When data is stolen through a leak or a data breach, it’s not just a one-and-done situation where the company that’s breached pays a fine and works to keep its name out of the headlines. Cyberattacks that result in data theft or exposure set up an entire cascade of consequences for individuals whose personally identifiable information has been exposed, and for those who interact with them.
It’s not just a hacker or two accessing or stealing the information for their own use. Typically, the stolen data ends up on the dark web, making the situation even worse.
Hackers aren’t just zeroing in on individual consumers. They’re also going after corporate employees. Infosecurity reported that more than 600,000 corporate logins belonging to UK architecture, construction, and property firms are for sale on the dark web. Experts believe it’s the result of third-party breaches where employees had signed up using their corporate email addresses.
When corporate logins fall into the wrong hands, all kinds of trouble become possible, from stealing intellectual property, to impersonating a company official to move funds, to accessing customer data.
If you think that none of this has an impact on the corporate brand, think again. A study by analyst firm Frost & Sullivan shows that companies that suffer major data breaches end up losing half their customers.
A quote on Unisys’ website by its Chief Trust Officer says that its Security Index survey results suggest that “consumers around the world view the internet as scarier than earthquakes, terrorism and wars, largely because they feel they have little control over how to address bad actors leveraging internet-enabled technologies.”
They have reason to be concerned. The market for stolen data is growing as more mega breaches occur. Forbes reports that more than 81.5 million voter records are for sale on the dark web. “Voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status.” From that tranche it’s easy to imagine the identities that will be stolen and the social engineering that will result, leading to more abuses of sensitive information.
Earlier this month, The Daily Mail reported that soon after the massive Facebook data breach occurred, a study by Money Guru found that Facebook logins were selling on the dark web for just under $4.00. Apparently that’s a deal, since The Daily Mail reported in March, shortly after the Cambridge Analytica scandal, that Facebook logins were selling for about $5.20.
Money Guru estimated that an entire identity could be purchased online for just under $1,000.
While GDPR and other regulations will put pressure on companies to do more to harden their security, complying with regulations is just the start. It is not the ultimate solution. Five key principles can help keep data safe:
- Cover the basics—patch and update for known vulnerabilities; segment your network; review policies and privileges; and audit.
- Change the culture—help your employees understand what is risky behavior online and how to recognize suspicious actions. Make them aware of what can happen when data gets into the wrong hands.
- Focus on prevention, not detection, with technologies that can stop today’s level of sophisticated threats and attacks—including anti-phishing solutions, sandboxing, and anomaly detection, among others.
- Understand how threats can get in: malicious links in email or text messages, unsafe web browsing, compromised mobile apps, unpatched servers and systems, and infected external storage devices. Not to mention vendors or cloud providers with weak security.
- Look at your security system as an architecture. Secure buildings are designed holistically, with decisions made upfront to make the building impenetrable to the elements and the bad guys. Buildings that are cobbled together without a master plan are less secure.