Perhaps the BEST B1G Forum anywhere, here at College Football Fan Site, CFB51!!!

You're in the tech industry, so you clearly know more than most of us here.

How do "we" accomplish this?

Who is "we" in this case? 

Individual enterprises (companies) should have a significant incentive already to maintain security. I'm not sure there is a "we" that has to do anything. It's the responsibility of the CIO/CSO (or equivalent position in smaller companies) to figure it out. That involves both security policies and employee training. Hell, about once every month or two I get an email that's designed to mimic a phishing attack and I hit the little "report phishing" button in Outlook, and get a congratulations email from our IT department for catching it. In that case there is no "we". And last year we went to a specific two-factor authentication protocol on top of existing security measures.

Anything owned by the government, it's the government's responsibility to make sure it is appropriately secure and hardened against attack. Same thing re: security policies and employee training. In that case the "we" is obvious--the government entity is responsible. 

As it relates to anything non-government involved in government contracting, utilities, "critical infrastructure", and the like? I'd probably make sure that all of those entities have either via regulation or via their contracts with the government, adequate cybersecurity protections and training programs in place and that they're regularly audited to remain in compliance. In this case the "we" is government, but indirectly via regulation of those third parties / critical infrastructure. 

Who is "we" in this case?

Individual enterprises (companies) should have a significant incentive already to maintain security. I'm not sure there is a "we" that has to do anything. It's the responsibility of the CIO/CSO (or equivalent position in smaller companies) to figure it out. That involves both security policies and employee training. Hell, about once every month or two I get an email that's designed to mimic a phishing attack and I hit the little "report phishing" button in Outlook, and get a congratulations email from our IT department for catching it. In that case there is no "we". And last year we went to a specific two-factor authentication protocol on top of existing security measures.

Anything owned by the government, it's the government's responsibility to make sure it is appropriately secure and hardened against attack. Same thing re: security policies and employee training. In that case the "we" is obvious--the government entity is responsible.

As it relates to anything non-government involved in government contracting, utilities, "critical infrastructure", and the like? I'd probably make sure that all of those entities have either via regulation or via their contracts with the government, adequate cybersecurity protections and training programs in place and that they're regularly audited to remain in compliance. In this case the "we" is government, but indirectly via regulation of those third parties / critical infrastructure.

I shouldn't admit to this, it's embarrassing,  but a couple of years ago I actually got caught by one of our IT department's fake phishing emails.  It was really, REALLY well done.  But even so, I should have caught it.  Honestly our corporate filtering is so good that REAL ones never make it to me.

They warned me and said if I missed another one I'd get reported to my manager and have to go through some extended compliance training. Ugh.  Suffice to say I've never missed another one.

I hear you. I *almost* got caught by one. Every other time I've spotted them just from the email and report, but I actually clicked the link on one because I wasn't thinking and didn't get the heebie-jeebies until then... Didn't put in my credentials though, so it doesn't count as a fail

And nobody took away any of my access, so I guess they didn't think less of me lol...

They had me upon first click, didn't even get to a credentialing page, just a pop-up that said:

They had me upon first click, didn't even get to a credentialing page, just a pop-up that said:

LOL... They went Candace and Vanessa on your ass?

Well, it's possible I added that bit of color myself, for the sake of a good story.  I'm sure it was something much more sterile and corporate.

HOWEVER

New Phineas and Ferb season coming sometime in 2024.  I'm so excited!  We're gonna throw a themed/costume party for the debut, my daughter already has a Perry onesie, and I'm sure I can find a white lab coat somewhere.

LOL... My oldest (16) has traded in Phineas and Ferb for physics videos on YouTube. My middle child (14) is all-in on Star Wars. And the youngest (11), well, all she cares about at this point is Taylor Swift. 

I did always enjoy Phineas and Ferb perhaps more than I should have at my age when the kids were still watching it, though...

The real security threats tend to creep up where you're not looking, or forget to look, like maybe there's a small bit player who is  a vendor to a city or maybe they contributed a piece of middleware a decade ago and it's so small that nobody thought to patch it over the years.

Something like this happened I believe it was around here like 10-15 yrs ago. With a local Target if I'm recalling correctly.And it involved a HVAC company who getting paid from them for contract work.Turns out that company's security had been compromised and the hacks got past their clients security and grabbed a bunch of credit card info and such

My cousin's husband was in the computer side of a large bank here back in the day.  I recall him chatting about how folks try and break their security ~20 years ago, broadly, it was interesting.  It was a nonstop effort by their department.

The blackmail attempt apparently just hit Fulton County, it's not known if the county paid ransom or not.