People really should get competent cyber security help, and at least follow industry best practices. But they won't because it costs "too much money" and causes "too much extra work". And I've seen it go beyond what most people would think is reasonable - there's a consulting company where it takes 45 minutes to turn on the laptop and log in because of all the security steps and network layers needed. It's impossible to get files on and off except (for some reason) via Facebook and SharePoint. This place is probably pretty ransomware resilient, and I'd agree difficult to hack. But it costs all of their employees 45 minutes every day to get started and any time they need to reboot or lose the Internet for any reason with their laptop. They're paying something like a 15% productivity hit.
Most people and places won't burn employee time like that, but this is why they get hacked, and honestly - all that security still is pretty vulnerable if Facebook is involved IMO. You can't leave a "weak spot" - because that is your security level - your weakest spot.
What's worse is you can't really do anything secured like you used to - Windows and macOS both basically require the Internet for near constant patches, forget about the software *on* the computers. You're actively fighting Microsoft to lock stuff down, yet most software is developed for Microsoft, so you're kind of over a barrel. If you've got the will, skilled employees, and time, you can implement less well known software or homemade software on a locked-down Linux stack, but now you've got the problems of your software probably not being the most securely written - not that the commercial products are necessarily better - but you do get the economy of scale for getting bugs found, patched and deployed.
The other issue is almost no one prioritizes security in development - saying you made a big security push or implemented something like SELinux or AppLocker really only sounds interesting to a very small group of cybersecurity people - and no customers are beating down your door about it unless it's reactive to a current problem. But a new feature or version or theme? All the money comes in. This leads to the horrible idea of Minimum Viable Product where it's basically a PoC sold as soon as it "runs", forget about looking for bugs or doing anything secure.