In CEO Mark Zuckerberg’s keynote, the topic was easily overshadowed by all the new developer toys the social media company announced. But during the rest of the two-day conference, it was clear that security and infrastructure stability was top of mind for Facebook, and multiple sessions offered guidance to partners. (“Move fast with stable infra,” Zuckerberg declared, his spin on the Silicon Valley mantra, “Move fast and break things.”)

Understandably, the F8 sessions detailing security and privacy contained noticeably fewer attendees than other sessions—a sign, perhaps, that many businesses still consider cyber security an afterthought.

But companies would be wise to take a look at how Facebook itself works to avoid the type of data breach that wreaked havoc on Sony Pictures Entertainment. Hackers have stung Facebook in the past, and the company clearly doesn’t want to subject itself to further embarrassment and public backlash.

Which is one reason why Jennifer Henley, Facebook’s director of security operations, emphasized during a conference session how her company is working to bake better security practices into all aspects of its operations. Each fall, Facebook hosts an event called Hacktober in which its security experts attempt to trick employees into falling for common hacking tricks such as phishing scams, in which malicious actors send emails that mimic genuine versions to dupe people into giving up confidential information.

During the event, Facebook’s security team also scatters around the company’s offices USB sticks and other media labeled “confidential” in order to see which employees are duped into inserting them in their computers, Henley explained. (Through these devices, hackers can penetrate into the company’s infrastructure.) Hacktober’s aim is to “stage scenarios to spark employee awareness,” Henley said, so that employees remain wary of security threats.

Facebook security engineer Ted Reed offered security suggestions of a more technical nature. Reed recommended that conference attendees—particularly managers or executives that oversee software development—tell coders to remove any secret tokens or keys that may be lurking around in your company’s source code.

These could serve as gateways for hackers to infiltrate a company’s back end, Reed said. Developers are often not keen on scanning their source code for security holes because of the time involved. But doing so could help prevent a potential data breach, he warned.

For Facebook, it’s all about creating a company culture that values security in order to offset the chances of getting breached. Of course, this is much easier said than done in a world that values rapid software development practices.

“It is hard,” Reed said. “But it is very, very worth it.”

[fortune-brightcove videoid=4136597216001]