The q2 2017 State of the Internet / Security Report represents analysis and research based on data from Akamai’s global infrastructure and routed DDoS solution. The number of organizations infected and harmed by WannaCry and Petya malware gives the security community a lot to think about. We know that patching software can largely prevent damage from malware infection. And yet months after a patch became available, even after global news of WannaCry signaled a clarion call to patch, many companies still fell victim to Petya. Patching is not a simple issue. Organizations make patching decisions based on risk and business priorities. Patching has direct costs, such as staff and testing, and indirect costs, such as downtime. Due to costs, patching is often de-prioritized as a business function. This is a legitimate decision, if it’s made from a rational, risk driven viewpoint. All too often though, it’s not: The conversation hasn’t happened and no careful evaluation of the risks involved has been presented to business leaders. But the risk equation is always changing. It’s estimated the WannaCry malware could cost businesses $4 billion worldwide by itself. Even the best, most rational, risk-driven decision made six months ago may no longer be appropriate today.