Top 10 IT Security Tips for Individual Users
This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users.
- Enable automatic updates wherever possible
- Don’t use obsolete software versions
Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.
Most at risk: OS (Windows), browsers (Chrome, Firefox, Edge, IE), MS Office (Word, Excel), PDF reader (Adobe Acrobat)
Your OS, your browser, and applications like Adobe Acrobat all come with automatic updates enabled. There is really not that much to do – except not disable this essential functionality.
- Block Office Macros (VBA code) from running
Office macros contain code written in Visual Basic for Applications, a full-blown programming language. Macros are embedded in Office documents (Word DOCX, Excel XLSX, etc.) and can be executed when a document is opened. This is one of the most popular initial attack methods.
To manually disable the execution of Office macros go to File > Options > Trust Center > Trust Center Settings > Macro Settings and select Disable all macros without notification.
Important: there is another setting, Disable all macros with notification. This won’t do! It is the default, and it shows a button that enables blocked macros with a single click. Every single phishing campaign out there tries to coax users into clicking that button.
This blog post explains how to block Office macros via Intune on Windows and macOS. It contains procedures and scripts that are useful even if you are using some other systems management product.
- Open and view PDFs in Sumatra instead of Adobe Acrobat Reader
Many attacks target Adobe Acrobat Reader because it’s so widely used. By switching to a different app for viewing PDFs, those attacks are defused.
Bonus: Sumatra PDF is much faster than Adobe Acrobat, saving you precious seconds every time you open a PDF.
- Sumatra PDF homepage & download
- Never reuse passwords across websites or applications
- Generate a unique strong password for each individual site
Data breaches have become a common thing, user/password databases are stolen from websites regularly. Even though passwords should never be stored in plaintext, it’s easy enough to make mistakes with the mandatory hashing and salting steps that many sites get it wrong. Assume that any password can be stolen at any time.
Use a password manager application like KeePass to store your passwords (see below).
- Enable two-factor authentication (2FA) for any account on the internet
- Avoid SMS as second factor if possible (but use it if there’s nothing else)
The level of protection offered by passwords alone is simply not good enough, they can easily be stolen (see above). You need something in addition to a password for authentication, a second factor.
Most sites offer TOTP-based 2FA. These are the ones showing a QR code during setup. Use an authenticator app like Authy that comes with an (encrypted!) backup functionality so you don’t lose all 2FA configs when you switch phones.
- Don’t memorize passwords (except select few, e.g., for your email account)
- Store your passwords in an encrypted password manager application
- Protect your password manager app with a very long passphrase and a second factor
A password manager enables you to do two things:
- Securely store passwords and other sensitive information (e.g., credit card data)
- Generate strong passwords
Do not use your browser’s password manager.
KeePass is an excellent free password manager. Its database file can be synchronized with any cloud storage service. On your phone, use an app like Keepass2Android for read/write access to the password data.
If you store your password database in the cloud, consider adding a key file (a second factor) as additional protection. The key file needs to be available on your phone, too. Sync it with a different cloud storage provider than the password DB.
If you prefer a cloud-based password app, take a look at Bitwarden.
- Don’t spend money on a third-party antivirus product
- Use Windows Defender (which comes with the OS)
Long gone are the days when the protection built into Windows was insufficient. Defender has excellent detection capabilities, is part of the OS, updated and improved regularly.
Take a look at the little shield icon in the taskbar’s info area. There should be a green checkmark on it. If that is not the case click the icon and follow the recommendations.
- Perform regular backups (ideally scheduled, so you don’t forget)
- Store backups offsite (in a different building or city)
Backups protect from accidental deletion, theft, disaster (e.g., fire), and ransomware (malware that encrypts your files).
Out of the innumerable backup tools and techniques I recommend encrypted backups to cloud storage with the free Duplicati 2.0. Don’t worry about the “beta” label. Duplicati 2.0 has been stable for many years.
- If you’re using a laptop, enable full-disk encryption
Your data is safe even if the device is lost or stolen.
BitLocker Drive Encryption comes with every edition of Windows 10, including Windows 10 Home. Its performance impact is negligible, there are no downsides to enabling it.
BitLocker makes use of a recovery key (a kind of password) that you may need occasionally. Store it in your password manager app (see above).
- Enable all available safety measures for your email account
Email is often used for password reset. Anybody with access to your email can simply click a site’s password reset button and configure a new password via the link in the email.
Take all the advice in this article to heart. Use a strong password for your email account and enable two-factor authentication. Don’t log into your email account on someone else’s computer. If you have to, make sure to log out once you’re done.