The Basics of Personal Cybersecurity
Cybersecurity sounds intimidating. Like something that requires a degree in computer science and a wardrobe full of hoodies. But the truth is, protecting yourself from the most common online threats is surprisingly straightforward. You don’t need specialised knowledge. You need a few good habits.

The vast majority of successful cyberattacks target human behaviour, not technical vulnerabilities. Phishing, weak passwords, and outdated software account for the overwhelming majority of breaches. Fix those three things and you’ve blocked most of the attacks that could realistically affect you.

The Foundation: Passwords and Authentication

I’ve written about password managers before, so I’ll keep this brief. Use one. Every account should have a unique, randomly generated password. Your password manager remembers them all. You remember one master password. Done.

But passwords alone aren’t enough anymore. You need two-factor authentication (2FA) on every account that offers it. 2FA means that even if someone steals your password, they can’t log in without a second verification step — usually a code from an app on your phone.

The hierarchy of 2FA methods, from best to worst:

  1. Hardware security keys (like YubiKey) — most secure, slightly inconvenient
  2. Authentication apps (like Authy or Google Authenticator) — very secure, easy to use
  3. SMS codes — better than nothing, but vulnerable to SIM swapping attacks
  4. Email codes — weakest option, since email accounts can be compromised

At minimum, enable 2FA on your email, banking, social media, and cloud storage. These are the highest-value targets. Use an authenticator app, not SMS, if you have the choice.

Recognising Phishing

Phishing is the single most common attack vector for personal accounts. An attacker sends you a message — email, text, or social media DM — pretending to be a legitimate organisation. They want you to click a link and enter your credentials on a fake website.

Modern phishing has gotten remarkably sophisticated. The days of obvious Nigerian prince emails are mostly over. Today’s phishing messages look legitimate, use proper branding, and often reference real information about you.

Red flags to watch for:

  • Urgency. “Your account will be suspended in 24 hours.” “Unusual activity detected — act now.” Legitimate companies rarely create artificial urgency.
  • Unexpected requests. Your bank won’t ask you to verify your password via email. The tax office won’t contact you by text message demanding payment.
  • Slightly wrong URLs. Check where a link actually points before clicking it. “g00gle.com” isn’t Google. “paypa1.com” isn’t PayPal.
  • Generic greetings. “Dear Customer” instead of your actual name can be a sign, though sophisticated phishing often does include your name.

When in doubt, don’t click the link. Go directly to the company’s website by typing the URL yourself, or call them using a number from their official website.
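As an added illustration (not part of the original post), here is a small Python check that applies the “slightly wrong URL” rule above: it pulls the host out of a link, folds the digit-for-letter swaps the post mentions (g00gle, paypa1), and compares the result against a constructed list of domains you actually use. The trusted list, the substitution table and the two-label domain rule are assumptions for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: the handful of brands this user actually has accounts with.
TRUSTED_DOMAINS = {"google.com", "paypal.com"}

# Constructed table of characters attackers swap in for letters
# (the post's examples: g00gle.com, paypa1.com).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s", "|": "l"})


def normalise_host(host: str) -> str:
    """Fold a hostname to the plain letters it is trying to look like."""
    host = host.rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn--... labels -> Unicode
    except UnicodeError:
        pass
    host = unicodedata.normalize("NFKC", host)       # full-width digits etc.
    return host.translate(LOOKALIKES)


def registrable(host: str) -> str:
    # Assumption: ownership is decided by the last two labels
    # (ignores multi-part suffixes such as co.uk).
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"
    if registrable(host) in trusted:
        return "trusted"            # real domain or one of its subdomains
    folded = normalise_host(host)
    if registrable(folded) in trusted:
        return "lookalike"          # g00gle.com -> google.com after folding
    # Brand name buried in the host: paypal.com.secure-login.example
    if any(brand.split(".")[0] in folded for brand in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://accounts.google.com/signin", "https://g00gle.com/login",
                 "http://www.paypa1.com/verify", "https://example.org/news"):
        print(f"{classify_url(link):10} {link}")
```

“unknown” is not the same as safe; it only means the host does not resemble a brand on your list.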

Keep Everything Updated

Software updates aren’t just about new features. They patch security vulnerabilities that attackers actively exploit. Delaying updates leaves known holes in your defences.

Turn on automatic updates for:

  • Your operating system (Windows, macOS, iOS, Android)
  • Your web browser (Chrome, Firefox, Safari, Edge)
  • Your apps (especially email and messaging apps)

The occasional inconvenience of restarting your device is a tiny price for closing security holes that hackers are actively scanning for.

Public Wi-Fi: Be Careful

Free Wi-Fi at cafes, airports, and hotels is convenient but potentially risky. On an unsecured network, other users may be able to intercept your traffic. This matters most when you’re accessing sensitive accounts.

Practical rules for public Wi-Fi:

  • Don’t access banking or financial accounts on public networks
  • Use a VPN if you regularly work from public Wi-Fi. A VPN encrypts your traffic, so anyone intercepting it sees only scrambled data. Reputable options include Mullvad, ProtonVPN, and NordVPN.
  • Verify the network name with staff before connecting. Attackers sometimes set up fake hotspots with names like “CoffeeShop_Free_WiFi” to lure victims.
  • Forget the network when you leave, so your device doesn’t automatically reconnect next time you’re in range.

Social Engineering: The Human Factor

The most effective attacks don’t target your technology — they target you. Social engineering is the practice of manipulating people into giving up information or access.

Common tactics include:

  • Pretexting — the attacker creates a believable scenario to extract information. “Hi, I’m calling from your bank’s fraud department. Can you confirm your account number?”
  • Baiting — offering something appealing to get you to click. “You’ve won a $500 gift card!” No, you haven’t.
  • Tailgating — in physical spaces, following someone through a secure door. Less relevant for personal cybersecurity, but worth knowing.

The defence is simple: be sceptical of unsolicited contact, especially when someone’s asking for information or action. Verify through a separate channel. If someone calls claiming to be your bank, hang up and call the bank directly.

The team at Team400 published an interesting piece recently about how businesses are training employees to recognise social engineering. The same principles apply to personal security: slow down, verify, and don’t let urgency override your judgment.

Limit Your Digital Footprint

The less information you have scattered across the internet, the harder it is for attackers to target you:

  • Review app permissions — does that flashlight app really need access to your contacts?
  • Delete old accounts — services you signed up for years ago and forgot about still have your data
  • Be cautious on social media — birthdates, pet names, school names, and mother’s maiden name are common security question answers. Don’t post them publicly.
  • Use disposable email addresses — services like SimpleLogin let you create aliases for sign-ups, keeping your real email private.

The Priority List

If all of this feels overwhelming, here are the five things that matter most, in order:

  1. Use a password manager with unique passwords for every account
  2. Enable two-factor authentication on critical accounts
  3. Learn to recognise phishing and don’t click suspicious links
  4. Keep your devices and software updated
  5. Be sceptical of unsolicited requests for information

These five habits will protect you from the overwhelming majority of common threats. You don’t need to be a security expert. You just need to be a little more cautious than average.

That bar, unfortunately, isn’t very high.