Cybersecurity Basics Every Australian Should Know


Most cybersecurity advice sounds like this: “implement multi-factor authentication, use a VPN, enable full-disk encryption, review your security posture regularly.” That’s fine if you’re securing a business, but it’s overwhelming if you just want to protect your personal accounts.

The good news is that basic cybersecurity isn’t complicated. A few simple practices prevent most problems. You don’t need to be a security expert—you just need to do the fundamentals consistently.

The Password Situation

Weak passwords and reused passwords cause most account compromises. “Password123” is terrible. But so is using the same decent password across 50 sites, because when one site gets breached (and sites get breached constantly), attackers try those credentials everywhere.

Use a password manager. Bitwarden, 1Password, LastPass—pick one and use it. Generate unique, strong passwords for every account. You only need to remember one master password.

This single change dramatically improves security. Everything else builds on this foundation.

Your master password should be long and memorable. “correcthorsebatterystaple” is stronger than “P@ssw0rd!” because length matters more than complexity. Make it a phrase you’ll remember.
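The claim that length beats complexity can be put in numbers. The following Python is an added illustration, not part of the original article: it estimates password strength in bits under a few generation models and the worst-case time to try every candidate. The guess rate, the 100,000-word dictionary, the 16 substitution variants and the 100 suffixes are constructed assumptions for the mangled-word model; the 7776-word list size is the standard Diceware list. One caveat the model makes visible: "correcthorsebatterystaple" itself now appears on every attacker word list, so the strength comes from choosing words at random, not from that particular phrase.

```python
import math

# Assumed offline guess rate against a leaked password hash, in guesses per
# second. Constructed for illustration; real rates depend on hash and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10

PRINTABLE_ASCII = 94      # upper + lower + digits + keyboard symbols
LOWERCASE = 26
DICEWARE_WORDS = 7776     # size of the standard Diceware list (6 ** 5)


def random_chars_bits(length, alphabet_size):
    """Entropy (bits) of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def random_words_bits(word_count, wordlist_size):
    """Entropy (bits) of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def mangled_word_bits(dictionary_size=100_000, leet_variants=16, suffix_choices=100):
    """Rough, constructed model of a 'P@ssw0rd!'-style password: one dictionary
    word, a few letter-to-symbol substitutions and a short suffix. An attacker
    only needs to try dictionary x variants x suffixes candidates."""
    return math.log2(dictionary_size * leet_variants * suffix_choices)


def worst_case_seconds(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try all 2**bits candidates at `rate` guesses per second."""
    return 2.0 ** bits / rate


def describe(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def comparison():
    """(label, bits) rows for the cases discussed in the text."""
    return [
        ("'P@ssw0rd!' as a mangled dictionary word (model)", mangled_word_bits()),
        ("9 truly random printable-ASCII characters", random_chars_bits(9, PRINTABLE_ASCII)),
        ("13 truly random lowercase letters", random_chars_bits(13, LOWERCASE)),
        ("4 random Diceware words", random_words_bits(4, DICEWARE_WORDS)),
        ("6 random Diceware words", random_words_bits(6, DICEWARE_WORDS)),
        ("25 truly random lowercase letters", random_chars_bits(25, LOWERCASE)),
    ]


if __name__ == "__main__":
    for label, bits in comparison():
        print(f"{bits:6.1f} bits  {describe(worst_case_seconds(bits)):>20}  {label}")
```

Two things the table shows that the paragraph does not: thirteen random lowercase letters already carry more entropy than nine random characters from the full keyboard, because each extra character adds more bits than widening the alphabet does, and a pattern password like "P@ssw0rd!" sits near 27 bits under the dictionary model, which is exhausted in a fraction of a second at the assumed rate.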

Two-Factor Authentication Everywhere

2FA means even if someone gets your password, they can’t access your account without the second factor—usually a code from an app or SMS.

Enable 2FA on:

  • Email (critical—email is the key to everything else)
  • Banking
  • Social media
  • Work accounts
  • Anything with financial or personal information

Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS when possible. SMS can be intercepted through SIM swapping attacks, though it’s still better than nothing.

Yes, 2FA is slightly annoying. It’s also the difference between an account breach being impossible versus trivial.

Update Your Stuff

Security updates fix vulnerabilities. Running outdated software is running known vulnerable software that attackers can exploit.

Enable automatic updates on:

  • Operating systems (Windows, macOS, iOS, Android)
  • Browsers (Chrome, Firefox, Safari, Edge)
  • Apps where possible

For software that doesn’t auto-update, check monthly and install updates. It’s boring but effective.

Think Before You Click

Most compromises start with phishing. Someone sends an email or message that looks legitimate, you click a link or download an attachment, and malware installs or you give away credentials to a fake site.

Before clicking any link:

  • Who sent this? Is it actually from them?
  • Was I expecting this message?
  • Does the URL look legitimate when I hover over it?
  • Is it creating artificial urgency? (“Account will be locked!”)

When in doubt, go directly to the website (don’t click the link) or contact the supposed sender through a different method.
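The "does the URL look legitimate" check is easy to get wrong by eye, because a link can contain the real site's name without going anywhere near it. The Python below is an added example, not code from the article: it pulls out the host a browser would actually connect to and tests whether that host is the trusted site or a genuine subdomain of it. All domains in the sample links are constructed (`bank.example`, `account-verify.test`, a TEST-NET address); none is a real site.

```python
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Host the browser will actually connect to. urlsplit treats anything
    before '@' as user info, so 'https://bank.example@other.test/' goes to
    other.test, exactly as a browser would."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web link: {url!r}")
    return parts.hostname.lower().rstrip(".")


def belongs_to(host: str, trusted_domain: str) -> bool:
    """True only if host is trusted_domain itself or a subdomain of it.
    Matching on 'contains' would wrongly accept bank.example.other.test."""
    trusted = trusted_domain.lower()
    return host == trusted or host.endswith("." + trusted)


def check_link(url: str, trusted_domain: str) -> dict:
    """Verdict for one link: the real host, whether it belongs to the
    trusted site, and warnings a reader should weigh before clicking."""
    host = real_host(url)
    warnings = []
    if not host.isascii():
        warnings.append("host contains non-ASCII characters (possible look-alike)")
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address, not a domain name")
    if "@" in urlsplit(url).netloc:
        warnings.append("link hides its real destination behind '@'")
    return {"host": host, "trusted": belongs_to(host, trusted_domain),
            "warnings": warnings}


# Constructed sample links for a hypothetical bank at bank.example.
TRUSTED = "bank.example"
SAMPLE_LINKS = [
    "https://bank.example/login",                              # genuine
    "https://online.bank.example/login",                       # genuine subdomain
    "https://bank.example.account-verify.test/login",          # real host is account-verify.test
    "https://bank.example@account-verify.test/login",          # '@' trick
    "https://bank-example.test/login",                         # look-alike name
    "http://198.51.100.7/bank.example/login",                  # bare IP, name only in the path
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = check_link(link, TRUSTED)
        flag = "OK " if verdict["trusted"] else "NO "
        print(flag, verdict["host"].ljust(34), link, *verdict["warnings"])
```

The same rule applies by hand: read the host from the end backwards, and the registered domain is the last two labels (or three, for `.com.au` and similar), not the first familiar-looking word after `https://`.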

Secure Your Network

Your home Wi-Fi should:

  • Have a strong password (not the default from the router)
  • Use WPA3 or WPA2 encryption (check router settings)
  • Have a network name that doesn’t identify you (“SmithFamilyNetwork” tells everyone whose Wi-Fi it is)

Change the default admin password on your router. Many people never do this, leaving it accessible with credentials anyone can find online.

On public Wi-Fi, don’t access sensitive accounts unless you’re using a VPN. Public networks can be monitored. Coffee shop Wi-Fi is fine for browsing, risky for banking.

Back Up Your Data

Ransomware encrypts your files and demands payment. The defense isn’t prevention (though that helps)—it’s having backups so you don’t care if your files get encrypted.

Follow the 3-2-1 rule: 3 copies of data, 2 different storage types, 1 off-site.

Cloud backup (Google Drive, iCloud, Dropbox) + local external drive covers this, provided the cloud service keeps file version history so that encrypted copies don’t silently sync over the good ones. If ransomware hits, you restore from backup and lose nothing.

Privacy Settings Matter

Social media platforms default to sharing more than necessary. Review privacy settings on:

  • Facebook, Instagram, Twitter
  • LinkedIn
  • Google account
  • Apple account

Consider what’s public. Your birthday, phone number, location, friend list—each piece of information can be used for social engineering attacks.

You don’t need to delete social media (though that’s valid too). Just control what’s public versus friends-only versus private.

Monitor Your Accounts

Check bank and credit card statements monthly for unauthorized transactions. The sooner you catch fraudulent charges, the easier they are to reverse.

Consider credit monitoring services. Some are free, some charge fees. They alert you to new accounts or credit checks in your name, helping you catch identity theft early.

IDCARE is Australia’s national identity and cyber support service. If you suspect compromise, they provide free assistance.

Scam Awareness

Australians lost over $3 billion to scams in 2024. The most common scams:

  • Fake MyGov/ATO messages
  • Romance scams
  • Investment scams promising high returns
  • Fake online shopping sites
  • Impersonation scams (someone pretending to be family/boss)

The defense is skepticism. If it seems too good to be true, it is. If it creates urgency, slow down and verify. If someone you know is asking for unusual help, confirm through a different communication method.

Scamwatch has current scam warnings and reporting tools.

For Business Owners

Everything above applies, plus:

Separate business and personal accounts. If one gets compromised, it doesn’t cascade.

Train employees. They’re the weakest link, not because they’re incompetent but because social engineering is effective.

Have an incident response plan. What do you do if someone gets phished? If ransomware hits? Planning before crisis prevents panic during crisis.

Consider cyber insurance if you handle customer data or depend on digital operations. It won’t prevent attacks, but it helps manage costs when they occur.

The Effort-to-Benefit Ratio

These basics require minimal effort and prevent most problems. Yes, there are more sophisticated attacks. But opportunistic attackers target easy victims. Basic security makes you a harder target, so they move on.

Perfect security doesn’t exist. Good-enough security is achievable and worthwhile.

Start with passwords and 2FA. Those two changes provide 80% of the benefit. Add the rest over time.

Cybersecurity isn’t about paranoia or perfect protection. It’s about reasonable precautions that significantly reduce risk. That’s achievable for everyone.