We've all seen users who are certain no one would ever want to break into their account, device or life, since they don't have anything anyone would possibly want - so why worry about security?
You and I have no doubt answered such users like so:
1. You should follow best practices to protect your boss or other users for whom you are responsible.
2. You should bear in mind that your LOCATION is valuable as a midpoint for attack use, even if your data is uninteresting, and
3. Suppose, JUST SUPPOSE that there's something you don't know about. If there's an unknown threat out somewhere, best practices (like updates, not doing stupid stuff and so on) would be in order, eh? Maybe. Yeah. Sure.
But that's silly, paranoid, the-sky-is-falling nonsense.
However, let's say that overnight you develop a sudden Really Urgent Need for a tight security stance where one never existed before. People buy fire insurance for houses and business locations, right? (I wonder why they do that...) Well, imagine that we establish a Business Continuity Plan for this responsible person. But why? What could possibly go wrong? Obviously nothing, but stick with me awhile on this.
What if somebody with a very similar name to our subject gets into the news as a result of being a leader at a Ku Klux Klan rally? All sorts of activist groups may spring into action to doxx (publish documents regarding someone's location, identity, assets, relatives, known associates etc.) our subject under the mistaken impression that he's a dangerous, racist, anarchistic crackpot. If our subject found himself in that position, he'd have been well advised to avoid having no-password accounts, avoid leaving apps at default settings, and certainly well advised to do All The Things we security program speakers have been telling people to do for years.
Oh, but that's highly unlikely. Ok, how about another?
What if our subject's daughter or son at school becomes a victim of cyberbullies? They get into a TwitBook argument about politics or hairstyles or something, the bullies pull out all the stops, and the attack follows the kid back to the (parent) subject's home router - in order to hit the kid, of course, not the parents who're not party to the argument. But the bullies don't care, so here come the free DDoS tools into play (that's Distributed Denial of Service, so's you can't get to the 'net).
Couldn't possibly happen, right? Naturally. Ok, how about another?
What if our subject decides to run for public off --- no, wait. Strike that.
What if our subject is the victim of a data leak at an insurance company or email provider or government agency or his own employer or his credit card company or his model train enthusiast club or his gym or his ONLINE DATING SERVICE? But of course, all of those entities may already have been hacked over recent months or years, the information combined into super-lists, that information provided to dark web marketplaces and sold. So the would-be hacker didn't actually have to hack anything to mess with our subject - he/she/it only had to pay $100 or so for X gigs of leads to script some attack against.
And what if the jerks out there got some information entirely legally, due to a cell provider selling it? Sure, PII (Personally Identifiable Information) may not be in there, but what about combining it with some of the dark source stuff? Better resolution? No; couldn't possibly happen.
I think we could sell this sort of reasoning to users like insurance. The house usually doesn't burn down. But fire insurance sells anyway, and for a reason.