WannaCry and NotPetya’s worldwide, cross-sector impact plainly illustrated that governments and private industry have a shared responsibility to prevent, mitigate and respond to cyber. What lessons can we learn about the proactive measures that mitigated their effects, and how can we refine policies and processes to prevent a similar (or potentially more serious) attack in the future?