Of all the industries prone to data breaches — maybe better make that of all industries, period, since hacking and other incursions have become so prevalent — the financial industry stands out, and not for a good reason.

In fact, according to a report from eMoney Advisor, financial services firms are the most susceptible to the bad publicity that follows an exposure of data that should have stayed private. At 5.7%, the industry has the highest abnormal churn rate — a measure of lost customers — in the U.S. economy.

And even though cyberattacks make lots of headlines, that doesn’t mean that firms are prepared to ward them off. According to the report, they lack the resources, infrastructure or experience to keep attackers at bay.

The average financial firm breach costs nearly $7 million, while a recent report finds that in 2017, 25% of such firms were hit; in 2016, 20% of firms suffered a breach.

The motive behind data breaches varies by industry: hackers of retail and government systems are usually looking for data to sell online, while within the financial industry they are typically looking to steal money or data directly from customers, eMoney says.

Some of the tricks hackers use are business email compromise (BEC), in which someone in the company is deceived into sending funds to a bogus account; ransomware, which shuts down a company’s systems until a ransom is paid; and phishing, the most common in financial sector companies. Phishing emails lure the recipient into clicking on a link, attachment or website that can then infect the computer with malware.

Attacks are getting more sophisticated and more common, and the fallout includes dealing with irate clients and offering them free or discounted services, time spent handling the situation, reputational damage and the cost of lost customers.

Some of the measures eMoney Advisor suggests to protect data include two-factor authentication, which makes it more difficult for bad guys to gain access to client accounts; encryption, which keeps hackers from making sense of data even if they have broken in and reached it directly; and backups, which can protect against ransomware by allowing companies to restore their own data.

Vendors need to be monitored, a disaster recovery plan specifically for cyberattacks should be in place, and companies should also be prepared to review “lessons learned” in the wake of an incident.

Last but not least, a company’s list of protective measures has to include “cybersecurity hygiene” that keeps systems and security measures current and active; better training of users so they are not taken in by such tricks; and security testing to make sure that everything is working and protected as it should be.