For organizations and consumers, 2017 has been a particularly devastating year. The recent Equifax breach exposed the personal information of as many as 143 million Americans. Just months prior to that, organizations around the world were caught off guard when widespread malware attacks compromised system after system and resulted in hundreds of millions of dollars lost.

The WannaCry ransomware attack hit more than one million computers worldwide when it began its spread in May. The attack, which encrypted vital files on the machines it infected and made them inoperable until the victims agreed to pay a ransom, knocked out operations at hospitals, major corporations, law firms, medical devices and even infected traffic cameras on stop lights.

Just a month after WannaCry, organizations around the world—and primarily in Ukraine—were hit by Petya. This attack looked similar to WannaCry as it began its spread but was quickly revealed to be something even more malicious. While presenting itself as a ransomware attack, Petya was actually a wiper—an attack that completely deletes the files it finds on infected devices and attempts to destroy the machine, making any information unrecoverable. Petya reach as many as 65 countries, and FedEx reported the attack cost it more than $300 million.

The year’s three biggest attacks (so far) had different targets, different victims and different intentions. The perpetrators of the attacks remain mostly unknown, save for a few leads and suspicions. But all shared the troubling commonality they all could have been avoided.

There are still a lot of questions surrounding the Equifax breach, including who carried out the attack and just how much information did they make off with, but what is known is that it could have been prevented. The attacker made use of a exploit in a web application framework called Apache Struts. The vulnerability was patched two months before the breach at the credit reporting firm took place, and had been exploited numerous times in the wild before a threat actor tried their hand at hitting one of the there major credit reporting companies in the United States.

Likewise, the vulnerability in Microsoft Server Message Block (SMB) that was targeted by the attackers behind WannaCry—theorized to be a group of hackers tied to North Korea—had a patch out for at least a month before the global cyberattack started to spread. Organizations that downloaded the patch were able to mitigate the effects of the ransomware. Those who failed to do so saw their systems rapidly infected as the malware jumped from vulnerable machine to vulnerable machine, blocking out access and forcing shut downs of organization networks.

Petya also used the vulnerability in Microsoft SMB to spread its destructive malware to machines, though it also made use of another exploit that, like the first, was stolen from the U.S. National Security Agency and published by the hacking group the Shadow Brokers. Patching could have hindered at least one of the vectors of attack, and WannaCry should have served as a massive red flag when it occurred just one month prior to Petya.

2017 has revealed that many organizations have a patching problem. Some with good reason: it can be hard to get machines up to speed in a reasonable amount of time without affecting other parts of the system. Many organizations also operate on legacy systems that may be slower to receive vital protections or may be permanently exposed after being declared obsolete by the system maker, as was the case with WannaCry, which hit Windows XP machines and forced Microsoft to push out an emergency patch for the operating system it ceased supporting in 2014.

It’s also an issue exacerbated by the fact there is a massive shortage of workers to fill necessary information technology security roles. It is projected that there will be at least one million unfilled positions in the field by 2020, and organizations operating while short handed will be hard pressed to patch machines before an attack begins spreading.

Even when those positions are filled, there is no guarantee that they will be able to solve one of the biggest challenges presented to any organization’s security: other people. Employees are considered one of the biggest security risks, accounting for the origin of more than 50 percent of all breaches according to a study by Keeper Security —be it due to an insecure password, downloading a malicious file or falling for a phishing email that hands over account credentials to attackers who can then login to an account with access to sensitive files and documents.

These are problems that are more difficult to account for and have been exploited time and time again to gain unauthorized access to valuable data, from user account credentials to personal emails, as happened in the recent hack of Deloitte.

For businesses and government agencies, the window for readiness is growing increasingly tight. The fixes that would have prevented the spread of attacks like WannaCry and Petya or enabled hackers to break into Equifax existed before the vulnerabilities were exploited. That is to say, the incidents could have been prevented.

The warning signs have been made increasingly clear, with experts around the world beginning to ring the alarm bells that an even more devastating attack will occur in the near future.

The U.S. National Infrastructure Advisory Council (NIAC)–a group commissioned by the National Security Council (NSC) to review more the federal government’s capability to secure infrastructure against targeted cyber attacks— warned of what it called a “cyber 9/11” earlier this year.

Last week Ian Levy, the technical director of the United Kingdom’s National Cybersecurity Centre said a “category one” cyber attack will happen within the next few years. For context, the WannaCry ransomware attack was considered a category two event.

The damage caused by a category one attack could be unimaginable, which is exactly what Levy fears, as some organizations won’t take seriously the threat of a massive cyber attack until they experience one.

Governments and businesses alike should not wait to find out just what will happen if a category one attack or “cyber 9/11” strikes. A zero-day attack that exploits a vulnerability that has not yet been patched could be the cause, but organizations can defend against the harshest damages caused by such an attack with resilience efforts.

Unfortunately, many organizations wouldn’t be able to focus on resilience until they cover the basics—which reports have shown many still fail to do. Nearly a month after the spread of WannaCry and Petya, there were still tens of thousands of organizations with public-facing systems that had not yet applied the necessary patches to avoid infection.

Continuing to not clear the lowest bars will put organizations at risk of losing millions of dollars and put consumers at risk of having their personal accounts hacked or their identities stolen.

If neither of those potential outcomes are enough to affect the change necessary, then organizations will have to accept the potentially disastrous results and make the changes they need after the fact and continue to play from behind.