At a recent cybersecurity forum hosted by U.S. Sen. Angus King and the Maine State Chamber, one CEO confessed that her company was “ignorant” about protecting itself against cyber-crime.

It is a comment I hear frequently. The CEO who made this confession — a savvy manufacturing executive — is in good company. Too many organizations have outdated firewalls, limited security features and weak company-wide policies regarding data security. And that just scratches the surface.

A foreign entity trying to access a company’s server, or a college scammer hacking into its system late at night, is the kind of threat we romanticize. The fact is, hackers are everywhere and indiscriminate, and often attack using sophisticated processes.

What’s worse, successful cyberattacks and compromised cybersecurity often result from internal sloppiness.

According to the IT security software company Tripwire, more than 60 percent of security events are the result of an inside attack. And about 80 percent are from insiders who unintentionally compromised their company’s security. In these cases, the cause could be poor password settings, or employees who were granted access when they shouldn’t have been.

But cybersecurity is part of a much larger issue of business continuity and data security planning. For almost all companies, a prolonged period of downtime without access to critical applications and data can have dire consequences.

Here’s a list of critical questions that organizations — small, medium or large — need to consider so their management can sleep better at night:

• Does the company have a disaster recovery plan? If it does, congratulations, but it should be tested regularly with close-to-real-life scenarios about how to handle power outages, cyberattacks, system failures, human errors and natural disasters. If it doesn’t, it should start planning now.

• Is the company’s server room a disaster waiting to happen? Redundant cooling isn’t an option for most businesses that have a separate room for their servers. If the business relies only on its air conditioner to keep its server room cool, it can run into big problems if the AC fails. If the heat levels aren’t monitored by the IT team 24/7 or controlled through an automated cooling process, there’s no way of knowing if the server room is overheating.

• How does the company handle an electricity failure? It should consider having an uninterruptible power supply — an alternate battery backup system — or a generator. It also needs a plan for what happens when more fuel is needed for that generator if an outage lasts more than a few days.

• Does the company have a firewall? If it does, but it’s a couple of years old, it may as well not have one. An estimated 51 percent of organizations have a firewall that is more than 3 years old, leaving them vulnerable to attack. New threats require protection from up-to-date, next-generation firewall technology.

• What about data security and password protection? Does the business encrypt sensitive data? Does it password-protect its files and establish unique user names and passwords that must change regularly? Sure, it’s a nuisance to remember new passwords, but it’s much more painful to lose data in a successful hack.

• Does the company have data backup and recovery? A company should follow the 3-2-1 rule: it should have three copies of its data (one primary and two backups), they should be on two types of media (storage hardware), and at least one of the copies should be in the cloud.

• How does the company protect itself from data being lost or stolen off laptops or other devices? Many companies have faced significant PR backlash and expensive lawsuits simply because an employee had sensitive data on a laptop that was stolen or compromised.

One solution that ensures security compliance is a virtual desktop solution in the cloud. Virtual desktops exist on a secure infrastructure inside a cloud provider’s data center, not on an individual device. This means that data is kept secure in the cloud at all times, and a lost laptop becomes a relatively minor equipment loss rather than a potentially serious data compromise.

With so many security threats circling the Web, it’s more critical than ever to implement reliable security measures. Like most criminals, hackers tend to be lazy, and look for easy, unguarded targets. Let’s at least make hackers work hard and give up on attacking our data.

Craig S. Gunderson is president and CEO of Oxford Networks in Lewiston.
