Cybersecurity is dead. Let’s face the facts here, folks – it’s hopeless. The bad guys have won and anyone who depends solely on prevention is doomed. Cyberattacks are, at their essence, just like any other type of crime: you can make all the efforts to prevent it from happening but in the end it’s going to happen anyway, so you have to be prepared for it.

I mean, really – do I have to remind anyone of the companies that supposedly protected their data and, well, didn’t? Equifax is just the latest. Has everyone forgotten about Target, Citibank, Sony or the almost comically colossal screwup of THREE BILLION records revealed at Yahoo!? Ok, if you’ve been living in a cave for a while how about this: The NSA – yes, that’s right, the top-secret, James Bond-ish superspy arm of your U.S. government – was hacked. And let’s not forget that the government agency tasked with making sure that public companies disclose everything – the SEC – has been breached, too.

Is there no safety from hackers anywhere? Actually, no, there isn’t.

Crime prevention goes back to prehistoric times when cavemen would light fires to keep animals from stealing their food stocks. More recently, since the days of the Lindbergh kidnapping, high-profile individuals have taken precautions against being taken hostage. Sophisticated diversion schemes, armored vehicles, escape plans and other preventive measures slowed it down, sure, but ultimately kidnappers can’t be stopped and the best we can do in many cases is to put a child’s photo on a milk carton. That’s not prevention – it’s recovery.

Ditto the approach towards robberies. Banks with huge vaults, massive automated locking doors and armed guards don’t stop about 4000 attempted robberies per year, roughly 25% of which go unsolved. So even though banks and law enforcement try as hard as they can to prevent the robberies, it’s the FDIC that protects customers’ money (now up to $250,000 per account). Again, prevention fails a great deal of the time so recovery – this time of money – is the ultimate plan.

Pick your crime: Kidnapping (ransom), robbery (theft of money or property), assault (attacking someone with the intent of doing them harm) or even shoplifting (grabbing something off the shelf and dashing out the door) has its equivalent in cybercrime. And in all cases the real-life crimes foreshadow the cyber versions in intent, execution, prevention (or lack thereof) and recovery.

The problem that the cybersecurity industry is perpetuating, in my opinion, is that there’s too much focus on the prevention and not enough on the recovery. In an earlier article I wrote, “Yogi Berra was never in the cybersecurity business,” I noted that the “Four Rs” of cybersecurity are: Resist. Restrict. Recover. Report. Too many people forget that third “R” and don’t plan enough for the recovery.

Don’t get me wrong – I’m all about educating employees not to click links, showing people what phishing emails look like and how to report them to the IT department, tightening up firewalls, installing virus detection and putting up whatever other obstacles can be erected that will block, delay or divert a hacker. But in the end, just like a house with a sophisticated burglar alarm system, dead-bolt locks, crash-proof glass and a really mean dog, if a pro wants to get in, they’re getting in.

Recovery takes planning and planning takes analysis. What you need to do is to take a close look at your own situation and decide how you’d best recover when you get hacked or held hostage by a ransomware attack (probably the most likely scenario today). Ask yourself (and your IT department) these questions:

1. If you were hacked, what would you do?

If your internal operations – everything from HR to manufacturing – were held hostage by a hacker who slipped ransomware into your network (which is appallingly easy to do), what would you do? Do you have the backups and the plan to roll back your system to a snapshot taken prior to the hack? Does your team have workarounds planned in the event that all Internet-based data is offline and unavailable for several days? Can you remain off the grid and still in business?

2. How frequently is your data backed up?

Are there so many things changing on an hourly basis (pricing, inventory, travel plans, payroll, medical records, etc.) that a nightly backup isn’t sufficient? What precautions have you taken to keep your backups current… and to make sure that they are maintained long enough to allow you to roll back to a point prior to when the cyberattack occurred?

3. Will you pay the ransom?

Have you developed a strategy and decision tree that prepares you to determine whether to pay up when a ransomware attack hits? Has your Board approved of this strategy in advance? Wasting precious hours of non-operational time while trying to get a quorum of your Board together for a vote to determine whether to pay a million-dollar ransom could be devastating to the company. Know your limits… are you willing to pay $10,000, $100,000, $1,000,000 as ransom payment for your system – or nothing at all?

4. What about the companies and people you work with?

Have you checked the security status of the vendors, divisions, contractors and everyone else connected to your company’s network? Do your C-Level executives understand that it’s not just your cybersecurity but that of everyone who is connected to you that determines your overall resistance to cyberattack? Bad cyber-hygiene affects everyone that touches the infected system, not just the original victim.

5. What’s your communication plan?

Finally, do you have a plan in place to report – to the public, the media, the Board and others – what happened, how much damage was done, whether or not you paid any ransom and what you have done to prevent a similar attack from occurring again? Covering up is frequently worse than the consequences of the actual hack. Don’t think for a minute that the news won’t get out. It will. Plan for it.

If you’re the CEO of the company, pay special attention to the recovery and reporting aspects of a cyberattack. Not only will it determine the public perception of the company and the amount of long-term damage to its business and reputation, but it might have a lot to do with how long you keep your job.

In short, my mind has changed about cybersecurity. While someone looking at this out of context might think that I’ve thrown in the towel, I haven’t. Instead, I’m looking at this as a change in strategy. It’s a fundamental shift in thinking from “How do I stop this?” to “It’s going to happen so what do I do to prepare for it?”

It will almost certainly happen to your company. The only viable approach to take is to raise the level of cyber awareness and then plan for the inevitable. A solid recovery plan is the best form of damage control in today’s cybersecurity environment. Get ready.