There have been plenty of news stories in recent years about corporations that became victims of a data breach.
The attacks were carried out in various ways; here are some common examples of the vulnerabilities involved:
Software was not patched even after its bugs had become publicly known.
Staff lost a flash drive (USB stick) containing sensitive data.
Network ports were exposed to untrusted personnel.
Server room access control was inadequate.
Endpoint security software was not installed.
The firewall was not configured to allow only the expected services through.
Disgruntled or recently fired employees stole data for revenge.
Staff clicked on a malicious link in an email.
Passwords were too simple and easy to guess.
Staff connected to free Wi-Fi in a mall, an airport, a rogue network, etc.
The list could go on for hundreds more points, but here are the bottom lines:
All computer system software shall be hardened in accordance with the security policy.
Physical access to computer systems shall be restricted.
All data access rights shall be restricted to a need-to-know basis and subject to renewal.
Remember: no amount of logical security will protect your data once that data has been physically breached.
Speak to your trusted security consultant to assess and manage your current risk environment holistically.