Here’s the brutal truth: It doesn’t matter how much your organization spends on the latest cybersecurity hardware, software, training, and staff or whether it has segregated its most essential systems from the rest. If your mission-critical systems are digital and connected in some form or fashion to the internet (even if you think they aren’t, it’s highly likely they are), they can never be made fully safe. Period.
This matters because digital, connected systems now permeate virtually every sector of the U.S. economy, and the sophistication and activity of adversaries — most notably nation-states, criminal syndicates, and terrorist groups — have increased enormously in recent years. Witness the attacks in the United States on Atlanta’s municipal government and on a data network shared by four operators of natural-gas pipelines, the theft of data from Equifax, and the global WannaCry and NotPetya malware attacks. In many of the most notorious incidents of recent years, the breached companies thought they had strong cyber defenses.