Who’s really to blame in a cybersecurity attack?

Computer

Oops – Todd just clicked on a link in his work email that he thought was from a trusted source, asking for him to reset his password. Todd doesn't know it yet, but he's just fallen victim to a phishing attack and now his entire organization could be at risk. Todd’s story isn’t new: according to a recent Verizon report, 96% of social engineering attacks — malicious activities accomplished through human interactions, like phishing — are delivered by email.

But when it comes to these cybersecurity attacks, who is accountable? In most cases, we all need to be. (Rest assured we can 100% blame the attackers.)

Oren Falkowitz

Accountability when it comes to cybersecurity was the topic of discussion with Area 1 Security’s Oren J. Falkowitz, who joined UTO’s Timothy Summers for the August 2021 installment of Innov8: A Speaker Series.

Let’s go phishing

Even while more organizations are adopting business communication tools like Slack, Falkowitz said that email is now being used more than ever. “Email is the single largest business application in the world today,” said Falkowitz. “And it will not die, ever.”

When it comes to phishing, Falkowitz shared that there are three ways to be a victim of a cybersecurity attack via email:

  • Downloading a file
  • Clicking on links
  • Authentic attacks (thinking the email is from a specific person or organization that you know and trust)

Each year, the most relevant, popular and searched organizations have their brand spoofed and used in phishing attacks. So who topped the list this year? According to Area 1 Security’s Perfect Phishing Bracket 2021, new companies like the World Health Organization (WHO) were added to the list — which makes sense, and all the more worrisome, given the global pandemic. 

It seems easy enough to avoid those items and not get phished, right? Unfortunately, Falkowitz said it’s complicated because hackers work hard to understand what you will click on. “Cyber attacks are really about authenticity – either personal authenticity, like you think it's from your boss, or it has some sort of visual acuity to it, so it looks like it's from Bank of America,” said Falkowitz. “Humans aren't able to easily discern that.”

And because of that level of authenticity, it’s difficult to put blame on attack victims, like Todd, for clicking a link or downloading a file that they thought was genuine. 

Building an informed company culture is so important

When these cyber attacks do take place, Falkowitz explains that it's important to have a healthy organizational culture, as opposed to leadership that points a finger at a specific individual. “It's a culture issue,” said Falkowitz. “It's about the mission that your CEO or president or Chancellor is on, and the people that they've put in charge of security.” 

Falkowitz added that education programs are important for employees to be more knowledgeable, but leadership must recognize and be understanding that because hackers are so sneaky, training isn’t going to necessarily prevent the next attack.

Size doesn’t matter

Falkowitz explains that no matter if you’re a billion-dollar corporation or a mom-and-pop shop, cyber attacks hurt everyone, and might argue that smaller organizations are hit the hardest. “I've seen K-12 schools, religious organizations,nonprofits or small businesses get hit with a $25,000 attack, not $100 million dollars, and it's crippling,” said Falkowitz. “They don't have extra money in the budget. They don't have the ability to trace it down around the world...The impacts are hurting the smaller companies at a far drastic rate, and it's just often not talked about.”

Watch the entire Innov8 conversation with Falkowitz now: