Krebs Says Organizations Spend Money on Cybersecurity Weaponry but not Enough on Soldiers

Brian Krebs says companies fight cybercrime with too many tanks and not enough tank drivers. “Organizations spend ridiculous amounts of money on cybersecurity weaponry and then drop like two guys or gals on the ground to man all this weaponry that they have,” he says.

Krebs, an investigative journalist and blog author, spoke at the Tuesday morning General Session after receiving the ACFE Guardian Award. The award is presented annually to “a journalist whose determination, perseverance and commitment to the truth has contributed significantly to the fight against fraud.”

He says that organizations’ inertia and inaction are main contributors to cybercrime. “I would describe this as an overall … lack of urgency to own the issue of cybersecurity at the highest levels of organizations.

“In far too many of these breach cases the forensic investigation reveals after the fact that the breached company had all the indicators that the company was compromised — positively screaming at them,” Krebs, a former Washington Post reporter, says. “But the organization didn’t have enough people to help them interpret what all these technological tools that they installed and paid millions of dollars for were trying to tell them about the security and integrity of their networks and their data.”

Krebs says that organizations just treat the symptoms of cybercrime and not the root issues. “The trouble with the non-symptomatic stuff is that it’s not terribly sexy. It’s boring, humdrum stuff like patching software and servers and versioning backups and encrypting data and segmenting your networks so that the whole ship doesn’t go down when you get a leak in one compartment,” he says.

“Most states have laws on the books that mandate when organizations have a data breach they need to tell their customers or consumers whose information they lost and they have to notify them,” he says. “People are getting notified, but that’s part of the problem. Lots of people are getting inured to these notifications because everybody is getting hacked.”

Krebs says he would like to see a new requirement that organizations not only tell people they got hacked but also tell them how they got hacked. “It’s a shame that we don’t have these notifications because only attackers benefit when organizations can’t learn from each other’s mistakes,” he says.

Krebs says that when organizations lose data in breaches they buy credit-monitoring services for all victims. “Whoopee. That’s great. The way these services work, they don’t protect bad guys from stealing your data … or identity. … I would like to see more organizations when they have a breach to freeze their [victims’] credit. … It’s the only thing that blocks people from using your identity data to create new accounts in your name.”

Regardless of the latest data breaches, he told attendees that their data is already “out there” and has been for sale for many years. “If crooks want to get your information, if they want to apply for new credit in your name or ruin your identity, they can do it very easily.

“We all have a role in fighting cybercrime,” he says. “But at a personal level that sounds like a trite thing to say because people who say it don’t offer details on the real pain and cost that we incur to ourselves, our friends and family when we fail to take cybersecurity seriously.”

Krebs directed attendees to these items in his blog: “The Scrap Value of a Hacked PC, Revisited,” and “The Value of a Hacked Email.”