
> But your broken into system should in most cases be considered forever tainted until fully reinstalled.

Reinstalling an OS is not really, really bad. It's an inconvenience. Less so than e.g. having to get new cards after a lost wallet or getting a new car.

Security people don't seem to really assess what are the actual consequences of breaches. Just that they are "really really bad" and have to be protected against all costs. Often literally the cost being an unusable system.



Is reinstalling the OS enough?

Isn’t there malware around that can store itself in the BIOS or something, and survive an OS reinstall?


It would need to be a zero-day (or close to it), which means nation-state level sophistication.

You can decide for yourself whether to include that in your personal threat analysis.


> Security people don't seem to really assess what are the actual consequences of breaches. Just that they are "really really bad" and

No

Security people are acutely aware of the consequences of a breach.

Look at the catastrophic consequences of the recent wave of ransomware attacks.

Lax security at all levels, victim blaming (they clicked a link....) and no consequences I know of for those responsible for that bad design. Our comrades built those vulnerable systems.


> Reinstalling an OS is not really, really bad. It's an inconvenience.

Reinstalling an OS is not nearly enough. You have to reinstall all of them, without letting the "dirty" ones contaminate the clean part of your network; you have to re-obtain all of your binaries; and good luck trusting any local source code.

The way most places are organized today, getting computers infected is a potentially unfixable issue.


> Security people don't seem to really assess what are the actual consequences of breaches. Just that they are "really really bad" and

No

Security people are acutely aware of the consequences of a breach.

Look at the catastrophic consequences of the recent wave of ransomware attacks.

Lax security at all levels, victim blaming (they clicked a link....) and no consequences I know of for those responsible for that bad design.



