Organizations that store customers’ private information have a duty of care to protect that data. Credit card numbers and other personal details fetch a high price on the black market and, unfortunately, organizations do a very poor job of keeping them out of the hands of cybercriminals. Regulators in many countries are now levying considerable penalties against organizations that fail to protect people’s private data. When the European Union’s General Data Protection Regulation (GDPR) comes into effect in May 2018, organizations face fines of up to €20m or 4% of annual turnover for exposures of European citizens’ private data. They must also disclose breaches within 72 hours of discovering them. And now for the bad news: breaches are inevitable. Security researchers believe determined attackers can infiltrate any perimeter security system. Even so, the majority of data exposures stem from internal causes: malicious insiders, loss or theft of devices, accidental misuse, or simple errors by IT and security administrators.