The best part of a major data breach is that it serves as a cautionary tale for the rest of us. We get to learn everything that Equifax (hopefully) learned, without having to go through a class-action lawsuit.

The bigger the hack, the bigger the wake-up call. Pretty much every company in the Fortune 500 has suffered some sort of public data breach in recent years. It’s enough to keep IT managers up at night. If you’re second-guessing your own data security, feel free to check out UpStack’s data center comparison resources to see how you might improve your data protection.

With that in mind, here are some very expensive mistakes that other companies have learned.

People are Still the Problem

It’s maddening that your company can invest ungodly sums of money in hiring the best IT staff and building a secure infrastructure… only to see it all undone by a single employee opening a phishing email.

Verizon recently released a very insightful report on trends in data security, and their data shows that phishing is still the most popular cause of data breaches. Denial-of-Service attacks (DoS), data loss, C2, and misdelivery caused more security incidents, as a whole. However, phishing remains the most popular entry point for breaches.

Their data also revealed that the higher up the employee, the more likely they are to be targeted, with C-Suite executives being 12 times more likely to be attacked than other employees. And email was still used in 90% of reported attacks.

The Cloud is Still Vulnerable

Capital One suffered a massive breach that compromised the data belonging to about 106 million of their customers. As bad as that sounds, things may have been considerably worse if the hacker didn’t take the time to post about her exploits online.

Many experts are pointing to Capital One’s breach as a symptom of a bigger problem facing the financial sector in general. Organizations are rushing to adopt the cloud for their data, however, they need to feel the same sense of urgency to protect the cloud.

Not All Expensive Targets are Financial Institutions

One of the key takeaways from the recent Fortnite hack is that thieves don’t have to target a bank, credit bureau, or credit card company to gain access to financial data.

When hackers targeted the mega-popular online game, they were able to stand in for real players to buy in-game currency using the credit cards on file, then siphoned off those purchases into their own accounts. As soon as a phishing link was clicked by a user, that user was completely exposed.

It’s uncertain exactly what the user-side damages were, with no exact numbers released on how many people were affected or how much money was stolen. We are, however, clear on the company side damage, with Epic Games now facing a class-action lawsuit while losing the faith of millions of parents.

You could argue that none of this is new information. We have always known that users/employees are the #1 entry point for hackers. Likewise, we’ve also always known that the cloud is far from 100% impenetrable and that any company is a threat to be hacked at any time.

The biggest lesson may be that we have not made nearly as much progress in safeguarding these areas as we would like to think.