Some chilling words

By James D. Ratley, CFE

From the President and CEO

Data breach! Stomachs churn, blood pressures rise and knees quiver when organizations hear those two words.

On Dec. 18, 2014, Brian Krebs was the bearer of bad news when he broke the story that credit and debit card accounts stolen in a massive data breach at Target had been flooding underground black markets. The next day, Target confirmed to Krebs, the author of, that cybercriminals had stolen more than 40 million debit and credit cards from the retailer's stores throughout the U.S.

Management at Home Depot, Kmart, P.F. Chang's and many others also reached for the Pepto-Bismol when Krebs revealed that they were data breach victims, too.

Why do these huge breaches keep happening? Well, first of all, the largest ones make the splashiest news, no doubt. But any organization that's connected to the Internet is at risk. Cybercriminals can creep into companies via outside vendors (like the Target breach), email attachments, bogus websites or some adept social engineering.

"Stolen credentials and passwords, in particular, are some of the most intractable problems in cybersecurity today," Krebs, an award-winning investigative journalist, says in the cover article. "It's bad enough that many banks do not even offer their customers the ability to authenticate themselves with anything more than a user name and password which, when phished, lost or stolen, can be used to impersonate that person. However, the lack of two-factor authentication within organizations for employees with access to sensitive customer and employer data is a recipe for disaster."

Krebs says that most companies spend "ridiculous percentages" of their security budgets on hardware, software and services that alert them when suspicious activity occurs on their networks that might indicate breaches. "Unfortunately, these systems generate so much noise and false alarms that it becomes a challenge whittling down the alerts to a few that you really need to read and act on," Krebs says. "This is a constant struggle because organizations are producing lots more data each day, and more devices are being added that generate alerts."

Read Krebs' interview so you can help your organizations (plus family and friends) protect themselves against breaches and data theft. Better yet, come to the 26th Annual ACFE Global Fraud Conference June 14-19 in Baltimore, Maryland, to hear Krebs, a keynote speaker, in person.

I'm looking forward to seeing all of you as we compare notes on the latest fraud-fighting techniques. See you in Baltimore!

James D. Ratley, CFE, President and CEO of the Association of Certified Fraud Examiners, can be reached at:
