The good news in cybersecurity is that we can control our own terrain. What that means is.... If you think like an adversary and you think about what the adversary is going to try to do.... They have their terrain where they're launching attacks from the offence. It's not the duty of the private sector to be concerned with that; it's the duty of governments. As an organization, whether you're a government organization or otherwise, you can reorder and configure your terrain to harden yourself quite significantly against an attack. This means you set up your perimeter defence. You have your firewalls. You're encrypting your email. You have multi-factor authentication for your users and you invest in this microsegmentation capability. That way, if someone breaks past your defences, they're going to be stopped in their tracks inside your data centre or your cloud.
If you've done all that and you've invested in cyber-insurance, you're going to have taken some very strong steps. You would assume, then, talking to a bank or a major institution, that they would have done this. The number of times when I give an address to a cybersecurity community and I say to raise their hands and tell me how many of them use multi-factor authentication, it's less than 20% almost every time. When I ask how many of them encrypt their emails, the numbers are also very low. This does get to the sort of nudging and regulatory demand.
I think, though, that if we take these steps, we can put ourselves at a significant advantage against those who would try to intrude against us. You can block 95% of the intrusions that would happen, or you can prevent the damage from 95% of the intrusions that would happen. There does ultimately have to be a partnership with the government in order to impose sanctions, or punitive measures, in the cases where you may not be able to do so as an organization.