Retired FBI Agent Cybercrimes Division Talks Cyber Security

FBI Cyber Security

I recently attended an IT industry conference where the topics were understandably cyber security heavy.  One of the speakers that stuck out to me was Scott Augenbaum.  Scott is a retired FBI agent that worked in the cybercrimes division for the last 20 years and has recently retired.  A few things from his address stuck out to me that I wanted to share.

Myth #1 – Law Enforcement Will Save the Day

Scott presented 3 different myths.  The first is that law enforcement will save the day.  He laid out what I thought was a bleak landscape of his job in cybercrimes.  The short version is that it’s very difficult to catch these guys, and even more difficult to effectively prosecute them.

Not that Scott never put away any bad guys.  He did indeed.  He was just upfront about the fact that gathering enough evidence of what happened to prosecute a security breach is very difficult.  The evidence that does exist is frequently tainted or destroyed by the companies own efforts to get their network functional again, and sometimes by paid recovery companies.

Even if they can recover evidence, it can be very difficult to tie it back to a specific individual or organization.  They are very good at covering their tracks and maintaining anonymity. 

So please don’t believe that if you get swindled online, or if your company gets breached that the FBI will be able to catch the bad guys.  Even if they do, recovery of your data or money is questionable at best.

Myth #2 – My Bank Is FDIC Insured and I Will Get My Money Back

Scott essentially said that it’s rare that anybody gets their money back.  He also made it clear that the FDIC doesn’t insure losses from cyber security breaches.  CFR commented on this in a recent article.

“Contrary to what many people believe, the Federal Deposit Insurance Corporation (FDIC) doesn’t reimburse banks for fraud perpetrated against accounts. The FDIC only insures your account against the failure and collapse of the bank. As the FDIC explains, most banks have private insurance for fraud loss. The reason they carry this insurance is that Regulation E under the Electronic Funds Transfer Act makes them responsible for the losses.

Unfortunately, Regulation E only applies to consumer bank accounts, not those of small businesses and banks are pushing back against an expectation that they will reimburse small business-related losses.”

So to reiterate, the bank is insured by the FDIC against failure, and not fraud or cybercrime.

Myth #3 – We Just Bought ____ So We Are Ok

There is always a shiny new tool for cyber security that claims to be the cure for all woes.  Scott was quick to point out that he has never seen any product, no matter how fantastic, that could prevent every breach.  He also pointed out that most cybercrimes could be prevented through security basics.  There is value in advanced solutions for security, but only if you’ve done all the basics first.

There is not a silver bullet for IT security.  A layered approach is best.  Employee training is also a key element that will help keep you safe.

A Few Truths

Scott also shared a few truths with us that he had observed over his career that can be instructive.

  1. None of his victims expected to be a victim.  They didn’t think they fit the victim profile for cybercrime.  This doesn’t stop the bad guys.
  2. The chances of getting your money back are very low.
  3. The bad guys rarely get put in jail.
  4. Most cybercrime could have been prevented.

While all of this may seem bleak, especially from a former FBI agent that spent his career trying to catch the bad guys, there is hope.  It lies in that last truth.  Most cybercrime could have been prevented.

Scott identified that many of the attacks that were effective for bad actors were not some amazing, sophisticated hack.  They were bad guys that found a company that had RDP (Remote Desktop Protocol) open to the world, and other simple entry points. The good news with that is that it can easily be prevented with the proper solutions and professionals.  i.t.NOW is that team, and we stand ready to help.  If after reading this, you have questions about your current cyber security posture we would love to help.  Give us a call today for a free evaluation.