The experience of the last year and a half has made us reluctant to use words like “epidemic” and “pandemic” in a metaphorical sense, given the literal reality of COVID-19. But the temptation is strong when it comes to ransomware.

Ransomware attacks, however one wishes to characterize them, are a persistent and rapidly growing scourge. In 2016, a bulletin from cybersecurity firm Kaspersky Lab reported a threefold increase in attacks over that year, to the equivalent of one every 40 seconds. And the situation has only grown worse since then. Last year, the FBI estimated total losses from ransomware in the U.S. alone at $19.1 billion. And Cybersecurity Ventures has predicted that the total cost of global cybercrime, much of it in the form of ransomware, will reach $10.5 trillion by 2025, up from $3 trillion in 2015.

Businesses are responding with big expenditures in cybersecurity products and services; Cybersecurity Ventures puts the number at more than $1 trillion between 2017 and 2021, and Gartner reports that worldwide spending on information security and risk-management technology will reach $150.4 billion in 2021 alone. But the continued proliferation (and success) of ransomware attacks makes one question whether that money is enough, or is being deployed in a productive manner.

Cyberattacks are constantly evolving, and the use of ransomware to extort businesses is particularly popular today. Victims of recent attacks include the Colonial Pipeline, meatpacker JBS, chemical distributor Brenntag, and computer manufacturer Acer. No industry or organization, public or private, seems immune. And many end up paying millions of dollars in ransom to have their computer systems restored.

With all the media attention paid to these attacks, the question arises why companies aren’t doing more to shore up the security of their information. Notwithstanding the big names that make the headlines, many of the attacks have been directed against smaller entities — local police stations, mom-and-pop shops and government agencies — that lack the resources or expertise to combat them, says Dave Senci, vice president of product development with the Mastercard company NuData Security.

The first step toward protecting oneself against ransomware is asking the right questions, Senci says. “What value do I have behind the platforms and accounts I’m protecting? Am I holding personal 401K information? Someone’s bank account information? What am I trying to protect?”

After that comes a close examination of where the biggest vulnerabilities lie. Answers to all these questions will help to determine the amount of effort that an organization should be expending on cybersecurity, and where it should be directing its limited resources, Senci says.

Employee education is essential. Many cyberattacks succeed by targeting the personal devices of employees who bring them to work and plug them into the system. These are typically less protected against hackers than corporate networks. Vulnerabilities also occur with everyday communications, such as the receipt of invoices which an employee might not take the trouble to validate. “You’ve got to prevent ransomware at the front door,” says Senci.

The unfortunate reality for most companies is that there’s only so much money and time that they can afford to spend on cybersecurity, despite the potentially devastating impact of an attack. So resources must be targeted where they’ll have the greatest impact — areas where the odds of an attack are highest. Says Senci: “Fraudsters go for the biggest value and the least amount of work.”

Chief information officers and I.T. professionals are under an unprecedented amount of pressure to secure corporate systems. Cyber teams need to interact with network users both within and outside the organization. In the case of the latter, that includes just about any individual or business that supplies goods or services. Senci recommends working with an expert third party that’s familiar with current trends in cybersecurity and can smoke out anomalies in behavior or workflow patterns. Such entities must also keep current with the constantly shifting nature of cyberattacks. Yesterday’s breach of choice might have been distributed denial of service; today it’s ransomware, and who knows what form it will take tomorrow? Advises Senci: “Don’t work with someone who’s leveraging static data only. It’s going to continue to change.”
