Re: Dumb and Dumberer
It's predicated on the false assumption that people buy the insurance rather than fix their legacy software and hardware estates, and it's also predicated on IT being the fundamental reason a business exists rather than a useful tool like accounting or sales people.
This is exactly what's going on though. Having spent a few years doing on-site testing for CE+ (which is pretty basic stuff, nothing like a full-on pentest) I am absolutely astounded at the shocking state of the security in the vast majority of places I went to. Really basic stuff not done. And then companies wonder why they get hit.
I did some incident response for a place that got hit by ransomware, and they had all of:
* All users as domain admin
* Password complexity not enabled, periodic password resets not enabled (example passwords found included: the company name)
* RDP server wide open on the internet and connected to their internal (flat) network
They had a nice fancy building with fancy video screens on the walls and all sorts of expensive manufacturing equipment.
...Which was all completely useless because they couldn't take orders, ship orders, pay their staff or bills, operate the machinery, etc. IT is intrinsic to most companies and organisations these days.
Go and look up if your bank has even the basic Cyber Essentials. No? How about your utilities providers? More than likely not. Pick almost any company or organisation that you deal with: probably doesn't have it.
CE is easy to comply with, but nobody wants to sort their sh*t out because they don't think anything bad will happen to them and they're rubbish at assessing risk (both of getting hit, and of negative impacts of doing the few common sense things needed to achieve CE).
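The three findings from the ransomware incident in the comment above (everyone a domain admin, no password policy, RDP exposed) are each cheap to check for. The PowerShell below is an added audit script, not something the commenter posted and not part of Cyber Essentials itself; it assumes the ActiveDirectory RSAT module is installed, that it runs on a domain-joined host with read access to AD, and that the RDP checks are only meaningful for the machine it runs on. The admin-count and minimum-length thresholds are illustrative values chosen here, not CE requirements.

```powershell
# Added audit script (not from the post above): checks the three findings
# described in the comment on a Windows domain. Assumes the ActiveDirectory
# RSAT module is present and the host is domain-joined with AD read access.
Import-Module ActiveDirectory -ErrorAction Stop

$findings = @()

# 1. Who is a domain admin? Resolve nested membership and flag a large set.
#    The threshold of 5 is an illustrative value, not a standard.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
$userCount = (Get-ADUser -Filter { Enabled -eq $true }).Count
if ($domainAdmins.Count -gt 5) {
    $findings += "Domain Admins has $($domainAdmins.Count) user members out of $userCount enabled users: $($domainAdmins.SamAccountName -join ', ')"
}

# 2. Default domain password policy: complexity, maximum age, minimum length.
$policy = Get-ADDefaultDomainPasswordPolicy
if (-not $policy.ComplexityEnabled) {
    $findings += 'Default domain password policy: complexity is disabled'
}
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $findings += 'Default domain password policy: passwords never expire (MaxPasswordAge = 0)'
}
if ($policy.MinPasswordLength -lt 12) {   # 12 is an illustrative threshold
    $findings += "Default domain password policy: minimum length is $($policy.MinPasswordLength)"
}
# Accounts individually exempted from expiry bypass the policy above.
$neverExpire = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true }
if ($neverExpire) {
    $findings += "$($neverExpire.Count) enabled accounts have PasswordNeverExpires set"
}

# 3. RDP on this host: enabled, listening, and reachable from any address in
#    the local firewall? Actual internet exposure still has to be confirmed
#    from outside (the external scan CE+ assessors run covers exactly this).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
$listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' }
if ($rdpEnabled -and $listening) {
    $msg = "RDP is enabled and listening on $env:COMPUTERNAME"
    if ($openRules) { $msg += ' with an inbound firewall rule open to any remote address' }
    $findings += $msg
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings for the three checks.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell session on a domain member; the first two checks read domain-wide settings, while the RDP check only describes the host it runs on, so repeat it on any server you suspect is reachable from outside and confirm exposure with an external scan rather than trusting the local view.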