It just so happens that the Star Wars saga (at least Episodes IV-VI) is a textbook example of how not to handle what is basically a data breach. The Empire is, to put it mildly, woefully unaware of how data security works, which results in less-than-ideal responses to the breach.
In fact, security has failed in so many ways that it is hard to pick any one of them without at least touching other areas as well. Therefore, we have just picked a few things they should have handled differently from a security perspective.
Shooting the messenger is bad form and brings with it tons of paperwork as well as unpleasant conversations if taken too literally (outside the silver screen universe, that is). You might just as well find yourself in the situation of the messenger who has to break the news to the CEO that the web shop was put out of action because the website was bombed into next week by a DDoS attack. Or, you know, someone has managed to steal the classified construction data for your new headquarters. You know it’s not your fault because funds for security measures were not approved, you didn’t get the three new hires you were promised to polish up the shop platform, the antivirus license renewal still has not been greenlighted even though the license is four weeks out of date, etc. Yet, you stand there in front of your boss and are being told off for “your” fault.
Listen to what people tell you and don’t automatically assume that they are at fault. Besides: good messengers are not easy to come by, so don’t shoot them on a whim – even if you do not like the news they bring you.
So, in that respect, you have to give props to Kylo Ren – at least he only wrecked the office furniture instead of the officer who informed him about his escaped prisoner. The officers who served under his idol fared a lot worse – bring bad news and you will inevitably die, even if you just Skype in. And the guy next to you who already looks decidedly uneasy gets your job while you - or rather your corpse - are being dragged out.
Make sure your troops have confidence and no reason to be afraid of getting shot at the first sign of failure. In all likelihood, the person informing you about an incident is not the one responsible for it. They should also know that you trust them.
If something doesn’t work, it doesn’t work and should be removed. It has no place in your plans unless you are looking for something to worry about. To stay with our picture: The Bad Guy kidnapped the Princess because he wants a slave/wife. Much to his dismay she does not seem to be too fond of the idea of being press-ganged into this relationship and fights tooth and nail to get away. Try hugging a cactus and you get the idea. It will never be comfortable, ever. The smart choice would be to let her go. The not-so-smart choice for the Bad Guy is to hold on to his prize by way of an iron chain and to try to force her to do his bidding. Word to the wise: that chain might wind up around your neck if you are not careful. Just saying.
Always be aware that the assumption that a bigger security budget implies a higher security level has no basis in reality. Throwing money at a problem rarely makes it ‘go away’ – most of the time it just relocates the issue until it comes back to haunt you from a direction that nobody expected.
At the end of the day, there are still human beings involved. If the user decides that it is safe to override a certain security feature because he is not aware of a danger and hell-bent on opening that hatch with an angry Wookiee behind it, training is the only way of getting what you want.