I am following up on the ARRL's payment of a USD $1M ransom to computer criminals. This would not happen with competent IT management. The defense is to have good off-site or off-line backups and to be able to identify the vectors to be blocked and restore your systems from bare metal when something like this happens, not to pay someone a million dollars to leave you alone and wait for the next criminal gang to come along for more.
The guilt belongs to ARRL Executive Director David Minster NA2AA. Before the breach, he had terminated the head of IT and was not able to hire or retain competent IT staff. Under his management, staff turnover exceeded 50%. Many of the staff were in it for love of Amateur Radio, and ARRL, as a non-profit, was unable to pay salaries commensurate with the market. Thus, when the environment became toxic, many of the staff chose to leave.
The ARRL executive board, or at least a majority of them, are also at fault for their continuing support of Mr. Minster in the face of these issues.