The long and the short… the vast majority of security failings fall into these general categories… both behavioral and technical.
- Slow, Bad or Non-existent Patch Cycle
- Poor CONFIGURATION decisions
- Installing to much software of debatable value (and forgetting about it).
- The required use of legacy systems with ZERO compensating controls
- Fire-and-forget mentality (i.e. long term complacency or laziness)
- Not knowing your limits, unwilling to accept limits, being too cheap or not having enough funding (which all has to do with heeding your local professionals, paying for some or living with centralized services which might not be as flexible [for similar reasons]).
- No situational awareness of the current network’s configuration or defenses, again, an assumption of defacto protection when there is generally near zero protection. This also falls under the category of assuming someone else is defending you (that always makes me smile because it’s just… soooo wrong…).
- Being unware that some of your habits/behaviors, for good or ill, contribute deeply to your susceptibility (poor passwords, never changing them, having accounts on every website or service under the sun with the same passwords, etc).
- The very wrong assumption that no one wants to hack your machine (hint: they couldn’t give a rats-*ss about you or your unimportant data [selfies, cat pictures, great American Novel, etc]… it’s the equipment they want access too, you are barely part of the equation).
In all cases… bad decisions, foolish assumptions and fatal mistakes.
Make noooo mistake on this… your devices are targets, mainly because they are a working piece of equipment built on a lot of risky decisions and false assumptions.
In the end, I would say, heed experts. But this is not enough, you have to be able to think a little too and live within your limits. Technology is not perfect… precisely because people are not perfect (scary thought eh?) So you have to assume all your technology can betray you at some point (and someone else’s as well); so it’s best not to have blind faith in your device’s ability to protect you if you are not also an active part of it’s defense.