You’ve seen all the headlines: Individuals, businesses, and even municipalities are being targeted by hackers who want to gain access to personal and financial data. As someone who’s starting a company, or someone who has recently started a company but hasn’t thought enough about security, the time has come to dedicate time and resources to protecting your data. This includes everything from buying software designed to defend against attacks, backing up data in case of a disaster, and establishing emergency protocol in case all hell breaks loose.

I spoke with Adrian Liviu Arsene, Senior E-Threat Analyst at Bitdefender to determine the most important questions companies should ask themselves regarding data management and data security.

1. Are We Using Security Software?

The Best Hosted Endpoint Protection Services of 2015

Endpoint protection software monitors and defends your corporate network from external devices that are trying to create entry points for an attack. These tools typically include a combination of antivirus, firewall, and mobile device management (MDM) capabilities (more on this later). By employing one of these tools, your dedicated technology team (assuming you have one) will be alerted to threats if and when they arise.

“Even if you’re a small business, every endpoint needs to be secured by security software as there are plenty of threats out there that can both cripple your business and your customer’s data,” said Arsene. “From ransomware to keylogging malware and advanced threats aimed at using your company as a gateway into your clients, if you’re a service provider, having security software is not only recommended but mandatory.”

2. Are We Backing Up Our Data?

Best Online Backup Services for 2015

If your company is ever hacked or if your office gets knocked down by a hurricane, then having a backup of your most recent data will help you get back up and running with minimal data-based issues. A cloud backup of your information will ensure that, after a brief physical rebuild, your company can be up and running again. If you’ve never backed up your data, then you’re essentially starting your business from scratch. Also, data backups, in combination with endpoint protection software, lets you spot threats as they occur, expel them from your network, and then revert your network back to its most recent, most secure state.

There are simple ways to back up your data, including setting automated backups with disaster recovery (DR) software, and copying your system files to other regions (in case of a geographic issue). Regardless of which you choose, it’s imperative that you start backing up immediately.

“Backup and redundancy are vital to business continuity as any losses or disruptions could mean going out of business or being severely crippled for a long time,” said Arsene. “Ransomware is a perfect example of what can happen if you don’t have backups. But also factor in that hardware sometimes fails, and having a single copy of your critical assets is ill-advised.”

3. Are We Encrypting Our Data?

Best Encryption Software of 2016

Most endpoint protection software vendors will also help you encrypt your data as it moves within your network, as it leaves your network, and as it sits untouched on your servers. Encryption essentially turns your plaintext formatted data into ciphertext format—an uncrackable jumbling of your data’s true plaintext sequence. By entering a de-encryption key, your data is unscrambled and sent back into its normal format. So, if anyone ever hacks into your system and steals your data, they’ll see the encrypted version rather than the plaintext version.

Careful though: Attacks can happen at different stages in the data transfer process. They can happen when data is sent from the server to its destination. Attacks can happen as data is sitting in your servers and hacks can happen as data is transferred from one device to another within the network itself. When speaking to your endpoint protection services provider, make sure you ask if they can help you encrypt data in transit and at rest.

“Both types of data should be encrypted, especially if you’re working with sensitive and private information about your customers,” said Arsene. “Every piece of information can be monetized by cybercriminals, and keeping all information encrypted not only makes their job harder but also yours more worry-free.”

4. Do We Have a Firewall?

Everything You Need to Know About Firewalls

You wouldn’t own a home without a front door, would you? Then why would you run a network without a firewall? Your firewall lets you block unwanted traffic from entering into your corporate network. This means you’ll be able to maintain a private internal network without exposing all of your company data to the public web server on which your business is run.

“Firewalls are great for keeping away intruders that want to either scan your network or find open services and ports that can be exploited for remote access,” said Arsene. “With firewalls, you can also set rules as to which IP addresses can access various resources or monitor incoming and outgoing traffic.”

5. What’s Our Company-Wide Device Policy?

Running Your Business on Mobile Devices

Bring-Your-Own-Device (BYOD) policies let employees choose which hardware and software to run while conducting business processes. Although these policies provide flexibility for employees (and cost savings for companies that no longer need to purchase devices for new workers), there are several risks associated with BYOD plans. At the top of the list: How do you secure the data stored on these devices if you’re not choosing the software and building out the security access protocol?

“Most small businesses often rely on BYOD but usually don’t have a security policy in place,” said Arsene. “To that end, it’s also recommended to limit access to critical information being accessed by employee-brought devices, either via segregating networks or by implementing access policies, and also manage mobile devices. Since handhelds are also used to access emails and internal data, it’s important to either manage them with a dedicated solution or only allow them access to non-critical data.”

MDM software gives you the power to remote-wipe, remote-lock, geofence, and customize each device based on your specific needs. If employees lose devices, if devices are hacked into, or if devices are able to access more corporate data than you’d like them to, then you’ll be able to make adjustments using your MDM solution without touching the actual devices.