Passwords

Password reuse is the simplest way to lose control of an account. When a website leaks its user database (and hundreds do every year) attackers automatically replay those leaked email/password pairs against Google, Microsoft 365, banking portals and everything else. This is called credential stuffing, and it works because people reuse passwords across services.

The fix is a password manager. You do not need to remember a unique password; you just need to use the manager. For personal use, Bitwarden is free and open source. For teams, Bitwarden has a paid plan, and 1Password Teams is widely used. Both support shared vaults so you can share credentials for shared accounts without sending passwords over Slack.

Minimum standard: 16 characters, no reuse, not based on guessable words. A password manager generates this automatically.

💡 Tip: Check whether your email addresses are already in known breaches at haveibeenpwned.com. Free and takes 30 seconds.
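The same service also publishes its breached-password corpus through a k-anonymity API, which is the right way to check a password without sending it anywhere. Added example, not code from the page or from haveibeenpwned: only the first five characters of the SHA-1 hash are sent, the match is made locally, and the sample range response below is constructed (the suffix for "password" is real, the counts are made up) so it runs offline.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (k-anonymity): only the first five hex characters
# of the SHA-1 hash are sent; matching is done locally on the returned suffixes.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Scan a range response ('SUFFIX:COUNT' per line) for our suffix.
    Returns how many times the password appeared in breaches, 0 if never."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup; not used by the offline demo below."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_offline(password: str, ranges: dict[str, str]) -> int:
    """Same logic as a live check, but reads the range response from a dict."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, ranges.get(prefix, ""))

# Constructed sample: a trimmed, made-up response for prefix 5BAA6 (the SHA-1 of
# "password" really starts with 5BAA6). The live response has hundreds of lines
# and different counts; the numbers here exist only so the demo runs offline.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "003D68EB55068C33ACE09247EE4C639306B:3\n",
}

if __name__ == "__main__":
    for pw in ("password", "xK9#vQ2mLp7!wR4nTz8B"):
        n = check_offline(pw, SAMPLE_RANGES)
        print(f"{pw!r}: {'seen %d times, do not use' % n if n else 'not in sample range'}")
```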

Two-factor authentication (2FA)

A strong password is not enough on its own. If someone obtains it (via phishing, a keylogger or a data breach) the account is gone. Two-factor requires something you know (password) and something you have (your phone or a hardware key).

SMS-based 2FA is better than nothing but is weak. SIM-swapping and SS7 attacks can intercept SMS codes. Use a TOTP app instead: Aegis (Android, open source, free) or Raivo OTP (iOS). They generate time-based 6-digit codes locally on the phone.

For admin accounts and critical systems, a hardware key is better still. A YubiKey 5 (around £45) supports FIDO2/WebAuthn and works with Microsoft 365, Google Workspace and most major platforms. A FIDO2 key cannot be phished: the login response is bound to the genuine site's domain, so a lookalike site gets nothing it can replay, and the key must be physically present.

⚠️ Store backup codes securely. Lose your phone without a backup and you are locked out. Store TOTP backup codes encrypted in your password manager, or printed and physically locked away.

Backup: the 3-2-1 rule

3-2-1 is not a buzzword; it is a minimum standard: 3 copies of the data, on 2 different media, with 1 copy offsite. Ransomware encrypts everything it can reach from the compromised system, including mounted network drives. An offline or cloud copy is what saves the business.

For offsite cloud backup, Backblaze B2 is inexpensive (around $6/TB/month) and supports S3-compatible backup clients. For on-premises backup: rsync to a dedicated NAS (Synology, QNAP) with snapshot support, so ransomware cannot simply overwrite the backup files.

Test your restore procedure at least once a month. A backup you have never tested is not a backup; it is an assumption.

Patching and updates

According to the Verizon Data Breach Investigations Report (DBIR) 2023, over 32% of breaches exploited known vulnerabilities: security holes that already had a patch available. Not zero-days. Attackers read patch notes to learn what has just been fixed, then look for systems that have not yet applied the fix.

Enable automatic updates on all operating systems: Windows Update, macOS Software Update, unattended-upgrades on Linux. Applications (browsers, Office suites, PDF readers) are not updated by the operating system and need separate attention.

Maintain an inventory of what you are running. Not for bureaucratic reasons, but because you cannot patch software you do not know you have.

Phishing and social engineering

Phishing is not only bad grammar and Nigerian prince emails. Modern spear-phishing is tailored with your name, a colleague's name and a convincing sender address. It is genuinely difficult to spot on first encounter.

Specific things to look for: urgency ("respond within 2 hours"), unusual sender address (check the domain, not just the display name), links that point somewhere different than they appear (hover before clicking), and requests to bypass normal approval procedures.

Be sceptical of invoices from new suppliers, requests to change bank account numbers, and access requests made over email. Call to confirm. It is annoying. It is cheaper than a wire transfer to an attacker.

SPF, DKIM and DMARC records on your email domain reduce the risk of attackers sending email that appears to come from you: SPF lists which servers may send for the domain, DKIM signs outgoing mail, and DMARC tells receiving servers what to do with mail that fails both checks. A few hours of work at your DNS provider.
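A quick check of the SPF and DMARC records you publish, as an added example (not code from the page or from any tool it names): it flags the weak settings that are easy to leave in place, such as an SPF record ending in +all or a DMARC policy of p=none. The record strings below are constructed; DKIM is left out because checking it means fetching and validating the selector's public key.

```python
import re

def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag list used by DMARC (and DKIM) TXT records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record: str) -> list[str]:
    """Findings for an SPF TXT record; an empty list means nothing obviously weak."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    if "+all" in terms or "all" in terms[1:]:
        findings.append("'+all' lets any host send as your domain")
    elif "?all" in terms:
        findings.append("'?all' is neutral: unknown senders are neither passed nor failed")
    elif "~all" in terms:
        findings.append("'~all' only soft-fails; '-all' is stricter")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism: unlisted senders default to neutral")
    # RFC 7208 caps DNS-querying terms at 10; more than that is a permanent error.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Findings for a DMARC TXT record (the _dmarc.<domain> TXT record)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings
```

Start with p=none plus a rua= address to collect reports for a few weeks, then move to quarantine and finally reject once the reports show only your own senders.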

Encrypt devices

A lost laptop without disk encryption is a data breach. With encryption it is just a lost laptop.

Store the recovery key somewhere that is not on the encrypted device itself. A password manager is the obvious place.

Incident response: what to do when it happens

"When it happens" is more realistic than "if it happens". A plan written in advance is easier to follow under pressure than one improvised in the moment.

Basic steps: isolate the compromised system from the network (unplug the network cable, disable WiFi), change passwords on affected accounts from a non-compromised device, and document what you can see: screenshots, log files and timestamps.

In the UK: report to the National Cyber Security Centre (NCSC) at report.ncsc.gov.uk and to Action Fraud. If personal data was compromised, the ICO must be notified within 72 hours under UK GDPR Article 33.

In the US: report to CISA via cisa.gov/report and to the FBI's IC3 at ic3.gov.

📝 Note: Preserve all evidence. Do not format disks or delete logs. The evidence is needed for any investigation and for an insurance claim.

Free resources

Sources