Companies must address cybersecurity, or else “sentence ourselves to a permanent state of watching this problem grow worse and worse,” Microsoft’s president and chief legal officer Brad Smith said in a keynote session at Microsoft Envision on Tuesday.

With the European General Data Protection Regulation coming into effect in 2018, a global standard will be set that increases the responsibility to protect data, as well as the penalties if it is not done adequately, Smith said.

“There is no privacy without security,” Smith said. “It doesn’t matter how much work you do to document all the careful steps you’re taking during the day if someone is going to come in in the middle of the night and steal the data you possess … we have no choice but to get this right.”

Smith laid out the following five sets of questions that enterprise IT shops must ask to ensure they address all elements of cybersecurity and keep their data safe:

1. Have you enabled multi-factor authentication?

Who has the authority to grant exceptions? How many exceptions have they granted? If IT grants exceptions for its entire team, that poses a security problem, Smith said.


2. What is your practice for updating and patching systems?

How frequently do you patch your computers? How many computers are still running Windows 7 or older? In the WannaCry attack, more than 10% of the computers penetrated were running Windows XP, which was released in 2001 and has not been supported since 2014. “You cannot defeat the threats of the present with the tools from the past,” Smith said.

3. How do you manage systems access?

What data on your network would most likely attract attackers? This is different from what you regard as being most valuable to your organization, Smith said. “We have to encourage people to think like criminals” when it comes to this, he added. Further, how many employees have access to these sites? Do they all really need to access that resource?

4. Do you whitelist applications?

What applications can employees download and install? Have you already deployed a “trusted applications only” model? Is it possible for employees to bring in other things as well that might infect the network?

5. Do you monitor the health of devices accessing your network?

Do you require modern hardware in order to access critical assets? Do you regularly scan these assets for malware?
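The five sets of questions above are phrased for a boardroom, but each one maps to a check that can be run against an asset inventory. The following Python script is an added example, not code from the article or from Microsoft: it runs over a small constructed inventory (the accounts, devices, access lists and approved-application set are all made up for illustration) and reports MFA exceptions by who granted them, devices on Windows 7 or older, stale patching, over-exposed resources, unapproved applications and devices whose last malware scan is out of date. The 30-day patch and scan windows and the three-user exposure threshold are assumed values, not recommendations from the keynote.

```python
from datetime import date

# Fixed reference date so the report is reproducible (assumption for this example).
AS_OF = date(2017, 10, 1)

# Constructed sample inventory; none of these hosts, users or dates are real.
ACCOUNTS = [
    {"user": "alice", "mfa": True,  "exception_granted_by": None},
    {"user": "bob",   "mfa": False, "exception_granted_by": "it-admin"},
    {"user": "carol", "mfa": False, "exception_granted_by": "it-admin"},
    {"user": "dave",  "mfa": True,  "exception_granted_by": None},
]

DEVICES = [
    {"host": "ws-01", "os": "Windows 10", "last_patch": date(2017, 9, 30),
     "last_scan": date(2017, 10, 1), "apps": ["office", "browser"]},
    {"host": "ws-02", "os": "Windows XP", "last_patch": date(2014, 3, 1),
     "last_scan": date(2017, 6, 1), "apps": ["office", "cracked-game"]},
    {"host": "ws-03", "os": "Windows 7", "last_patch": date(2017, 7, 1),
     "last_scan": date(2017, 10, 2), "apps": ["office"]},
]

# Who can reach the data an attacker would most want (question 3).
RESOURCE_ACCESS = {
    "payroll-db": ["alice", "bob", "carol", "dave"],
    "marketing-share": ["alice", "bob"],
}

# The "trusted applications only" list (question 4) and the article's
# "Windows 7 or older" threshold for legacy operating systems (question 2).
APPROVED_APPS = {"office", "browser"}
LEGACY_OS = {"Windows XP", "Windows 7"}


def mfa_exceptions(accounts):
    """Question 1: count MFA exceptions per grantor, so a team that exempted
    itself wholesale stands out."""
    counts = {}
    for acct in accounts:
        if not acct["mfa"]:
            grantor = acct["exception_granted_by"] or "unknown"
            counts[grantor] = counts.get(grantor, 0) + 1
    return counts


def legacy_devices(devices):
    """Question 2: hosts still on Windows 7 or older."""
    return [d["host"] for d in devices if d["os"] in LEGACY_OS]


def stale_patch(devices, as_of, max_days):
    """Question 2: hosts not patched within max_days of as_of."""
    return [d["host"] for d in devices if (as_of - d["last_patch"]).days > max_days]


def overexposed_resources(access, max_users):
    """Question 3: resources readable by more people than the threshold."""
    return [name for name, users in access.items() if len(users) > max_users]


def unapproved_apps(devices, approved):
    """Question 4: per host, installed applications outside the allow-list."""
    findings = {}
    for d in devices:
        extra = [a for a in d["apps"] if a not in approved]
        if extra:
            findings[d["host"]] = extra
    return findings


def stale_scans(devices, as_of, max_days):
    """Question 5: hosts whose last malware scan is older than max_days."""
    return [d["host"] for d in devices if (as_of - d["last_scan"]).days > max_days]


def audit(accounts, devices, access, approved, as_of, patch_days=30, scan_days=30, max_users=3):
    """Run all five checks and return one report dictionary."""
    return {
        "mfa_exceptions": mfa_exceptions(accounts),
        "legacy_os": legacy_devices(devices),
        "stale_patch": stale_patch(devices, as_of, patch_days),
        "overexposed": overexposed_resources(access, max_users),
        "unapproved_apps": unapproved_apps(devices, approved),
        "stale_scans": stale_scans(devices, as_of, scan_days),
    }


if __name__ == "__main__":
    for check, result in audit(ACCOUNTS, DEVICES, RESOURCE_ACCESS, APPROVED_APPS, AS_OF).items():
        print(f"{check}: {result}")
```

The point of grouping MFA exceptions by grantor rather than just counting them is the one Smith raises: two exceptions both signed off by the same IT account is a different finding from two exceptions approved through a review process. In a real environment the inventory would come from the directory and endpoint-management systems rather than literals, but the checks themselves stay the same.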

A strong cybersecurity approach requires combining deep technical expertise with broad business management, Smith said. “One of the great lessons of 2017 is security is a team sport,” he said. “Not only an IT team sport, but one everybody in the enterprise needs to play together.”

Companies should not only celebrate new technological advances in the security space, but also preventative efforts from employees, Smith said. “IT staff should be honored for the problems they prevent, and not just fired for the problems they couldn’t stop,” he added.

“Cybersecurity needs to become one of the important causes for our time,” Smith said. “This is fundamental to building a more secure planet and creating a better world.”