If you’re an IT pro or a serious PC hobbyist, computers are as logical as Mr. Spock. If you’re a human being without a technical background, the average Windows error message might as well be written in Klingon.
For that latter audience, computer security often devolves into magical thinking. That’s unfortunate because the reality is that most of the things you can do to protect yourself online are about simple psychology and basic human behavior.
When a business network is compromised with ransomware, the culprit is rarely an evil genius hacker. The source of the problem is usually far more mundane: Someone was fooled by a clever bit of social engineering.
For anyone who’s responsible for training others to avoid being online victims, the secret is not to explain how buffer overflows and code injection work.
Instead, help those people focus on how to approach PCs with a healthy dose of skepticism and build up some basic situational awareness. I’ve reduced the lesson plan to six simple rules, all written in plain language.
1. Don’t panic
A grizzled veteran of the computer security industry once shared a priceless piece of wisdom with me: “Don’t just do something. Stand there.”
Oh, wait. That wasn’t a security expert, it was the White Rabbit in Disney’s 1951 animated production of Alice in Wonderland. But it’s still good advice.
The natural human reaction when you see a potential threat is to panic and immediately try to do something to solve it. If you get an email alerting you that your credit card’s about to be charged $480 to renew your non-existent Geek Squad subscription or that your computer is infected with ransomware, you might be tempted to call the toll-free number in that email. That will, of course, connect you to a call center staffed by bad actors who will happily take your credit card details and process some real charges.
Scammers thrive by making people panic. Take the time you need to figure out what the real threat is before you do anything.
2. Don’t open unknown attachments
Many potential security threats arrive as email attachments. Sometimes they’re executable files, but these days they’re just as likely to be Word documents with macros, PDFs, or HTML files that open a fake sign-in page. The attachment might exploit a flaw in the program that opens it, or it might be nothing more than bait designed to convince you to type in the credentials for an email or bank account.
If you receive an attachment from someone you don’t know, the last thing you should do is open it. Even if the attachment appears to be from someone you know, it pays to be cautious, especially if the message is unexpected. The sender’s address might be spoofed, or their account might be compromised.
If you suspect an attachment is malicious, or if a message contains a link to a suspicious site, consider submitting it to VirusTotal (https://virustotal.com). That free, trusted service (owned by a subsidiary of Google) runs each submission through more than 70 antivirus engines and a variety of other security-related tools and tells you whether the file or URL is already known to be malicious. One caveat: anything you upload is shared with the security vendors who work with VirusTotal, so if the attachment might contain confidential information, look up its hash on the site first. If someone else has already submitted the same file, you get the verdict without handing over a copy.
3. Don’t click unsolicited links, either
Social engineering works by exploiting people’s trust. A scammer who puts even minimal effort into a phishing attempt can do a creditable job of mimicking a legitimate email and crafting links that look close enough to the real thing to fool you.
If you receive an email that makes you think, “Hmmm, that doesn’t look right,” your spidey sense is working. Trust it.
And even if the message doesn’t have any obvious red flags, it’s still OK to be suspicious, especially if you’re being asked to click a link to do something you didn’t ask for. When in doubt, don’t click that link; instead, use a bookmark you’ve saved for the site in question or type the URL directly to do whatever you need to do.
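The two checks described under rules 2 and 3, turned into code as an added example (this is not code from the original article). It flags links in an HTML message whose visible text, host, or structure give them away, and it computes the SHA-256 hash of an attachment so the file can be looked up on VirusTotal before anything is uploaded. The sample message, the list of trusted domains, and the crude "last two labels" notion of a registrable domain are assumptions made for the example; the VirusTotal report URL form is the one the site uses at the time of writing.

```python
"""Email triage: flag links whose visible text and real target disagree, and
identify an attachment by hash so it can be looked up before being uploaded.
Added example; the sample message below is constructed for illustration."""
import hashlib
import re
from urllib.parse import urlparse

# Assumption for the example: sites the reader actually has accounts with.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}

ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host):
    """Last two DNS labels ('www.paypal.com' -> 'paypal.com'): a crude stand-in
    for eTLD+1 that is adequate for the .com-style hosts in this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Hostname if the link's visible text is itself a URL or bare domain, else None."""
    text = TAG_RE.sub("", text).strip()
    if "://" not in text:
        if " " in text or "." not in text:
            return None
        text = "http://" + text
    return urlparse(text).hostname


def check_link(href, display):
    """Reasons to distrust one link; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["href has no hostname"]
    if parsed.username is not None:
        # http://paypal.com@evil.example/ : browsers ignore everything before '@'
        reasons.append("user info before '@' hides the real host")
    if IPV4_RE.match(host):
        reasons.append("bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label; possible look-alike (homograph) domain")
    shown = host_in_text(display)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"text shows {shown} but the link goes to {host}")
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in host:
                reasons.append(f"{host} uses the name {brand} but is registered under {domain}")
                break
    return reasons


def triage_links(email_html):
    """(href, reasons) for every anchor in an HTML email body."""
    return [(href, check_link(href, text)) for href, text in ANCHOR_RE.findall(email_html)]


def sha256_lookup_url(attachment_bytes):
    """VirusTotal report page for a file, addressed by SHA-256. Checking this
    first reveals prior verdicts without uploading a possibly confidential file."""
    digest = hashlib.sha256(attachment_bytes).hexdigest()
    return "https://www.virustotal.com/gui/file/" + digest


# Constructed phishing message (not a real email). The .example TLD and the
# 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved for documentation.
SAMPLE_EMAIL = """
<p>Your account is on hold. Sign in at
<a href="http://paypal.com.verify-login.example/x">https://www.paypal.com/signin</a></p>
<p>Questions? <a href="https://www.microsoft.com/en-us/support">Microsoft support</a></p>
<p><a href="http://203.0.113.9/update">Update now</a></p>
<p><a href="http://paypal.com@198.51.100.7/login">PayPal login</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons) or "nothing unusual")
    print(sha256_lookup_url(b"%PDF-1.7 constructed sample attachment"))
```

Run as-is it reports on the four constructed links: the first is flagged twice (the text shows paypal.com but the target is under verify-login.example, and the host merely borrows the PayPal name), the genuine Microsoft link passes, the third uses a bare IP address, and the fourth hides an IP address behind a fake `paypal.com@` prefix. Only the hash, never the file, is needed to build the lookup URL.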
4. You don’t need to pay for security software
The security software industry wants you to be afraid. As part of that effort, they try their best to convince you that the core protections built into your PC, Mac, or mobile device cannot possibly be as good as the product they sell.
That might have been true two decades ago, but it’s certainly not true today. Most third-party security software developed for use by consumers offers only marginal extra protection, at best. That’s especially true for buzzy features like “Dark Web monitoring.”
If you’re an enterprise network administrator, you can probably benefit from software and services that give you greater visibility into what your users are doing as well as what’s happening on the periphery of your network. For your personal PC, save your money.
5. Don’t mess with a perfectly good PC (or Mac)
When it comes to keeping your computer secure, I have a slightly different take on the classic management advice: “If it ain’t broke, don’t break it.”
Drive-by exploits might get all the headlines, but the sad fact is that most malware arrives on PCs because someone willingly, even eagerly, chose to install it.
Maybe they downloaded a cracked program from a sketchy download site, or maybe they followed a sponsored link from a search engine and grabbed a program that included a bundle of adware or even malware in addition to the app they were looking for.
The obvious solution? Don’t install random apps.
If you need to check out a program, and you’re running Windows 10 or 11 Pro, Enterprise, or Education, try running it in Windows Sandbox. It’s an optional feature that you turn on once, and it requires hardware virtualization to be enabled on your PC. If you’ve never heard of it, here’s how I described it when Windows 11 was released:
It allows you to instantly spin up a secure virtual machine without any complex setup. The VM is completely isolated from your main system, so you can visit a suspicious website or test an unknown app without risk. When you’re done, close the sandbox, and it vanishes completely, removing all traces of your experiment.
It’s a killer feature, and one you should know about. Two caveats: by default the sandbox shares your clipboard and has full network access, so a sandboxed app can still phone home or fetch a second stage; both can be turned off with a small configuration (.wsb) file. And because the sandbox is disposable by design, anything you want to keep must be copied out before you close it.
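As an added example (not from the original article), a Windows Sandbox configuration file that tightens the defaults before you test an unknown download. Save it with a .wsb extension and double-click it to start the sandbox with these settings. The folder path is an assumption; substitute the folder where you keep downloads you don’t yet trust.

```xml
<!-- quarantine.wsb: added example configuration for Windows Sandbox.
     Without a .wsb file, the sandbox starts with networking on, the clipboard
     shared with the host, and no host folders visible. Each element below
     overrides one of those defaults. -->
<Configuration>
  <!-- Cut off network access so a test app cannot phone home or download more. -->
  <Networking>Disable</Networking>
  <!-- Don't share the clipboard; a copied password on the host stays on the host. -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Expose only the quarantine folder, and only read-only, so the sandbox
       can open the download but cannot write anything back to the host.
       Hypothetical path: change it to your own folder. -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\you\Downloads\quarantine</HostFolder>
      <SandboxFolder>C:\quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
```

Leaving `Networking` at its default is the weak setting to watch for: an installer that looks clean offline may behave differently once it can reach its server, so test first with the network off and then, if you must, once more with it on.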
6. Use a password manager
I’ve been pounding the table about password managers for years, so I won’t repeat those arguments here. (If you need a refresher, read this: “Forgot password? Five reasons why you need a password manager.”)
But the facts are indisputable: Human beings are terrible at generating random passwords, and it’s effectively impossible to remember the dozens of strong, unique credentials that will keep you secure.
In fact, using a password manager makes it easier to navigate the modern internet and keeps you safer. If you’ve been putting off this task because you think it’s too difficult, try my three-step program, which you can implement in 30 minutes or less.
Oh, and while you’re at it, turn on two-factor authentication, too, on every account that offers it. An authenticator app or a hardware security key is a better second factor than a code sent by text message, which can be intercepted or redirected by a SIM-swap.