Do you know what the biggest threat is to your company’s cyber security? I’ll give you a hint. It’s not the middle-aged man in yesterday’s John Oliver video.

It’s your employees. Cyber attacks target the weakest link, and more often than not that weak is your employees.

According to CFO magazine, nearly half of all data breaches result from careless employees. Whether it’s an employee using a company-issued laptop on an unsecured wifi network, or an employee losing a password-unprotected iPhone, your employees present the greatest risk to the security of your company’s network and data.

What can you do about it? Train your employees. They need to understand the risk of their carelessness, and the steps they can take to mitigate that risk.

Here are 10 issues about which you should be training your employees right now to limit your company’s cyber exposure.

1. Passwords are mandatory, and must be strong. Employees generally resist having to enter a four-digit pin code every time they turn on their iPhones. The iPhone’s recent fingerprint scanner makes this process relatively fricionless. Your IT, legal, and risk management departments, however, should require them, since they make it that much harder for someone to access data on a lost or stolen device. If your organization deals in confidential information (e.g., doctors, lawyers, etc.), this requirement is that much more important (and might be mandated by law).

2. Manage email and attachments. Do your employees know not to open attachments from unknown sources? Even the best and most up-to-date security software will miss some viruses and malware. Your employees must understand not to open any attachments unless they can 100 percent verify the authenticity of the sender.

3. Fear phishing emails. Do your employees know how to recognize an attempted phishing attack—a syber-criminal impersonating a trustworthy source in order to steal credentials, or place malware on a system? Nearly 40 percent of all employees report opening a suspicious email. “When in doubt, throw it out” is a refrain you should drill into your employees’ heads.

4. Limit removable media and cloud storage. Removable and cloud storage limit your control over the portability of your data. If you need portable data, limit your employees to company-approved solutions that you can monitor and control.

5. Avoid public and other unsecured wifi. An open wifi system is no different than an unlocked house. Just as you would not leave your house in the morning with the front door wide open, don’t leave your network exposed by using open wifi networks.

6. Report lost or stolen devices immediately. IT must have the ability to remote-wipe a missing mobile device. Guess what happens, though, if an employee’s first call upon losing a phone is to their mobile carrier? The carrier turns off the device, and your organization loses the ability to remote wipe any data from it. Employees should be told that if they lose a mobile device, their first call should be to IT so that the device can be wiped of any corporate data.

7. Limit apps and programs. Ban the installation of apps other than from the official iTunes App Store and limit software installations to approve programs. It will limit the risk of the installation of viruses, malware, and other malicious code on the devices.

8. Back up everything. In the event of a cyber attack that shuts down or kills your system, you need to have the ability to restore from ground zero. You cannot do this unless you routinely back up everything.

9. Think before you post. Social media has irrovcably blurred the line between public and private. This evisceration, however, does not mean that your employees need to share everything. In fact, the more they share, the easier it will become for a phisher to gain trust, and, therefore, access.

10. Terminating employment means terminating access. Employees should be reminded that at the end of their employment, devices must be returned immeidately, or, if it’s an employee’s BYO device, it will be wiped clean of all company information.

Data breaches are not an if issue, but a when issue. You will be breached; the only question is when it will occur. While you cannot prevent a data breach from occurring, you can and should train your employees to sure up any knowledge gaps that further opens the risk they inadvertently pose.