
If you're an IT pro or a serious PC hobbyist, computers are as logical as Mr. Spock. If you don't have a technical background, a common Windows error message might as well be written in Klingon.
For the latter group, computer security often turns into magical thinking. That's unfortunate, because the truth is that most of the things you can do to protect yourself online come down to simple psychology and basic human behavior.
When a business network is compromised by ransomware, the culprit is rarely an evil genius hacker. The source of the problem is often more mundane: Someone has been fooled by a clever bit of social engineering.
For anyone responsible for training others to avoid being victimized online, the secret is not to explain how buffer overflows and code injection work.
Instead, help people focus on approaching their PCs with a healthy dose of skepticism and building some basic situational awareness. I've reduced the lesson plan to six simple rules, all written in plain language.
1. Don’t panic
A grizzled veteran of the computer security industry once shared a valuable piece of wisdom with me: “Don’t just do something. Stand there.”
Oh, wait. That wasn't a security expert; it was the White Rabbit in Disney's 1951 animated film Alice in Wonderland. But it's still good advice.
The natural human reaction when you see a potential threat is to panic and take immediate action to fix it. If you receive an email alerting you that your credit card is about to be charged $480 to renew your expired Geek Squad subscription, or that your computer has been infected with ransomware, you may be tempted to call the toll-free number in that email. That, of course, will connect you to a call center staffed by bad actors who will happily take your credit card details and process some very real charges.
Scammers thrive by making people panic. Take the time you need to find out what the real threat is before you do anything.
2. Do not open unknown attachments
Many potential security threats arrive as email attachments. Sometimes these are executable files, but these days they are more likely to be Word documents, PDFs, or HTML files. They may run exploit code, or they may simply be an attempt to convince you to enter the credentials for an email or bank account.
When you receive an attachment from someone you don’t know, the last thing you should do is open it. Even if the attachment appears to be from someone you know, it’s worth being careful, especially if the message is unexpected. The sender’s account information may be spoofed, or their account may be compromised.
If you suspect that an attachment is harmful, or if a message contains a link to a suspicious site, consider uploading it to VirusTotal (https://virustotal.com). That free, reliable site (owned by a subsidiary of Google) scans your submission against 70 antivirus engines and a variety of security-related services and can tell you whether it is malicious or a false positive.
3. Don't click on unsolicited links, either
Social engineering works by exploiting people’s trust. A scammer who puts even a little effort into a phishing attempt can do a credible job of impersonating a legitimate email and creating links that are close enough to the real thing to trick you.
When you get an email that makes you think, “Hmmm, that’s not right,” your spidey sense is at work. Trust it.
And even if the message doesn’t have any obvious red flags, it’s still OK to be suspicious, especially if you’re being asked to click a link to do something you didn’t ask for. When in doubt, don’t click on the link; instead, use the bookmark you saved for the site in question or type the URL directly to do whatever you need to do.
4. You don’t need to pay for security software
The security software industry wants to scare you. As part of that effort, they try their best to convince you that the core protections built into your PC, Mac, or mobile device may not be as good as the product they’re selling.
That may have been true two decades ago, but it is not true today. Most third-party security software developed for consumers offers little additional protection, at best. That's especially true for buzzy features like "Dark Web monitoring."
If you are a business network administrator, you can benefit from software and services that give you greater visibility into what your users are doing as well as what is happening at the periphery of your network. For your personal PC, save your money.
5. Don’t mess with a perfectly good PC (or Mac)
When it comes to keeping your computer safe, I disagree with the classic management advice: “If it ain’t broke, don’t break it.”
Drive-by exploits may grab all the headlines, but the sad truth is that most malware ends up on PCs because someone willingly, even eagerly, chose to install it.
Maybe they downloaded a cracked program from a sketchy download site, or maybe they followed a sponsored link from a search engine and downloaded a program that bundled a load of adware or even malware alongside the app they were looking for.
The obvious solution? Do not install random apps.
If you need to test a program, and you have Windows 11 Pro or Enterprise, try running it in Windows Sandbox. If you’ve never heard of this feature, here’s how I described it when Windows 11 was released:
It allows you to easily spin up a secure virtual machine without any complicated setup. The VM is completely isolated from your main system, so you can visit a suspicious website or try an unknown app without risk. When you are done, close the sandbox, and it will disappear completely, removing all traces of your experiment.
This is a killer feature, and one you should be aware of.
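As an added example (not from the original article), here is a Windows Sandbox configuration file (.wsb) that locks the sandbox down further than the defaults: no network, no clipboard sharing, and a single read-only folder holding the file under test. The folder paths are placeholders you would replace with your own.

```xml
<!-- Added example: save as Quarantine.wsb and double-click it to launch -->
<!-- Windows Sandbox with these settings. Folder paths are placeholders. -->
<Configuration>
  <!-- No network: a malicious sample cannot phone home or fetch a second stage -->
  <Networking>Disable</Networking>
  <!-- Keep the host clipboard out of the sandbox -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <!-- Software rendering only; the virtual GPU is extra attack surface -->
  <VGpu>Disable</VGpu>
  <!-- Block microphone, camera and printer access from inside the sandbox -->
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <PrinterRedirection>Disable</PrinterRedirection>
  <!-- Apply the extra mitigations to the sandbox's Remote Desktop session -->
  <ProtectedClient>Enable</ProtectedClient>
  <!-- Expose exactly one host folder, read-only, so nothing can write back to the host -->
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\EXAMPLE_USER\Downloads\Quarantine</HostFolder>
      <SandboxFolder>C:\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <!-- Open the quarantine folder as soon as the sandbox desktop appears -->
  <LogonCommand>
    <Command>explorer.exe C:\Quarantine</Command>
  </LogonCommand>
</Configuration>
```

Copy the suspicious download into the host Quarantine folder first, then launch the .wsb file; when you close the sandbox window, everything the program did inside it is discarded.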
6. Use a password manager
I’ve been pounding the table about password managers for years, so I won’t repeat those arguments here. (If you need a refresher, read this: “Forgot password? Five reasons why you need a password manager.”)
But the facts are indisputable: People are terrible at generating random passwords, and it’s literally impossible to remember the kinds of strong, unique credentials that can protect you.
In fact, using a password manager makes navigating the modern internet easier as well as safer. If you've been putting off this task because you think it's too hard, try my three-step program, which you can complete in 30 minutes or less.
Oh, and while you’re at it, turn on two-factor authentication too.