Recently, I worked with a group who suffered an enormous data breach. The company realized something odd was afoot when payroll checks began to bounce.

In the security world, we often describe this type of breach discovery as “third-party” notification. In other words, someone not directly involved in the company’s operations informed the company of an issue. Also, many of us call this a resume-building opportunity.

I took a quick look at the core operations and assisted the IT team with a hasty inspection. In short, the company owned many security products, employed lots of tools. The board of directors wanted a single variable to surface as the reason for the loss of funds. However, a single smoking gun didn’t exist. The motive was simple: steal money. The success of the theft revealed numerous issues in the company’s execution of technology and associated protective measures. Below, I offer a list of the most common issues that I observe from similar events.

Let’s call these our top 10 habits to avoid data loss.

Coming in at number one, backup your data.

I’ve offered this suggestion on many occasions. However, the practice of backing up data is one of the most powerful and under-appreciated tactics for mitigating data loss. The rate at which you conduct backups should be based on your reliance on timely data. As an example, if your business cannot operate on data that is older than 24-hours, a daily backup process might be undesirable. Review your dependence on data. If you can manage on slightly dated information, a simple backup routine might serve your organization well. However, if you need everything, all the time, your backup strategy should reflect that business need. No matter how often you backup data, if you never test the integrity of the backups, don’t bother with the backups. I’ve stopped counting the number of groups whose robust backup efforts crumble when we try to restore data. If you’re not testing your backups, you have no idea if the process is working.

Number two, install and update anti-virus software. If you choose to avoid anti-virus for costs, for performance, it’s only a matter of time before you experience issues. A virus, malware can wreck your computing environment in a few moments. Make sure you are scanning frequently, updating the software and checking error logs for any concerns.

Number three, if you think all bad things are viruses or malware, and anti-virus software will stop everything, you’re wrong. Device protection doesn’t stop with anti-virus software, anti-malware software – you need to manage all threats. Use local firewalls, limit users’ abilities to install software, encrypt the device’s data. In short, throw as many obstacles at the would-be bad doers as possible.

Number four, update. I know it’s painful to see those pop-ups, the nagging notices about something that needs attention. Don’t ignore them.  The “remind me later” option isn’t your friend. Update often and avoid the new threats.

Number five, realize that email is a weapon. Scammers and other evil-doers love email. Some researchers estimate that over half of all email is junk. Detection tools aren’t perfect. Those who want to do evil work hard to improve their skills. As a result, bogus mail will often appear legitimate. Don’t open attachments unless you’re expecting them. Verify a sender if you see something odd about a message. A few moments’ review could save a lot of frustration and damage.

Number six, lock down your business WiFi. Your customers should not be using the same wireless network as your employees, and your employees should not connect work devices to guest/public WiFi. The potential for risk is phenomenal. Most businesses have an incredible time managing the devices they own. Why allow strange, unknown devices onto your network? Lock down your networks, only allow known devices into your corporate environments. If you have a business need for public or customer WiFi, keep it separate – make it a basic, simple connection that never crosses paths with your business operations networks.

Number seven, require complex passwords and two-factor authentication for software, data access. If the bad guys manage to punch through your perimeter defenses and land inside your network, throw another barrier at them: strong authentication. Employees will complain about complex passwords and two-factor authentication. Prepare yourself and allow no exceptions. Users employ notoriously simple passwords and reuse them across many systems. By promoting complex passwords and requiring a second component to complete access, you will annoy the bad guys and present a difficult obstacle, even if they have wiggled into your network.

Number eight, manage user accounts thoroughly. Do not provide users with more access than they need to conduct job responsibilities. Remove access when an employee is terminated, retires or quits. Orphaned accounts are a nightmare for system administrators, but a treasure for bad guys. Organizations often fail to notify IT of departing employees; as a result, accounts persist. Eliminate the accounts as quickly as possible.

Number nine, set expectations for technology usage. Do you want employees visiting Facebook from a work computer? Probably not, but are they aware of that? Create an employee technology usage policy that sets expectations of technology use and specifically describes unacceptable behaviors. A lack of a policy presents problems for discipline and fosters an environment in which anything is allowed. Policy guides aren’t static, especially technology guides. Review and update as needed.

Number 10, increase awareness. If employees aren’t aware of the “bad” that lurks among our technologies, they will not appreciate security efforts. Lunch and learn opportunities work well – free food is always a welcomed surprise. A poor effort is blasting employees with long lists of websites and materials via email. If the awareness opportunity isn’t engaging, it won’t be effective and meaningful.

Embrace these habits and frustrate the bad guys.