MGM and Caesars were following widely regarded best practices when it came to cybersecurity, right down to running vulnerability tests and cyberattack simulations, as The Nevada Independent reports. Gus Fritschie, senior vice president of cybersecurity firm Bulletproof, told the newspaper the fact that they were hacked anyway “just goes to show you that anybody is vulnerable.”
At a webinar sponsored by Bulletproof parent company Gaming Laboratories International, Fritschie recommended making security training and education a bigger priority. He noted that human beings are still organizations’ most vulnerable point.
With class-action lawsuits flying, both MGM and Caesars will have their work cut out to shore up their reputations for safeguarding customer information, gaming industry consultant Brendan Bussmann reportedly said.
Among cybersecurity experts, Caesars is generally thought to have paid a multi-million-dollar ransom. Stephanie Benoit-Kurtz, a cybersecurity consultant on the faculty at the University of Phoenix College of Business and Information Technology, reportedly said that ransom amounts will probably increase and that such princely sums will embolden hackers to launch more attacks.
Meanwhile, KonBriefing now counts more than 2,000 organizations and at least 60 million people who were impacted by the MOVEit hack.
Marc Bleicher, chief technology officer at Surefire Cyber, told PlanAdviser that the hack “is a great lesson” about the importance of vetting third-party service providers. “I tell all my clients to treat any third-party service or product provider as an extension of your team and apply the same information and security standards that you would internally to assess whether they’re the right vendor for you.”
Mario Paez, national cyber risk leader at Marsh McLennan Agency, told PlanAdviser that he recommends running cyberattack simulations. What failed to prevent breaches at MGM and Caesars could still help others guard against future attacks.