
It's not the threats that bring us down. It's the vulnerabilities.

We often talk about new threats. It sounds wise, modern and proactive. Artificial intelligence, deepfakes, autonomous attacks, next-generation fraud. But to be honest, that's rarely where I find the most unsettling truth. It's usually simpler than that. What still brings down organisations is often not the futuristic, but the predictable: a fake login, a stolen account, a stressed person, a hectic day. ENISA's threat landscape for 2025 still highlights phishing as the dominant initial attack vector, and Verizon shows that stolen credentials remain a key intrusion path.
This matters because it says something bigger than "phishing still exists". It shows that many organisations still carry the same old vulnerabilities from ten years ago, now in faster systems, across more channels, and under greater pressure. Threats have become more scalable. Humans have not become less human.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

We tend to focus on the threat and miss the crack in the wall

I believe many organisations start in the wrong place. They ask: what threats are out there? That's a reasonable question, but not enough. The tougher question is: what vulnerabilities in our own practices allow even old attacks to still work against us? That difference is crucial.

If an employee can be tricked into handing over their details, it's not just a phishing problem. It's a vulnerability in how we build trust, design verification, and how much decision-making burden we place on someone in the middle of their workday. If an account can be abused after compromise, it's not just an identity issue. It's a shortcoming in our ability to detect, revoke, isolate, and recover quickly enough. NIST defines cyber resilience as the ability to anticipate, withstand, recover from, and adapt to disruptions, attacks, or compromises so that business objectives can still be met.

That's why I much prefer to talk about vulnerabilities and capabilities rather than abstract risk terms that everyone nods at but few can truly manage. Risk easily becomes a fog. Vulnerability can be pointed to. Capability can be practiced, measured and improved.

The digital human isn't broken. They're just tired.

There is a persistent tendency in cybersecurity to treat misclicks, stress and errors in judgement as individual failings. I think that's a convenient way to avoid seeing the system fault.

Today's digital worker operates in a constant storm of notifications, meetings, chats, emails, multi-factor prompts, document sharing and micro-decisions. To build security as if every person can always pause, analyse, verify and choose perfectly is like building an airport where everything depends on every traveller spotting where security checks fail. That doesn't build resilience. That builds queues, mistakes and false order.

The UK National Cyber Security Centre's guidance is wise on this point. They recommend layered protection against phishing that explicitly strengthens organisational resilience while disturbing users' productivity as little as possible. This is an important principle: security should not just exist, it should be manageable.

Old attacks work because many defend the surface, not the capability

This is where I think much security work still goes astray. Organisations protect the inbox, the firewall, the endpoint, and policy documents. That's not unimportant. But attackers often bypass these by attacking the decision instead. A familiar brand. A credible tone. A message that smells routine. A stressed moment when the brain is already running on reserve power.

It's like having strong perimeter security around the house but leaving the patio door open every time someone hears the word "urgent". It doesn't help then that the door itself is technically security rated.

Verizon's DBIR 2025 continues to show how central identity and human-targeted attacks are, and ENISA's threat landscape shows these attacks are not fringe phenomena but core to the actual intrusion picture. This makes the question business-critical: not "do we have controls?", but "do our controls work when an ordinary person has an ordinary bad day?"

Vulnerability is not weakness. It's the address of improvement.

I believe many organisations still avoid the word vulnerability because it feels uncomfortable. They prefer to talk about risk levels, maturity, or exposure. But vulnerability is actually a much more useful term. It shows where something can fail. It can be investigated. It can be tested. It can be fixed.

And most importantly: it can be linked to capability.

Capability is the opposite of security theatre. Capability is someone spotting the anomaly quickly. Capability is revoking the session. Capability is shutting down access without the whole business collapsing. Capability is giving people support at the right moment instead of blame afterwards.

CISA's guidance on phishing-resistant multi-factor authentication illustrates this well. The point isn't to add friction for its own sake, but to eliminate known vulnerabilities in authentication flows that attackers continue to exploit.

What we need to measure isn't how much we've done, but what we can withstand

This might be my most important point.

Many organisations measure activity. How many have completed training. How many policies exist. How many controls are "in place". But that says surprisingly little about what the organisation can actually handle when something goes wrong.

I think we need to start addressing questions that hurt a little more:

· How quickly do we detect a fake flow?

· How quickly can we revoke a compromised session?

· How quickly can we limit the damage?

· How quickly can we keep delivering what must work?

Only then does cybersecurity start to resemble business capability rather than document management. And that fits perfectly with NIST's view on resilience: not perfect protection, but the ability to continue meeting objectives even in an attacked environment.
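The four questions above can be answered with numbers rather than activity counts. As an added example (not from the original post), the script below takes a constructed set of credential-phishing incident timelines and reports, per capability phase, the median and the 90th percentile in minutes against assumed target values; the incident data, phase names and targets are all assumptions for illustration.

```python
import math
from datetime import datetime
from statistics import median

# Constructed incident timelines (sample data, not real incidents). Each row:
# (id, credential entered, detected, session revoked, damage limited, recovered).
INCIDENTS = [
    ("INC-1", "2025-03-03T09:02", "2025-03-03T09:14", "2025-03-03T09:20",
     "2025-03-03T09:35", "2025-03-03T11:00"),
    ("INC-2", "2025-03-04T13:30", "2025-03-04T13:33", "2025-03-04T13:35",
     "2025-03-04T13:45", "2025-03-04T14:15"),
    # Phished late in the day; nobody looked until the next morning.
    ("INC-3", "2025-03-05T17:50", "2025-03-06T08:10", "2025-03-06T08:12",
     "2025-03-06T08:40", "2025-03-06T10:00"),
    ("INC-4", "2025-03-07T10:00", "2025-03-07T10:25", "2025-03-07T10:45",
     "2025-03-07T11:30", "2025-03-07T12:00"),
]

# The four capability questions, each measured as the gap between two events.
PHASES = ["detect", "revoke", "limit", "recover"]

# Agreed targets in minutes (assumed for this example; set your own).
TARGETS = {"detect": 30, "revoke": 15, "limit": 60, "recover": 120}


def phase_minutes(row):
    """Minutes spent in each phase of one incident."""
    stamps = [datetime.fromisoformat(s) for s in row[1:]]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
    return dict(zip(PHASES, gaps))


def percentile(values, p):
    """Nearest-rank percentile: p90 describes the bad day, not the average."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p / 100 * len(ordered)) - 1)]


def capability_report(incidents=INCIDENTS, targets=TARGETS):
    """p50/p90 per phase, and whether the p90 is within the agreed target."""
    report = {}
    for phase in PHASES:
        vals = [phase_minutes(row)[phase] for row in incidents]
        p90 = percentile(vals, 90)
        report[phase] = {"p50": median(vals), "p90": p90,
                         "meets_target": p90 <= targets[phase]}
    return report


if __name__ == "__main__":
    for phase, r in capability_report().items():
        print(f"{phase:8} p50={r['p50']:6.1f} min  p90={r['p90']:6.1f} min  "
              f"{'OK' if r['meets_target'] else 'MISS'}")
```

With this data the median detection time looks acceptable while the p90 does not, because one overnight incident went unnoticed for over fourteen hours; that is the gap an activity metric such as "training completed" never shows.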

Conclusion: what brings us down is often not the new, but the unhealed

I believe many organisations look for the next big threat because it feels more strategic than admitting old failings. But often the truth lies there. Not in the exotic, but in the unhealed.

The most dangerous attacks are often those so familiar we've almost stopped respecting them. They slip in like cold air through a crack in the window. Not dramatic. Not cinematic. Just long enough to make the damage real.

That's why I argue we need to change our language. Less fascination with the newsworthiness of threats. More honesty about our vulnerabilities. Less focus on showing controls. More focus on building capability. Because ultimately it's not the new threats that expose us.

It's our old vulnerabilities.

So make vulnerabilities visible: point out where people, processes and identity flows fail. Build capability before theatre, and measure detection, limitation, revocation and recovery. Reduce the human burden by letting protection carry more of the weight at risk moments.

Sources

ENISA. ENISA Threat Landscape 2025. The report analyses 4,875 incidents between 1 July 2024 and 30 June 2025.

Verizon. 2025 Data Breach Investigations Report. The report continues to show the importance of stolen credentials and the human factor in breaches.

NIST CSRC. Cyber resiliency – Glossary. Defines cyber resilience as the ability to anticipate, withstand, recover from, and adapt.

UK National Cyber Security Centre. Phishing attacks: defending your organisation. Guidance on layered protection against phishing with minimal impact on productivity.
