In all cases, vendors should vouch for the security of their products in writing, he said.
Businesses also need to practice what experts call "security in depth." Besides following best practices in purchasing hardware, companies should have technology in place to monitor networks for traffic that would indicate sensitive data is leaving an organization without authorization.
"No single point of security; no single point of failure," Coleman said.
However, no matter how many layers of security a company has, a breach is always possible. "Never say never," said Danial Faizullabhoy, vice president of business development for Norwich University Applied Research Institutes.
Therefore, a company should always have policies and procedures that spell out how it should react when a breach occurs, Faizullabhoy said.