"Why Me?" The Question You Shouldn't Be Asking...
I spent some time over the weekend helping a friend whose business was hit with a #ransomware attack. He was beside himself with stress, rightfully so. Luckily we could get him back in operation without too much negative impact. He runs a tiny business with 3 employees, and everything they have is backed up in the cloud. So not an end of days scenario, but a problem that caused him and his family and employees angst, stress, rage, and a feeling of failure. It sucks to watch someone go through that.
But as we were doing what we could to get him back up and operational, he asked the question I hate to hear. "Why us?" He asked with a tear in his eye. "Why not?" I responded. The look on his face was shocked and hurt that I could be so unsympathetic to his plight. Immediately the rage button activated, and his anger over the situation came out. "Thanks, Chase, that's really helpful. Here I am, watching my business bleed out, and you are taking the bad guys' side." Now the younger me always liked a good fight, ok I still do, but I have finally outgrown my childish side (ok, somewhat), and after choking back my immediate knee-jerk response, I thought it was time to remind my buddy, "why" this happened.
"You aren't special. Remember the twenty times I chatted about some basic things you needed to do to be safer online, and you always nodded your head but never actually did anything about it? Do you recall me telling you your users didn't need powerful computers with #powershell enabled? Can you recall when we discussed setting up #remotebrowserisolation and #mfa for your users (instead of #phishing #training)? That's why this happened, jackass. Your business isn't special. You have connections to other valuable networks and relationships that can be exploited for #bec activities. The bad guys you mentioned have zero problems hammering you simply because you exist. You are the low-hanging fruit, the slow gazelle, and the lions finally caught your scent. I am here to help, but you deserve this. You earned it by not moving on to your security controls sooner. If you are looking for someone to pat your back and tell you it's not your fault, that ain't me." My words seemed to hit him like a freight train.
Thankfully, he had moved to a backup system that kept most of his valuable IP in the cloud, and because he had a minimal user base, the account restoration took a few hours. The rest of our collaboration was less friendly, sadly. We can be helpful and supportive to one another, but it's not helping to lie to our family and friends and not tell them the truth. It sucks when someone holds the mirror up in front of you and reminds you that you chose the fate you are now facing.
The bill comes due in #cybersecurity one way or another; sooner or later, the bell tolls for thee. Everyone pays in one way or another; that payment doesn't have to be expensive if we do things smartly. If, and that's a big if, you focus on the realities of the threat space and tailor defenses to remove the #adversaries' ability to be successful, you can keep the costs down and employ solutions that are based on the threat, not on pontificating and marketing. Other tools, technologies, and tactics are valuable, but not all neat tools are always necessary. And many certainly aren't needed now. The basics matter most, first. Everything else comes later.
Tomorrow is too late. You and I aren't unique. If we are the prey on the #cyber Serengeti and the predators have our scent, then it's only a matter of time. The best way to avoid winding up as a picked carcass is to stay ahead of the herd and be the more challenging target.
Don't ask "why me" when a #cyberattack happens. Ask, "Why not me." The bad guys asked that exact question right before they came at you.
Cybersecurity Engineer & Architect at Quantum AI Security, LLC| Protecting Systems, Data, and Networks | Expert in Security Solutions, Compliance & Risk Mitigation
1y: Owners that do not even try to comply with the standard security do have it coming to them. They are also going to bring a world of aggravation when the government has to add regulations to force them to protect themselves. Great article.
Storyteller | Researcher | Cybersecurity Community Builder
1y: I always start by asking what I can learn from it.
Founder & Managing Partner at Workplace Wave
1y: Thanks for sharing this. Your friend’s reaction is exactly what thousands of businesses go through every day, as you know all too well. Keeping IP and mission critical data secure is essential. That’s exactly what darkcryptonite.com was designed to do. Let’s Cyber-up! Tyler Cohen Wood CISSP Dr. Chase Cunningham Aaron Lax Michael Friedrich Roy Bloomberg
Cybersecurity Leader | CxO Advisor | Bestselling Author | GT Blogger: 'Lohrmann on Cyber' | Global Keynote Speaker | CISO Mentor
1y: Well said Chase. I love the emotions included, which I have seen in these situations as well. Thanks for your leadership.
I help elder care, real estate, family law, and tax law firms protect their critical data and reputation through my S.E.C.U.R.E. cybersecurity program.
1y: Awesome post and SO spot on.