No company is immune from cyberattacks 

Caesars Entertainment and MGM Resorts, mega-casino enterprises based in Nevada, both recently endured cyberattacks that continue to disrupt corporate operations.  

For anyone who has been to Nevada casinos, security is at the highest level. Closed circuit cameras are ubiquitous, as are security personnel circulating throughout the casino — and for good reason. There are millions of dollars flowing around and through the enterprise.  

Patrons certainly want to feel safe, which supports casinos’ goal to attract and retain customers. Casinos must also protect their assets. The perception of any risk (beyond the gambling that occurs in the casino pit) could upend the trust that customers place in the casino.  

Yet cyber systems are far more difficult to protect than physical systems.  

Protecting physical systems requires threats to be identified, detected and, when necessary, intercepted. There are numerous devices available to keep an eye on physical locations that facilitate deterrence, response and recovery. The key is access control, which typically requires some type of identification authentication process. The Transportation Security Administration (TSA) is keenly aware of this, charged to protect the nation’s air system. They are responsible for processing around 2.5 million people on average every day through airport security checkpoints. 

REAL IDs are a step in this direction for access to government buildings and facilities, including airport security checkpoints. Unfortunately, the date when REAL IDs will be the standard for identification validation for such facilities keeps getting pushed forward, with the new deadline now set for May 7, 2025. It is reasonable to expect even more delays to the REAL ID requirement, which was first put forward with the REAL ID Act back in 2005.  

Cyberattacks pose an entirely different threat. Though they do not involve weapons like guns or explosives that may be used in physical attacks, or theft of physical items, cyberattacks have enormous power to disrupt the operation of systems and compromise data. Such attacks have significant financial and service implications.  

At the core of cyber systems is data, the fuel that drives cyber operations. Some of the most disruptive cyberattacks are ransomware, when cybercriminals infiltrate a cyber system and effectively hold the organization hostage until they pay the requisite ransom to decrypt the organization’s cyber system and data. The response is either to pay the ransom demanded, which can run in the millions of dollars, or use existing system backups to rebuild the system and restore lost data.  

If the ransom is paid, there is no guarantee that the full system and data will be recovered. If the system must be rebuilt, the time to undertake such a process can take days, or even weeks to regain full functionality.   

In some cases, cyberattacks can bring an entity down to the point beyond recovery. For example, Lincoln College’s cyber infrastructure was infiltrated in December 2021. The extent of the attack, coupled with the limited resources available to respond during the COVID pandemic, led to the school’s closing.  

Every industry is vulnerable to cyberattacks because every industry must employ extensive cyber systems to operate and remain competitive. This includes the financial and banking industries, the retail industry, education and transportation systems, to name just a few.  

The cybersecurity industry has now grown, with around $150 billion spent worldwide in 2021. Its sole purpose is to protect against cyberattacks and ensure that organizations remain operational and protect valuable data. Funds spent on such efforts are essentially a tax paid to protect against bad actors in the cyber world.  

Every cyber system can be a target of cyberattacks. There were over 1 billion ransomware attempts made worldwide in 2021 and 2022 combined. The good news is that 90 percent of such attacks resulted in no losses to the organizations targeted. This attests to the effectiveness of cybersecurity. It is also indicative of the persistent threat posed by cyberattacks.  

What occurred with Caesars Entertainment and MGM Resorts illustrates that all industries, especially those with deep pockets, are vulnerable targets. The only effective defense is ongoing vigilance and awareness that every cyber system is being tested every day, and that one lapse in lowering one’s guard can lead to significant financial implications and lost trust.  

Sheldon H. Jacobson, Ph.D., is a professor of Computer Science at the University of Illinois at Urbana-Champaign. He applies his expertise in data-driven risk-based decision-making to evaluate and inform public policy. He has studied aviation security for over 25 years, providing the technical foundations for risk-based security that informed the design of TSA PreCheck.