Some real talk for businesses in 2017: Cyber attacks happen.
They don’t all have to be as ugly as the Equifax hack—which potentially exposed the personal data of nearly 15 million people—but for corporations, the question is not ‘if’ but ‘when,’ said Valerie Abend, who leads Accenture’s Financial Services Security practice in North America, and who was speaking at a panel at Fortune’s Most Powerful Women Summit in Washington, D.C. Tuesday.
“Avoiding the scary is not the solution,” she said, adding that it’s important for companies to have worked out the legal terms and communication protocols around cyber breaches before they happen. It’s not sufficient to simply react, she noted.
Another wake-up call for corporations: It’s not enough to merely guard against cyber threats in your own backyard, i.e. on your internal corporate network, said Edna Conway, chief security officer of Cisco’s Global Value Chain. In 75% to 80% of cases, she explained, a breach happens not on a company’s network, but on that of a third party provider working with the company.
Sign up: Click here to subscribe to the Broadsheet, Fortune’s daily newsletter on the world’s most powerful women.
“There’s no longer an ‘us’ and ‘them,’” said Conway, who encourages companies to “open your arms and embrace third-party providers” in efforts to mitigate and counter cyber risks.
Conway also stressed that companies should look at cybersecurity as a larger corporate risk and governance issue for which all executives are accountable, rather than a matter that is simply delegated to an IT department. For that reason, it’s important board members and non-technical executives be fluent in the issue, said Conway, who recommends companies and boards develop metrics and transparent reporting around cybersecurity. (Just as the retail industry talks about theft risk in terms of “shrinkage rates,” corporations can talk about “tolerance levels” when it comes to cyber risk, she said.)
Other expert tips: Lauren Penneys, who heads up business development at Palantir, advised companies to get their own data and IT assets in order—both to better understand what risks do exist and to improve readiness to respond when a breach does happen.
And all three panelists spoke of the value of “red teams,” or groups of benevolent white-hat hackers that find network vulnerabilities, in mitigating cyber threats. But Conway cautioned that corporations should use them thoughtfully. “You need to be careful who you use,” she said. “There are some things you don’t want to outsource.”