Cyber-attacks hurt individuals and investors on a regular basis, and recent ones have cost hundreds of millions of dollars. Firms that have dismissed the dangers are increasingly at risk of regulatory action. New European laws will likely increase fines for non-compliance with cyber-security standards, and New York's financial regulator enacted new cyber-security rules in August.

The types of threats are ever evolving. Increasingly sophisticated technology and the internet of things are catnip for hackers. For example, hackers recently broke into an internet-connected fish tank and used the tank as a launching pad into more sensitive parts of the company's network. Hackers' business models are also evolving: for better or worse, ransom payments are now more common than sales of stolen data on the black market.

All of which is to say that the plans companies have laid out must evolve as well. The first principle is that companies must take a layered approach to defense. Prevention is really only half the battle when a breach, large or small, is a near inevitability for most companies. This move beyond prevention is new in the cyber-security world. As many companies have seen, mitigation and disaster recovery are as important as prevention. Segregating sensitive data within a company can reduce the impact of any hack that does breach the company's outer barrier. Planning in advance how to respond to a hack reduces the risk of botched responses, which often cause instant stock market plunges.

The second principle is to get smarter about your data: know how much is stored, where, and for how long. Information is an asset that also makes companies vulnerable to hackers. The rise of artificial intelligence, data mining, the internet of things and other cutting-edge technologies can tempt companies to stockpile information. Regulators' wrath and the cost of maintaining a rock-solid digital infrastructure make data a source of business and legal risk. Companies should make sure they are ready.