There is no relief in sight from the data breach threat according to the Ponemon 2016 Cost of Breach Study. There is nowhere to hide from the potential extinction-level event that could be waiting around the corner for your enterprise. It is crucial for companies to protect themselves.

Whether you need to hire a chief information security officer, create data loss prevention controls, start using encryption or find cyber insurance--the time is now.

This is not about stupid moves, and how to avoid them. It is about knowing that no organization is above them.

Community Mercy Health Partners of Ohio just last year was outed for exposing upwards of 113,000 patients. The records were left in a recycling bin: documents and other material that contained the names, Social Security numbers, medical information, dates of birth and other sensitive data of patients treated at Community Mercy Health Partners, which includes a large regional hospital.

But let's say that you know old documents can be a source of identity theft, and your company has a shredder. Do you know everything else you need to know to keep the sensitive personally identifiable information in your company's possession out of harm's way? How about your employees?

Know What You Don't Know

There was an identity theft prosecution case some years ago that hinged on an electric typewriter seized when the suspects were arrested. The typewriter ribbon contained 400 names and Social Security numbers that matched information in notebooks also on the premises, which corresponded to clusters of people who all worked for the same company. That evidence helped the prosecution make their case.

It goes without saying there are plenty of people still living and breathing and thus still attackable whose personally identifiable information (PII) passed through a typewriter or an old-school thermal fax machine at some point in the past--and that equipment is still out there waiting for an identity thief to find it in a landfill or buy it for a dollar at auction.

Thermal fax machines are the other famous example of old technology that can pose an issue in the here-and-now even though they have been largely replaced by printers with hard drives.

Remember: Used equipment is often tossed with the film or ribbon or hard drive still inside--a potential cornucopia of information for an identity thief.

Think all this is hypothetical? ABC News's "7 on Your Side" went to Loudoun County, VA a few years back after a tip that the county was getting rid of typewriters with super granular personally identifiable information on the ribbons--think names, dates of birth, Social Security numbers. ABC was able to trace the tipster's typewriter to Loudoun County's Department of Mental Health. At the surplus store where that machine was purchased, signage informed would-be crooks that the hard drives had been removed from all PCs, but the news team was still able to buy a typewriter with PII-riddled ribbon.

CISOs are paid to think about the various ways data leaks

It should not come as a big surprise that equipment used to make fake identification credentials might contain traces of those crimes.

What may not be entirely obvious (just long enough to cause you a major issue) is that equipment used to conduct day-to-day business can contain all the information an identity thief needs to commit crimes--and because of shoddy information security practices, crimes are committed with an organization as unwitting accomplice all the time.

While typewriters and thermal film fax machines are largely a thing of the past, it is important to bear in mind something that a good CISO would never lose sight of: that the ribbons and films on those outmoded machines (don't forget the eraser ribbons) are basically old-school hard drives. More important: all the equipment that has a hard drive, but isn't a computer. A recent class action suit settled for $1,215,780. At issue: a hospital had returned copiers to a leasing company without wiping the hard drives, thus exposing the PHI (protected health information) of up to 344,579 people.

A CISO is paid to know that HIPAA Privacy and Security Rules require an institution to keep a list of risks and vulnerabilities; electronic protected health information stored on a copier's hard drives would definitely make that list.

Another thing that would make it onto any CISO punch list: being prepared for the day when a data breach happens. Leaks and compromises are as inevitable as a breaking Donald Trump news story. Having a plan in place, the right amount of cyber insurance, and everything else that goes into a great CISO breach preparedness program is no longer optional. Your survival depends on it.