Assume You Will Be Hacked

I used to think cybersecurity was something that happened to other people.

You know, the people who click on emails from foreign princes, invest their life savings into a cryptocurrency called MoonLizardRocketCoin, or believe that a text message saying “Your package is being held hostage by customs” is a normal way for shipping companies to communicate.

I considered myself smarter than that.

Naturally, that meant I was exactly the kind of person who needed a reality check.

The modern internet has a special talent for humiliating confidence. It doesn’t care how educated you are, how careful you think you are, or how many articles you've read about digital safety. Somewhere, right now, there is a teenager in a dark bedroom who can bypass security systems while simultaneously losing an argument with his mother about unloading the dishwasher.

That realization changed how I think about cybersecurity.

I no longer ask, “How do I prevent being hacked?”

I ask, “What happens when I am?”

That single shift in perspective changes everything.

Most people treat cybersecurity like medieval castle defense. They imagine building a giant wall around their digital lives and then relaxing forever behind it. Strong password? Check. Antivirus? Check. Suspicious of strangers? Check.

Castle secured.

The problem is that modern cybercrime doesn't behave like an invading army. It behaves like water.

Water doesn't care about your walls.

It finds cracks.

Tiny cracks.

The crack might be a password you reused three years ago. It might be a website that stored your information badly. It might be a family member who clicked something they shouldn't have. It might be a company you've never heard of that somehow has your email address because every business on Earth now demands an account before allowing you to buy a pair of socks.

Eventually, water finds a way in.

That's why I've become a believer in one uncomfortable philosophy:

Assume you will be hacked.

Not might.

Will.

The moment you accept that possibility, you stop making decisions based on fantasy and start making decisions based on damage control.

It's the digital equivalent of owning a fire extinguisher.

Nobody buys one because they're excited about the possibility of a kitchen fire.

They buy one because kitchens occasionally attempt to become volcanoes.

The smartest homeowners don't walk around saying, “My house will never burn.”

They prepare for the day it might.

Yet people regularly say things like:

"My password is strong."

"My account isn't important."

"Nobody would target me."

That last one is my favorite.

Nobody would target me.

As if cybercriminals are personally evaluating our worth.

As if there's a board meeting somewhere.

"Johnson from Ohio has only $2,300 in checking. Ignore him."

"No, wait. Susan has a modest retirement account and frequently orders dog food online. Deploy the elite hacking division immediately."

Most cybercrime isn't personal.

It's industrial.

You're not being hunted.

You're being harvested.

That's actually worse.

Being individually targeted means someone cares who you are.

Being harvested means you're just another row in a spreadsheet.

A machine doesn't need a reason.

It only needs volume.

The internet figured out something casinos learned decades ago.

Small wins repeated millions of times create fortunes.

Stealing ten dollars from a million people beats robbing a bank.

Less risk.

More scale.

And infinitely more depressing.

Once I accepted this reality, I started looking differently at every digital service I use.

Every account became a potential future crime scene.

Every login became a future headline.

Every app became a future apology email.

You've seen those apology emails.

They're practically a genre now.

"We take your privacy seriously."

That's always how they begin.

If a company ever tells you they take privacy seriously, there's roughly a fifty percent chance they're about to explain why your information is currently floating around the internet like confetti.

"We recently detected unauthorized activity."

Translation:

Someone wandered into our systems and made themselves comfortable.

"Out of an abundance of caution..."

Translation:

We have absolutely no idea what they took.

"We value your trust."

Translation:

We would like to continue charging your credit card.

The modern breach announcement has become so common that people barely react anymore.

Ten years ago, a major breach felt shocking.

Today it feels like weather.

Another company leaked data?

Must be Tuesday.

Millions of records exposed?

Sounds about right.

Names, addresses, phone numbers, passwords, birthdays, Social Security numbers?

At this point, I'm amazed when companies still have data left to leak.

Somewhere there's a hacker downloading information and saying, "Wait, I already have this."

We've created a civilization where every institution insists on collecting personal information and then acts surprised when they can't protect it.

It's like watching people store gasoline in cardboard boxes and then expressing confusion about the fire.

The average person has accounts scattered across hundreds of services.

Not ten.

Not twenty.

Hundreds.

Shopping sites.

Streaming services.

Fitness apps.

Banks.

Insurance companies.

Food delivery platforms.

Social media accounts.

Medical portals.

Travel websites.

Government systems.

Random forums you joined in 2014 because you wanted advice about lawn care.

Each one contains pieces of your identity.

Each one represents risk.

And every one of them believes they deserve your trust.

That trust is expensive.

Unfortunately, it's usually paid for by you.

Not them.

When a company gets breached, the consequences rarely land where the failure occurred.

The company issues a statement.

You spend the next three years checking your credit report.

That's a remarkable arrangement when you think about it.

Someone else loses your data.

You inherit the anxiety.

It's the digital version of your neighbor crashing a car and your insurance premium increasing.

This is why I stopped focusing entirely on prevention and started focusing on resilience.

Resilience is boring.

Nobody wants to talk about resilience.

People want magical solutions.

They want one app, one purchase, one setting that guarantees safety.

Reality is messier.

Resilience means assuming things will eventually go wrong and arranging your life so that the consequences remain manageable.

Think about passwords.

The average person treats passwords the way people treated house keys in old sitcoms.

One key opens everything.

Convenient.

Also ridiculous.

If one password unlocks multiple accounts, you're essentially connecting your entire digital identity with a piece of string and hoping nobody notices.

When one service gets compromised, attackers immediately try those credentials elsewhere.

Because people are predictable.

We love convenience.

Convenience is humanity's favorite drug.

We'll sacrifice astonishing amounts of security for the ability to avoid typing six extra characters.

We'll hand over personal information to save three seconds.

We'll reuse passwords because our brains have collectively decided remembering unique credentials is an act of oppression.

Then we're shocked when it backfires.

The truth is that attackers understand human psychology better than most psychologists.

They know people rush.

They know people panic.

They know people get tired.

They know people trust familiar logos.

They know people fear missing opportunities.

They know people click first and think second.

That's why so many attacks aren't technical.

They're emotional.

A hacker doesn't necessarily need to defeat encryption.

Sometimes they just need to convince you to defeat yourself.

The internet loves discussing sophisticated cyberattacks involving nation states, advanced malware, and technical wizardry.

Meanwhile, countless compromises begin with someone seeing a message that says:

"Urgent action required."

Human beings have a complicated relationship with urgency.

We're terrible at it.

Urgency turns intelligent adults into startled deer.

Suddenly we're clicking links.

Entering passwords.

Downloading attachments.

Making decisions we'd never make under normal circumstances.

Panic is one of the most effective hacking tools ever invented.

And the best part, from the attacker's perspective, is that victims willingly supply it.

Assuming you'll be hacked forces you to think differently about these situations.

Instead of asking, "Could this be real?"

You ask, "What happens if it's fake?"

That question has saved me more trouble than any software ever has.

Because software protects systems.

Questions protect judgment.

The same philosophy applies to backups.

Nothing reveals someone's relationship with reality faster than discussing backups.

Everyone agrees they're important.

Almost nobody wants to maintain them.

Backups are like exercise.

People enthusiastically support the concept.

Participation is another matter.

Then disaster strikes.

A hard drive fails.

Files disappear.

Ransomware arrives.

Suddenly backups become extremely interesting.

It's remarkable how quickly people become backup enthusiasts after losing ten years of family photos.

The universe has a way of turning boring precautions into fascinating priorities.

Cybersecurity operates under similar rules.

Preparation feels excessive right up until the moment it feels inadequate.

That's why I assume every device I own could fail tomorrow.

Every account could become inaccessible.

Every service could suffer a breach.

Not because I'm paranoid.

Because history keeps proving that these events happen.

Frequently.

To everyone.

The internet has become one giant interconnected machine, and interconnected systems create interconnected risks.

When one component fails, consequences spread.

Sometimes in strange directions.

A breach at a retailer affects financial accounts.

A compromise at a healthcare provider affects identity verification.

A leak at a social platform affects personal relationships.

The boundaries separating different parts of our lives are becoming increasingly fictional.

Everything connects to everything.

Which means vulnerabilities connect too.

The funniest part of modern cybersecurity might be the mythology surrounding hackers themselves.

Popular culture portrays them as mysterious masterminds wearing hoodies in neon-lit rooms.

Reality is often much less cinematic.

Many attacks succeed because someone forgot basic security practices.

The digital world occasionally resembles a luxury apartment building where half the residents leave their doors unlocked.

Not because they're foolish.

Because humans are busy.

We have jobs.

Families.

Responsibilities.

Bills.

Deadlines.

Nobody wakes up excited to spend Saturday afternoon reviewing account security settings.

Cybercriminals understand this.

They're counting on it.

The greatest vulnerability in most systems isn't technology.

It's attention.

Human attention is limited.

Everything wants it.

Emails want it.

Advertisements want it.

Social media wants it.

News alerts want it.

Streaming services want it.

Your attention is under constant assault.

Security decisions are often made while exhausted, distracted, or overwhelmed.

Attackers know this.

They don't need perfection.

They only need moments.

One careless click.

One reused password.

One missed warning.

One lapse.

That's why assuming you'll be hacked creates healthier expectations.

It eliminates the fantasy that vigilance must be flawless forever.

Instead, it acknowledges that mistakes are inevitable.

The goal isn't perfection.

The goal is survivability.

Can you recover?

Can you limit damage?

Can you regain control?

Those questions matter far more than pretending mistakes will never occur.

I've reached a point where I view cybersecurity much like public health.

You reduce risks where possible.

You build protective layers.

You prepare for setbacks.

You recognize that absolute safety doesn't exist.

Then you continue living.

That's another mistake people make.

They hear discussions about cyber threats and conclude that technology itself is the problem.

It's not.

Technology remains extraordinary.

The internet allows communication, learning, business, creativity, and connection on a scale previous generations would consider magical.

The problem isn't that technology exists.

The problem is that humans remain human.

We carried every flaw from the physical world into the digital one.

Greed came with us.

Deception came with us.

Carelessness came with us.

Overconfidence came with us.

Naturally, cybercrime came too.

The internet didn't invent human weakness.

It automated it.

And automation scales everything.

Including bad decisions.

Especially bad decisions.

That realization leads to my favorite cybersecurity principle:

Your objective isn't to become impossible to hack.

Your objective is to become difficult to destroy.

Those are different goals.

The first goal is unrealistic.

The second is practical.

One depends on perfection.

The other depends on preparation.

Preparation lacks glamour.

Nobody brags about recovery plans.

Nobody posts screenshots of successful backups.

Nobody throws parties because their password manager worked correctly for another year.

Yet these boring habits quietly outperform dramatic heroics.

The same way seatbelts outperform confidence.

The same way smoke detectors outperform optimism.

The same way insurance outperforms wishful thinking.

Security often looks excessive until reality arrives.

Then it looks obvious.

I've come to believe that the healthiest digital mindset is one built around humility.

Not fear.

Humility.

The recognition that no individual, company, platform, or device is immune from failure.

The recognition that systems break.

People make mistakes.

Organizations get compromised.

Data gets exposed.

Accounts get stolen.

Life continues.

Humility encourages preparation.

Ego encourages denial.

And denial has an impressive track record of making problems worse.

Whenever I hear someone confidently explain why they'll never be hacked, I remember all the companies that once believed the same thing.

Entire corporations with security teams, budgets, consultants, monitoring systems, and sophisticated defenses have suffered breaches.

Yet somehow an individual with three passwords and a sense of optimism feels invincible.

That's ambitious.

What I've learned over the years is that cybersecurity isn't really about computers.

It's about expectations.

People expect permanence from systems that are constantly changing.

People expect certainty from environments filled with uncertainty.

People expect guarantees from technologies built by imperfect humans.

Those expectations create disappointment.

Assuming you'll be hacked creates a different relationship with reality.

You stop demanding guarantees.

You start building contingencies.

You stop asking whether bad things can happen.

You start preparing for when they do.

It's not pessimistic.

It's practical.

In fact, I find it oddly reassuring.

Because once you stop chasing impossible certainty, you can focus on achievable resilience.

You don't need perfect protection.

You need a plan.

You need backups.

You need unique passwords.

You need healthy skepticism.

You need the ability to recover.

Most importantly, you need to understand that cybersecurity isn't a destination.

It's maintenance.

There is no finish line.

No final upgrade.

No permanent victory.

Only ongoing attention.

The digital world evolves.

Threats evolve.

Defenses evolve.

Everything moves.

The best strategy isn't pretending you can freeze the game forever.

It's learning how to stay standing when the board inevitably shifts beneath your feet.

So these days, whenever I create a new account, buy a new device, or trust a company with my information, I operate under one simple assumption:

Someday, something will go wrong.

Maybe not today.

Maybe not next year.

Maybe never in a way I notice.

But eventually, somewhere, some system will fail.

And when that day arrives, I don't want my entire digital life balanced on hope.

Hope is wonderful for poetry.

It's considerably less useful for account recovery.

Assume you will be hacked.

Not because the world is ending.

Not because technology is evil.

Not because disaster is guaranteed tomorrow.

Assume it because reality consistently rewards preparation over confidence.

And because in a world where breaches arrive with the regularity of weather forecasts, the smartest question isn't whether the storm is coming.

It's whether you've remembered to bring an umbrella.