A data breach will cost a business $4 million on average, according to a 2016 study from IBM. Large organizations have more to lose; Yahoo’s sale price was reduced by $350 million after being hit by the largest breach in history.

US companies are now scrambling to meet the stringent data privacy rules required by the EU General Data Protection Regulation (GDPR) when it is introduced in 2018. Businesses that fail to comply with GDPR’s broad rules will face a potentially massive fine: four percent of global revenue, which could equal tens of millions of dollars.

There may never be a better case for US companies to fortify their cyber security. Security has jumped to the top of manufacturers’ priorities but barely half of IT professionals are confident in the security of their supply chain.

If your company stores personal data about customers and vendors, even a minor security breach could seriously damage your company’s reputation and cause millions in damages. And with GDPR on the horizon, what can businesses do to protect themselves?

Secure your network
Your company network is the gateway to your sensitive data and cyber criminals are experts at infiltrating them.

Symantec lists the top four means of hacker incursion into your company’s network as exploiting system vulnerabilities, default password violations, targeted malware attacks and SQL injections.

“Often these attacks are successful because criminals discover vulnerabilities in the network that the business is unaware of…Attackers can be inside an organization for months, even years, monitoring and exfiltrating the data,” said Paul Fisher, research director for cyber at Pierre Audoin Consultants (PAC).

To prevent these incursions, you’ll need to employ a variety of solutions to shut down potential vulnerability. Even the most basic protection will discourage many hackers.

Tighten your network security by implementing strong passwords and ensuring these are never written down or stored without encryption. Logins to your systems should also be set to expire after a period of inactivity.

Limiting company admin privileges, like the number of people with admin accounts, will reduce the opportunities for intruders to gain access to them. An intruder with admin account access could wreak havoc on your systems by leaking or manipulating your sensitive data at will.

Some networking solutions also provide tools for tracking and visualizing users across your network, allowing your IT team to identify and react to suspicious activity in real-time.

Encrypt your data
But security doesn’t end at your network and concentrating resources on defending your perimeter will not suffice. Businesses must also now accurately identify and protect their information, wherever it is stored.

By enforcing data protection policies across servers, networks and endpoints throughout your business, you can reduce the risk of a data breach.

Data encryption is one of the most popular and effective security methods, but it’s often ignored. 60 percent of businesses that lost information as a result of a data breach had not encrypted their data, the Ponemon Institute recently discovered.

To reduce the likelihood of a breach, and to reduce your company’s liability if one does occur, it’s crucial to encrypt your files.

“Anytime you’re storing important data when the data is at rest–which means it isn’t being transmitted over the internet somehow–you want it encrypted,” said Steve Cullen, Senior Vice president of Worldwide Marketing at Symantec (provider of Norton Antivirus).

Data security applies to your vendors too. If you provide your vendors–or any third-party services–with access to your confidential data, make sure to research their policies and that they comply with security best-practices.

Plus, when General Data Protection Regulation (GDPR) is introduced in Europe next year, US businesses will have to take Europe’s new data laws into account. Under GDPR US-based companies will face significant fines – percent of global annual income – if they refuse to align with the new regulation.

Ninety-two percent of U.S multinational companies cite GDPR compliance as a top data protection priority, according to new research from PwC. Over two-thirds are setting aside between $1 million and $10 million on GDPR readiness and compliance.

Regulation is complex and specifics differ for each EU country, so it’s important US companies familiarize themselves with GDPR as it promises to revolutionize data protection globally.

Hackers for hire
For a more holistic approach to cyber security, organizations increasingly hire penetration testers – also known as ethical hackers. Ethical hacking or penetration testing activities are integral to any comprehensive security policy. Penetration testers will use the same techniques as hackers, including phishing your employees over email, scanning your network for flaws to exploit or barraging your servers as part of a DDoS attack.

However, instead of compromising your data, these professionals report your security vulnerabilities, providing your business with actionable guidance on how they can be fixed. Without these tests, holes in your network security could potentially remain undiscovered. Your organization could be vulnerable to exploitation and you wouldn’t know until it was too late.

Your employees are vulnerable
While networks are historically the primary route cyber criminals take into your business, today the weakest link is increasingly likely to be your staff. Nearly half of breaches are caused by human error, according to CompTIA.

To prevent this, businesses must evaluate employee exit strategies, remote project protocol, on/off-site data storage practices and establish policies to ensure employees are protected against cyber criminals. Privacy and security training should be provided to all employees, not just those in IT. Luckily, some organizations, like the nonprofit CompTIA, are already providing platforms to skill-up your staff in security basics, regardless of their experience.
Unfortunately, the state of cyber security means that–for most businesses–data breaches are inevitable. But with a comprehensive response plan, you can mitigate much of the damage; the cost of a breach increased by 30 percent if it takes longer than 30 days to contain.

Businesses must do three things post-data breach: contain the breach immediately, inform customers promptly and promptly take defensive measures to prevent future attacks. For more information on formulating effective data breach response plans, take a look at this guide from the Federal Trade Commission.

Alex Bennett is a technical writer for Firebrand Training. Working at the forefront of the IT training industry, Alex uses his insider knowledge to write regularly on IT security, networking and cloud technology.