Why does ransomware seem like a losing battle?

Director of IT in Software, 4 years ago

As long as the cybersecurity insurance pays the ransom and companies are OK with that, it is very lucrative for the cybercriminals to increase their attacks. For some companies it's worth more not to invest in security and just pay the ransom. I am not saying this is OK or should be something to even consider, but I am seeing more and more organizations that, when they hear how much they need to invest in security, opt to take their chances and have their insurance pay for the breach.

Director in Manufacturing, 4 years ago

Because ransomware only needs one open door/window and IT needs to secure millions of potential doors/windows.

CISO in Software, 4 years ago

It is a losing battle because, just like any crime, bad actors can dedicate themselves to hitting their target 24 hours a day, seven days a week with no competing priorities. It's like somebody launching a thousand nukes at you: only one of them has to get through and you only have resources to stop 10 of them. The best analogy is the budget NASA is given to search the skies for asteroids that will strike the Earth. It's like 1%. Cybersecurity is given 1% to defend against a swarm of asteroids in a really big sky.

It's ironic to see how the industry has actually downgraded and gone low tech. Their most successful things aren't hitting the technology; they're hitting people using psychological aspects. You can send the CEO an email saying, "How would you like a free terabyte of cloud storage for a year? Click on this link to sign up." And it could look totally legit.

vCISO and COO in Software, 4 years ago

I'm on the warpath to stop all this stuff, but it does seem like a losing battle. Every time a new vertical gets hit, all of a sudden it's, "Hey, we've got to figure out how to fix this." I was working with a government contracting company who manufactured a certain piece of equipment and they got hit. When they called us we realized that it was a small manufacturing facility, but they had one class B subnet—not only for the office workers but for the manufacturing facility as well, because it was in the same building.

When we went in there we asked, "Where's your MFA? How does everybody log in?" It was old school, not quite Windows NT but pretty bad, just local username and password login. So we fixed them to stop it from spreading, but we also helped them deploy better security practices. I thought government contractors were checked out really well before they could sign anything with the government, but apparently not.
