I recently ventured to Carefree, Arizona to learn more about the state of cybersecurity at the IDT911 Privacy Xchange Forum.

My trip seemed fitting, as October is National Cybersecurity Awareness Month, and lately, I find myself inundated with more and more news of hacks and breaches, whether at medical institutions or, more notably, during this year's election cycle.

While some are tired of the constant cyberattack chatter, I'm not. A small part of me not-so-secretly hums the “Mission Impossible” tune as I plug USBs into one computer and share files on another, all while wishing I could be as cool as Lisbeth Salander.

Alas, I am not the Girl With The Dragon Tattoo. Instead, I'm the person curious why cyberattacks can dominate our news feeds and overtake our important data, and yet no one in the benefits industry is talking about this issue as much as they should be.

While cybersecurity should be everyone's concern, as we get closer to open enrollment we must worry even more about the protection of sensitive information. Although benefits selection has become simpler thanks to technology, it's that same technology that puts us at greater risk.

So, here are a few things I learned this week about how we got here and what we can do about it.

The Dawn of Today's Hacking


In the opening session of IDT911's Privacy Xchange Forum, Joel Brenner, former senior counsel at NSA, mused that espionage is one of the oldest professional businesses, but this ancient job has gone from “resale to wholesale.”

The focus has shifted to the hacking of the private sector, but it wasn't always that way.

During the Gulf War, many were worried about how the land war would be fought by Americans — while it was clear what would be happening in the air, the same couldn't be said for foot soldiers.

However, information was exchanged between satellites, empowering American troops to gain an almost clear view of the battlefield and giving them a leg up on adversaries.

Brenner said the Chinese and Russian governments realized that, if in addition to its financial power Americans could use this “magic” to win a war, there was little way to defeat the U.S. either in battle or in any other meaningful geopolitical space.

“That's why people are targeting American intellectual property today,” Brenner said.

Is ransomware changing the hacking game, or is it just another domino?


During a session titled “How to Evaluate Risk From the Inside Out,” Tim Francis, cyber lead at Travelers, and Graeme Newman from CFC Underwriting tackled some of the changes we've seen in cyberattacks lately. They kicked it off with a popular worry: ransomware.

“Back in the day, extortion was going to be a disgruntled employee, someone close to the company,” Francis said. “It used to be infrequent and pretty much a 'non-thing.'”

But now, angry ex-employees aren't the ones stealing a company's data; it's an entire business model that looks eerily similar to how most “legitimate” organizations are run. That's because ransomware hackers believe what they are doing is a legitimate business, says Lance James, chief scientist at Flashpoint and cyber intelligence advisor. (“Remove the kingpin, put in a CEO, and you have the same outsourcing model most companies do.”)

Newman said ransomware was the leading cause of cyber insurance claims last year, with 1 in 4 or 5 clients experiencing it, but not everyone admitting it.

Why? Because having your company's data (and potentially that of your clients) compromised is pretty damaging for an organizational brand — and paying the ransom can be relatively cheaper than getting authorities and regulatory institutions involved.

In fact, James says most ransomware hackers take home $7,500 a month from their endeavors; that's a drop in the bucket compared to some fines and costs organizations can accrue following a hack.

Just look at the case of WellPoint: It was issued a $2 million fine after a breach exposed over 600,000 people's health information, but the costs associated with the hack skyrocketed to over $142 million after legal actions, recovery, new security investments, and extended protections for victims were put in place.

James singled out the hacks of the website Ashley Madison and the emails of Hillary Clinton's campaign chairman John Podesta, asking: “Wouldn't they have rather paid the ransom than have those hacks go through?” Maybe WellPoint would've liked that option, too …

While Francis made note that ransomware will “get out of hand” in the coming years, Newman said he thinks 2015 and 2016 were the height of hackers holding information hostage. “Ransomware is just easy,” he said. “I would almost guarantee that next year we won't be talking about ransomware, we'll be talking about something else.”

For James, though, ransomware isn't the problem; it's just a symptom of something bigger. “It's not necessarily about if it's going to get worse or better next year.”

If you're taking this as a suggestion to try to mitigate a ransomware hack on your own, don't. First, there is no guarantee that if you pay the ransom your files will be returned. Second, even if you get your data back, there is no guarantee it hasn't already been copied, downloaded, shared, or compromised. Third, hackers are smart — are you sure there isn't any remaining virus lingering on your systems?

There is a silver lining, though: James says the Russians believe there is something “intellectual” about hacking and don't believe in doing it for money, so they won't be the ones holding your company and employee data for ransom.

The C-suite Is to Blame


One resounding theme of the conference was accountability. When hacks happen, when breaches compromise data, when lives are put at risk — who is to blame? Hint: It's not your IT team.

As vArmour Vice President Keith Stewart said in our article on healthcare hacking, security is a “board room conversation.” That sentiment was echoed throughout the conference, starting with Brenner.

“Network security is not even mostly an IT issue,” he said. “Sure, there are important issues dealing with IT, but it's at most a governance issue.”

Brenner was quick to point out the gripes of some business teams, which often result in shifting responsibility across the board without anyone truly owning security measures:

  • Legal says security is a technical issue

  • CIOs and CTOs say it's an employee issue

  • Management says it's a technical and legal issue

  • HR says security is “trouble” and “our job is to avoid trouble”

“Operations management, IT, legal, and HR all need to work together, and someone at the C-suite level needs to work with these four groups to make them all understand that security is a high-level corporate problem.”

Adam Levin, chairman and founder of IDT911, weighed in further.

“Some of the most dangerous words from IT can be, 'We got this,'” he said. “The C-suite doesn't think cybersecurity is really a problem yet. My friend calls it 'asleep at the laptop.'”

Levin says when it comes down to it, cybersecurity in the office is a culture issue. It's imperative that companies operate in a culture that reverberates from the mail room to the board room, with C-suite players being the ones taking ownership.

As evidenced by the “Services in Action” session — in which a cautionary tale of a targeted IDT911 client was shared, wherein a spear-phishing scam resulted in the head of HR sending all employee W-2s to what he believed was the CFO's email — Levin said there is a culture problem where employees don't feel they are able to second-guess orders from their higher-ups.

The employee from the session's anecdote illustrated this feeling. Apparently, he felt he was supposed to follow orders rather than question a superior.
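The W-2 scam described above is a textbook executive-impersonation email: a familiar display name over an address the company does not control, plus an urgent request for sensitive data. The following is an added example, written for this article and not code from IDT911 or the client in the anecdote, of the header checks a mail gateway or SOC script can run to catch that pattern before a human has to second-guess the boss. The company domain, the executive directory and the three sample messages are all constructed for the example.

```python
"""Executive-impersonation triage for inbound mail headers (added example).

Flags the signals behind CEO/CFO fraud: a display name that matches a known
executive but does not resolve to that executive's real address, a sender
domain that merely looks like the company's, a Reply-To that points elsewhere,
and subject lines asking for payroll data or money under time pressure.
"""
from difflib import SequenceMatcher
from email.parser import HeaderParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain (constructed)
# Constructed executive directory: normalised display name -> real address.
EXECUTIVES = {"pat cfo": "pat.cfo@example.com"}
SENSITIVE_KEYWORDS = ("w-2", "w2", "wire", "urgent")


def _normalise(name):
    """Lower-case and collapse whitespace so 'Pat  CFO' matches 'pat cfo'."""
    return " ".join(name.lower().split())


def _domain(address):
    """Return the domain part of an address, lower-cased, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_message(raw_headers):
    """Return a list of finding codes for one message's raw header block."""
    msg = HeaderParser().parsestr(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. Display name impersonation: name matches an executive, address does not.
    name = _normalise(from_name)
    if name in EXECUTIVES:
        if from_addr.lower() != EXECUTIVES[name]:
            findings.append("exec-name-address-mismatch")
        if from_domain != COMPANY_DOMAIN:
            findings.append("exec-name-external-domain")

    # 2. Lookalike domain: not ours, but visually close (e.g. a digit for a letter).
    if from_domain and from_domain != COMPANY_DOMAIN:
        if SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio() >= 0.8:
            findings.append("lookalike-domain")

    # 3. Reply-To redirection: replies would leave the apparent sender's domain.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 4. Request for payroll data or money, or pressure to act now.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in SENSITIVE_KEYWORDS):
        findings.append("sensitive-keyword")

    return findings


# Constructed sample messages (headers only); none are real mail.
PHISH = """From: Pat CFO <pat.cfo@examp1e.com>
Reply-To: Pat CFO <pat.cfo@examp1e.com>
To: hr.head@example.com
Subject: Urgent: need all employee W-2s today

"""
REPLY_TO_TRICK = """From: Pat CFO <pat.cfo@example.com>
Reply-To: pat.cfo@gmail.com
To: hr.head@example.com
Subject: Re: invoice

"""
LEGIT = """From: Pat CFO <pat.cfo@example.com>
To: hr.head@example.com
Subject: Q3 headcount report

"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("reply-to", REPLY_TO_TRICK), ("legit", LEGIT)):
        print(label, check_message(raw))
```

Any non-empty result should route the message to a human reviewer or a quarantine rather than to the HR inbox; the point is that the decision is made by a control the company owns, not by an employee deciding whether to push back on the CFO.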


“There needs to be a culture shift,” Levin said. “The buck stops with the C-suite.”

“It Won't Happen to Us”

You're wrong. It will happen to you.

“Every company will be breached — every customer will suffer some type of identity theft over the next few years,” said Levin.

Smaller companies often operate under a veil of ignorance, believing they aren't coveted “gets” for hackers, but that couldn't be further from the truth.

“Small companies are delicious targets because they probably aren't protecting their systems, and by virtue of their relationship as a vendor, they can be a gateway into a large company,” Levin said.

Don't think that could be you? I'm sure Target didn't think its now-infamous breach would come at the hands of its HVAC vendor, either.

“You are your vendor,” Levin said, as he made the call for all companies to demand stringent privacy protocols from everyone they do business with.

Even if your small- to medium-sized business doesn't have major clients, it's naïve to think you're safe for that reason alone.

“Small businesses will be a big target, especially as larger companies tighten security measures,” Levin said.

According to a recent Bloomberg article, the idea that “it won't happen to me” sets a dangerous precedent. While hacking has certainly made its share of headlines this year, it still seems as though no one is really ready to change the behaviors that leave them susceptible to a breach. Yes, Americans are worried about the (very real) possibility of losing their and others' data, but if we aren't willing to change, where does that leave us?

So, What Do We Do?


First, accept your fate. According to Brenner, there is no such thing as total security; it's just a matter of deciding how much risk is acceptable (a decision that should be made by the C-suite, not your IT department).

“Figure out what information is critical to protect, and remember that you cannot protect everything,” he said. “If you try, you'll protect everything poorly.”

Brenner also said it's important to get a clear understanding of who has access to your systems. That might be difficult, considering so many workforces are now mobile, meaning employees might be working on shared devices or saving passwords automatically rather than entering them at every login (two faults I'm guilty of myself).

In this vein, he talked about what he calls the “Private Manning Problem,” referencing Private Chelsea Manning's disclosure of nearly one million sensitive military documents to WikiLeaks.

“Why do low-level employees have access to important information?” According to Brenner, there need to be limits on what information certain employees can access. “There is no reason someone in the mail room should have the same clearance as higher-level employees.”
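Brenner's two points, know who has access and limit it by role, are what a periodic access review is for. The script below is an added example written for this article, not anything from the forum or from IDT911: it takes a constructed export of entitlements (user, role, resource, data classification, date the grant was last used) and a per-role baseline of what classifications that role legitimately needs, then reports grants that exceed the baseline (the mail room account that can read the W-2 archive) and grants that have sat unused past a cutoff. Role names, classifications and all rows are assumptions made up for the example.

```python
"""Least-privilege access review over an entitlement export (added example).

Two findings per review: grants whose data classification exceeds what the
user's role is allowed (revoke or re-justify), and grants that have not been
used within `stale_days` (prime candidates for removal regardless of role).
"""
from datetime import date

# Constructed role baseline: which data classifications each role may hold.
# A role absent from this table is allowed nothing, so every grant is excess.
ROLE_BASELINE = {
    "mailroom": {"internal"},
    "hr-analyst": {"internal", "employee-pii"},
    "cfo": {"internal", "employee-pii", "financial"},
}

# Constructed entitlement export: (user, role, resource, classification, last_used).
ACCESS_EXPORT = [
    ("mroom01", "mailroom", "shared-drive/announcements", "internal", "2016-10-10"),
    ("mroom01", "mailroom", "hr/w2-archive", "employee-pii", "2016-09-30"),
    ("hr02", "hr-analyst", "hr/w2-archive", "employee-pii", "2016-10-12"),
    ("hr02", "hr-analyst", "finance/ledger", "financial", "2016-05-01"),
    ("cfo01", "cfo", "finance/ledger", "financial", "2016-10-11"),
    ("contractor9", "mailroom", "hr/w2-archive", "employee-pii", "2016-03-02"),
]


def review_access(rows, today, stale_days=90, baseline=ROLE_BASELINE):
    """Return {'excess': [...], 'stale': [...]} for an entitlement export.

    excess: (user, resource, classification) where the classification is not
            in the role's baseline.
    stale:  (user, resource, days_idle) where the grant was last used more than
            `stale_days` ago.
    Rows keep their export order so the report is stable across runs.
    """
    excess, stale = [], []
    for user, role, resource, classification, last_used in rows:
        allowed = baseline.get(role, set())
        if classification not in allowed:
            excess.append((user, resource, classification))
        idle = (today - date.fromisoformat(last_used)).days
        if idle > stale_days:
            stale.append((user, resource, idle))
    return {"excess": excess, "stale": stale}


def users_to_recertify(report):
    """Distinct users with at least one finding, in first-seen order."""
    seen = []
    for user, *_ in report["excess"] + report["stale"]:
        if user not in seen:
            seen.append(user)
    return seen


if __name__ == "__main__":
    # Fixed review date so the constructed sample is reproducible.
    report = review_access(ACCESS_EXPORT, date(2016, 10, 15))
    for user, resource, classification in report["excess"]:
        print(f"EXCESS  {user:12} {resource:28} {classification}")
    for user, resource, idle in report["stale"]:
        print(f"STALE   {user:12} {resource:28} unused {idle} days")
    print("recertify:", users_to_recertify(report))
```

The review date is passed in rather than read from the clock so the same export always yields the same report, which matters when the output is the evidence handed to the executive who owns the sign-off.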


He also suggests avoiding unnecessary collection of personal information.

“Personally identifiable information is a big get,” he said. “Don't take more than you need, get rid of it when you stop needing it, and remember there are penalties for losing it.”

Chad Gray, senior director of business development and employee benefits at IDT911, says education and being proactive can make a world of difference when it comes to protecting your company, your employees, and your clients.

First, he proposes better training for employees on how to avoid cyber pitfalls by making security training a part of the employee onboarding process.

“Offer a phishing seminar or cyber protection class, and include an addendum in your employee handbook,” he says. “Make employees pass a cybersecurity test after the training, and have them sign a document that says they'll follow their training.”

But cybersecurity shouldn't just be a rule to follow; it should also be a benefit for employees. As the job market continues to get more competitive, Gray says it's important to look to inventive solutions to retain workers.

“Employers need to innovate past dental and vision,” he said. “You go to the dentist once or twice a year, same with your eye doctor. But how often are you part of a breach?” (According to what I learned this week, even if you don't know it, you probably already have been.)

He says this opens up the door for benefits managers and brokers to look at ID protection as a possible benefit.

“Education needs to come from the employer side, and it's up to a good HR team to research out-of-the-box solutions,” he said. “Maybe that means cutting down on other voluntary benefits or not having a mid-year event in order to supplement or provide more funds for better security measures.”

While some brokers haven't been eager to implement this offering, Gray said employers and employees have been quick to act on an ID protection benefit. He said between 40 percent and 60 percent of employer groups with two to 20,000 employees are looking into such benefits.

Because, as Gray noted, “It's not a matter of if something will happen; it's a matter of when.”

© 2024 ALM Global, LLC, All Rights Reserved.