Start with failing to do the security basics. Add an unhealthy dose of laziness. Ignore the writing on the wall. And after you realize that your IT system has been attacked and your customers’ data has been compromised, don’t tell anyone about it for days, maybe longer. For extra measure, don’t thoroughly investigate what happened, because that might help you potentially avoid it in the future.