The hidden truth a former FBI agent wants everyone to hear

Originally published in the Financial Post.

https://financialpost.com/technology/tech-news/from-finance-to-the-frontlines-of-cybersecurity
https://financialpost.com/technology/tech-news/keeping-the-lights-on-canadas-ot-cybersecurity-wake-up-call
https://financialpost.com/technology/tech-news/opinion-the-power-of-the-channel

Why most cyber-attacks are preventable and why denial keeps fueling them

Scott Augenbaum spent thirty years in the Federal Bureau of Investigation chasing criminals most of us will never see and dealing with victims most of us never expected to become. After decades of watching families lose their savings and businesses crumble because of a single click, he has reached a startling conclusion:

Cyber security is not a technology problem. It is a people problem. And in his view, almost ninety percent of the incidents he saw never had to happen in the first place.

From file clerk to cybercrime veteran

Augenbaum did not grow up dreaming of a badge and a gun. He describes himself as a kid with undiagnosed attention challenges who scraped through high school with an average in the low seventies and barely held a two-point three grade point average in community college.

His mother changed everything when she submitted an application for a file clerk job for Scott with the FBI in New York City. In 1988 at the age of twenty he started at the very bottom of the organization pulling files and supporting agents who were doing the work on the front lines.

The job gave him something school never had: structure and purpose. While working full time, he went back to school at night, eventually finishing a bachelor’s degree with a three-point seven average and beginning a master’s degree in finance and technology at Fordham University.

Wall Street was supposed to be his future. Instead, a mentor named Bob urged him to apply during a rare FBI hiring window in 1994. Augenbaum entered the academy at Quantico which he describes as the most challenging experience of his life and the first real time he had to step far outside his comfort zone. He passed and became a special agent.

From there his career followed the rise of cybercrime itself. He started in Syracuse, New York, working traditional investigations and cross-border cases with Canadian partners at the Ontario Provincial Police and the Royal Canadian Mounted Police. In those years he still saw himself mostly as someone who put bad people who did bad things to good people in jail.

Then the internet arrived for real.

Watching the threat evolve in real time

In 1997 he was handed his first internet case not because he was a seasoned cyber expert but because he was the only agent in the office who knew how to use America Online. At that time simply having an AOL subscription counted as advanced computer skills.

A year later he became the designated agent for the National Infrastructure Protection Center in his office, a precursor to the Department of Homeland Security. The focus was not stolen credit cards or hacked social accounts. It was preventing hostile foreign governments from damaging power grids, financial systems and other critical infrastructure.

This was not considered glamorous work. While his colleagues chased bank robbers and fugitives, he was dealing mostly with thrill seekers and amateurs poking at networks for fun or status. Cyber did not yet seem like an existential threat.

September eleven changed that. National security was rewired overnight. Counterterrorism became the top priority, counterintelligence followed and preventing cyber-attacks moved quickly into the third spot. In 2002 the FBI created a dedicated Cyber Division at its headquarters in Washington and brought Augenbaum to help build it.

The mandate was blunt. In a world where anyone with a computer and a connection could be an adversary the bureau needed a national cyber strategy, people in embassies overseas and task forces in every field office. Friends joked that the cyber problem would be solved by 2006. Instead, it was only getting started.

From 2007 to 2010, Augenbaum watched state sponsored espionage surge. Chinese actors were probing and stealing intellectual property across the American economy. Russian and Iranian activity grew. The clean lines between spies and criminals started to blur.

By the mid two thousands, he was warning companies about ransomware and business email compromise years before they became household terms. As banks hardened their defenses, criminals shifted focus from institutions to customers. They stopped robbing banks, he says, and started robbing bank customers.

The four truths of cyber security

After thousands of cases and victim interviews Augenbaum distilled his experience into what he calls the Four Truths of Cyber Security. They are simple but they drive his work today.

Truth one is the victim mindset. Almost no one he met ever believed they would be targeted. He heard the same lines again and again. Why would anyone want to target us? We do not have anything worth stealing. He heard it from small charities and from public companies worth billions. Denial was universal until the money vanished or the systems went dark.

Truth two is the irreversibility of damage. Once an incident happens there is no magic wand. Consultants and law enforcement can help contain an incident and investigate but money wired to an overseas account is usually gone. Stolen data and reputations are almost impossible to fully restore.

Truth three is the difficulty of international enforcement. Many of the worst actors operate from countries that do not co-operate with western law enforcement. Grand jury subpoenas mean nothing in Moscow or parts of China. New organized crime groups have sprung up in regions of Southeast Asia and West Africa further complicating arrests and prosecutions. The neat line that once separated national security threats from organized crime has blurred into a single messy ecosystem.

Truth four is the one he calls his epiphany. Most cybercrime, in his view, is preventable. Looking back, he believes that nearly ninety percent of the cases he worked could have been avoided if the eventual victims had been armed with just a handful of basic pieces of information and had changed a few day-to-day behaviours. That realization is what drives his work today.

When training becomes a comfort blanket

If cybercrime is mostly preventable, why does it keep rising? For Augenbaum the answer is uncomfortable, starting with how organizations treat cyber security itself.

One of the big problems, he argues, is that we have tried to solve a people issue with technology. Companies invest in tools but underinvest in changing behaviour.

Awareness programs are a prime example. Many companies buy off the shelf training modules or run annual videos that employees click through while distracted. The goal is to satisfy regulators or auditors not to change anyone's mindset. It becomes what he calls check the box security.

He points out that if this training worked, he would not have a career being hired by large firms to help fix their mindset. Instead, he is still brought in after disasters to speak to boards and employees who thought the annual video and a phishing simulator were enough.

There is also a deeper organizational psychology at play. Cyber security is too often seen as a cost center not a strategic investment. Security leaders are constantly told to do more with less, especially outside sectors like financial services where regulation is strict, and budgets are bigger.

At the same time the average tenure of many senior leaders is only three to five years. When your horizon is that short it is easier to focus on the next quarter earnings than on long term resilience. No one wants to be the executive who slowed down a project in the name of security even if that delay would have prevented a breach later.

The real front line is the end user

Ask Augenbaum what truly worries him today and he will not start by talking about sophisticated zero-day exploits. He will talk about social engineering.

In his words social engineering is the number one tool in the cybercriminal tool belt. And it is far bigger than fraudulent emails. Attacks now arrive via text messages, phone calls, malicious QR codes, infected pop ups, web adverts and ever more convincing social media account takeovers.

At the core the goal is simply to get a user to hand over a username and password or approve an action without thinking. The dark web is flooded with stolen credentials. Many victims still rely on a single weak password reused across multiple services and fail to enable two factor authentication even when it is free and easy to turn on.

That is why he is alarmed but not surprised by the rise of generative artificial intelligence. In his view AI does not change the fundamentals of cybercrime. It just makes the old tricks faster, cheaper and more convincing. Criminals can use it to craft better lures, mimic writing styles and scale the kind of personalized attacks that once required significant effort.

The barrier to entry for attackers has never been lower. The tools to destroy a small business he says are available free or at low cost online. You no longer need to be a technical genius to cause real damage.

A mission built on prevention, not fear

Augenbaum retired from the FBI in 2018 on his fiftieth birthday. Instead of fading quietly into private consulting he has set himself a public goal to help one million people in the next five years.

He sees himself as an advocate for victims in a system that often cannot help them. Police services are overwhelmed, and cross border jurisdictional issues make many investigations difficult or impossible. For the average small business owner or retiree whose savings just vanished there is rarely closure.

To reach people before they get that call from the bank, he now spends his time speaking to companies, appearing in media and posting regular educational videos on platforms such as LinkedIn. His message is not built on fear or on selling another tool. It is a call for ordinary people and leaders to take simple practical steps and to internalize the idea that they personally are targets whether they like it or not.

The fundamentals he insists have barely changed in fifteen years. Use strong and unique passwords. Turn on multifactor authentication everywhere it is available. Slow down and verify requests for money or sensitive information through a second channel. Treat unsolicited messages, phone calls and pop ups with suspicion. Protect your personal accounts with the same seriousness you expect at work.

None of this is glamorous. But in a world where criminals can reach across borders with a few keystrokes it is the difference between reading about the latest breach in the news and starring in the next headline yourself.

For business leaders, the lesson from Scott Augenbaum's career is stark. Technology spending alone will not save you. Culture, awareness and clear habits at every level of the organization are the real front line. The choice is to invest in those now or to pay much more later when an attacker exploits the very human belief that it will never happen here.
