The lesson is that, at all times, employees should have access only to the resources they need to do their job, and that there should be a fine-grained permission system to check whether someone can read, or read and write, these resources.
Even when I am working on my projects by myself, I use different accounts to access my services, depending on the role. At first it might seem crazy, but if you learn how to do this and automate the process, it is a life-saver if you suddenly find yourself needing quick help from some contractor, or if you want to give a backup key to a trusted friend as a way to say "here is what you need to do in case something happens to me".