Who doesn’t want to avoid a data breach? They’re bad for business, on so many levels. If you needed any reminders about this, consider that within the last two weeks, Equifax was fined $750 million for its massive breach and Capital One had to announce to the world that 100 million of its credit card application records had been stolen.
You’re glad that’s not you, right? But, before we get all smug and superior about it, remember that everyone is vulnerable. If you run a business of any size, you’re at risk of being breached. In fact, you probably already have been. You just don’t know it yet. With that in mind, here are 10 keys to avoiding a data breach.
1. Assume breach
The truth is, even the most sophisticated cybersecurity organizations in the world have been penetrated by advanced hackers – some of whom are spies from nation states. If it’s your security team vs. North Korea, China, Iran or Russia, you’ve got unwanted visitors in your network. This does not mean you will lose data, but it means you’re exposed. Your approach to security should be premised on this assumption.
2. Focus on the crown jewels
You cannot afford to defend all of your digital assets at the same level of intensity. You must choose which data is the most valuable, i.e. what would cost you the most to replace or would cause the most financial damage to your brand. These are your crown jewels. They deserve the highest level of focus and investment in cybersecurity countermeasures, e.g. firewalls, encryption, access controls, etc.
3. Think about the data you keep
Unless you need it, data can be dangerous to keep in storage. As the Capital One case showed, having a lot of old credit card applications in cloud storage is not wise. They were sitting there, waiting for an exploit in the firewall to let them all get into the wrong hands.
4. Set policies and enforce them
Security is about rules, aka security policies. To defend against a data breach, you have to establish what’s allowed and what isn’t. For example, what are the firewall configurations for sensitive data? Who is allowed to see what?
5. Protect your endpoints
Breaches start at the endpoints, like PCs, phones, servers and so forth. These make up some of the biggest parts of your attack surface. It’s a good practice to implement one or more endpoint detection and protection technologies.
6. Protect data at rest
If you must keep data on hand, protect it when it’s at rest. This usually means encryption.
7. Establish a SOC, or subscribe to one
The best practice now is to have a dedicated Security Operations Center, or SOC. A SOC is staffed with security analysts who can react to alerts and other warnings that a breach is in progress. If you cannot afford to run a SOC, and to be fair, they’re expensive, there is a whole industry of SOC-on-demand type services to which you can outsource security monitoring and incident response. At a higher level, there are Managed Security Service Providers (MSSPs) who can take over most or all of your security tasks for a monthly service fee.
8. Track who has access
Access control is essential to preventing a breach. A variety of tools enable this capability. Hackers can impersonate your employees to breach your data. Even insiders are potentially a problem. In particular, Privileged Access Management (PAM) is extremely important for staying on top of critical systems that hold your data.
9. Train your people
Awareness helps a lot. Your people need to know not to click on strange links or files sent from unknown people.
10. Pay close attention to the fine print in the cloud
Know what you need to do to stay secure in the cloud. The Capital One breach was all about inattention to security detail in the cloud. The cloud service agreement almost always specifies that you, not the provider, are responsible for securing your actual data. They secure the infrastructure, not your specific instance.
Data breaches are a serious matter. You can do many things to reduce their likelihood and impact.