As a business owner, cybersecurity can be a daunting topic: It’s complex, threatening, and you might not even know where to start. But considering hacks will cost companies as much as trillions of dollars annually within the next five years, cybersecurity is a measure all businesses — both big and small — must take.

To help break down different pieces of the puzzle, we’ve compiled tips and takeaways from 14 cybersecurity experts from Forbes Technology Council.

1. Cyber criminals feed off human error

“With the proper behavioral changes, organizations can greatly minimize their chances of suffering a devastating blow. It all starts with developing a culture of cybersecurity. But what does that look like?,” writes Reg Harnish, CEO, GreyCastle Security.

“A consistent buy-in among employees starts with driving home the fact that everyone has a role to play in protecting the company’s assets, and no role is more important than any other,” writes Harnish. “Additionally, employees are more likely to stay committed to the task if the security concepts can be easily implemented into their daily routines, much like brushing their teeth.”

Read more in What It Means To Have A Culture Of Cybersecurity

2. But you might want to hire a hacker …

Research forecasts the cost of cybercrime to hit $6 trillion per year by 2021. Whether you own a company or not, everyone is at risk of having their data stolen, as cybercrime is the fastest-growing crime in the U.S.. Knowing how to best position yourself before an attack happens is essential.

“More and more businesses and government agencies are engaging with independent security researchers to help them find vulnerabilities in their systems that they otherwise wouldn’t,” writes Alex Bekker, VP of engineering at HackerOne, “Most cyberattacks are executed via security holes unknown to the target organization, so having well-intentioned hackers find vulnerabilities in our computer systems is the closest we can get to real-world conditions.”

3. Most companies know about cyber threats, but aren’t doing much about it

“The hackers have done an excellent job of bringing the cybersecurity industry to the forefront, but how can we translate that into successfully helping corporations, governments and individuals defend themselves? The answer is rather simple: education,” writes Nick Espinosa, Chief Security Fanatic of Security Fanatics.

“Consider two major points in this vein: First, a recent study of global governments shows that while they’re aware of cyberthreats to their infrastructure, roughly 50% of said governments do not have a formal cyberdefense strategy or plan,” writes Espinosa. “Second, we have plenty of corporations and governments with vast amounts of intellectual property who continue to be behind in cyberdefense, using outdated strategies instead of the latest and greatest defense hardware, software and methodology. The ‘if it ain’t broke, don’t fix it’ mentality is alive and well, sadly.”

4. Beware of another threat: biased security providers

As cybersecurity becomes non-optional, third-party vendors seem to be popping up out of the woodwork. They make big promises, but not all of them can deliver.

“Setting advanced testing standards would be an important step in codifying what is promised and delivered by various products,” writes Jamie Butler, CTO of Endgame, “Unfortunately, much of the available third-party testing organizations receive compensation for testing, which makes the results inherently biased. Instead, non-pay-to-play organizations like MITRE and the Cyber Independent Testing Lab need to become the norm.”

5. It’s not enough to plan against an attack, IT departments must plan for one as well

“No matter the extent and level of investment an organization puts into cyberthreat prevention, leadership must recognize a hard reality: It only takes one wrong click to invite an intrusion . Thus, a restorative approach (i.e., a well-equipped disaster recovery plan) is needed to ensure ongoing business in the event of a ransomware attack,” writes Jeffrey Ton, EVP of product and service development at Bluelock.

“It’s crucial for companies to ensure their restorative capabilities are just as strong, if not stronger, than their preventative measures in place. In every breach scenario, quick responsiveness avoids extensive data loss and reputational fallout,” writes Ton. “Achieving the creative and analytical tension for this type of resilience is just another reason for IT departments to shift their traditional approach.”