This edition of the Impact! Podcast is brought to you by ERI. ERI has a mission to protect people, the planet, and your privacy. It is the largest fully-integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States and maybe even the world. For more information on how ERI can help your business properly dispose of outdated electronic hardware devices, please visit eridirect.com.
John Shegerian: Welcome to another edition of the Impact! Podcast. I’m John Shegerian and I’m so honored and excited to have my friend on today. He is Scott Augenbaum. Welcome to the Impact! Podcast, Scott.
Scott Augenbaum: John, it’s great to be here. It’s great to reconnect with an old friend from New York City.
John: New York. We got Brooklyn and Queens in the house today.
Scott: Yes, a little rivalry going on over there but now, I’m a Nashville guy, Tennessee guy and you’re a–
John: California boy.
Scott: –California guy.
John: I’m a California boy but you know, for our listeners out there, this is your first exposure to Scott. Scott is very humble but a unique human being. He is an ex-FBI agent and not only an agent but a special agent in the Cyber Division of the FBI. He is really one of the formal cybersecurity experts in the world and he has written a book called The Secret to Cybersecurity. Today, Scott is going to be sharing a little bit of what he does on a regular basis, on a day-to-day basis, but also talking a little bit about his book and how people can engage with Scott to either safeguard themselves or safeguard the organization they work with. Scott, we’re so honored to have you on today because the impact you’re making in a world that consistently becomes more unsafe and I don’t know, some of your colleagues from the FBI recently came out with an article that was well published that said during this coronavirus tragedy, cybercrimes are up four times from the previous period. That is a scary statistic but why your work, your knowledge, and your expertise are more needed than ever before. Thank you for being here today. Go ahead, Scott, talk a little bit about what you do. You’re an expert and I want you to talk.
Scott: It is so good to be here today, John. You know when I hear what I do, I just kind of smile a bit. If you would have called me 32 years ago, that I’d be retired from the FBI, a cybersecurity expert, I would have said no way. I mean, raised in New York by a single parent, didn’t do very well in community college but my mom was so happy I graduated. She found a civil servant’s job with me with the FBI in 1988 as a file clerk for the FBI making $5.50 an hour. Do you know what she said to me? She said, “Look, Scott”, she goes, “This is great”, she goes, “You’re going to get healthcare for life and you’re going to have a pension”, and I said, “Mom, I’m going to get a cool-looking jacket and stuff.” I became an agent in ’94 and if you’d asked me to describe the role of an FBI agent in 1994, I would say it was so simple and easy. Bad people did bad things to good people in my area of responsibility. From that time, I got transferred up from New York City to Syracuse and I worked with state and local cops and we put bad guys in jail who would do bad things. What a fun and exciting job for a 27-year-old kid from Brooklyn, New York. I got a badge, a bulletproof vest, a car with lights and sirens, and I get to play with my friends. I got into cybercrime because I was the first guy in the office to have a home computer and the only reason I got a home computer is because of Windows ’95. Do you remember how difficult it was, John, before Windows ’95? Do you remember the days of DOS?
Scott: And was it easy to use DOS?
Scott: Maybe for you with NYU–
John: Not for me, don’t worry.
Scott: –but not for me.
John: Not from a kid from Queens. No, it wasn’t.
Scott: Yes and so I became the cyber guy and it wasn’t a fun and sexy job to have because as they were arresting bank robbers and fugitives, I was chasing high school kids, college kids, and kids by the name of Mafia Boy who is hacking into the Pentagon and just all the stuff. When I got promoted to Washington DC in 2003 in the Cyber Division of the FBI because the FBI developed a Cyber Division to deal with this emerging threat, a lot of my friends made fun of me and they said, “You were committing career suicide because in the next three years, the FBI is gonna arrest all the teenage hackers and the cybercrime problems are going to go away”. John, let me ask you how do you think that’s working out for any of us today?
John: Let me just say whoever made that prediction, they were slightly off. They were a little bit more than slightly off.
Scott: Yes, I’m not going to mention him by name but he knows his name. I’m going to tell him to listen to this definitely. I got to Nashville in 2007 and one of the things that I did was I started making contact with all the big companies in town: the Vanderbilt, the Nissan, the Tractor Supply. We’re the Silicon Valley of healthcare. I’m responsible for FedEx and International Paper, doing the relationship and the liaison to share information and we built this bridge with the private sector to be able to collaborate because the private sector is on the tip of the spear. By the time we got involved, it’s too late and it brings back to what you said earlier. The FBI, we just reported that because of the COVID-19, cybercrime complaints have been up 400% but what baffles my mind about that, John, is in 2015, there was a report from Cybercrime Magazine that the cybercrime problem was a three trillion-dollar problem and by 2021, it was going up to a six trillion-dollar problem. That was before COVID-19 and every day, we hear about it in the news. We read about it. Identity theft. 57 million Americans rant somewhere every single day. Companies’ crown jewels are being held hostage. We’re looking at the business scene now compromised which is social engineering at its finest. A 30 billion dollar fraud that it’s all least so much and here’s the unfair part about it, for most people, they hear that, they get scared, and they get upset because it seems that no matter what we do, the problem keeps getting worse. I’m sure you’re seeing that every day with your clients and your partners.
John: Right. Hundred percent.
Scott: At that point in time, we have that going on. The cybercrime problem is going on but here’s something else, we keep spending more money on keeping ourselves safe and the problem keeps getting worse. So, let me ask you. What does that mean when we spend money to prevent bad things from happening but bad things keep happening? What does that mean to you?
John: They’re going to keep happening and that they’re winning. That there’s a pot of gold. I saw a number, you correct me if I’m wrong, that this year alone, six trillion dollars is going to be done by the bad guys, by the threat actors, and if that’s the case, Scott, isn’t that really turning on its head that really, crime does pay? Crime does pay.
Scott: Well, it’s sad but when we get back to my other point, you’re so right. The thing that frustrates me is we’re spending money to be safe and crime pays. That is something that anyone can empathize with.
John: Hundred percent.
Scott: In my opinion, it means we’re not doing it right.
John: Oh, no. That’s why I was so excited to have you on today because having an expert, a special agent who has done this as a career and is really one of the premier experts right now in the world on this is so important because our listeners, there’s a void out there, they don’t understand how to access the right solutions, how to protect themselves, their families or their organizations and/or the organizations they work within. That’s why having you here today is so important and also, getting this book that I’m holding in my hand and I’ve read already, into the hands of our readers. The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime is by Scott and to learn more about Scott, you could go to his website or his LinkedIn but how his website looks is www.scott, then there’s an e there, and then his last name, Augenbaum, a-u-g-e-n-b-a-u-m.com. scotteaugenbaum.com. So, talk a little bit about the over a thousand victimizations that you’ve dealt with over the years and what are some of the common threads of these victimizations, of these crimes, that you could share with our listeners in terms of looking for common themes to try to prevent themselves from getting caught up in?
Scott: Okay, here’s the bottom line: in my career and after I retired about two and a half years ago, I had the opportunity to interact with close to a thousand victims and most of them were in person. I mean, when people were victimized, I would go out and I would talk to them. It kind of broke my heart because they all had commonalities. It was almost like Groundhog Day. It was almost the same day, day in, and day out. Here are the four commonalities that I call The Four Truths to Cybersecurity. The first truth is none of my victims ever expected to be a victim. They all went like this, “I don’t have anything that anybody wants. Why would anybody target me?”, and I would hear this from small businesses, nonprofit organizations, religious organizations, and in Nashville, very much healthcare centric. Five hundred healthcare companies. So, I would sit down with an organization and I would say, “Are you worried about this problem?”, and they’d go, “No”, and I’d go, “Why not?”, “Because we’re a small company”, and I would say, “Well, define small for me”, and they would say, “Well, we only have 10,000 records”, and I’m like, “Whoa, don’t you need to keep those safe?” I had an organization tell me that they weren’t concerned because they only were a half a billion-dollar company. Now, compared to a ten billion-dollar company, a half a billion-dollar company is a small company and then they said, “Look, we’re not a publicly-traded company. We don’t have anything to worry about”. So then, I would go talk to publicly-traded companies and I would talk to these companies that were traded on the Nasdaq and they would say to me, “Why are you here? We’re not on the New York Stock Exchange. Why would anyone want to target us?”.
I’d be like, “Okay”, and then I would go talk to companies that were on the New York stock exchange and the best response I ever received was one company said, “We’re a 5.8 billion dollar company and the bad guys are only targeting organizations that have ten billion dollars and above”, and you know, John, us New York guys, we have a very, very difficult time of filtering things but it took every ounce of energy that I had to say to them, “Where are you getting your information from? People magazine? The bad guys do not care who you are. They want access to your stuff and every organization has different stuff. I mean, even think about it, within your organization, you have marketing. What happens if the bad guys take over your marketing platform and send messages out?” That’s what happened with the NFL Twitter hacks. I’ve seen bad guys get into payroll accounts and they would compromise these payroll accounts, put in the username, put in the bank account routing information of these mule accounts and then on a Monday, when everyone is supposed to get paid, all the paid checks get diverted to another account. I would see HR platforms and companies don’t know what they need to protect. So, when I’m going out and doing proactive talks, I’d get out to companies all the time and part of what I do now is trying to change their behavior and change their culture. I believe if you can teach them how to be safe at home, then they’re going to bring that to work and that’s kind of why I wrote the book because if you go like this, “Hey, we’re going to bring in retired FBI agent, Scott Augenbaum, to talk about cybercrime because it’s part of HIPAA compliance, the PCI compliance, the stocks compliance”, nobody cares. However, if you bring me in to talk about how to stay safe at home and not be one of the 50 million identity theft victims, and I’m telling these stories, then people can take that and bring it to the home. 
So, I want you to think about this, John, in your organization. You don’t even have to answer me. Think about what you have which is your crown jewels. Forget about money. It could be your intellectual property, it could be your brand, your reputation, it could be your HR records, it could be your banking and finance, it could be your sales force–
John: Or clients’ data.
Scott: Yes, your clients’ data. All that stuff and your e-mail too because if the bad guys compromise your e-mail, they’re going to send an e-mail out from you to one of your clients. They’re going to read all your e-mails and they’re going to direct this individual to send money. So, think about whatever is the worst thing in the world that the bad guys have stolen. You don’t have to tell me. Now, I want you to think about this and now, I’m going to tell you the second truth to cybersecurity. When the bad guys steal your stuff and you contact law enforcement, we’ll not get it back for you. Hate to say it. When stuff is gone, it’s gone and I brought this up one day at a conference and this is when I was with the FBI and there was a Senior Executive there and he said to me, he goes, “Did you just tell the American public that we, the FBI, don’t get their stuff back?”, and I kind of have that Brooklyn Tourette’s for sarcasm, I just can’t help myself and I said to him, “What, do you think these people are that dumb?”, and he looked at me with that really harsh look and I started to smile and I said, “Office of Personnel Management, 21.5 million records stolen by the Chinese government. We have Blue Cross Blue Shield– which is Anthem– also 80 million records. Home Depot, Target, JP Morgan, Sony, Equifax, Marriott, the list goes on and on. Let me ask you. Is there any chance in the world that law enforcement can get those records back?”
John: Doesn’t sound like it.
Scott: No, you can’t, and even if you get it back and the business e-mail compromised which I’ve touched 150 million dollars worth of losses. When the bad guys get into your e-mail account and direct you to send money out, it’s impossible to get back. In my career, I like to joke if there is a hall of fame for FBI agents, I want to go to the hall of fame for getting money back because I stopped five wired transfers from going overseas and no, not because I was an expert, because I was lucky and it was the right place at the right time. I want to go to the hall of fame but if I was a baseball team, do you know what my record would be?
John: What’s that?
Scott: Five wins, 17,000 losses, and I’m a Hall of Famer.
John: Those are stark statistics but it’s the truth and that’s what this show is about–bringing the truth to our listeners so they can learn something about some topic that most people really don’t understand, most people are scared of.
Scott: Knowing this is so important.
John: Right. It’s so important and if cybercrime is going up as you said during COVID-19 or other times of great distraction, what happens next? Getting your voice out there and for our listeners out there that are interested in Scott’s great book, the name of it is The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime. I’ve read it and I work in this field. If you’re a CEO or CTO or an IT Director or Board Member, not only should you get a copy of this book but you should contact Scott, have him come in, do a seminar, do one of his things whatever his things are. I don’t work for Scott but I’m just telling you because I know how much of a void there is in corporate America or other organizations, governmental America, to these issues about software and hardware and how risky things are right now. Scott is an expert and he is out there for you. You could go to his website www.scotteaugenbaum.com to learn more about Scott, how to book him, how to buy his book, also on Amazon.com and other great places you could buy books. Scott, talk a little bit about number three. When stuff is gone, it’s gone, that’s number two, Number three. Tell all our listeners what your number three truth is.
Scott: We’re both from New York so if you take something from us, you should be punished, right? Those are New York rules.
John: Those are New York rules.
Scott: That’s what we grew up with. Yes, but here is the third truth. The chances of putting the bad guys in jail are even harder than getting your money back. Why is that? Crime used to be a local problem. No longer are cybercriminals– They’re all located outside of the US. They are located over in China. They are located over in West Africa. They are located over in Iran and when I’m doing these live seminars, I usually will have 500 people in front of me and I go, “Ladies and gentlemen, I’m going to tell you something today that I couldn’t confirm with you when I’m with the FBI but I want everyone to sit down and understand”, and I said, “I’m going to confirm for you today that the Russians have been hacking us”, and usually, I get these sarcastic looks and I’m going to explain why I have the badge that I can say that because in 2008, I was going around telling the financial services sector that Russian organized crime was the number one threat to the financial services sector in 2008. How many years ago was that?
Scott: Twelve. So, do you think I have the right to go out and be sarcastic about this? Things have not changed at all. Let’s think about this. What have we talked about so far? We talked about the bad guys steal your stuff, you’re not getting it back, the law enforcement is not putting the bad guys in jail and that paints a really, really upsetting picture for a lot of people. People get angry and I’ve had people call me out when I say this and they look at me and they go, “What the heck have you done for a living if you, the FBI, can’t get our stuff back and we can’t put people in jail?”, and then I just look at them and I go, “So, you’re angry and I’m depressed”, and that just usually gets them angrier which is part of the act and I go, “You want to know what I’m depressed about?”, and this is one thing and this is the last truth to cybersecurity. This is what’s worth listening to. Ninety percent of what I dealt with in my career could have been prevented by understanding the motivation of the threat actors, having an awareness campaign, and locking down everything with all your remote access with two-factor authentication. If my victims– and there were thousands of them– would have done that, if I could have had a time machine and went back in time and told them what I know now, I’m hoping I could have prevented a lot more victimizations. That is why I wrote the book to lay out the simple steps because what we’re talking about now isn’t complicated. I focused on six or seven really key elements of what people need to do before you send money and that’s the most important thing out here because when a big enterprise suffers a breach, it’s going to be okay for the company.
Maybe bad things will happen, but it broke my heart time and time again when I’d have to deal with a small business that lost their entire payroll account, or a senior citizen who lost their life savings, or a nonprofit organization that clicked on one link in an email and everything that they worked for was destroyed. It was never the right moment for me to put my arm around the victim and say, “Well if you just would have done this, it wouldn’t have happened.” That’s why today, I live my life as kind of almost a passion project where I share what I’ve learned. I share my experiences with large organizations and they usually come to me and they go, “Well, we got this great firewall. We got this endpoint solution”, and I’m like, “Hey, listen. You’re doing these seven things”, I go, “I didn’t invent any of this.” You know, when you say expert, I wasn’t an expert. I was a good listener. I listened to what the victims told me, I correlated it, and I put it together in a very, very simple plan and that’s why it’s called The Secret to Cybersecurity because when you read it, there is no secret. It’s doing the hygiene. It’s knowing that email is the number one attack vector. It’s making sure we think before we click, making sure we think before we act, it’s making sure we have strong, robust passwords, we’re not using the same password for mission-critical platforms. We take a deep dive in identifying what are the crown jewels within the organization and then we show you how you secure it. The best part about it is when I do these talks, I go to individuals. I go, “How much money do you have to go out and spend to keep your shop safe?”, and the answer really isn’t a lot. So my goal is to teach organizations how not to be the next victim without them really spending money. By showing them and reinforcing what the fundamentals are. Am I saying we don’t spend money? Of course not but I don’t care what you spend your money on.
If you don’t do what I tell you to do for free, you’re going to be a victim.
John: Right, so really, what you do, how you spend your professional life now is preventing organizations from becoming the next cybercrime victim. That’s really your main mission and motivation now when you go and do your live seminars at organizations all across the United States.
Scott: Yes, and some of the best things that I get right now is when somebody hits me up on LinkedIn and they’ve heard me speak and they went like this, “I heard you speak and I did what you said. Wow, I’m going to be so much safer.” They didn’t even have to buy my book and it just makes me feel so good.
John: That’s awesome. You know, Scott, when we look at what goes on in the media now, I saw yesterday EasyJet just had a huge breach and I thought 9 million or so of their customers’ information was exposed. We have, of course, lived through many other big brands over the years getting breached– Equifax, Home Depot– and these are huge organizations where normally are the clients then, their constituents, and other stakeholders put at risk when there’s a breach but leadership of these organizations lose their jobs. This is really your prevention methodology and teaching in your live seminars. You’re there not only to protect all the stakeholders. The stakeholders include upper management who, if they don’t take the actions that you’re sharing with them and lead them to, could actually lose their jobs and we’ve seen it time and time again.
Scott: Even worse about that, when it comes to small businesses and non-profit organizations, besides losing their jobs we’re talking about companies closing. We’re talking about people losing their livelihoods, especially in this time of COVID-19.
John: That’s a great point.
Scott: That’s really the point is, on my side, it’s the prevention side. I kind of had the opportunity to go out and work for companies and now, I just find it so much more fulfilling to do what I love to do which is sharing my experiences. I feel very blessed that I have a great pension and even during this time of COVID-19, I’ve reinvented myself. I’ve been doing some webinars and stuff which I find very, very difficult because I like to bounce around the room and do a hundreds, a thousand steps while I’m doing the talk and it’s just trying to figure that out. But here’s the bottom line, even though this COVID-19 is going on to cybercriminals are still looking at ways to exploit us. So I want everyone here to realize right now that if you get an email and it looks like it’s coming from the IRS and it’s saying, “Hey, there’s been a problem with your economic stimulus check, please click here.” Stop, become a human firewall. What are some other ways? What if you immediately get an email that appears to be coming from the director of HR and it says that, “Hey, we want to announce there’s a town hall meeting. There’s gonna be a series of layoffs.”, and this is what happens when companies aren’t securing their emails with two-factor authentication. The bad guys are getting in.
We have to teach people that email is the number one attack vector and the bad guys are sending this email just trying to get us to click on links. Especially in social media, people are posting articles and that is all getting you to click on stuff.
John: Besides the trend of this massive tragedy that we’re all going through COVID-19, we are gonna get to the other side of it. There’s going to be a new normal. But the danger continues to grow. But let’s talk about another trend out there that has come to America since May of 2018. In May of 2018, Scott, GDPR regulations were passed in the EU and they have greatly affected what’s happening in America because the US Government, of course, the federal government, like everything else we do here in America, we look at the EU or other parts of the world. Let’s say we’re in America, we could do something bigger and better. There’s seven or eight forms of national GDPR legislation that were put in for approval. They haven’t passed yet but once we get through COVID-19, one of them will pass and become the law of the land on a national basis. What we’ve also seen happen with the privacy rules and GDPR’s effect on the United States, is states now, are passing their own version of privacy regulations and GDPR. You have 22 states that have put in some form of legislation that will get passed as predicted by the end of this year. All 50 states will pass something by the end of 2021 and already 4 states including New York and California have already passed their own version. So the laws of privacy and data protection are tightening now more than ever both on the localized basis, federal basis, and an international basis. The rules around privacy are tightening. Now, if I was a macroeconomic whiz kid, I would say this trend has to be pushing people into your arms at a higher velocity more than ever because, as the news tightens, that means organizations are going to be held liable now for their constituents and stakeholders’ privacy and data more than ever. How has that affected what you do because you are still the expert that you are and there’s still a huge void of information on how these organizations are supposed to protect their constituents data and privacy?
Scott: That is an incredible challenge for organizations. There’s massive things about privacy and I sit down with C-suites all the time. It just goes back to that exercise. What do we need to protect and where is it? All of a sudden when I discovered that the head of marketing has a Microsoft Excel spreadsheet that contains all the customers’ names, dates of birth, and addresses to send a personalized birthday card, you know what that is? It’s PII and it’s sitting out here in probably her personal Gmail account. Companies just don’t know how to process that information and one of the trends that I see right now, which is a very unfortunate trend, is companies are spending a lot of money on reactive services. I have a lot of friends. I have friends who work for Kroll, they’re the gold standard of intrusion response and they are so busy during this time that it’s not even funny and the phone’s ringing off the hook because the majority of their issues are account compromise. Which means the bad guys are able to get in and they steal the username and password of the CEO. They log in remotely to the CEO’s email account and now, what is your email hooked up to today that it wasn’t hooked up to years ago? It’s hooked up to your OneDrive. Now, what do you think a law firm keeps in their OneDrive? Legal records. Another, what do you think a healthcare company keeps? Their healthcare records. They’re telling me– and a lot of other people are– that 85% of the intrusion response work is being caused by an account compromise which to me could easily be prevented. We’re not talking and we didn’t even need to have this discussion. The other 10% is really complicated. Keeping your network secure and having firewalls and knowing what’s on your network and endpoint solutions is so important. However, an account compromise, which makes up a majority of today’s data breaches, can easily be prevented and that’s leaving these organizations wide open to class action lawsuits, GDPR fines.
I mean, let’s just think about what happened to Marriott. How are the companies going to deal with that? It’s kind of the challenges because here’s what I see. From your listener’s point of view, there’s a fog. Where do I start? Because if you have a thousand different companies and they’re all telling you buy this, do this, get a pen test, get a risk assessment, buy an important solution, buy a firewall, get blockchain, get artificial intelligence. People don’t know where to start and I’m telling them if 90% of what I dealt with in my career could have been prevented by learning what I teach in my book, go get a copy of the book and start there. Don’t go over there and try to overcomplicate this because it’s the high geniuses. What did they tell us about COVID-19? What’s the most effective way to get with this? Wash your hands.
John: Wash your hands.
Scott: Wash your hands.
John: Cover your mouth when you cough. Real hygiene 101.
Scott: Then after you wash your hands you know what to do?
John: What’s that?
Scott: You bring your bottle of hand sanitizer and you leave it in the car, okay? Then when you’re done, you do it until your hands turn raw. It’s the same thing. That’s why people aren’t talking about what I’m doing because if you are an organization and I know you deal with consulting companies, what’s the goal of a consulting company? To get you on the hook which I’m not throwing stones at the consultants, well yes, I guess I kind of am. You know, they are coming in and they are moving in. I’m just saying, “Look.” One individual asked me, he said, “Are you a consultant?” I go, “No, I’m a speaker trainer.” He goes, “What’s the difference?”, and I kind of laughed and I said, “I guess I’m more expensive than a consultant.” However, I’m not gonna spend more than 6 hours with you. Eight hours of just a happy [inaudible] dinner and I go, “We’re gonna do a series of talks and we are gonna talk to your CEO and provide that high-level briefing to the CEO and the C-suite.”, because information security does not start with the technology department. It starts with the business owners because they hold the data. If you can teach them how to be safe at home, they’re going to be safe at work. You do an all-employees conference and then I sit down with organizations, I scratch test their intrusion response plans which they spend tons of money on, and I go, “When do you call the FBI or the Secret Service?”, and then before they give me an answer I cut them off, I go like this “Hi. I’m with the FBI. Here’s your data. Let’s start the exercise.” Then they go, “What do you mean?” I go, “In most standard breaches, it’s us, law enforcement, who tells you that you have a problem. How do you handle that?”, and then, I tell them that this is the closer for me as I say this sarcastically. I said, “Then I give you the best deal in the world.” They go, “What’s that?” I go, “I leave and I never call you again.” Honestly, I’m not here to make friends with these companies.
I’ve sat with CEOs and I’ve told them that they were out of their mind if they didn’t want to do what I told them to do. They were so taken aback, and they’re like “Well, no one’s ever said that to me before.”, and I said, “No one’s told you the truth.” If you don’t want to do what I tell you to do, I will give you the name of my best friend who works intrusion response, Matt Don. Call him 24 hours a day, seven days a week, bother him at home but mention my name and he’ll take 10% off your five, six, or seven figure engagement which you will pay when you have a problem. Then, he’ll kick me back 25%. Then I go, “I’m former FBI, I can’t take, say, a kickback.” In the information security world we call it a referral fee and then I go, “Or you can do what I told you to do for free which is just do this.”
John: Many times you’re saving these guys’ jobs, these people’s jobs, the CEOs that you’re consulting. For our listeners who just joined us, we’re so lucky to have today Scott Augenbaum. He’s a cybersecurity expert, ex special agent with the FBI, he’s written a book, The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime. You can buy this on Amazon. It will be the highest [inaudible] you’ve ever gone. If you’re a CFO, a CTO, a CEO, an IT Director, or board member of an organization that you’re trying to protect, that you’re a fiduciary for. Scott, you can also find him on his website www.scotte– “e” is his middle initial –scotteaugenbaum– a-u-g-e-n-b-a-u-m.com. Scott, I know you have some great stories that we could talk about for hours but I do want you to share before we say goodbye. There’s an importance in companies buying software tools to protect their organizations and there’s tons of great companies out there like Palantir, CyberArk, FireEye, and the list goes long. All these great unicorns and I’m not here to promote or knock any of them. I’m sure they all have a place out there. But, one of the dirty little secrets, as you were referring to earlier about endpoints, is the hardware. The hardware that contains data. That if misappropriated or handled the wrong way when they come to end of life, or given access to the wrong people in an organization, could spell disaster. I know you have a great story about hardware. Can you share that with our listeners? I want you to share that story with our listeners today.
Scott: Oh, sure. I mean, here’s one of the things that we don’t think about. What do we do with our stuff? Give it away. Now, companies give it away. Now, I remember getting a lead that came in because there was a computer that was found in the Middle East in the hands of a– let’s just say he was a guy who wasn’t a good guy in the Middle East about a decade ago and he was using this laptop, and the Department of Defense analyzed the laptop and they saw that it belonged to a guy who lived in my area. I got a lead– the Department of Defense sent the lead to the FBI, “Hey, go out and track this down.”, because how the heck does this guy who lives here– How does his laptop get in the hands of a bad guy who’s doing bad things?
Scott: We ended up tracking it down and we found out that this guy worked for a pretty large organization and we knew the chief information security officer, whose job is nothing more than to protect the network. His job isn’t disposal of hardware. So what did the organization do? They donated their old laptops to this company that kind of said, “Hey, don’t worry. We’ll make sure everything is wiped clean and everything like that.” What ended up happening is they donated it to some company, that company took it and obviously, that information– we don’t know how because they didn’t keep records. That was the crazy thing. They were like, “Hey, we donated it to 15 or 20 different organizations and they ended up doing it to somebody else.”, and then those things were obviously purchased, taken overseas, and they got in the hands of a bad guy. Now, let’s think about this. You know, at the end of the day, for whoever is the legal counsel at this company– and this is what I wanna tell as your guide to our listeners out here. Think about if this is your organization, what is it going to do to your brand if one of the computers that you gave away– and I’m not saying don’t give computers away and do good things– but that computer gets traced back because there was data on that computer and there was corporate information. We’re not even talking about that. We’re talking about the fact that the bad guy was using the computer but there was still corporate data on it that led us to track down the user, and there were facts, figures, spreadsheets, and everything like that that were buried deeper on the computer that the bomb thrower had, or I should say bomb maker.
John: Right. You and I know this is happening both on a federal level with government assets from the DOD and other parts of government. This is happening on a corporate and also on other organizations, municipality, and non-profit level. Now the people have to take care of so– as you said, phishing attacks, spear phishing attacks with emails and all the other kind of stuff and other types of preventative software. But their endpoints, their hardware also has to be destroyed the right way in order to continue to protect that organization. Your book is full of facts, full of information. Again, for our listeners out there, he’s Scott Augenbaum. You can find him on LinkedIn and you can also find him on his website www.scotteaugenbaum.com with an “e” as his middle initial. The name of his book is The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime. If I were you, if I was a CFO, CTO, CEO, or board member, I’d hire Scott, bring him in, read his book. He’ll prevent your organization from becoming the next cybercrime victim. Scott, you’re making a huge impact in making the world a better place. I’m so grateful for what you do and for your time today. Thank you for joining us on the Impact! Podcast.
Scott: John, thank you so much. I have a couple of books here that were sent to me. For the first five people who listen today, go connect with me on LinkedIn and ask me one good question. As you can tell, I’m very shy and I don’t like to talk, so we can continue this conversation. Hit me up on LinkedIn and I will gladly send you– first five people– send you a copy of my book. John, it was such a pleasure to talk to you and I hope to get out to California really soon and see you in person and we can–
John: Yes, here or Nashville, which is another great city, and I love Nashville, so I’ll have a great excuse to visit you in Nashville, or I will host you here in Fresno, California with all the hospitality on the planet.
Scott: Oh. Excellent. Well, thank you so much, and to everyone, be safe during this crazy time.