It’s not an easy task for any organization to defend against the wide range of attackers going after intellectual property, credit card information, customer information or other business assets. There’s an inherent asymmetry in these attacks: the defender must be right 100%of the time, while the adversary only needs to get lucky once. Additionally, this inherent imbalance of power can become an expensive arms race where each incremental dollar spent doesn’t necessarily equate to another unit of security – which may still leave an organization exposed.

See also: Inside the Hack of the Century

Arguably, the Sony hack created an inflection point for board-level leadership at many companies worldwide. And the string of high-profile breaches that followed the disruptive attack, including the first that affected electricity output to thousands, triggered a new refrain: Cybersecurity is a shared responsibility and cyber risk-management has to be addressed from all corners of the organization. Looking at how the conversation about cybersecurity has changed in the past year, here are some key security lessons learned that the 2015 hacks brought to light:

Every business is a target
Whether a Fortune 500 company, a mom-and-pop shop or even a utility company, all businesses today are vulnerable and are proactively sought after as attack targets – whether by a nation-state group, a criminal network, or an independent hacker. From social security numbers to intellectual property – every brand today is trusted with information that translates to monetary value which can be sold on the Black Market or used for strategic espionage and data collection.

Visibility into threats is key
In today’s vast threat landscape, no organization can prevent 100% of breach attempts. Adversaries are sophisticated, determined and often times well-funded. This is why businesses across every industry need to shift their focus towards detecting threats and gaining insight into what risks they are exposed to. In many cases, it still takes months to detect adversary activity, and often by that time, the attackers have siphoned trade secrets and exposed the organization to serious liability or loss of IP. The ability to detect and prevent intrusions – whether malware or malware-free – lessens business risk.

Credential theft is devastating
The most common goal of attackers upon initial entry into the network is to secure domain and enterprise credentials to maximize chances of staying unnoticed. In many of the breaches that made the headlines in 2015, the adversaries succeeded in stealing administrative credentials and moving laterally across the environment. To that end, leveraging technologies that look at behavioral based indicators of attack and track the effects of what the adversary is trying to accomplish are more effective in identifying attacks in progress. Moreover, it is fallacy to believe you are safe if you stop every piece of malware, this thinking doesn’t hold true today as over 60% of successful breaches are malware-free intrusions.

Protect every endpoint
When adversaries pursue economic espionage or network destruction they look at endpoints as the starting point for assaults. Although endpoints are often the first line of defense against adversaries, in most enterprises, very few people are behind the VPN 24/7. To that end, organizations need thin, easily scalable solutions that protect all endpoints – servers, PCs, workstations – without hampering productivity or slowing down network processes. Adapting corporate risk mitigation strategies to incorporate endpoint protection enhances attack readiness.

Treating cybersecurity as an add-on to IT operations is just not working for corporate America. Without a radical change to make cybersecurity a part of the fabric of the organization, from the server room to the Board of Directors, the balance of power will continue to favor the adversary.

With unprecedented attacks from Sony to the recent hack of the Ukrainian power grid, it’s become clear that each and every organization must implement a top-to-bottom risk mitigation plan which includes investing in breach readiness, and response capabilities. Note the word “mitigate” not “eliminate,” as 100% elimination of a breach risk would be too costly and not possible. Risk mitigation should include evaluating cyber-insurance options to insure for some of the risk that cannot be eliminated – organizations should prevent what it can, but be ready to deal with an intrusion. The key is to rapidly assess any intrusion that has managed to sneak past your defense and contain that intrusion immediately. Containing an intrusion as early as possible will ultimately prevent the “mega” breach we have become desensitized to.

George Kurtz is the CEO and co-founder of cybersecurity technology firm CrowdStrike.