1.  Never assume a hacker is stupid
Don’t assume your system is too complicated for a hacker to figure it out.  Complication is no defense.

2.  Never assume a hacker doesn’t have a lot of free time
They have an infinite amount of time when you factor in the scaling number of people and automated systems involved.

3.  Never assume a hacker is working alone
They often work in teams, spread out over many countries, timezones, and jurisdictions.

4.  Never assume a hacker is human
Bot networks, zombie servers, and automated systems are all used to magnify the capabilities of a dedicated hacker and work continuously even after everyone is away, asleep, or even in jail.