The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at and repair. \u2014 Douglas Adams\n\n\nWe as people in IT and as people in business need to get over the idea that we can stop 100% of those out to do us harm 100% of the time. We can\u2019t. We need to acknowledge that we will do the best we can to protect our organizations, our customers and ourselves, but that there are others who see us as prey that present them with opportunities to reap some ill-gotten gains.\n\n\nIf you accept that some others \u2014 maybe not all others, but some others \u2014 will attack your company\u2019s systems, then you should plan to do three things: Prevent the attacks as best you can, contain the ones that happen, and then recover and continue operating.\n\nPrevent\n\nYou are never going to be able to defend successfully against every possible attack on your company\u2019s people and its infrastructure. Attackers have too much time and too many resources. Your environment is only as strong as its weakest link, and some of the software you run has some pretty weak links. Even if you defend against everything you can, eventually you or one of your company\u2019s employees will make a mistake.\n\n\nThis doesn\u2019t mean you crawl under your bed with a flashlight and a bottle of aspirin. You should educate yourself and your users about what to watch for, and you should deploy as much defensive technology as you can afford. But you need to consider the next step: Contain.\n\nContain\n\nIf you have been attacked successfully, you need to move to contain both the attack and the damage it is causing and could cause. Depending on what got through your defenses, your actions at this stage will vary.\n\n\nIf the attack is limited to a specific user or to a specific system, then your goal is to keep it to that user or system. If you have a laptop that is infected with malware, you should seek to limit the impact on the organization by separating that laptop from your network and by making sure that the source of the infection is not elsewhere in your systems.\n\n\nIf the attack has already moved more pervasively into your environment, then you should seek to keep it from moving to your customers and to your business partners. Planning for these eventualities before they happen is your best defense.\n\n\nOnce you have successfully contained the attack, you are ready for the next step: Recover.\n\nRecover\n\nFor a simple attack \u2014 say, one that succeeded against a single PC \u2014 it may be sufficient to restore from backup and then remind your full user base about safe practices. For more complicated incidents, you may have to rebuild servers and restore applications. Part of the recovery process may involve commercial or legal activities, because you may need to pay service level agreement penalties for being down or purchase identity monitoring if personal data was compromised.\n\n\nRegardless of what got through your defenses and how, you should take the time to learn from the attack and to remind your users that they play a role in keeping the organization safe. Much like a neighborhood watch, your users can be a last line of defense against or an early warning of trouble.\n\n\nIf you plan for just about anything going wrong, you should at least be able to recover and repair the damage when things do happen.