You can spend a lot of money on protection and still lose data through one click on a bad link. In the cases we handle, the attacker’s point of entry is almost always a person, not a flaw in a system. The good news is that a few simple habits close off most typical attacks. This guide is for employees and requires no technical knowledge. If you are a business owner, treat it as a list of rules worth passing on to your team.

Passwords and a password manager

Passwords are still the first line of defence and most often it is exactly where the problem starts. The rules are simple.

  • Long, not complicated. A long password made of several words is better than a short one with asterisks and digits. A longer password is harder to crack and easier to remember.
  • Never use the same password in two places. A leak from one service then means access to all the rest.
  • Do not save passwords in the browser or in a file on the desktop. That is the first place malware reaches for.

The solution that handles all three points at once is a password manager. It is an application that generates and remembers a unique password for each service for you. You only have to remember one, master password for the manager itself.

The most common excuse is: I have my own clever system for passwords. The attacker knows it too, because it is usually the company name plus the year. A password manager is the only sensible answer to the fact that we have dozens of accounts these days.

MFA, the second factor of sign-in

Multifactor authentication (MFA) is an extra confirmation of sign-in, usually a code or an approval in an app on your phone. Even if someone learns your password, without the second factor they will not sign in.

  • Turn on MFA everywhere you can, especially on company email and banking.
  • Best is an authenticator app or a hardware key. An SMS code is better than nothing, but weaker.
  • Watch out for notification fatigue. If you get requests to approve a sign-in you did not initiate, do not click approve and report it to IT. Someone may be trying to get into your account right now.

How to recognise phishing

Phishing is impersonating a known institution or person to extract data or prompt a click. It is the most common start of a serious incident. A few warning signs.

  • Time pressure and fear. Messages like your account will be blocked within an hour are meant to switch off your thinking. Serious institutions do not write like that.
  • An unexpected attachment or link. Especially an invoice, a parcel or a request to sign in. Hover over the link and check where it really leads.
  • Small differences in the sender’s address. A letter swapped in the domain name is a classic.
  • A request for an urgent transfer from the boss. Always confirm such an instruction by another route, for example by phone.
  • A request to sign in via a sent link. Instead of clicking, go to the service’s site manually by typing the address in the browser. Fake sign-in pages today look identical to real ones.

A practical rule: if something makes you uneasy, do not click and ask IT. Better to ask one question too many than to open the door to an attacker. It is also worth remembering that attacks increasingly come not only by email but also by text message or messaging app, and the mechanism is always the same: pressure and a request to act quickly.

Public networks

Free wi-fi in a cafe, at the airport or in a hotel is convenient, but you do not know who else is on that network or whether someone is eavesdropping on the traffic.

  • Avoid signing in to company systems and banking over open public networks.
  • If you have to work remotely, use a connection secured by the company, for example a VPN or company access to applications.
  • If needed, use the internet from your own phone rather than an unknown network. That is safer than random wi-fi.

Updates

Updates can be annoying, but they are one of the cheapest forms of defence. In them, vendors patch the flaws that attackers already know and exploit.

  • Do not put off updates to the system and browser forever. A restart every now and then is a small price.
  • Update your phone too, if you use it for work.
  • Do not install software from random sources. Stick to official stores and vendor websites.

A short everyday list

If you were to remember only a few things, let it be these:

  1. Use a password manager and a unique password for every account.
  2. Turn on MFA, especially on company email.
  3. Before you click, check the sender and the link. When in doubt, ask IT.
  4. Do not sign in to company systems over open wi-fi.
  5. Install updates and do not put them off endlessly.

These habits work best when the whole team applies them by reflex. That is what regular security awareness training leads to, and part of the risk can also be taken off people technically, for example by blocking access to malicious sites through DNS filtering. If you want to raise the level of security in your company without wearing your employees down, we will gladly suggest where to start.