Blog
← Back to Blog
April 05, 2019 general

Three Years of the Blog: A Cybersecurity Time Capsule

Three year business milestone Team milestone and reflection

Three years ago today, we published our first blog post about a hospital that paid $17,000 in Bitcoin to ransomware attackers. At the time, it felt extraordinary. Today, a $17,000 ransom wouldn't even make the news.

In three years, we've covered: two Yahoo breaches (3 billion accounts), WannaCry (200,000+ infections in 150 countries), NotPetya ($10 billion in damages), Equifax (147 million SSNs), Cambridge Analytica (87 million Facebook profiles harvested), Marriott (500 million guest records), Meltdown/Spectre (every processor on the planet), and GDPR (the most comprehensive privacy regulation in history).

The cybersecurity landscape is unrecognizable from April 2016.

What's Changed in Three Years

Scale

In 2016, a breach affecting millions was shocking. Now, breaches affecting hundreds of millions barely sustain a news cycle. The Yahoo 3-billion-account revelation would have been unfathomable in 2016. By 2018, it was historical context.

Sophistication

Ransomware evolved from simple file encryption to self-spreading worms (WannaCry) to destructive wipers disguised as ransomware (NotPetya). Supply chain attacks went from theoretical to devastating. Nation-state tools leaked to the public and powered the worst attacks we've seen.

Regulation

GDPR transformed global data privacy. CCPA is coming in California. Privacy regulation has gone from voluntary guidelines to enforceable law with serious financial penalties. The regulatory landscape in 2019 bears no resemblance to 2016.

Awareness

The good news: everyone knows cybersecurity matters. Practice owners, office managers, front desk staff. The threats are understood. The gap is no longer awareness. It's implementation.

What Hasn't Changed

Three things remain stubbornly consistent:

  1. Patching prevents most attacks. The top attacks of each year exploited known, patched vulnerabilities. This has been true every year since we started writing.
  2. People are the weakest link. Phishing, social engineering, and credential theft remain the primary attack vectors. Technology can't fully solve a human problem.
  3. Backups save businesses. Every ransomware story has the same resolution: practices with good backups recover, practices without them suffer.

Year Four

What's coming: ransomware targeting managed service providers (hitting hundreds of businesses through a single compromise), increased cloud security challenges as migration accelerates, AI being used in both attack and defense, and the continued expansion of privacy regulation.

We'll keep writing. Three years of evidence shows that informed practices are safer practices. Thank you for reading.