
I was at a book launch last night for a new release on how casinos can protect themselves in today’s world—where hackers and attorneys are both looking for a payout. As I made my way through the event, I ran into a CFO from one of the most well-known casino chains in Las Vegas. You’d recognize the name immediately.
As we talked, he brought up something that stuck with me.
A couple of months ago, we ran a penetration test on his organization. We got in—social engineering, phishing, the usual stuff. But the real question isn’t if a hacker can get in. It’s what happens next.
We moved laterally, escalated access, and landed on multiple machines—including his. When we sat down for the readout, we handed him a list of every employee’s Social Security number, birth date, and payroll records.
He was stunned.
“But our payroll system is in the cloud,” he said.
It was. But his browser had cached the data. His downloads folder had unprotected payroll records sitting there. And once an attacker is on your machine, that data is theirs.
Here’s why that matters: They had data loss prevention (DLP) tools, but those tools weren’t watching downloads. They weren’t scanning what employees were saving locally.
If your company isn’t actively protecting downloaded files, you’re leaving sensitive data wide open. The fix? Stop storing critical data in downloads. And if you do, make sure it’s labeled and protected immediately. If your business isn’t classifying data, that’s a huge problem—one that your IT team needs to address immediately.
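A quick way to check whether the same exposure exists on a workstation is to sweep the downloads folder for files containing Social Security-shaped values. The script below is an added example, not tooling from the engagement described here; the `~/Downloads` location, the list of text file extensions, and the restriction to plain-text formats (spreadsheets and PDFs would need a parser) are assumptions.

```python
import re
from pathlib import Path

# SSN-shaped token: 3-2-4 digits split by dashes or spaces, not part of a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
TEXT_SUFFIXES = {".csv", ".txt", ".tsv", ".json", ".xml", ".html", ".htm", ".log"}
MAX_BYTES = 20 * 1024 * 1024  # skip very large files to keep the sweep fast


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Count SSN-like values in a block of text."""
    return sum(1 for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups()))


def scan_folder(folder: Path) -> dict:
    """Return {relative path: SSN-like hit count} for text files under folder."""
    findings = {}
    for path in sorted(folder.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            if path.stat().st_size > MAX_BYTES:
                continue
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # locked or unreadable file: skip it, keep sweeping
        hits = count_ssns(text)
        if hits:
            findings[str(path.relative_to(folder))] = hits
    return findings


if __name__ == "__main__":
    downloads = Path.home() / "Downloads"  # assumed default location
    if downloads.is_dir():
        for name, hits in scan_folder(downloads).items():
            print(f"{hits:6d} SSN-like values  {name}")
```

Any file this reports is a candidate for deletion or for labeling and protection under your data classification policy.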
Is Cyber Insurance Worth It? Only If You Read the Fine Print.
The second thing this CFO shared was his hesitation about cyber insurance.
“I’m not sure it’s even worth buying if I don’t know the claim will be paid out,” he said.
I hear this all the time. And here’s the reality: If you don’t read your policy, you’ll probably struggle to get your claim approved.
But if you understand your commitments, gather evidence that you’re meeting them, and document everything, your chances of getting paid go up significantly.
Even more important? That same evidence protects you from lawsuits.
Because when a breach happens, no one sees you as the unlucky victim. They see you as the idiot who didn’t protect their data.
No evidence = no defense.
The takeaway? Read your policy. Gather evidence that you’re following it. And stop assuming that because your data is in the cloud, it’s secure. Hackers know where to find your weak spots—make sure you do too.