In 2024, a total $16.6 billion in losses due to cybercrime was reported to the FBI’s Internet Crime Complaint Center. In its annual Internet Crime Report released this year, the center also found that the top three cyber crimes in 2024 were phishing and spoofing, extortion and personal data breaches.
The Sun sat down with David Rounds, CEO of Las Vegas-based IT company NetEffect, to talk about the most common threats to cybersecurity in Las Vegas and beyond, and how to protect against them.
Why is cybersecurity, just very broadly, so important in this day and age?
When I started this company in 2001, Las Vegas, in my humble opinion, was probably five years behind the technology. So it was a long road, and I really hoped to help our small businesses in Las Vegas accelerate the adoption of technology to make them more competitive in the market. And it was a lot different back then. It was simple viruses that came in through emails, and someone clicked on something and did something funny in your machine.
And 24 years later, it’s evolved significantly. I mean, everyone’s data is at risk. In fact, your data is probably already out on the dark web. You just may not know it. And so, as the business has evolved and our community’s evolved, and of course, cybersecurity has evolved, it’s become critically important now to protect your data, protect your own personal data, the business data. It’s a digital necessity now.
How has the cybersecurity sector evolved over the years, particularly right now with the rapid emergence and growth of artificial intelligence?
It’s exponentially evolving. Once you add AI into it, it totally opens a whole new cornucopia of information. I mean, AI is supposed to have some protections in place. That’s still evolving. It’s the “zero day vulnerabilities,” is what they call that. And bad actors are finding these, and it takes a while for them to be discovered or to be acknowledged, and you can literally just have an email show up in your inbox and have something take over your machine using AI, as opposed to you having to click on something or open something, or enter your credentials. That’s scary.
And AI can write viruses and do all sorts of things that are in the background. So user education is important, and consumer education — your end users, if you’re in a business — is hugely important. But the landscape is changing so quickly, especially with the emergence of the AI technologies, that it’s just hard to even keep up for any cybersecurity company that has that expertise — and that’s what they do for a living.
Can you elaborate on some examples of common threats to data privacy?
Ninety-five percent of all incursions into a network start with a user’s email. It’s a phishing attack, or spear phishing attack. So it’s not related down to just the consumer or end user. I mean, that’s where it starts. But it affects the consumer, small-, medium-sized businesses and large businesses.
Las Vegas casinos have faced cyberattacks in recent years. How is Las Vegas unique when we talk about cybersecurity?
If you look back when we started, Vegas was far behind the technology compared to the rest of the business communities. And now, with these new megaresorts, they’re deploying all sorts of technology, as far as advertising management and people tracking and crowd tracking, to figure out where things are working.
The player tracking systems — they’re all gathering information. So bad actors in cyber, they target where they can get the biggest bang for the buck. What I mean by that is, where can I get the most information that they could use to get money, or use it to get money in a different way?
Las Vegas itself, it’s a treasure trove, for two major reasons. One is the amount of construction that we have going on for the construction companies. And the other is the amount of private information that casinos harbor. They have to be spending millions of dollars to protect their consumers, to protect their information, because two or three pieces of information is all that these bad actors need in order to go out and send an email out to one of those people and then try to get their credentials so they can get into their banks, or they can get into other things along those lines. So it’s where the money is.
Construction companies — we have a lot of those here in town. Construction companies, because of the nature of their business, they’re dealing with large sums of money, and not all of it’s profit, but they’re moving money back and forth between vendors and contractors and general contractors. There’s large sums of money, and let’s face it, they’re amazing at what they do, but that’s not the most technologically advanced industry. So they’re a big target. They’re probably not putting as much money into cybersecurity, and they have large-dollar funds that they can move.
So why Vegas? Well, they have a full database in several locations across multiple casinos, for example, where they can get hundreds and thousands of people’s private information across the United States. And each one of those is potential money for them, but it also is a jump-off point to get more information.
What are some of your go-to tips and tricks for people to combat cyberattacks?
The best time to secure your data, whether you’re a business or consumer, was yesterday. The second best time is today. You must take active steps, and you don’t need to be an expert to protect yourself. The best thing is to have complex passwords and different passwords for different types — at least different types of logins. For example, you don’t want to use your social media password on the same thing as your banking passwords.
The best thing is to use a password manager of some sort and have all your passwords different and randomized and very complex. But now there’s this huge move towards pass keys, which is passwordless passwords, where you’re using different types of authentication on your device, whether pictures or fingerprints or biometrics or some sort like that.
So, take advantage of those new advancements in security like that. Multifactor — you’ve heard it as MFA or 2FA: Use that on everything you can. As far as businesses, I would say, make sure you have good endpoint protection in place.
User security awareness training, simulated phishing testing in your environment where you’re training your end users on this — it’s good for them personally and it protects your business. Keeping your employees trained and making sure that they’re following their training and they’re doing well on testings and stuff.
It’s really expensive for small businesses to do. It is probably one of the best defenses, but you have to have layered protections. And that’s basically teaching them how to identify spear phishing and phishing emails.
Make sure your machines are updated, whether you’re a consumer or a business. Daily, there is new vulnerabilities coming out that require updates. So patch your machines, make sure you have good endpoint security in place. People might know endpoint security as antivirus software. That’s the old way of saying it. Now it’s endpoint detection and endpoint security.
And back up your data. And your backup should be something that’s not available to be changed. It’s called being immutable.
Do you have anything else to add?
One of the misconceptions out there is that small-, medium-sized businesses and consumers are like, “Well, I don’t need to worry about this. They’re only going after the big ones.” I wholeheartedly disagree.
What you hear about in the news is about the big ones, because it’s newsworthy. But the reality of it is, the easier targets are the small-, medium-sized businesses and the consumers. If, by using AI and automation, as a bad actor, I can get 50 people to give me $100 or by sending out a couple emails, or I have to spend hours and hours and hours and hours trying to figure out a way into a big company network — they’re going to go for the low-hanging fruit.
So while you may only hear about large incursions or large data breaches in big-name companies, small-name businesses are a much bigger attack vector. Consumers, not so much, but they pay the price. But small-, medium-sized businesses are the bigger risk.