At last count, more than 200,000 victims in 150 countries have been hit with the weaponized WannaCry ransomware worm. In the United Kingdom, the National Health Service was hit hard by the worm, potentially threatening patients’ lives.

Haven’t we had enough? It’s time to stop pretending that lukewarm, poorly executed security measures are really doing something about the problem. Good computer security solutions exist that will absolutely diminish cybercrime. We just have to recognize and apply them.

We should already have been doing this for decades, but the criticality of the internet and the coming IoT era make the need for stronger solutions more urgent than ever. As Bruce Schneier says in my recently released book, “Hacking the Hacker,” IoT represents a tectonic shift in security:

It’s one thing when a spreadsheet has a vulnerability and crashes or gets compromised. It’s something else when it’s your car. Weak computer security will kill people. It changes everything! I testified in Congress last month about this topic. I said now is the time for getting serious. Playtime is over. We need to regulate. Lives are at stake! We cannot accept the same level of crap software full of bugs. But the industry isn’t prepared to take it seriously, and it has to. How can the people working on better securing cars actually do that when we’ve never been able to stop hackers and vulnerabilities in the past? Something has to change. It will change.

Meanwhile, we’re still waiting for substantive action. For example, President Trump’s cybersecurity executive order may seem like a step in the right direction, but it’s filled with much of the same language and broad focus that doomed previous initiatives. Until we have defined tactical requirements with specific accountability, not much will change. We already have enough frameworks and policies to shake a stick at.

So what can you do to significantly diminish the risk of computer crime? Start with these straightforward objectives:

1. Take security seriously

Sure, everyone claims to take computer security seriously, but that just isn’t true in most companies. In reality, operational considerations almost always win out and computer security is treated as a necessary, expensive evil that everyone knows will not work. It isn’t that computer security can’t work—it can. But if you want to succeed, you have to admit that what you are doing right now is not working, figure out why, and start focusing on the right things.

2. Use your data to drive defenses

Understand how your company is currently being broken into (social engineering, unpatched software, malware, etc.), which is usually predictive of how it will be broken into in the near future. Consider not just the number of incidents, but also damage impacts. Your company may have detected many attempts to implant malware, for example, but ends up suffering the largest monetary losses from social engineering.

Figure out your biggest causative agents of how badness gets into your environment and use that as your starting point. The amazing thing is that your data will often contradict not only your personally held beliefs, but also go against the most beloved computer security canons that everyone believes are true even when they really aren’t.

3. Use whitelisting

It’s time for every company to implement strict application control whitelisting, which will only allow predefined and integrity-verified applications to run. Application control is not easy to implement—it takes time, testing, and resources. But ultimately, you need to bite the bullet and do it.

I guarantee you application-control whitelisting will become commonplace in the near future. Every day you procrastinate about starting a whitelisting initiative, the less you can legitimately consider yourself serious about computer security. Luckily, many OS vendors, including Microsoft (using AppLocker and Device Guard), have long bundled application control applications with the OS. Plus, there are dozens of application control programs to choose from, including Lumension, McAfee, and Carbon Black.

Application control can’t stop all hacks, but it’s the single best thing you can do to significantly reduce the risk of successful attacks by malicious hackers.

4. Improve patching

In my entire career, I’ve never come across a fully patched computer. Some critical patch is always missing.

For three decades, unpatched software vulnerabilities have been either the No. 1 or No. 2 way hackers and malware break in, so I find it stunning that the world doesn’t do a better job at it. Even if you think you’re doing a pretty good job at patching, you probably aren’t. You want to do a perfect job—and be able to back that up with data.

5. Roll out more and better social engineering training

Social engineering, whether via phishing emails, sketchy webpages, or some other trick, is right up there with software vulnerabilities as an avenue for malicious hacking. Serious hacking jobs generally involve social engineering in some capacity. It’s a top risk. Treat it like one.

6. Get rid of passwords

Lastly, if you get rid of passwords and replace them with some sort of two-factor authentication, you’ll make social engineering and phishing attempts less successful—at least, those that involve stealing and reusing logon passwords. Remember that long, complex, and frequently changed passwords are probably not helping you as much as you think.
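
To make objective 2 (use your data to drive defenses) concrete, the following added example, which is not part of the original article, ranks root causes by attempt count and by monetary loss and then picks the causes that account for most of the damage. The incident records, category names, dollar figures and the 80 percent coverage threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample incident log: (root_cause, succeeded, loss_usd).
# Categories and figures are illustrative assumptions, not real data.
INCIDENTS = [
    ("malware", False, 0), ("malware", False, 0), ("malware", False, 0),
    ("malware", False, 0), ("malware", False, 0), ("malware", True, 4_000),
    ("social_engineering", False, 0),
    ("social_engineering", True, 90_000),
    ("social_engineering", True, 35_000),
    ("unpatched_software", False, 0),
    ("unpatched_software", True, 20_000),
    ("password_reuse", True, 1_000),
]


def summarize(incidents):
    """Aggregate attempts, successful compromises and losses per root cause."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "loss_usd": 0})
    for cause, succeeded, loss_usd in incidents:
        row = stats[cause]
        row["attempts"] += 1
        row["successes"] += int(succeeded)
        row["loss_usd"] += loss_usd
    return dict(stats)


def rank(stats, metric):
    """Root causes ordered from highest to lowest on the chosen metric."""
    return sorted(stats, key=lambda cause: stats[cause][metric], reverse=True)


def starting_points(stats, coverage=0.8):
    """Smallest set of top causes that accounts for `coverage` of total loss."""
    total = sum(row["loss_usd"] for row in stats.values())
    chosen, running = [], 0
    for cause in rank(stats, "loss_usd"):
        if total == 0 or running / total >= coverage:
            break
        chosen.append(cause)
        running += stats[cause]["loss_usd"]
    return chosen


if __name__ == "__main__":
    stats = summarize(INCIDENTS)
    print("by attempts:", rank(stats, "attempts"))
    print("by loss:    ", rank(stats, "loss_usd"))
    print("start with: ", starting_points(stats))
```

On this sample, malware leads by attempt count while social engineering accounts for most of the loss, which is the divergence the article describes.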