Just look at some of the big brands that were all hit by recent data breaches in recent years — Target, Sony, Yahoo, Home Depot, JP Morgan — and it appears that cyber-attacks are an increasing threat to all businesses as the severity and frequency of these events are all over the map. The cost of a breach extends beyond downtime and profits lost; it can also negatively affect your company’s brand and customer loyalty.

With almost every organization out there, including yours, collecting some form of personal information about customers and employees these days, it is more imperative than ever to protect your company from potential data breaches.

In some cases, it’s often the small and medium-sized business who are targeted by hackers and individuals who misuse the network, system or data access. Businesses this size are in that sweet spot where they’re likely to have more digital assets than an individual but less security than a large corporation.

To safeguard and protect your company’s data, consider these top five security best practices that can help you avoid, mitigate and manage data security risks.

Don’t just rely on encryption as your online mode of defense.

Encryption (the conversion of data into a format that cannot be understood by unauthorized users) alone tends to give businesses a false sense of security. Not only should you be employing virtual security measures like encryptions, passwords, firewalls and anti-viruses, physical measures like a lock-and-key cabinet and paper shredder are just as important. To keep personal information and sensitive data secure, work across departments beyond just IT. Consider your exit strategies for outgoing employees with Human Resources, make your security requirements clear with third-party vendors and have protocols on how data is stored on and offsite clear for remote projects. Mobile and remote workers must also have adequate training and technical support.

Change default passwords.

Sounds relatively simple and straightforward right? Well, many devices and applications are protected by default usernames and passwords and oftentimes, users don’t change them which can make their systems vulnerable. Don’t reuse passwords and repeat username/password combinations across multiple accounts. Set up two-factor authentication for your online business accounts. For example, this means you have to validate access by using something only you should know (a password) and authenticate using something only you should have (a phone) to verify your identity.

Hire a third-party data security expert to analyze your level of exposure.

Think of them like an objective friend who can tell you where something is wrong. A neutral third-party can give an unbiased look at your organization and point out potential areas for information breach. These experts can also help make sure you are in compliance with applicable laws. Conducting periodic assessments can also keep you on your toes and allow you to detect ongoing vulnerabilities as your business evolves. Using an objective third party means your employees can feel comfortable disclosing more honestly about any weaknesses in the company without concern over their jobs, giving you a clearer picture.

Make sure you have a data loss prevention protection plan.

If and when a breach occurs, a plan and policy can help you manage and communicate across the company how employees should properly respond and act. By devising a plan before it is too late, you can anticipate what may happen and address security risks before they are real threats. For example, conduct regular inventory of your sensitive data and identify clearly who manages it and where it’s located. Have a backup data solution so if information is compromised or lost, it can easily be recovered.

Remember to review and update your information security policies regularly because a company’s policy is only as good if it’s practiced. Train your employees regularly and ensure everyone is complying.

Clean house every so often and update procedures and files. 

As there is no one-size-fits-all when it comes to information security, remember to look for solutions that protect you from both internal and external threats. Keeping your operating system and application software patches and security updates current can help to foil potential breaches from outside your organization.

Don’t collect information you don’t need in the first place and reduce the number of places where you keep data. Only give access on a needed basis and keep records of who has access to what at your company, then purge data responsibly after it is no longer applicable. Once an employee has left your organization, disable all their IT accounts whether or not they departed amicably.