A somewhat obvious rule of internet security to add to the first three:
- Against a sophisticated attacker, nothing connected to the internet is secure.
- Everything is internet now.
- You should probably worry more about being attacked online by your own government than by any other organization.
- Sensitive data about you is largely on the computers of other people who care little about your security.
Equifax is getting lots of attention right now, but consider also Deloitte, Adobe, Stratfor, Blizzard, LinkedIn, Dropbox, Ashley Madison, Last.fm, Snapchat, Adult Friend Finder, Patreon, Forbes, Yahoo, and countless others.
As Bruce Schneier points out, the only plausible path to reduce such breaches is for governments to make them far more painful and costly for corporations.