Stupid security mistakes: Things you missed while doing the hard stuff

07.06.2012

The lesson: people will, if given the chance, pick dumb passwords. Have policies that force people to pick the least dumb passwords possible, and force them to change those passwords on a semi-regular basis.

Paranoid sysadmins will keep their OS patches up to date, of course. Windows in particular has a reputation as a leaky ship, and so tech staffers -- particularly tech staffers who may have been in part responsible for picking Windows as the OS of choice -- are generally good at keeping all those patches up to date.

The problem is that many of the most easily exploited vulnerabilities aren't in the operating system; they're in the applications that run on top of it. Just as an example, check out this list, put out by SANS in 2009, of . What's at the very top? Oh, just a text converter for , which you probably thought was about the most innocuous program on your computer. Also on the list is , which, as Mac users unhappily learned, .

Your data is among your most important assets: it may contain information proprietary to your business, or information about your customers that you've promised to keep secret and secure. Hackers will be trying to get this data, of course, but there's really no need to actively try to help them do it. Remember the 2006 incident when . It's easy to make fun (and especially easy to make fun of AOL), but the truth is that most organizations of any size have a heterogeneous host of servers, some public, some not, and some set up by shadow IT and not covered by rigorous security policies. The advent of cloud storage as a trend has just made it easier to perpetrate an embarrassing screwup along these lines.

Just as it can be difficult to keep track of how public the various servers on your corporate network are, it can also be hard to keep track of network nodes that might be public-facing. Rather famously, in 2007 TJX (the company that owns prominent discount department stores like TJ Maxx and Marshalls) suffered an embarrassing breach when hackers . (They even did so in plain sight, simply claiming to be IT staff there to repair the machines.) Remember, it makes no sense to set up elaborate defenses against unauthorized intrusions onto the network when you provide a fully authorized entrance that anyone can walk right through.