"Expect it to be compromised," he said. "Don't put data out there, into Facebook or something, unless you really want to share that out to the world."
Users and businesses need to be skeptical. The security risks come not only from hackers, but from vendors that haven't done their due diligence in securing their products.
"Make them earn your trust," he said. "Make them demonstrate why you should trust them."
Jeremiah Grossman, chief of security strategy at SentinelOne
He recommends businesses do an inventory of every asset they own. This can help determine what company resources are online and where they might be vulnerable.
"When a company gets hacked, it's largely because there's a computer, a box, a website that they didn't know they owned," he said.
For a small business, an inventory may take a day, while for a Fortune 500 company, it can take a few weeks, he said. It can be done internally or outsourced to a consulting firm.
His advice for a company's IT security staff : "If I were to jump into a new company, what is it that I'm protecting?"