In the last couple of years the Anti-Vaccination crowd in the United States has started to make inroads with more and more people deciding that the perceived risk of the vaccination outweighs the known risk of the disease.
When you ask them why they don’t vaccinate, they always have anecdotal evidence of how the vaccination could hurt them, how they know of someone else who 5 years ago got a vaccination and it made them *really sick*, or they have an amazing supplement that they take that does much better than the vaccination would do.
I am not talking about parents who are putting their children at risk of getting measles; I am talking about IT shops who are putting their companies, customers and data at risk by not taking proven preventative measures to secure their systems.
After 15 years in security I have heard all the excuses for not vaccinating systems:
It *might* break something.
We have a $500,000 Next-Generation ██████ Box (Unconfigured).
We have not had a *serious* outbreak yet.
The problem is that when you bring proven and tested solutions like the CIS Critical Security Controls and the anti-vaxxers bring an anecdote, you are going to lose. My favorite mentor told me a long time ago, “you can’t debate an anecdote and win”.
This is normally where I like to end my blog post with a great solution we can all use. The problem is there isn’t a good solution to make people vaccinate their children and there isn’t a solution to make people vaccinate their systems.
Until then I am just happy I don’t have to deal with polio or WannaCry.