Jeremiah Grossman, founder at WhiteHat Security, said about these six breaches, "Not all the details are available yet, but one thing we've learned is that they were defendable." Organizations need to see these attacks not as a wipe-of-the-brow, "glad it's not me" moment, but as a serious reminder that the criminals are sophisticated.
One valuable lesson is that companies need to understand the value of risk analysis. In order to build the best defense, organizations need to know where their vulnerabilities are. Investing in tools and programs can be a fool's errand if security administrators are only running through a compliance and regulation checklist without a strategy.
"OPM got hacked on a system they didn't know existed. Risk management usually comes after the hack," Grossman said, "so first understand what you are defending, what the threats are, then look at products."
Knowing what they are protecting against is crucial for companies to position themselves for stronger defense, agreed Lamar Bailey, director of security research at Tripwire. "You need to go above and beyond the lowest common denominator to secure your network," said Bailey.
"Product and solutions are great, but don't over invest in security. First, you have to know how you are integrating them into a security program," said Bailey.
These breaches and others also highlight the malicious intent of criminals. While Starbucks and Sally Beauty Supply seem to be the victims of criminals looking for financial gains, OPM, Anthem, and Penn State prove that some criminals have far more malicious motives.
"OPM was targeted for the rich, single, source of federal employee identities. If you target individual federal entities, then you get that entity's information, but if you target OPM, you get the information for all the federal entities," said James Carder, CISO at LogRhythm.
Carder pointed to the root-cause weaknesses in information technology, which include weak access controls and the need for identity management. "The protection of applications and data using stringent authorization and access controls (identity management) should be a focal point across all federal agencies."
"Identity management is something that the government and most companies do a very poor job at but it is the single element that defeats most security controls today and also the single element that is consistent across anything and everything related to security," said Carder.
But what if everyone were an outsider?
Carder said the most important lesson learned from these breaches is the need to eliminate the element of human error. "There is a crowded cloud environment. Move applications into a locked down infrastructure instead of trying to protect everything. Get rid of the human element," said Carder, who argued that it is possible for organizations to prevent hacks by doing what Google has done with BeyondCorp.