HITT Series Videos

HITT- Cybersecurity April 2, 2024


Introduction to Cybersecurity Importance

Is always such an important topic, and, it’s one that, you know, in the news every single day, it inspires a lot of fear, but, actually, it should put our advisers in a really great position to help their customers and their clients.

Absolutely. We’re still seeing a huge amount of things happen. So what we wanted to do is give you a little bit of statistics around cybersecurity awareness and then tell you a few of the breaches that have happened and how they were caused and then some of the actionable things that we as Telarus can do to help your customers.

Statistics on Cybersecurity Threats

So I wanted to start out and say, you know, from a statistical standpoint, there’s three hundred and thirty nine billion emails that get sent out worldwide every day. And you heard us talk about this on our call with Patrick, about a month ago. Yeah. Eighty five percent are either spam or malicious.

Now most of them are spam according to everything that we get, but still a lot of those are faking and tricking employees to click on them. You know? And then you go into Gartner, and Gartner says that we only make employees spend forty nine minutes a year doing cybersecurity awareness training. And if you ask most of your clients how often they do cybersecurity awareness training, you know, they’re not doing it as fully and as accurately as they could be, and the tools that they have might not be as good as they would like.

So it’s always challenging. Then when you think about eighty eight percent of all breaches are still caused by humans according to just last year’s statistics, which was up eight percent, that’s, you know, earth shattering. You know, if you look at the amount of attacks that we’re seeing daily, there’s three point eight million attacks just today. And if you break that down, there’s a hundred fifty eight thousand per hour, two thousand six hundred per minute, and then forty four every second.

And a breach in the United States is happening every fourteen seconds. So, Jeff, when we start to think about some of those statistics, you know, you sat in this role before. How hard is it to be a security person today and doing this with a lean staff?

Challenges Faced by Security Personnel

What are you what are some of the things you need?

Jason, it’s extremely it can be extremely frustrating. Right?

Because the reality is whenever we have a staff that is on a computer eight, nine, ten hours a day, email, social media, all of that is just a constant barrage of attacks, really. I did a check the other day, and I get about two hundred and forty phishing emails a week, either work wise, not so much, but on my personal emails.

So, you know, they’re constantly they’re constantly working. You’ve heard me say this a thousand times. You know? The bad guys don’t work Monday through Friday and take weekends and holidays off. It’s twenty four hour a day job.

And the reality about the phishing emails is that it’s tried and true. You know, I have people ask me all the time, why do people send these phishing emails? They’re stupid. And, yes, a lot of them are.

But the reality is they work. There’s always somebody that’s gonna click that malicious link. They’re going to, you know, I always joke about I don’t worry about the people over in the Ukraine or in China or North Korea. I worry more about Betty over in accounts payable who just clickety click click clicks on everything because, by golly, she’s gonna get that free Starbucks card.

So it’s, it can be very frustrating. And whenever you look at that stat on that second bullet point where we’ve got, you know, two thousand eighty work hours in a year and only forty nine minutes of that are spent in any kind of awareness training, it’s incredibly frustrating for someone that is trying to lead a security, you know, of an organization to get it to people that this is important to not only you personally, but to the organization as a whole.

You can, and and we’ll be talking about this later with Ryan, but the majority of of these attacks really are we’re just trying to harvest credentials. I want your username and password.

You can have every protection in the world on your infrastructure.

But guess what? If I’ve got your username and your password, I’m you, essentially, and that is going to allow me to do things that some stranger can’t necessarily do because they’d be caught.

Impact of Phishing Emails

So let me ask you something. So one of the the best phishing simulations that I ever, witnessed was Fortune one thousand customer, and I mentioned this before, did a, phishing attack on all their employees, five thousand employees, and they basically said, listen. We never thought we’d see this day come. Unfortunately, we’re closing our doors.

Please click on the link below so we can send you your last paycheck.

Effectiveness of Phishing Simulations

And ninety percent of the employees clicked on it. Then they sent they waited a day. They sent out another email that said, hey.

Listen. That was, you know, going after April fools yesterday. That was, something where we actually got compromised, but we’re trying to make payroll the next three days so we could be reported. Please click on the link below and fill out all all of your information so we can send you your paycheck.

And ninety eight percent of the people clicked on it. So one, I wanna hear, is that effective? And, two, do we see leaders in the security space wanting to do an attack that malicious because they’re worried that everyone will click on it or expose them as an organization. You know, where’s the balance there?

Yeah. I mean, it it it there’s a fine balance. Right?

But I’ve always said, if if anybody that’s listening and knows me, they know that I always say I am never gonna sacrifice security for the sake of convenience. Right? And a lot of folks don’t want to do phishing campaigns. They don’t wanna test their staff because there’s a there’s a few things that they’re afraid of.

Number one, they’re going to take away from productivity. Number two, they’re worried about embarrassing or, making someone feel stupid within the organization. And my experience over thirty five years of doing this is the the number one offenders of phishing attacks, nine times out of ten, and I’ll argue with anybody on this, is typically someone in the c suite. I did a phishing campaign once upon a time.

The first person to, to hit was my COO.

And he was angry, that the link wasn’t working.

And then when he found out it was a simulation, he got really mad because I was trying to fool him. And it’s like, I’m I’m not trying to fool you. I’m trying to protect you.

You know, I’ve got a stat in front of me is that because phishing is such an effective method for getting into a a company, into an organization, infrastructure, what have you.

Prevention Methods and Breach Examples

There are, so many people that are doing, doing this, that seventy one percent of all attacks or all all incidents security incidents, in twenty twenty three were through phishing just because it’s easy. I do a presentation where I can create a phishing email that looks beautiful within about two minutes, right, and send it out. And once I have all those credentials harvested, then I can carry on different attacks that way.

So it it’s it’s bad. And and when we talk about the forty nine minutes annually of training, that’s not just your normal employees, your line staff. That should include your executives, your board members. Right. Top to bottom. Right?

I completely agree.

We’ll advance the slide, and so we’ll continue on.

What we wanna do is show you some of the other really interesting statistics. You know, threat actors used phishing links to do a majority of all their attacks, you know, in two thousand twenty three.

What I was just saying was I mean, that’s a that’s a real stat.

That just came out last week.

And then, you know, KnowBe4, and we’ll get you some of those statistics. I saw something in the chat. We’ll tell you who gave us a lot of these statistics. But, you know, KnowBe4 indicated that the average phishing click rate is still at thirty two percent.

You know, that was two thousand twenty two, but it’s it’s only going up, which is, you know and we’re focused more on that cybersecurity awareness training than we have in the past. Now after completing cybersecurity awareness training, we typically see a reduction, but then the rates start to go back up because we don’t continue to do it. And so, you know, Jeff, what are you seeing? Is it is it being adopted quarterly? Is it being adopted biannually?

Is it enough what we’re doing? And and employees don’t wanna do it. It’s you know, they have other things to do that are more important. Right?

You know, it’s one of those things where I’m very big into the educational aspects of cybersecurity. That’s that’s what I do. I tell people I just educate. Right?

Challenges with Cybersecurity Training Adoption

But it it’s one of those things where if you’ve got an organization, like I said, there’s, what, two thousand eighty hours in a typical work year. Right?

And you’re spending an hour a year, forty seven minutes a year talking about this. And the problem is that we get into a training mode where it’s annual training. Right? Where it’s not just cybersecurity. It’s safety. It’s it’s it’s all of that. How to use this tool, how to use that tool regardless of industry.

And the reality is a lot of people just glaze over and they check a box. I’ve gotta go to training, so this is what I do. I used to work for the federal government, and it was mandated that we do one, you know, annual training every year. And there was all of those different trainings that we didn’t care about.

We had to be there. Right? I didn’t care about how to safely use some cleaning chemical because I never did that. And a lot of people don’t think that cybersecurity is their job.

Cybersecurity, that’s the IT people. That’s the that’s the CISO. That’s that’s those folks. It’s not me. They’re there to do this. Well, the reality of cybersecurity is everyone’s responsibility because it’s an organizational problem, not an IT problem.

Responsibility for Cybersecurity

So, Jeff, walk us through a couple of breaches that happened in the last six months. How did they happen? How impactful were they, and could they have been prevented with strong cybersecurity awareness training?

Well, I’ve always said that the the more prepared you are, I always try to build what I call healthy paranoia. Right? Where anytime you get an email that looks suspicious, ask. Don’t be afraid to ask. Don’t just click on, well, that’s from the CEO, so I’ve gotta I’ve gotta I’ve gotta do this. Right?

It’s so easy to use social engineering. Social engineering by way of email, by way of what we call phone pretexting, where we call someone and say, hey. This is, my name is, Mike. I’m with, IT. We see a little problem with your account, and we’re gonna need to deal with that.

Is now a good time? Can I can I do that? I was in a, seminar not long ago, and there was a gentleman that was it was a fascinating session.

And it was called how to rob a bank over the phone. And this guy did social engineering via email, via phone pretexting, and he actually had audio files of his attack. And he had the IT director on the phone, and I heard this firsthand, where he actually he actually had the IT director installing his malware on all of the servers in the bank.

The next day, this guy, this this attacker, he was a good guy. He was a white hat.

Actually, went to the bank. They were having a birthday party for one of the tellers. They invited him in. Come on in. Have a piece of cake. And he’s he’s got a full run of the place. Right?

So the reality is that human beings are trusting. Right? If you if you know, most people think that the, the hacker, for lack of a better term, the bad guy, is wearing a gray hoodie and mirrored aviators and sitting in a dark room like Matrix or or whatever.

The reality is bad guys don’t look like that. They they can look like me where I walk in and I smile. Maybe I’ll bring a cup of coffee and a and a and a rose to the receptionist.

You know, I’ve got full run of your place because how can I be a bad guy?

Look at you know, I’m wearing a suit. I’m looking nice. I’m I’m very personable with you, and I’ve got a meeting. I’ve got a very important meeting with and I’ve done my research. I know the names of everyone in your organization. I know the IT guy. I may be wearing a an outfit from, you know, some some IT company that may or may not be an outsourced organization to your organization.

I’m in. Right? So what we see a lot of times is people are hitting help desks. Right?

They’re gonna call help desk. They’re gonna call, individuals and just say, I’m having problems with my password. Can you reset it for me? Right?

Yeah. What’s your username? And they’ll do it. And that’s what they, that’s how they get in.

The the other thing we talk about, multifactor authentication being a deterrent, and it is by far and large. The more protections you have, the better. But people get just overwhelmed with MFA requests. We call it MFA bombing, right, where you just get over and over.

You get and before you know it, the IT guy at the end of the you know, he’s it’s two o’clock in the morning. He’s trying to get some sleep because he’s been working for sixteen hours.

He just says yes.


Boom. I’m in. Right?

So if if you look at what’s going on in the, you know, in the casinos I’m actually heading to Las Vegas for a for a meeting here in just a few minutes.

But the big hack in Las Vegas, that was purely due to someone doing some, pretexting with the help desk.

That happens over and over. Just open any any news site, right, and see what’s going on. Well, it was done through a phishing attack. That’s typically the way they start. And the reason we get so many of these is because it works.

And the bad guys are always getting creative. Right? They’re running this like organized crime.

Hey. I got these credentials by doing this. How many times have you gotten an email or a text, which is called smishing, by the way. There’s all kinds of stupid terms out there, but get a text from Bank of America.

Your account has been, put on hold because of suspicious activity. My my dear father-in-law lives with me. He’s eighty five years old, and he had to have an iPhone a couple years ago. God help me.

Typically, two, three times a week, he comes to me with his phone. Hey. I got a problem here. And it will be a text saying your Netflix account has been put on hold. Please verify.

I’m like, Pete, you don’t have a Netflix account, or Wells Fargo’s after him. You you don’t have a Wells Fargo account. Right? So, you know, if you send out thousands and thousands and thousands of these attacks, someone is going to bite.

Someone is going to hit on it. And with security folks, we you know, I I always talk about you know, I’m a baseball guy, so it’s always a baseball analogy. Think of a think of a catcher on a professional baseball team, and he digs, you know, hundreds and hundreds of of of wild pitches out of the dirt. Right?

But he lets one go to the backstop.

He’s a goat. He’s a he’s he’s a he’s a doofus. Right? And he needs to be sent down to the minor leagues. That’s the way it is with us. Right? We can stop hundreds and hundreds and hundreds of thousands of of attacks.

Nobody really knows. But if we let one through, then we should be fired. Right? The bad guys, they only have to be right once.

We have to be right every time. So that’s why training is important, and that and that’s why I talk about building this this healthy paranoia. When you get that email, don’t feel bad about calling the help desk or calling your security person or the IT person, sending it over. Right?

And we have solutions in place that, actually, there’s a there’s a button on if you’re using Outlook, there’s a button, report phishing. Right? It’ll go. It’ll be checked out, and you’ll get a response back.

No. It’s good. Or thank you. This is bad. I do it all the time, right, where I’ll see something suspicious.

I’ll send it over, and and, you know, our our our great, IT team here at Telarus will hey. Thanks for sending that in. It looks good. No no problem.

Right? I also have tools where I can run through emails and and say, yeah. No. Just delete it.

Right? So that’s a that’s a roundabout way answering your question, Jason.

Thank you. I appreciate that. Go ahead and go to the next slide, Leila. So we’re gonna, just run through a couple of these. You wanna go through the effectiveness here, Jeff, and then we’ll open it up to questions?

Effectiveness and Continuous Nature of Cybersecurity Training

Yeah. I mean, you already mentioned it. You know, we’re reducing risk by up to fifty percent. Right?

But this has gotta be concurrent or it’s gotta be continuous. Right? This is not a one and done. Keep it on people’s minds.

Keep it on the forefront of folks whenever they’re, whenever they see those suspicious emails. Hey. I remember from training that this is how they do, they do things.

You know, there’s a lot of folks that are required to do awareness training. Right? There’s compliances that that require you to do that.

And if you have cybersecurity insurance, that’s one of the controls that you have to have in place. And if you make a claim, let’s say you get compromised and you make a claim, it’s not as easy as it used to be where you just say you do security awareness training. You have to prove it. And if you did not do security awareness training for your entire staff and you made a claim, you’re not going to get any kind of payout because of that.

And if you look records, you know, the cost of breaches is, you know, for a for a standard you know, I’ve always I’ve always said that, you know, a social a Social Security number on the on the dark web, for instance, can net you maybe a quarter, twenty five cents. Right?

Medical records, on the other hand, can get up to a thousand dollars per record on the dark web. And there’s reasons for that. Right? And it’s a case of cost benefit analysis. Right? It’s not going to cost near as much to train your staff, to be aware, to understand that if you have a question, ask, than clicking that bad link, getting compromised, you know, ransomware comes through bad emails, credential harvesting comes through bad emails.

It should be an ongoing thing. And on this next slide, you’ll see some of the ways to implement that security training is, you know, make it part of that overall structure. Let your employees know that we’re not trying to fool you. We’re not trying to make you feel stupid or look stupid.

Gamify it. I’ve always done this where I’ve pitted, you know, departments against each other to try to win a a token, a prize. You get the you know, I I actually had a trophy made once upon a time that had a big fish on top of it. It was for a bass tournament.

But the people that got phished, hey. Guess what? You gotta put that trophy on your desk and keep it there until the next round. Right?

Make sure the entire organization is aware. And one of the key elements of this is make sure that you have the support of the executive team. So every time the executive team, you know, that c suite, whoever that may be, has an all hands meeting or a town hall, make sure that they bring this up and say, hey. I want you to understand that this is important to our organization.

So take it seriously. We at Telarus, we are very used to, we have to take training once a quarter. We get phishing emails all the time. If you click that malicious link, either by accident or it just looked good, it looked real, you’re taken to a training site, and it’ll tell you this, you got phished. And this is what happened. This is how you got phished, and this is how to protect yourself.

That’s great. Doug, why don’t we open it up to some questions?

Can do. Great, presentation, the two of you as always.

You know, we joke a little bit as we go through this about the, the different ways that we can approach this.

But, as you mentioned so effectively at the presentation’s beginning, this is a significant and potentially devastating problem for companies. We had a number of people asking where are some of these statistics from, how can they view these and update them to some extent for their own presentations?

Where’s a good place to go for sourcing on this?

Yeah. We can provide, you know, we we try to source a lot of our stuff through Gartner and Forbes.

But we’re also looking at some of the suppliers out there like the NoviForce who are doing this, to most of customers in our industry.

And then, you know, there’s other reports that are coming out.

You know, I usually spend the first hour of every day watching, seeing what’s going on out there.

So I have a lot of websites. One of them is the Hacker News.

Just like it sounds. The Hacker News dot com is one. Cybersecurity Dive is another one. And they they they gather these resources. They gather these statistics, and and it just shows how important it is to have various controls in place, not just security awareness training or, spam control, but, you know, multiple things. And this is what’s happening in the world.

And every day, the list grows bigger and bigger and bigger. So we also have Stickley on Security is a good one, that we use, where Jim Stickley does a you know, he’ll do video training, right, talking about things that are real world to people that may not just affect an organization, but affects us personally, like those phishing emails from a bank, those phishing emails from Amazon or Netflix. Right? They may not have an organizational impact, but they can. If you’re not protecting your organization, you’re probably not protecting your own personal information as well.

And these statistics are a great way to position in front of partners and for partners to position in front of customers. I was just listening to a recent, you know, panel discussion, and they were talking about cybersecurity awareness training, and they were talking about how many emails were getting sent out. And, you know, that forty nine minutes is all we’re making employees spend a year. Is that something that is consistent with your organization?

Are you worried about an attack coming from some of your employees? You know, those are things that we can help you with. And I had that with an eight billion dollar company, and he said, absolutely. Super terrified, super terrified, and would love to see if there’s better tools out there than the ones that I’m using today because we can’t afford to have a breach like that happen.

So what are the questions?

Ironically, I suppose many of the, opportunities that we have to chat about cybersecurity involve very large scale solutions, sometimes potentially expensive solutions that are determined to stop hacking, stop some of the outside maliciousness that comes in. But ironically, in my mind, this employee awareness training and stopping those potential accidents that come from within is generally very inexpensive.


It seems like a great place to start for companies that may not yet have fleshed out or be able to afford a more comprehensive plan. Is that true?

Absolutely, Doug. One of the things that that you know, I’m mister analogy. Right? So if you want somebody to to keep from breaking into your house, there’s some very easy things to do.

Leave your porch lights on. Get a good deadbolt. Right? You don’t have to put iron bars on all your windows and hire security guards to patrol the perimeter.


Because the bad guys are gonna see that, and and the reality is a lot of them are very lazy, and they wanna go to the the path of least resistance. So if you’ve got your lights on and they see you’ve got a good deadbolt on your on your doors and your windows are locked, they’re gonna go to the next place that’s dark with the door wide open. Right? So security awareness training, if they try to do a a phishing attack on an organization and they get no bites, then they’re gonna move to the next organization and try that. If you’ve got a good, a good plan in place to train your staff, your folks are aware, they’ve got that healthy paranoia, that that’s half the battle. And you’re exactly right, Doug, that this is one of the first steps that you can make in building that cyber resilience in your organization.

That’s that’s that’s quite cost effective. It’s it’s easily implemented.

It is not expensive, but it starts the it starts the questioning with our our advisors and their clients of what more can we do. Okay. We’ve got an awareness, training program in place. What’s next? What can we do next? And then we can expand the conversation to multiple cybersecurity controls across the organization.

We can do KnowBe4 through about twenty of our providers. And in order to get a cyber insurance policy or renew your policy this year, you have to have a strong cybersecurity awareness practice in place. You know, I wanted to reiterate that you need lots of layers of security in place. There are things that are gonna get through, and people are gonna click on things, and that’s why we need to make sure that we have a lot of layers to help identify something that did get through so we can see it on that first day and get rid of it. But cybersecurity is not a cost savings.

You can’t just do an ROI.

It’s it’s a cost prevention.

And that cost prevention will save you money in the long run because if you get compromised and you’re down and your customers can’t buy, your employees can’t do their job, what’s the ramifications there? So everything that Jeff said, but you can get all of these cybersecurity awareness trainings through a lot of different providers in our portfolio.

That’s a great point. James Nichols asked a question that I’ve never heard come up on these discussions before, and I wanna explore it just a little bit. He’s talking about, are there companies that do security awareness training in Spanish? And it led my thoughts down a little bit of a different road.

So many times the awareness training that we do has to do with, look for things that are grammatically incorrect, look for things that have obvious misspellings, look at things that don’t use, you know, certain types of expressions correctly.

Now that’s in English.

Do these same sorts of rules apply to employees who may not speak English, but who do business in different languages.

We absolutely do, Doug.

I know there’s multiple language packages available for different things. And, you know, we keep saying KnowBe4 and Stickley. There’s other packages that are out there, but I did one for an organization that was looking for it in Japanese, and we were able to solve for that problem. So, yes, your standard languages, you know, if you have a you know, we probably cannot do it in Swahili, but, you know, Spanish, French, things of that nature, absolutely, we can. And, you know, just as a reminder for folks, if you have questions on this, contact us, and let us know because this is a good opportunity for those of you that have not sold cybersecurity in the past and are looking for that foot in the door, if you will.

This is an excellent way to start the conversation with the right people at the organizations that you’re working with.

And because I’ve got the two of you here, I’m gonna tie this into, Mark Hoffman’s question a little bit. He talks about outfitting clients with various cybersecurity defenses, tactics, and so forth.

But then there seems to be a relaxation that takes place, and you don’t hear as much about security awareness sometimes after the big cybersecurity defense has been put in. Can you ever let down your guard, and how important is that after the fact?

Do not let down your guard. If you know me, and I know a lot of the folks that are on this call today, you know me as the guy that I always say trust no one. Right? There’s there’s the adage of trust but verify.

I don’t even do that. I just trust no one. Right? So it’s a constant it’s a constant thing that needs to be, put in place in an organization.

And that’s why I always talk about the, healthy paranoia. Right? I wanna build that into an organization of every email I get that just doesn’t feel right. Doesn’t there’s something about it because trust your gut.

You’ve got to have that within an organization to stay, you know, to stay in that in that mindset of somebody’s trying to attack me. Right? We talk about white zone, yellow, orange zone, and red zone. I’m a former law enforcement guy.

White zone is where most people are, where they’re just kinda think about someone walking down the sidewalk in a in a city, la la la la la, looking at the tall buildings, dragging their purse on the sidewalk, paying zero attention. Right? That’s where most of us are, and bad guys are there. Orange zone is more of a think of a police officer that is aware but not, you know, not head on a swivel.

Red zone is going to be think of a think of a soldier in a hot zone with head on a swivel, and every shadow is a bad thing. Right? We wanna we don’t wanna be in that red zone all the time, but we don’t wanna necessarily be in that white zone. We wanna be somewhere between white and orange, right, where we know that the bad guys are there.

Not every person is a bad guy. We don’t have to make the assumption that just because you sent me an email, it’s a phishing attack. But we want to be prepared for when that does happen. What do we do?

How do we how do we deal with it? What happens if I click that link? Who do I what do I do? Who do I call?

And build that into your organization to where folks know if they do do that, they’re not gonna get fired immediately. Right? Report it.

Follow your company policy. If your company does not have policies, get with us, and we will help that that organization to get those policies in place, help you build out a good cyber resilience plan, so you don’t have to deal with that every day where people are, oops. I clicked that link six weeks ago. Right? And I didn’t tell anybody because I was embarrassed.

So you you you’ve got you’ve gotta you gotta keep it at front of mind for folks because this is our this is how we make money. Right? As an organization, we all use computers. I started in this game when very few people had a computer on their desk. Now we have them in our pockets. Right?

And it is a constant, constant Jason, you wanted to chime in here too.

Yeah. I wanted to say, you know, I know we wanna get to Ryan and and some of the identity and access management.

One last question I saw from David was, around Jeff, how do you overcome some objections when IT decision makers say we’re we’re fine in that matter, or they say, hey. We’re using Google.

So we we don’t have to worry about that.

Well, I mean, it’s it’s just like anything else. You know, you can you can you can have the argument with folks. But I I tell people what at the end of the day, the business decision is yours to make. Right? This is risk management.

Are you comfortable enough in your position with the organization that you feel that you are not at risk? This is a risk that you’re willing to accept, and just just move on with your with your life.

I cannot make that decision for you. Jason cannot make the decision for you. It is it is your business decision to make. However, my job back in the back in the day when I was in the chair as that CISO, was to make the recommendations and say, this is a risk.

Now I am advising you to take care of this risk, to mitigate the risk, not necessarily accept it, mitigate the risk. And if you don’t, then this is what could happen, and you are responsible because you have made the business decision not to, not to deal with it, to essentially bury your head in the sand. So I’m gonna need you to sign this paper. So whenever that happens, you’re not gonna hold me responsible for