The Ten Commandments of Computer Security for Mere Mortals

John Karahalis
Published in Reflections
Nov 27, 2022

Not long ago, an acquaintance had their identity stolen. The case was rather serious, with the perpetrators attempting to drain thousands of dollars from the victim’s bank accounts.

Image by Peter Olexa from Pixabay

At that time, I began to refine a list of ten common-sense security guidelines that the victim could observe to avoid a repeat of the ordeal. I came to think of the list as The Ten Commandments of Computer Security for Mere Mortals. I have copied them below:

  1. Accept that you cannot buy security; no product or service alone will keep you safe.
  2. Update software regularly.
  3. Update hardware (phones, tablets, computers, etc.) when they’re so old that they stop receiving software updates.
  4. Use a password manager to generate and remember random, unique passwords for you.
  5. Enable multi-factor authentication on important accounts.
  6. Do not install anything that you do not trust.
  7. Treat all unsolicited pop-ups, emails, phone calls, and links as guilty until proven innocent.
  8. Be suspicious of anyone claiming to be technical support or a government official, as well as anyone who pressures you to act quickly or not talk to others.
  9. Use a reliable email service that accurately detects and quarantines malicious emails.
  10. Keep everything backed up at all times.

I recommend using Wirecutter’s recommended password manager and Wirecutter’s recommended multi-factor authentication app. PCMag published a great introduction to multi-factor authentication for anyone unfamiliar with the subject.

Multi-factor authentication (MFA) should be enabled on all accounts that you care about. The most important of these might be your email account; if a hacker can read your email, they can probably use the Forgot password feature on other sites and services to change those passwords. It’s also important to enable MFA for accounts that you use to log into other accounts, like your Facebook account. (Better yet, stay away from the digital smoke of Facebook and other antisocial media platforms.) Finally, you should of course enable MFA with any financial institutions that do not enable some version of it by default. Thankfully, MFA is becoming the default in more and more places.

There are some caveats with my commandments, of course. I have found that Gmail, at least, is getting worse at detecting spam and phishing emails. Some programs like Malwarebytes and AdGuard can be helpful when their limitations are genuinely appreciated and they are not considered panaceas. The list could also highlight that the benefits of VPNs are dramatically overstated.

Still, at this point in time, I think these are good guidelines. They are designed to counter credential stuffing, phishing, social engineering, scams, ransomware, and more. I imagine that anyone following them would be safer than 99% of people.
