
Data Protection & Safety Basics

Security topics can feel overwhelming, or worse — they can be presented in ways designed to scare you into buying something. This article takes a different approach: practical habits, clearly explained, without exaggerating the risks or downplaying them either.


In This Article

  1. Backups: The Foundation
  2. Password Habits That Actually Help
  3. Two-Factor Authentication
  4. Recognizing Phishing
  5. Updates as Security
  6. Public Wi-Fi
  7. What You Probably Don't Need
  8. If Something Goes Wrong

1. Backups: The Foundation

No security measure is complete without a backup strategy. Antivirus software, strong passwords, and careful browsing habits all reduce risk — but none of them eliminate it. A backup is the thing that lets you recover when something goes wrong anyway.

The most common backup mistakes: having only one copy (which defeats the purpose), keeping the backup on the same computer as the original (also defeats the purpose), and never checking whether the backup actually works.

A practical approach for most people uses two layers. A local backup goes to an external hard drive connected to your computer — Windows File History or a simple manual copy works fine. This protects you from drive failure, accidental deletion, and software problems. An off-site or cloud backup protects against physical events like theft, fire, or flood. Services like Backblaze ($99/year for unlimited backup), OneDrive, or Google Drive handle this well.

What to back up: Documents, photos, videos, and anything else you couldn't recreate or replace. You don't generally need to back up your programs — those can be reinstalled. Focus on your files.

Once you have a backup running, test it. Pick a file at random and make sure you can access the backed-up version. Do this every few months. A backup you've never tested may not work when you need it.
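One way to automate that spot check, as an added example that is not part of the original article: the script below picks a few random files from a source folder, hashes each one and its copy in the backup folder, and reports any copy that is missing or no longer matches. The folder names and file contents are constructed for the demo; point `verify_backup_sample` at your own Documents folder and the matching folder on the external drive.

```python
import hashlib
import random
from pathlib import Path
from tempfile import TemporaryDirectory

def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large photos and videos never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_backup_sample(source: Path, backup: Path, sample_size: int = 5, seed=None) -> dict:
    """Pick random files under `source` and check each copy under `backup` is byte-identical.
    Returns {relative posix path: "ok" | "missing" | "mismatch"}."""
    files = sorted(p for p in source.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    results = {}
    for src in sample:
        rel = src.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            results[rel.as_posix()] = "missing"
        elif sha256_of(copy) != sha256_of(src):
            results[rel.as_posix()] = "mismatch"
        else:
            results[rel.as_posix()] = "ok"
    return results

def demo() -> dict:
    """Constructed example: one good copy, one stale copy, one file never copied at all."""
    with TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "Documents"), Path(tmp, "Backup", "Documents")
        (source / "photos").mkdir(parents=True)
        (backup / "photos").mkdir(parents=True)
        (source / "notes.txt").write_text("tax notes 2024")
        (backup / "notes.txt").write_text("tax notes 2024")             # identical copy
        (source / "photos" / "trip.jpg").write_bytes(b"\xff\xd8 new")
        (backup / "photos" / "trip.jpg").write_bytes(b"\xff\xd8 old")  # stale copy
        (source / "resume.docx").write_bytes(b"PK\x03\x04")             # never backed up
        return verify_backup_sample(source, backup, sample_size=3, seed=1)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```

A "missing" or "mismatch" line is exactly the warning the untested backup would otherwise give you on the day you need it.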

2. Password Habits That Actually Help

The biggest password problems most people have aren't using "password123" — they're reusing the same password across multiple sites and never changing credentials after a data breach.

When a website gets breached and login credentials are stolen (which happens regularly, to major companies), attackers test those username/password combinations on other sites. If you used the same password for your email and a shopping account that got breached, your email is now at risk too.

The practical solution is a password manager. Tools like Bitwarden (free), 1Password, or the built-in password manager in your browser generate and store unique, strong passwords for every site. You only need to remember one master password. This single change meaningfully reduces your exposure from credential breaches.

On the subject of password strength: length matters more than complexity. A passphrase like "correct-horse-battery-staple" is both easier to remember and harder to crack than "P@ssw0rd!". Modern password crackers are optimized for common substitution patterns — they're not fooled by replacing letters with numbers and symbols anymore.

For your most critical accounts — email, banking, any account used to verify your identity elsewhere — use a password you haven't used anywhere else, and enable two-factor authentication (covered below).

3. Two-Factor Authentication

Two-factor authentication (2FA) adds a second step to logging in — typically a code sent to your phone or generated by an app. Even if someone has your password, they can't log in without that second factor.

Most major services support this — Google, Apple, Microsoft, banks, and most email providers. Enabling it on your email account is particularly important, because your email is often used to reset passwords for other accounts. If someone gets into your email, they can potentially get into everything else.

Text message (SMS) codes are better than nothing, but authenticator apps — Google Authenticator, Authy, or Microsoft Authenticator — are more secure. They generate codes locally without relying on your phone number, which can be vulnerable to SIM-swapping attacks.

If you use a password manager, many of them can also store 2FA codes, making the experience smoother without giving up the security benefit.
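To show what "generate codes locally" means, here is an added example (not code from the article or from any authenticator app) of the time-based one-time password scheme those apps implement, RFC 6238 TOTP. The only inputs are the shared secret and the current time, which is why the code works with no phone number and no network; the secret used below is the reference value from the RFC's own test vectors, not a real key.

```python
import base64
import hmac
import struct
from hashlib import sha1

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_from_base32(secret_b32: str, unix_time: int) -> str:
    """Authenticator apps receive the shared secret as base32 text (what the QR code encodes)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return totp(base64.b32decode(padded), unix_time)

def verify_code(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Service side: accept the current 30-second step and one step either side for clock
    drift, comparing in constant time so response timing does not leak the expected code."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), submitted)
               for k in range(-window, window + 1))

if __name__ == "__main__":
    # Reference secret from RFC 6238's test vectors (ASCII "12345678901234567890"), not a real key.
    secret = b"12345678901234567890"
    print(totp(secret, 59), totp(secret, 1111111109))   # codes for the RFC's first two times
    print(totp_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
    print(verify_code(secret, "287082", 89), verify_code(secret, "287082", 150))
```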

4. Recognizing Phishing

Phishing — messages that pretend to be from a trusted source to get you to click a link, enter credentials, or take some other action — is the entry point for a large percentage of successful attacks. The messages have gotten better. They look legitimate.

A few things to notice: urgency is a common manipulation tactic ("Your account will be suspended in 24 hours"). Unexpected requests for login information should be treated with suspicion, even if the email looks right. The actual sender address (not just the display name) is often revealing — a genuine email from your bank will come from the bank's domain, not a slightly modified version of it.

When in doubt about a link or a request, go directly to the website by typing the address in your browser rather than clicking the link. If your bank is really having an issue with your account, you'll see it when you log in directly.

Phone-based phishing (vishing) follows the same patterns — impersonating banks, tech support companies, government agencies, or utilities. Callers creating urgency and asking for personal information or payment should be treated with skepticism. Hang up and call the organization back on a number from their official website if you're uncertain.

5. Updates as Security

Software vulnerabilities — flaws in the code that attackers can exploit — are discovered regularly in operating systems, browsers, and applications. Updates patch these vulnerabilities. Staying current with updates is one of the most straightforward security steps available.

This applies to Windows, macOS, your browser, and any software that handles external content — PDF readers, media players, office software. The more software has access to your files or the internet, the more important it is to keep it updated.

Older operating systems that are no longer receiving security updates (Windows 7, Windows 8) are meaningfully more at risk. If your computer can't run a supported version of Windows, this is a real consideration for its continued use — at least for anything involving personal information or online access.

6. Public Wi-Fi

Public Wi-Fi networks — in coffee shops, airports, hotels — are convenient and generally fine for casual use. Browsing the news, checking the weather, watching videos: no significant risk. Activities that involve logging in to accounts or transmitting sensitive information are worth being more careful about.

Modern encrypted connections (HTTPS, indicated by the padlock in your browser) protect your data in transit even on public networks — most sites use this by default now. The risk is lower than it used to be.

If you regularly work with sensitive information on public networks, a VPN (Virtual Private Network) encrypts all your traffic, not just websites that support HTTPS. There are reputable paid VPN services; free VPNs are generally not worth the risk as they have to monetize their service somehow.

A simple precaution: make sure your device isn't set to automatically connect to known networks without your input, and disable file sharing when on public Wi-Fi.

7. What You Probably Don't Need

The security industry sells a lot of products, and not all of them provide meaningful protection for ordinary users. A few things worth being skeptical of:

Third-party antivirus suites, for most users, aren't an improvement over Windows Defender, which is built into Windows and receives regular updates. The paid products can sometimes cause more problems than they prevent through aggressive behavior, frequent pop-ups, and system slowdowns.

The "anonymity" that some VPNs are marketed on is often overstated. A VPN hides your traffic from your internet provider and local network, but the VPN provider itself sees your traffic. It's also not protection against malware, phishing, or weak passwords.

Security software that cold-calls you, sends alarming pop-ups about infections, or is installed through bundled installers is almost certainly malware itself, or at best, junk software. Legitimate security software doesn't work this way.

8. If Something Goes Wrong

Despite reasonable precautions, things can go wrong. Knowing what to do in the first minutes can matter.

If you suspect your computer is infected with malware: disconnect from the internet (physically or by disabling Wi-Fi), avoid logging in to any accounts, and contact someone who can help assess the situation. Don't rush to click things or install tools you found in a search — some of these are themselves malicious.

If your accounts have been compromised: change passwords immediately on the affected account and any accounts that used the same password. Check whether any recovery information (backup email, phone number) has been changed. Enable two-factor authentication if you haven't already. Check for any activity you didn't authorize — purchases, sent emails, password reset requests.

If your files have been encrypted by ransomware: do not pay if you can avoid it. There's no guarantee of recovery even if you do, and it funds more of the same. Check whether your files are in a backup. Contact a professional to assess whether decryption is possible through other means — occasionally tools are developed for specific strains of ransomware.

The most resilient position is one where a security incident — however bad — can be recovered from without permanent data loss. That position is built with backups. Everything else reduces the likelihood of an incident, but backups are what let you recover when one happens anyway.

Questions About Your Computer's Security?

If you're concerned about something you've noticed on your machine, or want help setting up a reliable backup, we're happy to help with a no-pressure assessment.
