• But a lot of this is simply board members and C-Suite not allocating enough dollars for proper hardware, software, and strongly knowledgeable minds to implement good security.

    The stolen data was encrypted, so all the hackers were doing was stopping business from being run. With that being said, if you think it’s just about ‘implementing good security’ I think you’re out of your depth when it comes to just how large of an attack vector it is and how sophisticated the attacks can be. We’re talking about an industry where people are willing to cough up millions of dollars to recover data in some cases, meaning that it attracts some of the best talent in the world to coordinate attacks and the attacks can be extremely sophisticated.

    • Sure. Allow me to give you a little background about my area, from personal experience a hundred years ago in the industry: security by obscurity was the standard, a CTO had zero experience with anything computer related, beyond powering his on and pecking out emails, was not interested in learning about (let alone learning any) current or new technology, coding, or security related. The sysad couldn’t code a lick, depended on an online scanner for malware removal (and it was a persistent problem), and did absolutely zero auditing, wondering why the better team members stayed long enough for a reference and ran screaming. This was the worst, but not by much, company I worked for in the industry in a very wealthy area. I’m sure things have changed over the years, but from friends in the industry, not by much. They still stay long enough for the reference of official experience, then end up moving companies, or the better ones go on to self-employment, often contracting for the same companies, at 4x the hourly rate, because it’s still cheaper than getting sued by clients or the government.

      The weird thing is, I’m about to try to re-enter the industry, personal and industry issues aside, at a later point in the year.