The Four Truths of Cybercrime: Lessons from Former Special Agent Scott Augenbaum


I recently had the pleasure of interviewing Scott Augenbaum, a retired FBI Supervisory Special Agent. We have a similar background, having both worked in law enforcement and intelligence, so we could have talked all day about cybercrime, organizational defense, and leading through crises. Here is a summary of our conversation:
Scott spent his 30-year career focused on cybercrime investigations. After joining the FBI in 1988, he went on to become a Special Agent, working on computer crime cases in New York and Washington, D.C. He was later the head of the Computer Intrusion/Counterintelligence Squad in Nashville. Since retiring in 2018, he has become an author, speaker, and trainer, focusing on educating businesses and individuals on cybercrime prevention. In our conversation, he discussed his "CyberSecure Mindset" philosophy and outlined his "four truths of cybercrime."
The "CyberSecure Mindset"
The "CyberSecure Mindset" is a philosophy that reframes cybersecurity, shifting the focus from purely technical challenges to human-centric ones. Based on his experience interviewing over 1,000 victims of cybercrime, Augenbaum found that a vast majority of incidents could have been prevented by people taking simple, non-technical actions.
This mindset emphasizes that:
- Security is a human issue, not a technology issue. Cybercriminals often bypass even the best firewalls and security software by exploiting human behavior through social engineering, phishing, and other psychological tactics.
- Proactive behavior is key. It's about empowering every individual—from the CEO to the front-line employee—to be a first line of defense. This requires being vigilant, skeptical, and educated about common threats.
- Knowledge is the best defense. The "CyberSecure Mindset" doesn't require expensive new products. Instead, it relies on teaching people practical, easy-to-implement steps like using multi-factor authentication, being cautious of unsolicited emails, and understanding the value of their data.
In short, a "CyberSecure Mindset" means consciously thinking about security in all digital interactions and making informed decisions to protect yourself and your organization from the most common and preventable cyber threats.
Four Truths of Cybercrime
- Nobody ever expects to be a victim. Victims are always caught off guard, with many believing they're too small or unimportant to be targeted.
- Getting your money or data back is nearly impossible. Once a cybercriminal steals your assets, law enforcement, even the FBI, has no "magic wand" to retrieve them. This is especially true for ransomware attacks.
- The bad guys won't get caught. The majority of cybercriminals are located overseas, often in countries with limited cooperation with international law enforcement, making prosecution incredibly difficult.
- Most cybercrime is preventable. Augenbaum states that a significant number of cyber incidents he investigated could have been stopped if the victims had a few key pieces of knowledge and education. This underscores the need for a "CyberSecure Mindset" in every employee.
Reflecting on the "CyberSecure Mindset" and the Four Truths of Cybercrime, we ended our discussion with a few key tips for CISOs and cybersecurity leaders looking to defend their organizations.
Key Takeaways for CISOs
- Focus on the Human Element: Most cybercrime, as much as 90%, could be prevented if humans did the right thing at the right time. CISOs must shift their focus from solely acquiring new security products to investing in their employees' cybersecurity training and readiness.
- Proactive Preparation is Paramount: It's not a matter of if a breach will happen, but when. CISOs must proactively prepare for a cyberattack. This involves more than just having a plan on paper; it requires regularly running simulations and tabletop exercises. These exercises test the incident response plan in a realistic, no-fault environment, revealing gaps in communication, roles, and procedures before a real crisis hits.
- Prove Your Preparedness with Data: CISOs must demonstrate the effectiveness of their security programs. This means moving beyond a simple checklist and providing data and metrics that prove the organization is prepared. This could include metrics on the reduction in software vulnerabilities, the number of employees who engaged with security programs, or the time it takes to contain a simulated incident. Using data also helps the CISO justify security investments and show the board a clear return on investment.
- The "Stuff" is Valuable: Cybercriminals don't care about a company's size; they want access to its "stuff," which includes intellectual property and sensitive data. This makes every organization, no matter how small, a potential target that must be prepared for an attack.


