MGM was completely taken offline this week. Multiple casinos and hotels down, slot machines unable to pay out. It’s one of the biggest cybersecurity messes that has been made public (they can’t hide it!)

Caesers reportedly was in a similar spot, but they paid up instead.

It seems like most people don’t take us cybersecurity pros seriously when we say this can happen. I don’t know how much MGM would have had to pay but:

• Their operational losses this week will be through the roof
• The costs to investigate and repair will be incredible
• The lost revenue between hotel cancellations — which are forced to offer for free — and lost gambling revenue must be huge
• The reputational losses will be long-lasting. How many MGM customers will stay at Caesars going forward just to avoid the potential hassle of working with MGM?

Of course, for MGM this on $13bn of annual revenue, so would this matter to a smaller business?

Yes. Small businesses will typically have a higher ransom or recovery cost as a proportion of revenue.

The ultimate gamble is, is it less costly to go through a cybersecurity incident or defend against one? And if the incident is less costly, is it still worth it?