NASHVILLE — Former FBI cybersecurity specialist Scott Augenbaum had a stark message to small-business owners, including dry cleaners, during a recent National Federation of Independent Business (NFIB) webinar: The cybercrime problem is getting worse, and small businesses are increasingly in the crosshairs.
Augenbaum, author of “The Secret to Cybersecurity,” is a cybersecurity expert and former supervisory special agent at FBI headquarters in Washington in the cybercrime fraud unit. He was responsible for managing the FBI Cyber Task Force and Intellectual Property rights programs. He later transferred to Nashville, Tennessee, where he managed the FBI Memphis division computer intrusion counterintelligence squad.
“I’m going to take you out of your comfort zone today,” Augenbaum warns his audience. “I’m going to make you feel a little hopeless, but I’m not here to scare you. I am here to share with you that there is hope. It’s not an endless battle.”
To begin, he lists four “Truths” to cybersecurity:
- First Truth — No business is too small to be targeted
- Second Truth — Law enforcement can’t fix the problem after the fact
- Third Truth — Cybercriminals are rarely caught or prosecuted
- Fourth Truth — Most cybercrimes are preventable
The Growing Problem
The scope of the cybercrime threat has expanded dramatically in recent years. When Augenbaum was still with the FBI in 2016, cybercrime was already a $3 trillion problem. By 2021, that number had doubled to $6 trillion. And, according to Statista, by 2026, that number is estimated to be $11.36 trillion.
The reason for such a jump? Augenbaum says the COVID-19 pandemic accelerated this growth by creating more opportunities for cybercriminals as businesses shifted to remote operations.
“COVID shut down so many of our businesses but created so many opportunities for the cybercriminals, because the cybercriminals were able to gain remote access to platforms,” he says. “And all the cybercriminals need is a stolen username and password to make your life absolutely miserable.”
As larger organizations invest heavily in cybersecurity, criminals are increasingly targeting smaller businesses.
“As large organizations are starting to buckle down and throw hundreds of millions of dollars at the problem, the cybercriminals look for targets of opportunity, and are starting to go down on the food chain,” he says.
According to Augenbaum, the traditional approach to cybersecurity isn’t working. Despite businesses spending more on security measures each year, the problem continues to worsen. He believes this is because technical solutions alone can’t prevent the primary way cybercriminals succeed: human error.
“Almost 90% of cyberattacks are caused by human error or behavior,” he says. “When I’m going out and I’m talking to companies, I’m telling employees, and you as individuals who own businesses, that you play a huge role in preventing cybercrime victimization.”
One of the most dangerous misconceptions that small-business owners have is believing they’re too small to be targeted: “If you have a business and you have a bank account, or you’re an individual and you have a bank account, you’re a target,” Augenbaum says.
He encountered this mindset repeatedly during his FBI career, including from a veterinary practice that ultimately was destroyed by a cyberattack.
“I had a small veterinarian who went out of business saying, ‘I can’t believe anybody would want to target us. We’re a veterinarian office,’” he recalls. “We also had a small doctor’s office go out of business because the cybercriminals got ransomware.”
For dry cleaners and other small businesses, the risks are significant because every modern business is essentially a technology company.
“It doesn’t matter who you are. You have very sensitive information belonging to your customers,” Augenbaum says. “You have email that the bad guys want to get into. You have credit card information. You have access to bank accounts.”
The Threat is in the Mail
Email systems are particularly vulnerable and valuable targets.
“If you have email and you don’t have the two-factor authentication, these cybercriminals are going to get into your email account and read all of your emails,” Augenbaum says.
Two-factor authentication (2FA) is a security process that requires users to provide two distinct forms of identification to verify their identity before gaining access to an account or system. Typically, the first factor is something the user knows, such as a password. The second factor is something the user has, such as a smartphone app that generates a one-time code, or something the user is, such as a biometric feature like a fingerprint.
Once criminals access a company’s email, they can often access connected systems like file storage, customer databases and financial information. The damage can be devastating.
“It takes a lifetime to build a brand, and it really does not take long for the brand to get destroyed,” he says.
The threat isn’t theoretical. Augenbaum shared an example of a small business that lost its entire payroll when cybercriminals accessed its third-party payroll platform. The criminals changed all employee bank account information to accounts they controlled. By the time the company discovered the theft, the money was gone.
“What would happen to your organization if none of your employees got paid?” he asks. “And it could have been a very simple fix. The company wasn’t using two-factor authentication on one of their mission-critical platforms.”
Augenbaum believes that the message is clear: No business is too small to be targeted, and the consequences of an attack can be catastrophic. However, he stresses that there is hope. Most attacks can be prevented by understanding the threats and implementing basic security measures.
Come back Thursday, when we’ll explore why traditional law enforcement can’t solve the cybercrime problem after the fact, and why prevention is essential for small-business survival.