Though vastly different in scale and impact, the breaches at the Office of Personnel Management (OPM), Sally Beauty Supply, Starbucks, Anthem, Adult Friend Finder, and Penn State teach valuable lessons, and reminders, about security vulnerabilities and the need to do more to protect against attackers.

When data has been stolen, the breached organizations are in the spotlight. As they try to do damage control, those who have yet to fall victim wonder how they can avoid future public scrutiny.

“A lot of these breaches don’t teach us, they remind us of things. There are few novel things in breaches. Most breaches are same old, same old: security is poor,” said Jonathan Sander, strategy and research officer at STEALTHBits Technologies.

Sander also noted, “From a PR perspective, security is a losing game. No one will ever congratulate you for prevention, but everyone will flog you for failure.” To shield themselves from the flogging, organizations cue the protocols, drop the blinds, and close the gates once they’ve been breached.

I reached out to several companies that have recently been breached, and repeatedly I received a kind note explaining that no one was available to speak to me. It felt like one of those dark family secrets that everybody knows about but no one will actually discuss.

Corporations are no different from families when it comes to protecting their reputations. To their credit, several of those recently breached are taking the right steps. Penn State, Sally Beauty Holdings, Adult Friend Finder, and Anthem have all posted press releases outlining their responses to the attacks, which include bringing in third-party forensics and legal counsel.
If the scope and depth of the OPM breach confirm anything about information security, “It reminds us that any time documents flow back and forth, you have a very heightened risk that demands special attention,” Sander said.

Starbucks serves as a pointed reminder that end users don’t protect their passwords. “In the case of Starbucks, the hackers got known password and email combinations,” said Sander. If people use the same password on a trivial chat site as on their bank, a breach of the chat site exposes the bank account too.

“Users treat security of their own data haphazardly. Users need to take responsibility,” Sander said.

Human error on the user end is not the only gateway for criminals into a network, so companies need to focus on risk assessment to plan effectively for prevention, detection, and response. “There is no way to understand all the ways something can be breached,” Sander said, “because the ways to be exploited are far greater.”

Jeremiah Grossman, founder of WhiteHat Security, said of these six breaches, “Not all the details are available yet, but one thing we’ve learned is that they were defendable.” Organizations need to see these attacks not as a wipe of the brow and a “glad it’s not me” moment, but as a serious reminder that the criminals are sophisticated.

One of the most valuable lessons is that companies need to understand risk analysis. To build the best defense, organizations need to know where their vulnerabilities are. Investing in tools and programs is a fool’s errand if security administrators are only running through a compliance and regulation checklist without a strategy. “OPM got hacked on a system they didn’t know existed. Risk management usually comes after the hack,” Grossman said, “so first understand what you are defending, what the threats are, then look at products.”

Knowing what they are protecting against is crucial for companies to position themselves for a stronger defense, agreed Lamar Bailey, director of security research at Tripwire. “You need to go above and beyond the lowest common denominator to secure your network,” said Bailey. “Products and solutions are great, but don’t overinvest in security. First, you have to know how you are integrating them into a security program,” said Bailey.

These breaches and others also highlight the range of attackers’ motives. While Starbucks and Sally Beauty Supply appear to be the victims of criminals looking for financial gain, OPM, Anthem, and Penn State show that some attackers are after something other than a quick payout.

“OPM was targeted for the rich, single source of federal employee identities. If you target individual federal entities, then you get that entity’s information, but if you target OPM, you get the information for all the federal entities,” said James Carder, CISO at LogRhythm. Carder pointed to weak access controls and the lack of identity management as root causes. “The protection of applications and data using stringent authorization and access controls (identity management) should be a focal point across all federal agencies.”

“Identity management is something that the government and most companies do a very poor job at, but it is the single element that defeats most security controls today and also the single element that is consistent across anything and everything related to security,” said Carder.

But what if everyone were an outsider?

Carder said the most important lesson learned from these breaches is the need to eliminate the element of human error.
“There is a crowded cloud environment. Move applications into a locked down infrastructure instead of trying to protect everything. Get rid of the human element,” said Carder, who argued that organizations can prevent hacks by doing what Google has done with BeyondCorp.

In their whitepaper, Rory Ward, site reliability engineering manager, and Betsy Beyer, technical writer specializing in virtualization software for Google SRE, wrote, “The perimeter is no longer just the physical location of the enterprise, and what lies inside the perimeter is no longer a blessed and safe place to host personal computing devices and enterprise applications.”

In theory, this rip-and-rebuild approach, redesigning the infrastructure from the ground up so that no single human mistake opens the door, is an idealistic goal. The reality, said Jeremiah Grossman, is that “only when a system is built and has value can we examine what works.”

While they continue to search for ways to protect and defend their data, organizations should know that they can survive an attack with little or no damage by installing tripwire policies, like honeytokens, which work like silent alarms, said Grossman. Grossman likened a honeytoken’s effect to giving a robber full access to a bank but only limited time. “I’m not going to get all the money,” he said. Tripwire systems that alert network administrators to suspicious behavior allow for earlier detection, which can stop criminals before they access everything.

The final lesson, and the most important one, is that there is no shame in being breached. Yes, there are consequences, but there is no magic impenetrable security gate. “If you’re out there on the internet you’ve been breached. The same attacks are going on across multiples. Share information with each other without giving proprietary information to competitors,” said Bailey.
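The silent-alarm idea Grossman describes is simple to build. What follows is an added illustration, not code from the article or from any of the people or companies quoted in it. It plants two decoy values, a customer id in a database export and an API key in a configuration repository (both store names are assumptions for the example), then scans constructed log lines for any use of them. Because a decoy is random and never handed to a real user, a single hit is a high-confidence alert, and the alert names which store was copied, which ties back to Grossman's point about first knowing what you are defending.

```python
"""Honeytoken tripwire (illustrative example, not from the article or any vendor).

A honeytoken is a record that looks real but belongs to nobody: a customer row,
an API key, a service account. Legitimate traffic never references it, so any
log line that does is a near-certain sign that someone is working through a
stolen copy of the data. The alarm fires while the intruder is still in the
vault, which is what makes it an early-detection control rather than a post-mortem.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass

# Assumed log layout for the example: "<iso-timestamp> <source-ip> <message>".
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Honeytoken:
    kind: str        # what the decoy pretends to be (customer_id, api_key, ...)
    value: str       # the unguessable bait string
    planted_in: str  # which store it sits in, so an alert names the leaked store


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    kind: str
    planted_in: str
    line: str


class Tripwire:
    def __init__(self) -> None:
        self._tokens: list[Honeytoken] = []

    def plant(self, kind: str, planted_in: str, prefix: str = "") -> Honeytoken:
        # 16 random bytes: a hit cannot be a coincidence or a typo by a real user.
        tok = Honeytoken(kind, f"{prefix}{secrets.token_hex(16)}", planted_in)
        self._tokens.append(tok)
        return tok

    def scan(self, log_lines: list[str]) -> list[Alert]:
        """Return one Alert per log line that carries any planted decoy value."""
        alerts: list[Alert] = []
        for line in log_lines:
            m = LOG_LINE_RE.match(line)
            ts, src = (m["ts"], m["src"]) if m else ("?", "?")
            for tok in self._tokens:
                if tok.value in line:
                    alerts.append(Alert(ts, src, tok.kind, tok.planted_in, line))
        return alerts


def demo() -> list[Alert]:
    """Plant two decoys, then scan constructed log lines; only two lines should alert."""
    wire = Tripwire()
    # Assumed store names; in practice these are wherever your real data lives.
    decoy_customer = wire.plant("customer_id", "customers_db_export", prefix="C-")
    decoy_key = wire.plant("api_key", "deploy_config_repo", prefix="sk_live_")
    real_customer = "C-48213"  # constructed legitimate id that must never alert

    # Constructed sample log lines (documentation IP ranges, no real traffic).
    logs = [
        f"2015-06-12T03:14:07Z 198.51.100.23 GET /account?customer_id={real_customer} 200",
        f"2015-06-12T03:14:09Z 203.0.113.7 GET /account?customer_id={decoy_customer.value} 404",
        f"2015-06-12T03:15:41Z 203.0.113.7 POST /v1/charges authorization=Bearer {decoy_key.value} 401",
        "2015-06-12T03:16:00Z 198.51.100.23 GET /healthz 200",
    ]
    return wire.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        print(f"ALERT {alert.ts} src={alert.src} {alert.kind} from {alert.planted_in}: {alert.line}")
```

The two alerts share a source address and name two different stores, which is the information an incident responder needs first: the customer export and the deployment config have both been read by the same party, so containment can start before the attacker has finished walking through either. Seeding decoys into every store you care about is cheap; the expensive part is making sure nothing legitimate ever touches them, since a tripwire that fires on routine jobs is quickly ignored.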