The only thing standing between a Fortune 500 company and a multimillion-dollar data breach is most likely not a malware detection tool or some other fancy software. It's a human.
Reporter who wrote about Target breach says well-trained staff is best defense against cyberattacks
Brian Krebs, the cybercrime journalist who first broke the story of Target Corp.'s 2013 data breach, stressed the importance of security professionals when he delivered the keynote lecture Tuesday at the Secure360 Twin Cities Conference. "There's no substitute for the human," he said.
About 1,500 professionals are registered for Secure360, which takes place through Wednesday at the RiverCentre in St. Paul. The conference, which includes a panel on security measures for major events, is in its 11th year and is produced by the Upper Midwest Security Alliance.
In a world where "it seems like everyone's mom has lost my data," Krebs didn't sugarcoat the severity of the issues across the security landscape, or the fact that the last line of defense for a business is its staff, specifically the high-demand workers whose expertise can help detect and analyze cyber threats.
The Target breach, in which cyberthieves gained access to 40 million customer debit and credit card accounts, serves as a lesson for other companies, Krebs said. Despite the fact that the Minneapolis-based retailer invested more money than most companies in cybersecurity, it "didn't have the butts in the seats" to help analyze the scope of the issues when it was first alerted there was a problem, he said. Businesses are still learning many of these lessons the hard way.
Since the breach, Target has beefed up its cybersecurity staff with new hires, including Brad Maiorino, the retailer's first chief information security officer. It also opened a "cyber fusion center" in its headquarters that brings together many of the company's various security teams in one office where they monitor potential threats around the clock.
"As bad as things are … they are going to get a lot worse," Krebs said, adding that breaches would become more costly and more complicated.
The average cost for each lost or stolen record containing sensitive information is $217 for companies in the United States, according to a 2015 report by the Ponemon Institute, sponsored by IBM, on the cost of data breaches. The total average cost paid by organizations is $6.5 million.
There are several underlying issues that have led to the abundance of data breaches, Krebs said. For one, companies are almost blindly dependent on technology, which leaves them vulnerable to attacks.
There also is a dearth of security professionals. Oftentimes, businesses don't have enough people who are dedicated to data security, and the staff they do have are not given enough administrative power to be effective, Krebs said.
In addition, there are plenty of "security companies" that are only selling the idea of security and are providing duplicative services instead of the true help that companies need.
Krebs, who blogs at KrebsOnSecurity.com, gave several examples of schemes he recently noticed in the cybercrime underground. Phishing is alive and well, he said. Some recent breaches he has seen have started with CEO fraud attacks in which criminals pretend to be executives sending messages from spoofed e-mails to staff to get employee tax information.
There has been an explosion in sales of stolen data, which "has never been cheaper," he said. Street criminals can purchase stolen credit card information for $10 to $15 and then use that information to buy thousands of dollars' worth of electronics and other items that they can then sell.
Hackers have started to realize they will get more money from selling the stolen data back to the attacked companies than selling it to criminals.
Staff writer Kavita Kumar contributed to this report.
Nicole Norfleet • 612-673-4495
Twitter: @nicolenorfleet