Staying safe online
Key takeaways You don’t need to be an expert to be hard to attack. Turn on updates everywhere, use a password manager + MFA, keep backups, and carry a healthy suspicion of anything urgent. A short list of personal habits blocks the vast majority of everyday attacks — most of which are automated and simply move on to an easier target. Start with passwords & MFA and build from there.
Almost none of the attacks that hit ordinary people are clever. They reuse a flaw that was fixed months ago, a password that leaked from another site, or a message that panics you into clicking. That’s good news: the same handful of habits defeats nearly all of them, and none of them require deep technical skill.
Keep everything updated
The most common way in is an already-known, already-patched flaw. Attackers scan for devices running old software because the fix — and the exact weakness it closes — is public. If you haven’t installed the update, you’re the easy target.
Turn on automatic updates for your operating system, your browser, your apps, and your phone, and let them install promptly rather than clicking “remind me later” for weeks. This one habit closes the door on a huge share of attacks before they start. For the bigger picture of reducing what can be attacked in the first place, see hardening systems.
Password manager + MFA
Passwords fail in predictable ways: people reuse them, so one leak unlocks many accounts, and people pick guessable ones. A password manager fixes both by generating a long, unique, random password for every site and remembering them for you — you only memorise the one that unlocks the manager.
Then add multi-factor authentication (MFA) to your important accounts (email, bank, anything that can reset other accounts). MFA means a stolen password alone isn’t enough to log in, because the attacker still lacks your second factor. This pairing is the biggest security win for the least effort you’ll find anywhere; the full walkthrough is in passwords & MFA.
Back up your data
Backups don’t stop an attack — they make one survivable. Ransomware encrypts your files and demands payment; a hard drive dies without warning; a phone gets left in a taxi. In every case a recent backup turns a disaster into an inconvenience.
Make backups regular (automatic if you can) and test that you can actually restore from them — an untested backup is just a hope. Keep at least one copy offline or somewhere an attacker who gets into your machine can’t reach, so ransomware can’t encrypt your backup along with everything else. For how this fits into defending your devices, see malware & endpoints.
Recognise scams
Most successful attacks don’t break the technology — they trick the person. The tell is nearly always urgency: a threat, a countdown, a prize that vanishes if you don’t act now. That pressure exists to stop you thinking.
So slow down. Verify before you click or pay: check who really sent a message, look at where a link actually goes, and if it claims to be your bank or a service you use, contact them through a number or app you already trust — not the one in the message. And never hand over a one-time code, password, or payment because someone asked; no legitimate organisation needs your login code. There’s a whole lesson on how these tricks work in social engineering.
Protect your devices and connections
If a device is lost or stolen, the question is whether the thief gets your data too. Enable device/disk encryption (built into modern phones and laptops) and set a screen lock with a PIN, passcode, or biometric. Together they turn a lost device into a lump of scrambled data instead of an open filing cabinet.
On untrusted public Wi-Fi — cafés, airports, hotels — be cautious, and use a VPN when appropriate to encrypt your traffic to a server you trust. A VPN isn’t a magic shield, and modern HTTPS websites are already encrypted, but it genuinely helps when you can’t trust the network around you. See VPNs for what one does and doesn’t protect.
Mind your footprint
Every piece of information you put online, and every permission you grant an app, is something that can later be lost, leaked, or turned against you. You can’t share nothing — but you can be deliberate.
Think before posting details that answer security questions (birthdays, pet names, your street). Review the permissions apps ask for and deny the ones they don’t need — a flashlight app has no reason to read your contacts. Less exposed data is simply less to lose. For a fuller treatment of controlling your information, see privacy & data protection.
Quick check: which set of habits gives the most protection for the least effort?
Recap
- Most attacks are automated and reuse known flaws or leaked passwords — a few habits stop nearly all of them.
- Keep everything updated so you’re not exposed by an already-fixed weakness.
- Use a password manager + MFA — the biggest win for the least effort.
- Keep regular, tested backups, ideally with an offline copy, to survive ransomware and hardware failure alike.
- Slow down on urgency, verify before you click or pay, and never share codes or credentials.
- Encrypt and lock your devices, be careful on public Wi-Fi, and mind what you share and which permissions apps get.
Next up: wireless & RF security