According to the Open Security Foundation, three of the 10 worst security breaches of all time happened this year. That includes 173 million records from the NYC Taxi & Limousine Commission, 145 million records at eBay, and 104 million records from the Korea Credit Bureau. And that's not counting the 1.2 billion user names and passwords reportedly stolen by Russian hackers, or the 220 million records recently discovered stolen from gaming sites in South Korea.
2014 is well on its way to replacing 2013 as the highest year on record for exposed records, according to the Open Security Foundation and Richmond, Va.-based Risk Based Security Inc.
If we learn from our mistakes, then this year should be a banner year in security education.
Here are some lessons.
1. It's time to take staffing seriously
The biggest security hole in information security might not be technical at all.
"Roughly 40 percent of security roles are vacant in 2014," said Jacob West, CTO of Hewlett Packard's Enterprise Security Products. "And when you look at senior security roles, that vacancy rate is nearly 49 percent. No matter what technology we use, no matter how we try to secure our systems, if we're going into this war with almost half of our army unstaffed, we're going to see our adversaries be successful."
West was referring to a study published this spring by the Ponemon Institute and sponsored by HP, which also showed that 70 percent of respondents said that their security organizations were understaffed. The chief reason? According to 43 percent of respondents, the organizations weren't offering competitive salaries.
Companies might want to reconsider their security staffing budgets in the wake of another Ponemon study, sponsored by IBM and published in May. It found that the average total cost of a data breach rose 15 percent to $3.5 million, and that the average cost per lost or stolen record containing sensitive and confidential information rose more than 9 percent, from $136 in 2013 to $145 in this year's study.
2. Know your code
Over the past 10 years, many organizations have adopted software security best practices, building in security at a fundamental level.
However, that only applies to code they write themselves.
"One of the big points that was really brought to light this year -- and vulnerabilities like Shellshock and Heartbleed really made this point -- is that enterprises don't write the majority of software themselves," said HP's West. "Software is in fact composed rather than written. We take commercial components and open source components and build a little bit of proprietary on top of that."
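Knowing which third-party components are built into each application, and at which version, is the practical side of "know your code": when Heartbleed was disclosed, the organizations that could answer that question in minutes rather than weeks were the ones with an inventory. The script below is an added example, not code from this article or from HP. It walks a constructed component inventory (the kind of list a package manifest or software bill of materials produces) and flags entries whose version falls inside the published Heartbleed-affected range for OpenSSL (1.0.1 through 1.0.1f inclusive; fixed in 1.0.1g, with the 1.0.0 and 0.9.8 branches unaffected). The application names, the inventory entries and the helper names are assumptions made for illustration.

```python
"""Added example: check a component inventory against a known-affected version range.

The inventory entries and application names are constructed for illustration.
The Heartbleed range is the published one: OpenSSL 1.0.1 through 1.0.1f are
affected; 1.0.1g and later, and the 1.0.0 and 0.9.8 branches, are not.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    app: str       # hypothetical application that ships or links the component
    name: str      # component name as it appears in the inventory
    version: str   # version string as shipped


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn an OpenSSL-style version such as '1.0.1f' into a comparable tuple.

    The trailing patch letter becomes a number (a=1, b=2, ...); a version with
    no letter, such as '1.0.1', sorts before '1.0.1a', matching OpenSSL's order.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, fix, letter = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(fix), patch)


# Known-affected ranges: (component, lowest affected, highest affected, label).
# Both bounds are inclusive.
AFFECTED = [
    ("openssl", "1.0.1", "1.0.1f", "Heartbleed (CVE-2014-0160)"),
]


def is_affected(component: Component) -> Optional[str]:
    """Return the matching advisory label, or None if the version lies outside
    every known-affected range recorded for that component."""
    v = parse_version(component.version)
    for name, low, high, label in AFFECTED:
        if component.name == name and parse_version(low) <= v <= parse_version(high):
            return label
    return None


def audit(inventory: List[Component]) -> Dict[str, List[str]]:
    """Map each advisory label to the applications found shipping an affected build."""
    findings: Dict[str, List[str]] = {}
    for c in inventory:
        label = is_affected(c)
        if label:
            findings.setdefault(label, []).append(f"{c.app} ({c.name} {c.version})")
    return findings


# Constructed inventory for three hypothetical applications.
INVENTORY = [
    Component("payments-api", "openssl", "1.0.1e"),     # inside the affected range
    Component("payments-api", "zlib", "1.2.8"),         # no range recorded
    Component("web-frontend", "openssl", "1.0.1g"),     # first fixed release
    Component("legacy-batch", "openssl", "1.0.0k"),     # 1.0.0 branch, not affected
    Component("vendor-appliance", "openssl", "0.9.8y"), # 0.9.8 branch, not affected
]


if __name__ == "__main__":
    for label, apps in audit(INVENTORY).items():
        print(f"{label}:")
        for a in apps:
            print(f"  {a}")
```

The point of the example is not the version arithmetic but the prerequisite: a check like this is only as good as the inventory fed to it, so a component that is statically linked or vendored into an application without being recorded will never be flagged. That is the gap West is describing.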