It might be impossible to prevent hackers from breaking into corporations like Capital One. But here's what companies should do anyway to make sure data doesn't fall into the wrong hands.

Among the most important lessons is recognizing that while the data was stored in Amazon Web Services, that doesn't mean it was Amazon's fault, according to Ameesh Divatia, co-founder and CEO of data protection firm Baffle. 

Read more: A professional hacker reveals how to create the best possible password

In short, Amazon Web Services rents functionally unlimited supercomputing power to anybody with a credit card, from individual developers up to behemoths like Capital One. According to the criminal complaint against Thompson, Amazon's cloud storage itself was never directly breached — rather, she took advantage of a "firewall misconfiguration" in how Capital One set up its cloud infrastructure to steal customers' information.

Divatia says this speaks to a common misconception held by customers of AWS and other major cloud platforms: That Amazon will handle everything. Rather, Divatia says, remember that the burden of actually locking down the data stored in that cloud largely belongs to the customer. 

"Step one in terms of mitigating these issues is [to] get out of this false sense of security that cloud users have, that Amazon will take care of it," says Divatia. 

Preventing malicious actors from stealing personal data involves more than just keeping attackers out of the servers that contain sensitive information, though. It's also about ensuring that if criminals do find a way in, the data is sufficiently safeguarded and effectively useless to them.

That involves encrypting data at all stages, whether it's in the customer's own servers or in the cloud, says Divatia. Capital One said in a press release that it encrypts its data as standard operating practice, but that in this case, the unauthorized user was able to decrypt it.

Avoiding breaches like this also entails putting in multiple types of security systems at the perimeter, endpoint, and network level, says Michael Rezek, vice president of cybersecurity strategy and business development at analytics firm Accedian.

He used the analogy of running security for a bank as an analogy for how these techniques work.

When protecting a bank, you'd probably use three methods to secure it: monitoring the entrance to know who's entering and exiting the building (perimeter security), keeping track of critical assets like ATMs, cash registers, and safes (endpoint security), and using video surveillance to monitor what's happening inside the bank (network security).

Those last two points of protection are particularly important, he says, in a scenario like the Capital One breach, where the intruder was able to exploit a security flaw to gain entry into the system. Having endpoint and network security in place means being able to track what the hacker did once they got in and keeping tabs on what they might have stolen. 

An important way companies can spot trespassers earlier is by having a firm grasp on who has access to critical user data in the first place.

"Knowing that this user over time maybe never visits a critical assets server . . . you learn that's kind of a normal behavior," Rezek said."And then all of a sudden one day you see this anomaly where he goes to a critical assets server and he spends time connected to it."

For example, if an intruder just dumped a bunch of data from the servers, that should raise a red flag, says Divatia. That's because applications typically process data rather than dumping it, which could have been a sign that abnormal activity was occurring. 

It may be impossible to prevent intruders from entering in the first place. But what companies can learn from the Capital One breach is to always be prepared for what happens once they do get inside.

 "You cannot keep the bad guys out," said Divatia. "You assume that the house will get broken into, but what they steal doesn't mean anything."