Troy’s Tech Corner
understand tech | 2026-02-22 | 14 min read

Cybersecurity basics for normal people

Written by Troy Brown

Troy writes beginner-friendly guides, practical gear advice, and hands-on tech walkthroughs designed to help real people make smarter decisions and build with more confidence.


Most digital security advice falls into two categories: either it is so basic it insults your intelligence, or it is so paranoid it feels like a job you did not sign up for.

The reality is somewhere in the middle. You do not need to become a security researcher. You do need to stop reusing the same password everywhere and calling it a day.

This guide covers the stuff that actually matters for everyday people — not threat models for whistleblowers, not enterprise compliance checklists. Just the things that will stop the most common attacks with the least friction.

The three things that matter most

If you do nothing else, do these.

1. Use a password manager

This is the single highest-value change most people can make.

A password manager generates and stores strong, unique passwords for every account. You remember one master password. The tool handles the rest.

Why this matters: password reuse is how most people actually get hacked. One service leaks your credentials, attackers try that same email and password on every other site, and suddenly your email, bank, and shopping accounts are all compromised.

What I would use:

Bitwarden is my default recommendation. It is free, open-source, works everywhere, and the paid tier ($10/year) is worth it for the extras. The free version is excellent.

1Password is great if you want a more polished experience and do not mind paying. Good for families.

Apple Keychain and Google Password Manager are decent if you live entirely in one ecosystem and want the lowest friction option.

Pick one. Use it. The specific tool matters less than actually using it consistently.

Common mistake: picking a password manager, setting it up, and then not actually using it for new logins because "I'll do it later." Force yourself to save every login for the first two weeks and the habit sticks.

2. Turn on two-factor authentication

Two-factor authentication (2FA) means that even if someone gets your password, they still need a second thing to log in.

Priority order for enabling 2FA:

  1. Your email (this is the master key to everything else)
  2. Banking and financial accounts
  3. Social media
  4. Shopping sites with saved payment info
  5. Everything else

What kind of 2FA to use:

Hardware security keys (like YubiKey) are the most secure option. They are also the most annoying to set up. Worth it if you are willing.

Authenticator apps (Google Authenticator, Authy) are the sweet spot for most people. Good security, minimal hassle.

SMS codes are better than nothing but the weakest option. Use them only when nothing else is available.

Common mistake: enabling 2FA and not saving the backup codes. If you lose your phone and your backup codes are also on that phone, you are locked out. Save them somewhere separate.
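To see what an authenticator app is actually doing when it shows you six digits, here is an added example (mine, not from the original guide or any particular app) of the standard TOTP algorithm those apps implement: the code is computed from a shared secret plus the clock, so nothing has to be sent to your phone over the mobile network the way an SMS code is. The secret below is a constructed demo value (the published RFC test key), not anyone's real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret_b32, timestamp // step, digits)


def verify_totp(secret_b32: str, candidate: str, timestamp: int,
                window: int = 1, step: int = 30) -> bool:
    """What the website does when you type the code: accept the current window plus
    `window` neighbours on each side so slight phone clock drift does not lock you out.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + d * step, step), candidate)
        for d in range(-window, window + 1)
    )


# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32,
# the same form that hides inside the QR code you scan when enrolling an app.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"current code: {code}, valid for {30 - now % 30} more seconds")
    print("verifies now:", verify_totp(DEMO_SECRET, code, now))
    print("same code two minutes later:", verify_totp(DEMO_SECRET, code, now + 120))
```

This is also why losing the phone without backup codes locks you out: the secret lives only on that device, and the service cannot recompute your codes for you.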

3. Keep everything updated

Updates are not just about new features. Most updates include patches for security holes that attackers already know about.

Turn on automatic updates for:

  • your phone (iOS and Android both have this)
  • your computer (Windows, Mac, Linux)
  • your browser
  • your router firmware

That last one — router firmware — is the one people forget most often. Log into your router admin panel once every few months and check.

Common mistake: hitting "remind me later" on updates until the device is months behind. Set a rule: if an update is available and you are not in the middle of something time-sensitive, just install it.

Securing your phone

Your phone is probably the most personal device you own. It has your email, banking apps, photos, messages, and location history. Losing it or having it compromised is a bigger deal than most people think about.

The basics

  • Use a strong passcode (6 digits minimum, not 1234 or your birthday)
  • Enable biometrics (Face ID, fingerprint) for convenience
  • Turn on Find My (iPhone) or Find My Device (Android)
  • Enable automatic updates
  • Review app permissions occasionally — does that flashlight app really need your contacts?

What you probably do not need

You do not need antivirus on an iPhone. Apple's sandboxing handles it.

On Android, Google Play Protect is built in and catches most problems. Bitdefender or Malwarebytes are reasonable additions if you want extra peace of mind, but they are not strictly necessary if you stick to the Play Store and keep things updated.

The biggest phone security risk

It is not sophisticated hacking. It is:

  • clicking links in phishing texts
  • downloading apps from outside the official store
  • using public Wi-Fi for sensitive things without thinking about it
  • handing your unlocked phone to someone you should not trust

Securing your computer

Windows

Windows Defender is genuinely good now. You do not need to buy a separate antivirus product unless you want features like a VPN or parental controls bundled in.

The important settings:

  • Make sure Windows Defender is on and real-time protection is enabled
  • Keep the Windows Firewall on
  • Enable automatic updates
  • Use a standard user account for daily use, not admin (this alone stops a lot of malware)

Mac

Macs are not immune to malware, but they are targeted less often. The built-in protections (Gatekeeper, XProtect, FileVault) are solid.

The important settings:

  • Turn on FileVault (encrypts your disk)
  • Enable the firewall
  • Keep automatic updates on
  • Be cautious about apps downloaded outside the App Store

Browser security

Your browser is where most of your online activity happens.

  • Use Chrome, Firefox, or Edge — all are fine, pick the one you like
  • Install uBlock Origin — it blocks ads and trackers and is the single most useful browser extension
  • Keep the browser updated
  • Use your password manager instead of saving passwords in the browser itself

Home network security

Your router is the front door to your home network. If it is using default settings from three years ago, it is probably weaker than it should be.

The quick fixes

  1. Change the admin password. This is the login for the router settings page, not your Wi-Fi password. If it is still "admin/admin" or "admin/password," change it now.

  2. Update the firmware. Check the router admin page for available updates.

  3. Use WPA3 or WPA2-AES. If your router still offers WEP or original WPA, those are not secure.

  4. Turn off WPS. It has known vulnerabilities.

  5. Disable remote management unless you need it.

  6. Set up a guest network for visitors and smart home devices.

DNS upgrade

Switching from your ISP's default DNS to something like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) is free, takes two minutes in your router settings, and can improve both speed and security.

If you want network-wide ad and tracker blocking, Pi-hole is a great project for that.

Smart home devices

Smart home gear is convenient but often poorly secured by default.

The minimum:

  • Change default passwords on every device
  • Keep firmware updated
  • Put IoT devices on a guest or separate network
  • Replace devices that stop getting updates

The reality is that most smart home security problems come from bad defaults, not sophisticated attacks. Fix the defaults and you are already in a much better position.

Recognizing scams and phishing

The vast majority of successful attacks against regular people are social engineering, not technical exploits.

Phishing emails

The red flags:

  • urgent language ("your account will be suspended!")
  • generic greetings ("Dear customer" instead of your name)
  • links that do not match the claimed sender
  • requests for passwords or personal information

When in doubt, do not click the link. Go directly to the website by typing the address yourself.
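The four red flags above can be turned into a small checker. This is an added example of mine, not something from the guide or any mail client; the two messages and the lookalike domain in it are constructed, and the domain matching is deliberately crude (last two labels only).

```python
import re
from urllib.parse import urlparse

# The four red flags from the list above, as simple text checks.
URGENT_PHRASES = ("suspended", "immediately", "within 24 hours", "act now", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
# Word boundaries so "pin" does not fire on "shopping".
CREDENTIAL_REQUEST = re.compile(r"\b(password|passcode|pin|social security number|card number|cvv)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude 'site name' of a hostname: www.example-bank.com -> example-bank.com.
    Fine for a demo; real tooling uses the Public Suffix List for cases like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_flags(sender: str, body: str) -> list[str]:
    """Return the red flags found in one message (empty list means none matched)."""
    flags = []
    text = body.lower()
    if any(p in text for p in URGENT_PHRASES):
        flags.append("urgent language")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if CREDENTIAL_REQUEST.search(text):
        flags.append("asks for a password or personal information")
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            flags.append(f"link goes to {host}, not {sender_domain}")
    return flags


# Constructed sample messages, not real mail. The lookalike domain is made up.
PHISH_SENDER = "security@example-bank.com"
PHISH_BODY = (
    "Dear customer,\n"
    "Unusual activity was detected. Your account will be suspended within 24 hours\n"
    "unless you confirm your password at http://example-bank-login.example.net/verify\n"
)
LEGIT_SENDER = "alerts@example-bank.com"
LEGIT_BODY = "Hi Troy,\nYour monthly statement is ready at https://www.example-bank.com/statements.\n"

if __name__ == "__main__":
    for name, sender, body in (("phish", PHISH_SENDER, PHISH_BODY), ("legit", LEGIT_SENDER, LEGIT_BODY)):
        print(name, phishing_flags(sender, body) or "no red flags")
```

Note that the sender address itself is easy to forge, so the link check is the stronger signal; the rest are hints, not proof.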

Tech support scams

Real companies do not cold-call you to say your computer has a virus. If someone calls claiming to be from Microsoft, Apple, or your ISP and asks for remote access, hang up.

The general rule

If something creates urgency and pressure, it is probably a scam. Legitimate companies give you time. Scammers rush you.

Backups

Backups are not exciting. They are also the thing that saves you when everything else fails.

Ransomware encrypts your files. Hard drives die. Phones get stolen. Laptops get dropped. The only real protection is having a copy somewhere else.

The simple approach

  • Cloud backup for photos and documents (iCloud, Google Drive, OneDrive, Backblaze)
  • Local backup to an external drive (Time Machine on Mac, File History on Windows)
  • Ideally, both

What to back up

  • Photos and videos
  • Important documents
  • Financial records
  • Anything you would be upset to lose permanently

Common mistake

Having backups that you have never tested. Try restoring a file once to make sure it actually works.

Privacy: the practical version

Perfect privacy online is essentially impossible without changing your entire lifestyle. Practical privacy — reducing unnecessary tracking — is very achievable.

Quick wins

  • Use a privacy-focused browser or at least install uBlock Origin
  • Use DuckDuckGo for searches you do not want tied to your Google profile
  • Review social media privacy settings once a year
  • Use different email addresses for important accounts vs throwaway signups
  • Turn off location sharing for apps that do not need it

If you want to go further

  • Use Signal for encrypted messaging
  • Use ProtonMail for sensitive email
  • Consider a VPN for public Wi-Fi (not as a magic privacy shield — it just moves trust from the coffee shop to the VPN provider)
  • Freeze your credit at all three bureaus (free and one of the most effective identity theft protections available)

If you think you have been hacked

Do not panic. Most "hacking" is actually a leaked password or a phishing link, not someone specifically targeting you.

  1. Change your passwords, starting with email and banking
  2. Enable 2FA on everything important
  3. Run a malware scan on your devices
  4. Check bank and credit card statements for anything suspicious
  5. Monitor your credit reports for a few months

If it is serious — identity theft, financial fraud — report it through identitytheft.gov and your bank's fraud department.

The honest summary

Cybersecurity for regular people is not about becoming unhackable. It is about not being the easiest target.

The majority of attacks succeed because someone reused a password, clicked a phishing link, or ignored an update for too long. Fix those three habits and you are already ahead of most people.

  • Use a password manager
  • Enable 2FA on important accounts
  • Keep everything updated
  • Do not click suspicious links
  • Back up what matters

That is the core of it. Everything else is useful but secondary.
