a second data breach, which provided hackers with access to payment card data, including name, card number, expiration date and internal verification codes. Hard Rock faced a similar breach in May 2015.
The Las Vegas Sands-owned Venetian and Palazzo in Las Vegas and Sands Bethlehem in Pennsylvania were hit by a significant cyberattack in 2014, which was later linked to the Iranian government.
The FireKeepers and Four Winds tribal casinos in Michigan, as well as the Peppermill Casino in Reno, Nevada, and Casino Rama in Ontario, Canada, have also all been victims of cyber crimes.
The attacks range from malware being placed on a payment card system to email viruses being opened by employees that infect a company’s computer system.
Both New Jersey and Massachusetts have increased their cybersecurity rules, with New Jersey now requiring casinos’ heads of information security to be afforded the same level of responsibility as heads of audit or other departments.
In terms of cyber threats, Sawyer urged companies to move from the notion of whether they are appropriately protected to asking: “What is the enemy doing to us?”
“We don’t get that this is a business risk,” Sawyer said, citing an EY survey that found 68 percent of company executives would not change their IT spending if the supplier was breached.
Sawyer also said he was shocked at the amount of commercial espionage activity.
“The FBI will tell you the activity we are seeing from state to commercial is exceeding our ability to respond to it,” Sawyer told some 200 attendees during his 45-minute presentation.
“What we are seeing now is private warfare. States are no longer seeing state to state warfare as a legitimate target.”
He said that the government believes they can attack U.S. businesses with the idea “of destruction or damage.”
“That does far more damage to the U.S. in the long run,” Sawyer said. “It is the economy that is being targeted.”
Sawyer cited Iran’s response to Stuxnet, a computer worm that destroyed centrifuges inside the country’s Natanz uranium enrichment site. The cyberattack plan also targeted Iran’s air defenses, communications systems and key parts of its power grid.
“Iran’s response wasn’t against the Pentagon … it was against 50 financial institutions in the United States,” Sawyer said. “Data integrity is the payments industry’s greatest risk.”