Personal Cybersecurity Basics (That Actually Reduce Risk)
Most security advice is either too technical or too casual.
This is the middle: a small set of habits that meaningfully reduce your odds of account takeover, payment redirection, or identity misuse.
If you do nothing else, do the first three sections.
1) Treat your email inbox as the master key
For most people, the fastest way into “everything” is not your bank login. It is your email account.
If someone controls your email, they can usually:
- reset passwords
- intercept one-time codes
- approve new device logins
- impersonate you in a way colleagues will believe
Minimum standard:
- A unique, strong password (use a password manager)
- Multi-factor authentication (authenticator app or passkey preferred)
- Recovery options that are not easy to socially engineer
A simple test: if losing your email would merely annoy you, you are underestimating the blast radius.
2) Use a password manager, and actually let it do the work
The goal is not “a better password”. The goal is unique passwords everywhere.
Password reuse turns one breach into a chain reaction.
A password manager helps with:
- generating long random passwords
- storing them safely
- making “unique per site” painless
Two practical notes:
- Pick one good manager and commit (1Password, Bitwarden, etc.). The decision matters less than the consistency.
- Protect the manager with strong MFA. It becomes a high-value asset.
3) Prefer passkeys and authenticator apps. Avoid SMS where possible.
SMS-based MFA is better than nothing, but it is not the standard you want for high-value accounts.
Common failure modes:
- SIM swap attacks
- account recovery via phone carrier social engineering
- number porting fraud
Better options:
- Passkeys (device-based, phishing resistant on many services)
- Authenticator apps (time-based codes)
- Hardware keys (best for high-value accounts if you can tolerate the friction)
If a platform offers passkeys, it is worth using them.
4) The real threat model is social engineering, not malware
Most modern attacks are persuasion problems.
The pattern is predictable:
- urgency
- authority
- a “quick confirmation”
- a link or attachment
In 2026, the tooling is better. Deepfakes, voice cloning, and AI-written phishing emails remove the obvious mistakes that used to give an attack away.
So the defensive behaviour matters more:
- Do not act from within the message. Navigate to the site or service yourself.
- If money or account access is involved, verify via a second channel.
- When in doubt, slow down. Speed is the attacker’s advantage.
5) Payment redirection is the quiet killer (especially for businesses)
If you run a business, or you approve payments, business email compromise is one of the highest-impact risks.
Typical scenario:
- attacker gains access to an inbox (yours, or a supplier’s)
- they watch for invoices
- they alter bank details at the last moment
- the money leaves, and recovery becomes a legal and banking process, not a “support ticket”
Controls that help:
- Confirm bank detail changes by phone using a known number (not the number in the email)
- Use dual approval for payments above a threshold
- Lock down mailbox rules and forwarding (attackers love stealthy auto-forward rules)
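The mailbox-rule control above is easy to state and easy to forget to check. The following is an added example (not the article's own material, and not a vendor tool) of the audit logic a defender would run over an export of inbox rules. It assumes the rules have been exported into a simple list with the fields shown; real Exchange or Google Workspace exports use different field names and would need mapping first. The internal domain, folder names and sample rules are all constructed for the example.

```python
"""Flag inbox rules that match the business-email-compromise pattern:
forwarding or redirecting mail outside the organisation, deleting or
hiding messages, or filtering on payment-related subjects.

Added example; assumes rules were exported into the simplified shape
below (constructed for illustration, not a real vendor export format).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumption: the organisation's own mail domains. Any other domain is external.
INTERNAL_DOMAINS = {"example.com.au"}

# Assumption: folders people rarely open, a common place to hide redirected mail.
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history"}

# Subject keywords that suggest the rule is targeting invoices or payments.
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance", "wire", "account"}


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: list[str] = field(default_factory=list)


def _domain(address: str) -> str:
    """Return the domain part of an address; an address with no '@' is treated as external."""
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule: InboxRule, internal_domains: set[str] = INTERNAL_DOMAINS) -> list[str]:
    """Return the reasons a rule deserves human review. An empty list means no finding."""
    findings: list[str] = []
    if not rule.enabled:
        return findings  # disabled rules do nothing; still worth deleting, but not a live risk

    external = [a for a in rule.forward_to + rule.redirect_to if _domain(a) not in internal_domains]
    if external:
        findings.append("sends mail outside the organisation: " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes matching messages (hides correspondence from the mailbox owner)")
    if rule.move_to_folder and rule.move_to_folder.lower() in LOW_VISIBILITY_FOLDERS:
        findings.append("moves mail into a rarely checked folder: " + rule.move_to_folder)
    if any(word in term.lower() for term in rule.subject_contains for word in PAYMENT_WORDS):
        findings.append("filters on payment-related subjects: " + ", ".join(rule.subject_contains))
    return findings


def audit_rules(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each rule name that has findings to its list of findings."""
    return {r.name: f for r in rules if (f := assess_rule(r))}


# Constructed sample export: one benign rule, one classic BEC rule,
# one disabled leftover, and one legitimate internal copy.
SAMPLE_RULES = [
    InboxRule("Newsletter cleanup", True, move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("Invoices", True, forward_to=["acct.review@mail-relay.example"],
              delete_message=True, subject_contains=["invoice", "payment"]),
    InboxRule("Old forward", False, forward_to=["me@personal-mail.example"]),
    InboxRule("Colleague copy", True, forward_to=["finance@example.com.au"]),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"REVIEW: {name}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against a real export and the output is a short review list rather than a dump of every rule; the point is that a single rule combining an external forward, a delete action and an invoice filter is exactly the footprint of an attacker waiting for a payment to redirect.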
6) Device hygiene: boring, effective
You do not need a “cyber setup”. You need consistent basics.
- Keep your OS and browsers updated
- Turn on full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Use a screen lock and short auto-lock timer
- Avoid installing random browser extensions
If you have one device you use for sensitive accounts, keeping it “clean” is a real advantage.
7) A short checklist you can do today
- Secure your primary email account (password manager + passkey/authenticator)
- Turn on MFA for: email, bank, brokerage, super, password manager
- Remove SMS MFA where stronger options exist
- Review account recovery methods
- Check your email rules/forwarding settings
- Pick a payment verification rule and stick to it
A calm truth: you do not need perfect security. You need to stop being the easy target.
Closing
Security is not a one-time task. It is a small system.
If you want a second set of eyes on your workflow, controls, and risk surface (especially for a financial services team), send me what you have. I will tell you what I would fix first.
Information on this site is general in nature and not financial advice.