Gauging a company's true data breach risk from the outside is a difficult endeavor for insurers, with challenges both technical and informational. But even less attention has been paid to how companies would manage a breach if it happened, which has an enormous impact on the toll of the final damage.

No organization is immune to breach. If the National Security Agency can lose data, anyone can lose data, yet the scope of the current issue is still astounding.

According to the 2017 Hiscox Cyber Readiness Report, 72% of large U.S. businesses — nearly three out of four — and 68% of small- and mid-sized businesses — about seven in ten — reported cyber incidents in the previous year. Among these, close to half (47%) experienced two or more cyber incidents during that same time.

The largest breaches, affecting big-name companies like Equifax, Target, Home Depot and many others, drew substantial headlines because of the huge number of identities involved. But almost every business holds some sensitive information, either regarding its customers or its own intellectual property, finances or employees. In fact, smaller organizations often lack the internal resources to dedicate towards preparedness, making them very attractive targets for hackers.

Assessing the threats to your business

The first challenge with measuring a company's risk exposure relates to the industrywide problem of tying compliance and policy to actual security. A company may have checked all the right boxes on paper, but doing so guarantees little about its actual cyber risk position.

The second issue is that people often matter much more than technology.

The public conversation focuses on high-profile hacking events, but data breaches are even more likely to be the result of internal issues, including breakdowns in training, procedure or plain old mistakes.

The overwhelming majority of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers or provide a gateway via a malware link embedded in some form of communication.

One of the most important components of an effective data breach readiness program is mandatory and frequent training to remind employees about the importance of security awareness.

Education on information security best practices can help arm a team against threats such as phishing, man-in-the-middle attacks, malware, and ransomware, substantially lowering the long-term risk.

An accurate understanding of a company's sector-specific risks is another important point of departure in corporate cybersecurity. Healthcare employees, for instance, need to be especially on guard for EHR-related attacks and RDP server breaches, like the ones instigated by the SamSam virus (which took down Allscripts last month).

Other industries are more vulnerable to loopholes in common business apps; still others are more frequently victims of point-of-sale malware or e-mail phishing scams. Once businesses understand where and how they are most likely to be targeted, they can begin providing training that takes into account the need for added vigilance in these specific areas.

The final challenge in correctly identifying breach risk involves understanding the extent to which recovery costs can vary. Discrepancies in cost depend not only on the severity of the breach, but also on how well the organization responds. Globally, the average cost to recover from a security breach is $158 per impacted individual, but that varies from $60 to $400 per person.

While more companies than ever before are now either considering or have taken out some form of cyber insurance, this should not be considered an unloadable risk. Smart organizations are increasingly focusing on proactively identifying data breaches and preparing to efficiently react to them in advance of a data breach crisis.

Proper preparation means more education

The most devastating impacts of a data breach can only be avoided by coupling breach awareness and prevention efforts with readiness and response planning ahead of a cybersecurity incident.

Comprehensive breach readiness plans break down both pre-emptive and retrospective action steps by department: it's sensible, for example, to task IT personnel with monitoring cloud connectivity and identifying network loopholes while entrusting financial staff with detecting suspicious activity along company bank and credit accounts.

Customer relations experts and account managers, on the other hand, are likely the best resources for overseeing client communications during and after a data breach, helping to re-establish trust and informing their consumer-facing workforce.

Here, inter-departmental communication is paramount: all workers should understand how and to whom they are to report possible breaches or scams, and when such breaches occur, the entire company should know what to expect employees in every department to do next.

Even for the most cyber-savvy corporations, however, internal resources alone are not enough these days. Outside resources are often critical to mitigating the threat of cyber attacks, stopping them once they start and restoring company functions in a breach's aftermath.

Establishing relationships and negotiating agreements with external subject matter experts is better done far in advance of an actual data breach. Contractual terms can be negotiated without the chaos and urgency of a crisis situation. The same is true for interfacing with law enforcement and regulatory agencies.

Knowing whom to contact and having an established communication chain can pay off when trying to execute an urgent data breach response.

Both internally and externally, the human element of cybersecurity remains a business's best defense across an ever-widening threat landscape. With the right planning and a rapid response team, companies should be able to withstand a breach with the least damage possible, limiting losses – and claims.

Jerry Thompson is senior vice president at Identity Guard, which has helped companies manage data breaches for more than a decade.
