Chances are you\u2019ve seen a similar image over the past several months.\u00a0 Either on internal systems (hopefully not) or within the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences.\u00a0 It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it\u2019s not new. \u00a0Also, not new are the fundamental security building-blocks necessary to mitigate its impact or the fact that it represents a cyber risk.What does seem new is the incredible amount of singular focus on these incidents around the \u2018cyber watercooler\u2019 that drowned out the broader discussion of the underlying principles comprising a solid cyber security program.\u00a0 In addition, the tenor of the cyber risk discussion has seemingly changed as well, from an enterprise-level conversation to a single-point conversation.\u00a0 Neither of these trends\u00a0are positive.The first significant ransomware instance occurred in 1989.\u00a0 It was coined the AIDS trojan and was released on 5.25\u201d floppy disk.\u00a0 Similar to today\u2019s modus operandi, it attempted to extort currency from victims by encrypting their hard drive and demanding payment for decryption.\u00a0 It was ultimately unsuccessful due to several factors, despite the lack of security in place at the time, but set a precedent with regard to criminal motivation and intent.\u00a0 As most companies had yet to adopt personal computing and the internet was still in its infancy - used primarily by academia and scientists - the risk and potential of malware wasn\u2019t well understood or communicated.Throughout the 90\u2019s the use of personal computing and the internet grew exponentially along with the creation of standardized operating systems and associated applications.\u00a0 The adoption of personal computers and enterprise-level functionality increased within corporations as well, becoming the table stakes necessary to keep up with an increasingly connected marketplace.It was during this time that a need emerged for organizations to create processes to manage and maintain their technology stack along with the need to hire internal [or external] experts to manage and refine those processes.\u00a0 Building blocks emerged that formed the basis for how IT and cybersecurity\u00a0is run today.\u00a0 Identity and access management, anti-virus, firewalls, enterprise email, instant messaging, VPN, cryptography \u2013 all were developed rapidly during the technology boom of the 1990s.\u00a0 While security was becoming more relevant and the notion of IT security risk was beginning to emerge, the major focus from an IT risk perspective centered primarily on availability and emerging IT processes reflected the focus on that aspect.The late 1990s (and early 2000s) brought with them a new development in cybercrime.\u00a0 The first significant uses of malware for financial gain began to manifest themselves within online banking applications. As waves of consumers adopted the convenience of managing their money without having to leave home or work, the criminal acquisition of credentials became both highly sought-after and increasingly more profitable. \u00a0The ability to transfer funds internationally had also advanced significantly, allowing cybercriminals to exploit this threat vector quickly and without a high likelihood of being apprehended.\u00a0 As a result, the concept of cyber risk truly began to take shape.\u00a0 Losses could now be measured in hard numbers that directly affected an organization\u2019s bottom line and the realization emerged that steps had to be taken to address these new threats.Financial institutions and regulators responded to this realization by producing several significant requirements designed to directly address IT security and cyber risk.\u00a0 GLBA, SOX, NIST and BASEL, to name a few, all intended to provide some semblance of best practice requirements while allowing institutions flexibility to implement the requirements in alignment with business goals.\u00a0 While this didn\u2019t specifically address the malware threat, it did begin to form the basic building blocks of a sound security program, complete with increasing consequences for not adopting some form of security process.The mid-2000s and early 2010s brought the first \u2018modern\u2019 ransomware and the precursors to today\u2019s crypto-ransomware.\u00a0 Gpcoder, Winlock and so-called Police ransomware utilized a \u2018locker\u2019 approach, requiring victims to pay a fee to unlock files or perform some money-generating action to remove malicious functionality.\u00a0 Police ransomware (locking the peripherals and displaying a warning screen from a supposed law enforcement agency) began to show the emerging effectiveness of social engineering.\u00a0 In many cases, the user\u2019s IP address was displayed, the screens were generated in a victim\u2019s native language and a local or regional law enforcement logo was used, adding perceived legitimacy to the attack.\u00a0 While these early variants were impactful, they were easily mitigated (compared to today\u2019s efforts) due to their weak encryption and relatively basic infection methods.Standards continued to emerge and evolve simultaneously to address these threats.\u00a0 \u00a0In 2004, for example, the 5 largest payment card brands combined their individual security requirements into the PCI DSS, establishing 12 standards sections for accomplishing 6 objectives.\u00a0 While opinions vary on the effectiveness and necessity of the PCI DSS, many of the key requirements and processes in the standard outlined ways to address the threats.\u00a0 Encryption standards, network segmentation, vulnerability management, file integrity monitoring, training and awareness, perimeter security, etc., all could be applied in varying degrees of strength and effectiveness throughout the corporate infrastructure (not only within the cardholder data environment) to make organizations more secure.Today\u2019s modern ransomware emerged in 2013 and has been dominant since.\u00a0 Crypto-ransomware and its progressively more automated infection methods are straightforward and effective, encrypting the victim\u2019s files using strong encryption and demanding payment using various means \u2013 most frequently today, cyber currency.\u00a0 Recovery from these outbreaks is much more difficult and some organizations have had to resort to reformatting their entire hard drive population to remove the infection.This standard and threat progression has produced two additional trends.\u00a0 First, it made security more challenging to design and implement.\u00a0 Transforming enterprise architecture, for example, from a flat network to a segmented network and creating processes to deploy, manage and maintain encryption keys, were not small efforts.\u00a0 They required focus on people, process and technology to be effective.\u00a0Secondly, as security became more complex, effective enterprise implementation required knowledge, awareness and support from the business units within the organization.\u00a0\u00a0 Security leaders who recognized this, and could demonstrate and communicate the necessity of security being a critical part of doing business, typically received the funding and support required to build world-class programs.The moral of the story is that, while there\u2019s no such thing as 100 percent secure, the processes, tools and expertise to combat the threat has been around almost as long as the threat itself.\u00a0 The two most recent outbreaks\u00a0\u2013 WannaCry and Petya, for instance, likely could have been greatly minimized or potentially avoided altogether by focusing on the fundamentals.\u00a0 The fixes were there well in advance of the outbreaks.\u00a0 It simply took awareness and execution to address them before something bad happened.No one can predict the future.\u00a0 There will be bona fide threats that emerge without warning that the industry will have to collaborate on to address.\u00a0 In the meantime, let\u2019s cut through the \u2018noise\u2019, recognize today\u2019s (ransomware) threats for what they are and how they compromise the organizations we\u2019re responsible for protecting.\u00a0 Let\u2019s focus on ensuring the foundational building blocks are in place (patching, backups, vulnerability management, etc.) and be as ready as we can be to respond to future security news that\u2019s new.