According to Verizon, 76 percent of all network intrusions involve weak or stolen credentials.
In September, for example, Illinois-based sandwich chain Jimmy John's reported that hackers stole payment data from 216 stores by using a login and password stolen from the company's point of sale vendor.
"It turned out the vendor was using a shared password to administer all their customers," said Tenable's Man.
Install and maintain a firewall configuration to protect cardholder data
Only 64 percent of companies were fully compliant with this requirement, even though, again, it seems like an obvious measure that every company would take.
And it's not enough to have the firewall up and running in time for the audit -- for it to do its job, it has to stay up, and stay correctly configured, all the time.
According to Verizon, only 12.5 percent of organizations that suffered a data breach were fully compliant with this requirement. A firewall alone isn't enough to protect a company, but not having one is like leaving every door of a house wide open.
Attention to security and compliance must be ongoing, said Orfei.
"It's something you have to build into the DNA of the company, and you have to do it religiously," he said.