>As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.

as someone who used to work in cybersec (and is also older), most of the time (in my experience) it isn't sloppiness.

1) people fight tooth and nail against anything that inconveniences them. security is almost always going to be an inconvenience tradeoff, so it is always fought against. from every person and every department. rolling out 2fa was worse than pulling teeth, despite it being a single button press ("approve") on the phone, once or twice a day (or less). c-suite is the worst, demanding exclusions and bypasses. it's hard to say no to your boss's boss when they refuse to use a password manager, refuse to set up 2fa, or whatever the case is.

2) security offers no immediate or visible return on investment. so, it gets little to no positive attention from c-suite and even less budget. you end up with underpaid, under-qualified, over-worked people trying to figure out which thing they might be able to secure out of the 10 things that need securing. half of them will be tied up trying to explain to someone why they can't use the company name as their password or begging someone to use the password manager.

even here, a forum of hackers, security is often put in scare quotes and almost always mentioned beside the word "theater". people brag about still running windows 7, because it was the last good windows. antiviruses aren't needed. X security feature is just a lie so that company Z can control my device. people get big mad when a company rolls out mandatory 2fa. and so on.

edit: case in point, on this thread a comment was just posted with "I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things."

reply
> once or twice a day (or less).

If that was all it was, people would be a lot less annoyed by it.

reply
Freedom, Security, Convenience. Choose two.
reply
> We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.

Reminds me of the time I accidentally entered my bank PIN into my washing machine and hackers ran off with $500 of my money.

What puzzled me most was the time and energy put into the attack, all for the off chance of a successful attack. Security footage showed them removing my washing machine while I was at work and replacing it with one the hackers controlled. This "phishing machine" -- as I now call it -- was apparently fitted with some kind of LoRaWAN device waiting for me to unwittingly enter my PIN to unlock. Something my washing machine never asked me to do before, btw, but I did it anyway (like an idiot).

I changed my bank PIN, but I still use the old PIN to run the phishing machine -- funny enough it's fully functional and in fact works better than the old one.

All said, the hackers probably lost $1000 on the deal. Police said this is a very common attack on washing machine buttons throughout the Southeast, so I'm wondering if part of our current economic stagnation is due to hackers going into bankruptcy from this.

reply
> And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.

This is the key. No incentive to change. It's always "the hacker's fault" and never "the manufacturer's negligence" or "the developer's carelessness" or "the user's gullibility." Combine this with the currently-prevailing Don't Blame The Victim mentality, and it's the perfect environment for never improving cybersecurity.

reply
But yet, the pigs who built the houses of straw and sticks got eaten. The pig who built the house of bricks is seen as responsible, even though it took longer and cost more; he made the right choice.

The wolf is seen as ever-present. Failure to consider the wolf when choosing building materials has consequences.

It blows my mind that this story has been part of our culture for centuries, yet we apply exactly the opposite model to cybersecurity.

reply
But have you thought about the bonus you can get by reducing house building costs in Q3?
reply
Yea, CyberSecurity will get fixed when companies are held responsible to the point that data breaches have severe impact on bottom line.
reply
We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Thank goodness for all the other layers... the firewall is just doing basic hygiene. The SASE and zero trust policies are doing the heavy lifting.

No one wants to follow any rules, and when caught out they do not want to take responsibility for their own actions.

Since it was an open wifi, I hope we get nailed for hosting child porn or cryptocoin scams... ffs

reply
>>> We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Wait, what?!?! I gotta hear this story. I have so many questions like how in the hell do you casually smuggle in not one, but several Starlink dishes?

reply
Well... they pay the checks, so it was easy to go shadow IT. They paid the company that manages the physical building to install access pipes on the roof and run the cables between the dish and the routers. Dishes sitting on the roof and routers above the drop ceiling.

Didn't even notice until the wifi rogue detector flagged the SSID due to its relative strength (we're in a highly contested area for 2.4 and 5 GHz).

reply