In the wake of the Target breach, the Home Depot breach, the PF Chang’s breach, and hundreds of other corporate hacking events that made headlines in the last year, it’s easy to assume that cybercrime is only a “big company” problem. After all, hackers are taking a huge criminal risk in stealing and using other people’s data, so it’s understandable to think that hackers wouldn’t go after a small or mid-sized company. But that’s proving not to be the case, as small business owners are finding out almost every day.

October is National Cyber Security Awareness Month, and the focus of week four is on how small business owners need to prepare for data protection in order to safeguard their customers’ information and their own business security. By having adequate protocols in place to prevent a breach and a streamlined process for responding to a hacking event, hardworking business owners can know they are doing everything within their power to protect sensitive information.

Many industry experts have taken the viewpoint that it’s not a matter of “if” a data breach will affect a business, regardless of its size, but “when.” But one of the biggest obstacles small business owners face when it comes to data protection is the typically high price of investing in tools like quality anti-virus software, external hard drives for backing up consumer data, system checks of their credit card systems, and more. Experts caution business leaders that investing in the right preventive tools before an incident occurs will result in tremendous savings by minimizing the damage and the resulting financial liability of exposing their customers’ data to hackers.

Also, given that a high percentage of data breaches are actually “inside jobs,” it’s important to limit employees’ ability to access customer or client information. By making sure that employees cannot retrieve sensitive data for which they really have no need (as in the case of not one, but two data breaches of cellular provider AT&T’s customers’ information in 2014 alone), a lot of expensive damage can be prevented.

But when an employee is responsible for a data breach, it’s not always malicious. Sometimes a lack of training or tech-awareness is all it takes to expose a business to hackers from the inside. By making sure that all employees are fully trained in the dangers of certain online behaviors like opening links in emails or downloading videos and images, as well as by ensuring that company computers that access sensitive data are not able to interact on social media, companies can help keep their data protected.

One other important tool is a routine checkup of company technology and networks, meant to uncover flaws or vulnerabilities in protection. This is especially important in a business’s credit card system, as a number of breaches have occurred due to malicious software running in the background on POS machines and other network-based computers. These checkups can have a significant cost, but it’s far better to pay for one before an incident happens, rather than as part of the process of assessing liability after a breach.

Perhaps the most crucial step a company can take in protecting its customers’ data is to not store unnecessary information in the first place. If a company requires customers’ personally identifiable information such as Social Security numbers or driver’s license numbers in order to establish an account, for example, there’s no need to hang onto that data after the account is opened and in good standing. It leaves the customers vulnerable to hacking, and the company liable for paying to clean up the mess after a data breach. By not holding onto information that hackers want, it might be possible to prevent a breach from ever happening.