Two Years of the Blog: What We Got Right, What We Got Wrong

Two years ago today, we published our first blog post about the Hollywood Presbyterian ransomware attack. Since then, we've written about Yahoo's 3 billion accounts, WannaCry shutting down hospitals, NotPetya causing $10 billion in damage, Equifax losing half the country's Social Security numbers, and Facebook's data being harvested for political targeting.

It's been a lot. Let's take stock.

What We Got Right

Ransomware Got Much, Much Worse

In April 2016, we said ransomware would become the defining threat to healthcare. That turned out to be an understatement. WannaCry and NotPetya went beyond what anyone predicted. Ransomware evolved from a nuisance into a global weapon. Every warning we issued about backups, patching, and network segmentation was validated in the most dramatic way possible.

Patching Is the #1 Defense

We said it in our first post. We've said it in dozens since. The three most destructive attacks of 2017 (WannaCry, NotPetya, and Equifax) all exploited known vulnerabilities for which patches were already available. The patches existed. They weren't applied. Patching remains the single most effective defense against the most common attack vectors.

Two-Factor Authentication Matters

We've been pushing 2FA since mid-2016. In two years, not a single practice we work with that has implemented 2FA on email has experienced an account compromise. The evidence is overwhelming.

Supply Chain Risk Is Real

We warned about vendor security after the Panama Papers. NotPetya confirmed it spectacularly: a compromised software update was the initial infection vector. Your security is only as strong as your weakest vendor.

What We Got Wrong

We Underestimated the Scale

We thought breaches would get worse. We didn't think they'd get "3 billion Yahoo accounts" worse or "every Intel processor ever made" worse. The scope of 2017's events exceeded even pessimistic predictions.

We Overestimated the Speed of Adoption

We assumed that after WannaCry and Equifax, practices would rush to implement security improvements. Some did. Many didn't. The gap between knowing what to do and actually doing it remains frustratingly wide.

We Didn't Predict the Cover-Up Problem

Uber hiding a breach for a year. Yahoo's delayed disclosures. Equifax's bungled response. We focused on technical threats and didn't give enough attention to the organizational failures that make breaches worse: delayed disclosure, inadequate response, and corporate cover-ups.

What We've Learned About Writing This Blog

Real events resonate. When we tie advice to actual incidents, people pay attention. Abstract security tips get filed away. "Here's what happened to this hospital" creates action.

Repetition is necessary. We've written about two-factor authentication, backups, and patching more times than we can count. People need to hear things multiple times before they act. That's not failure. That's how behavior change works.

Simple beats complex. Our most-read posts aren't the technical deep dives. They're the practical guides: "Here's what to do." Actionable, specific, and simple.

Year Three

GDPR takes effect next month. Privacy regulation is coming to the US. Cloud adoption is accelerating. AI is becoming a factor in both attack and defense. The landscape keeps shifting, and we'll keep writing about it.

Thank you for reading. Here's to year three.