If you don't know what ransomware is, chances are you haven't been victimized, yet. Let's clear the fog. Ransomware is a type of malware designed to deny access to a computer system or its data until a ransom is paid.

Some of the most vulnerable and critical agencies are being targeted: state, city and educational institutions. Recent state and local ransomware attacks include the cities of Baltimore and Albany, school districts in Louisiana and 23 cities in Texas. And this is only going to get worse.

With that doomsday prediction out of the way, it's instructive to understand why this is happening.

The targets typically do not have adequate in-house security expertise to keep up with software patches, to ensure they have the appropriate security tools to keep their systems safe, or even to maintain a good ongoing data hygiene practice.

The attackers understand that critical functions like tax payment systems or tuition e-commerce sites are the lifeblood of these taxpayer-funded entities and other smaller institutions. The longer those systems are offline, the greater the victim's pain and the greater the propensity to pay up.

Past success is a harbinger of future growth. This may sound outlandish, but it's true. Once the miscreants see that these targets have been paying up, every local, state and educational institution becomes a sitting target.

And with every passing attack, the chance that the next victim carries cybersecurity insurance increases, which means a greater (and quicker) opportunity of getting paid.

There are also lessons to be learned from how some of these affected entities decided to deal with the issue. There is no uniform or consistent response from these organizations. For instance:

Mayor Bernard C. "Jack" Young of Baltimore took to Twitter to defend his decision not to pay the ransom of $80,000 in cryptocurrency; the city is now paying the price instead, as the costs of the ransomware attack have reached $18 million, including remediation, new hardware, and lost or deferred revenue.

West Haven, CT messaged that its police IT experts determined the best course of action, given all the available information, was to pay a one-time fee of $2,000 to unlock the servers. The money was paid in digital currency. Data restoration of a critical system occurred shortly after the completion of that transaction.

Roseburg, OR public schools superintendent Gerry Washburn said that they exhausted all efforts to avoid paying the requested ransom out of concern that more damage could be caused; however, the experts ultimately determined that the solution was worth the risk.

So that is where we stand today in terms of why this is happening and how inconsistent the responses are from these unfortunate victims.

But that's only half the story. There is an urgent, and frankly existential, need to shore up the defenses NOW.

Specifically, the following steps will make for better defenses. Foolproof? #NO. Make you a tougher target compared to your sister city? #YES.

Starting with the compute side:

Understand what the critical system functions are. First, do an inventory of all the compute functions that the entity offers: email, e-commerce, chat functions... Then rank order the critical functions. Sometimes the only way to do this is to consciously turn off these systems and see the disruption they cause; the home equivalent is asking whether turning off the water, the power or the Internet is going to cause you the most angst.

Assess the security protections you have in place for these critical assets. For these prioritized assets, are there strong security controls in place? For email systems, if it is hosted in the cloud, it is time to start asking some questions of your cloud provider. If it is hosted in your own data center, ditto. And maybe use this as a trigger to see if cloud options may be a better solution. Or not.

Assign an owner for these systems. Someone whose job is to think about this day and night. That may very well mean asking for budget. But contextualize the risk by showing the impact of an attack rather than just fear mongering.

Very similarly, on the data side:

Understand what the critical data is. Do an inventory of ALL the data that you have and collect on an ongoing basis: tax returns, utility bills, mid-term papers, in-process patent filings... Rank order these assets in terms of criticality. What would cause the most damage if it were to be ransomware'd? City employees' salaries, students' term papers...

Assess the security protections you have in place for these critical assets. For these prioritized assets, are there strong security controls in place? For data it comes down to encryption, key management and data disposal.

Based on the above, a light bulb may also go on as to why you are collecting so much data in the first place. Yes, with new initiatives like Smart Cities or Digitized Education there is going to be more and more data. But don't forget the adage: more data = more risk.

Assign an owner for these systems. Someone whose job is to think about this day and night. That may very well mean asking for budget. But contextualize the risk by showing the impact of an attack rather than just fear mongering.

That is one more aspect for these organizations to stay ahead of, besides staying competitive, compliant and cash-flow positive. But in this #ransomware age, is there any other choice? The answer: a resounding #NO.