The only thing standing between a Fortune 500 company and a multimillion-dollar data breach is most likely not a malware detection tool or some other fancy software. It's a human.
Brian Krebs, the cybercrime journalist who first broke the story of Target Corp.'s 2013 data breach, stressed the importance of security professionals when he delivered the keynote lecture Tuesday at the Secure360 Twin Cities Conference. "There's no substitute for the human," he said.
About 1,500 professionals are registered for Secure360, which takes place through Wednesday at the RiverCentre in St. Paul. The conference, which includes a panel on security measures for major events, is in its 11th year and is produced by the Upper Midwest Security Alliance.
In a world where "it seems like everyone's mom has lost my data," Krebs didn't sugarcoat the severity of issues across the security landscape, or the fact that the last line of defense for a business is its staff, specifically the high-demand workers whose expertise can help detect and analyze cyber threats.
The Target breach, in which cyberthieves gained access to 40 million customer debit and credit card accounts, serves as a lesson for other companies, Krebs said. Despite the fact that the Minneapolis-based retailer invested more money than most companies in cybersecurity, it "didn't have the butts in the seats" to help analyze the scope of the issues when it was first alerted there was a problem, he said. Businesses are still learning many of these lessons the hard way.
Since the breach, Target has beefed up its cybersecurity staff with new hires, including Brad Maiorino, the retailer's first chief information security officer. It also opened a "cyber fusion center" in its headquarters that brings together many of the company's various security teams in one office where they monitor potential threats around the clock.
"As bad as things are … they are going to get a lot worse," Krebs said, adding that breaches would become more costly and more complicated.
The average cost for each lost or stolen record containing sensitive information is $217 for companies in the United States, according to a 2015 report by the Ponemon Institute, sponsored by IBM, on the cost of data breaches. The total average cost paid by organizations is $6.5 million.