There is a old movie about pickpockets called Harry in Your Pocket. Harry, the master thief, has never been caught because he abides by one strict rule: Harry never holds. Once he has stolen a wallet, he immediately passes it off to an accomplice.
On occasions when I shared responsibility for network security, my mantra was: Harry never holds. The best way to protect valuable data was to avoid it like the plague. Never gather it. Never accept it. Never keep it. Never, ever hold.
There are times when it's nearly impossible to avoid the data, but adhering to the that rule as closely as possibly was an important step in minimizing risk.
Twenty years ago, for organizations that didn't hold valuable data, the greatest risks associated with hacking came from the possibility that their systems might be misused or vandalized. The mail server might be used to send spam, the public FTP site might be used for serving warez, the website might be vandalized. Script kiddies were the primary threat; if you didn't hold credit cards or other financial data, there were few compelling reasons for a skilled hacker to go to the effort to break into your systems.
That, unfortunately, has changed: With the advent of ransomware, everyone holds valuable data. Let's suppose your company designs embedded systems for household appliances. Setting aside the relatively slim threat of industrial espionage, who would want to steal that? You're not likely to get much of an offer if you try to hock proprietary C++ code at the local pawn shop.
Ransomware changes the nature of financial incentives for hackers: Now, the value of your data for your own organization is its exact value to a hacker. (I'm going to avoid the temptation to digress into a rant about the role of cryptocurrency in enabling ransomware and opening new streams of revenue for thieves, terrorists, and repressive regimes.)
Times have changed. Harry may not be holding the wallet that he just lifted, but he's got those valuable kidneys, lungs, and a pretty decent liver. They'll fetch a good price. It's way more than what he had in that wallet.
