Data Breach: Two Words You Don't Want to Hear
LETTER FROM THE PRESIDENT
Data breach! Stomachs churn, blood pressures rise and knees quiver when organizations hear those two words.
On Dec. 18, 2014, Brian Krebs was the bearer of bad news when he broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. The next day, Target confirmed to Krebs, the author of KrebsOnSecurity.com, that cybercriminals had stolen more than 40 million debit and credit cards from the retailer's stores throughout the U.S.
Management at Home Depot, Kmart, P.F. Chang's and many others also reached for the Pepto-Bismol when Krebs revealed that they were data breach victims, too.
Why do these huge breaches keep happening? Well, first of all, the largest ones make the splashiest news, no doubt. But any organization that's connected to the Internet is at risk. Cybercriminals can creep into companies via outside vendors (like the Target breach), email attachments, bogus websites or some adept social engineering.
"Stolen credentials and passwords, in particular, are some of the most intractable problems in cybersecurity today," Krebs, an award-winning investigative journalist, says in the cover article of the March/April issue of Fraud Magazine. "It's bad enough that many banks do not even offer their customers the ability to authenticate themselves with anything more than a user name and password which, when phished, lost or stolen, can be used to impersonate that person. However, the lack of two-factor authentication within organizations for employees with access to sensitive customer and employer data is a recipe for disaster."
Krebs says that most companies spend "ridiculous percentages" of their security budgets on hardware, software and services that alert them when suspicious activity occurs on their networks that might indicate breaches. "Unfortunately, these systems generate so much noise and false alarms that it becomes a challenge whittling down the alerts to a few that you really need to read and act on," Krebs says. "This is a constant struggle because organizations are producing lots more data each day, and more devices are being added that generate alerts."
Read Krebs' interview so you can help your organizations (plus family and friends) protect themselves against breaches and data theft. Better yet, come to the 26th Annual ACFE Global Fraud Conference, June 14-19 in Baltimore, Maryland, to hear Krebs, a keynote speaker, in person.
I'm looking forward to seeing all of you as we compare notes on the latest fraud-fighting techniques. See you in Baltimore!