The recent document leak detailing CIA spying campaigns and hacking techniques has fostered conversations and news stories on how to balance intelligence gathering with privacy, as well as discussions on the agency’s extensive spying capabilities. What hasn’t been discussed as much is what enterprises (and governments in one case) can learn from the WikiLeaks Vault 7 leak.

To me, three key takeaways are that leaks can happen to any organization, figuring out what entity carried out an attack is difficult to do, and we’re in an era when nation-state weapons end up in the hands of criminals. Collectively, these developments make practicing information security more complex than ever. Now, let’s explore each one in more detail.

Figure out the impact of a leak on your organization

Every company is vulnerable to leaks. Whether a disgruntled employee releases your company’s secret sauce recipe or there’s a whistleblower who thinks your company has lost its way, there’s the potential for trade secrets to end up in the public sphere.

From a technical standpoint, preventing leaks from happening is challenging. You can prevent employees from using USB drives and FTP or monitor their email to see if any sensitive information is being improperly shared with outside entities. But just like a motivated hacker, a motivated employee will figure out how to get this information out of the company.

While taking proactive steps to prevent leaks is highly important, companies should also run scenarios that look at how they would be impacted by a leak that exposes key data and develop a response plan in the event of a leak.

Could there be public backlash if the leak shows the company was engaged in activities that some people would consider unethical? After Edward Snowden, for example, leaked information on U.S. government intelligence operations, civil liberty groups, lawmakers, tech companies and foreign governments demanded accountability.
Companies involved in projects that could spark ethical concerns should talk about the potential fallout if the public learned about this work and how to quickly recover. Would the stock price tumble? Would revenue be hit? Would customers cancel contracts?

Or could a leak seriously jeopardize the organization’s main mission? The CIA may find itself in this situation after the Vault 7 leak. With information about the tools and techniques the CIA used to conduct operations publicly available, companies will use this information to patch flaws and harden the security of their products. This would force the CIA to develop new tools and procedures for carrying out its objectives. Companies need to consider how to react if their intellectual property were shared publicly, providing competitors with a chance to study their plans and even incorporate them into their products.

You may never know who attacked you

While every company would like to learn who attacked them, attribution ranges from complicated to nearly impossible to pull off. Often, hackers make every effort to hide their tracks, and deception is an essential component of any campaign. Attackers want to make sure that if they’re discovered, someone else is blamed. That’s why Russian hackers include snippets of Chinese in their malware code. This gives the appearance that China is the perpetrator.

Deception is also part of the CIA’s campaigns, according to WikiLeaks. Supposedly, an internal CIA group called UMBRAGE steals the tactics used by nation-state attackers to fool security analysts into wrongly attributing CIA attacks to those countries.

For organizations, this should drive home the point that they may never truly know who attacked them. The reality is bad guys have too many methods for deceiving the good guys. Not placing so much emphasis on attribution may go against human nature, since people want some form of justice after a crime is committed.
But attribution, as I’ve said before, does nothing to bolster a company’s security.

Businesses need to be ready for when nation-state exploits are used against them

Nation-states hoard hardware and software zero-day exploits and use them in their operations to take full control of devices. If these exploits, or knowledge of them, are leaked to the public, attackers have access to this information as well and could use it to attack organizations.

This happened with the Vault 7 leak. At the moment, WikiLeaks isn’t disclosing the technical details of the zero-day exploits contained in the leaked documents. WikiLeaks founder Julian Assange has promised to share this information with vendors, allowing them to fix the vulnerabilities in their software and hardware. But the documents WikiLeaks did release describe these exploits.

Theoretically, attackers could use this information to reverse-engineer the exploit. In fact, two weeks ago Cisco warned customers that a software flaw discussed in the Vault 7 leak allows the CIA to fully take over more than 300 of the company’s switches. There’s no fix to address the issue, but Cisco said it will release a software update that patches the vulnerability.

When a nation-state zero-day exploit becomes public information, companies need to be prepared. They should immediately contact the impacted vendor to see if a patch is available, and if one has been developed, apply it immediately. And if a patch isn’t available, businesses need to find out if there’s a work-around they can use.

This is a good time to stress that every organization needs to develop a complete incident response plan, test it at least once a year, and modify it as new threats emerge or the business changes. An incident response plan is especially prudent if threat actors end up leveraging a nation-state zero-day exploit in an attack.

Security incidents, especially ones that involve zero days, are already stressful.
Not having a detailed plan in place for how to handle these situations only adds to the stress and confusion. Your company’s executives’ and security teams’ first exposure to the incident response team shouldn’t be when there’s a breach.

Consider how a security incident could impact your business

Whether a security incident is as severe as a data breach or something that seems less harmful, like a leak of CIA spying tactics, companies should always consider how it will impact them. And if companies don’t see a connection between their defense and a security incident, they shouldn’t be afraid to ask, “Could this happen here?” Use an event as an opportunity to bolster your organization’s protection capabilities.