Last week’s publication of the SANS Top 20 confirms a surge in sophisticated zero-day attacks on users and web applications. It should be seen as a wake-up call for those organisations who think security can be left to their IT operations staff. A new approach is needed. We’ve been de-perimeterised, as we say in the Jericho Forum. The threat we face today is no longer random vandalism by hobbyists. It’s targeted attacks by criminals or perhaps intelligence services on valuable information and essential services. We can’t expect to stop tailored, zero-day attacks with firewalls, virus scanners and penetration tests. We have to harden our applications, encrypt our sensitive data and implement strong authentication. This can’t be achieved overnight but the sooner we start the better. In the meantime we will have to raise our game substantially in monitoring, patching and user education.