Ransomware is a threat to the data and the financial health of businesses all over the world. No longer limited to old versions of Windows, modern ransomware is targeted squarely at servers because they represent a more lucrative payday for online criminals. Businesses across the US and Europe have been victimized by amoral criminals, losing data, the trust of their customers, and money. But is ransomware really all that difficult to defend against? Do CEOs have to accept the risk of ransomware as part of the cost of doing business online?
The answer is no. With the exception of highly targeted ransomware attacks, the risk posed by ransomware is not difficult to mitigate compared to more potent security threats. Most ransomware can be stymied by two simple security best practices: updating software and keeping comprehensive backups.
Ransomware is, for the most part, spread by worms that exploit known vulnerabilities in software. The recent WannaCry attacks exploited the EternalBlue vulnerabilities in Microsoft Windows. The patches that would have removed those vulnerabilities were released months before the most devastating attacks. Companies that had applied the patches to their machines were not vulnerable. Applying patches and running the most recent version of software will drastically reduce the likelihood that a ransomware worm can exploit a company’s systems.
Backups are the second line of defense. If a company has comprehensive off-site backups, having their on-site data encrypted in a ransomware attack is annoying, but it’s not critically damaging. They can simply wipe the affected machines and restore from a backup after discovering and fixing the vulnerability the attack exploited.
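The wipe-and-restore step above has a catch that is easy to miss: a backup job that ran after the encryption began will faithfully copy ciphertext, so the restore point has to be chosen and its integrity checked before anything is rebuilt. The following Python is an added example, not code from the original article, and it assumes a deliberately simple manifest format of my own design: each nightly snapshot records when it was taken plus a SHA-256 digest per file, and the off-site store holds file contents keyed by digest. The sample data is constructed.

```python
"""Added example: pick a clean restore point from off-site backups and verify it.

Assumed (hypothetical) manifest layout: {"taken": ISO-8601 UTC, "files": {name: sha256}}.
Assumed store layout: a dict mapping sha256 digest -> file bytes (content-addressed).
"""
import hashlib
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(s: str) -> datetime:
    # Manifest timestamps are ISO-8601 in UTC with a 'Z' suffix (assumption).
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# --- Constructed sample data (not real backups) ------------------------------
CLEAN = {                       # file contents before the incident
    "ledger.db": b"ledger rows v2",
    "customers.csv": b"id,name\n1,alice\n",
}
ENCRYPTED = {                   # what the same files look like after encryption
    "ledger.db.locked": b"<constructed ciphertext 1>",
    "customers.csv.locked": b"<constructed ciphertext 2>",
}
STORE = {sha256(b): b for b in list(CLEAN.values()) + list(ENCRYPTED.values())}
STORE[sha256(b"ledger rows v1")] = b"ledger rows v1"   # older version of ledger.db

# Three nightly snapshots; the third ran after encryption began and so contains
# ciphertext. Its digests verify fine, which is exactly why verification alone
# is not enough to pick a restore point.
SNAPSHOTS = [
    {"taken": "2017-05-11T02:00:00Z",
     "files": {"ledger.db": sha256(b"ledger rows v1"),
               "customers.csv": sha256(CLEAN["customers.csv"])}},
    {"taken": "2017-05-12T02:00:00Z",
     "files": {n: sha256(b) for n, b in CLEAN.items()}},
    {"taken": "2017-05-13T02:00:00Z",
     "files": {n: sha256(b) for n, b in ENCRYPTED.items()}},
]


def verify_snapshot(snapshot: dict, store: dict) -> bool:
    """Every digest in the manifest must resolve to bytes that still hash to it."""
    for digest in snapshot["files"].values():
        blob = store.get(digest)
        if blob is None or sha256(blob) != digest:
            return False
    return True


def mass_change(prev: dict, cur: dict) -> bool:
    """True when no file name and no digest survives from prev to cur.
    A whole-dataset rewrite with renames is what encryption looks like in a
    manifest, so such a snapshot is not trusted as a restore point."""
    names_kept = set(prev["files"]) & set(cur["files"])
    digests_kept = set(prev["files"].values()) & set(cur["files"].values())
    return not names_kept and not digests_kept


def choose_restore_point(snapshots: list, store: dict, incident_time: str):
    """Newest snapshot that predates the incident, verifies against the store,
    and is not itself a mass rewrite of its predecessor. Returns None if none."""
    cutoff = parse_ts(incident_time)
    ordered = sorted(snapshots, key=lambda s: parse_ts(s["taken"]))
    for i in range(len(ordered) - 1, -1, -1):
        snap = ordered[i]
        if parse_ts(snap["taken"]) >= cutoff:
            continue
        if not verify_snapshot(snap, store):
            continue
        if i > 0 and mass_change(ordered[i - 1], snap):
            continue
        return snap
    return None


def restore(snapshot: dict, store: dict) -> dict:
    """Materialise file contents from the store, re-checking each digest."""
    out = {}
    for name, digest in snapshot["files"].items():
        blob = store[digest]
        if sha256(blob) != digest:
            raise ValueError(f"corrupt blob for {name}")
        out[name] = blob
    return out


if __name__ == "__main__":
    point = choose_restore_point(SNAPSHOTS, STORE, "2017-05-13T12:00:00Z")
    print("restore from:", point["taken"], "->", sorted(restore(point, STORE)))
```

With the incident discovered at midday on the 13th, the 02:00 snapshot from that morning is skipped even though it verifies, and the 12th is chosen instead. The same structure carries over to real tooling: keep digests in the manifest, keep the store where the infected hosts cannot write to it, and rehearse the restore before you need it.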
Why are ransomware attacks so often successful if they’re relatively easy to fend off? In many cases, it’s because executives don’t prioritize security. Security doesn’t contribute to the bottom line; “we have great backups” isn’t impressive on a feature list; and it doesn’t move the company’s agenda forward in a visible way. But a catastrophic data loss can destroy a company and its reputation, so basic security precautions must be taken.
Businesses only implement security best practices if executives make space for security. One way of doing so is to make security a core part of the company’s mission. Ensure that the staff who are in a position to affect security have the support of the executive team and the time to do what they know to be right. Implement and enforce security best practices as company policy. Give managers and executives the power and budgets they need to build secure systems.
Many forward-looking companies have hired Chief Security Officers (CSOs) or Chief Information Security Officers (CISOs) to ensure that security is given a voice in the C-suite. Ideally, a CSO will have a dedicated security budget and report to the CEO, not to the CIO or another department head who may have conflicting incentives.
Many of the most widespread security risks facing modern business could be avoided if CEOs made security central to their business’s operations. As we become more dependent on data and networked systems and attackers become more sophisticated, companies that don’t prioritize security face serious consequences.
Author: Dean Madison is the president of TD Madison & Associates. The company is founded on the principle of providing a more predictable approach for evaluating the culture, strategic fit and qualifications of potential candidates for key senior level positions within the cable and telecom industries.