The shift to hybrid and remote working over the past five years has created a significant, largely unaddressed cybersecurity challenge. People are doing work — often sensitive, commercially significant work — on home devices, home networks and personal accounts that receive a fraction of the security infrastructure applied to corporate environments.
The majority of cyber attacks that succeed do not succeed because of sophisticated technical exploits that no individual could defend against. They succeed because of basic failures — clicking a phishing link, using a weak or reused password, running software with known unpatched vulnerabilities — that are entirely preventable.
This guide covers what actually works, based on the threat model that is relevant to most home workers.
Your Biggest Risk: Phishing
The National Cyber Security Centre (NCSC) consistently identifies phishing — deceptive emails, messages or calls designed to trick you into revealing credentials or installing malware — as the entry point for the vast majority of successful cyber attacks on individuals and organisations.
Understanding what phishing looks like in 2026 matters because it has evolved. Early phishing was obvious: poor grammar, implausible urgency, clearly fake email addresses. Modern phishing is sophisticated:
- Spear phishing: personalised attacks that reference your specific employer, recent transactions, or colleagues by name (information gathered from social media, data breaches or LinkedIn)
- Business email compromise (BEC): emails that appear to come from a colleague's or supplier's email account, either because the account was compromised or the email address was spoofed
- Smishing: phishing via text message, often spoofed to appear from delivery companies, banks or HMRC
- AI-generated phishing: attacks where the content is generated by AI, making grammatical errors and non-native phrasing essentially obsolete as detection signals
The most effective protection against phishing is not a technical tool — it is a mental habit of verification. Before clicking a link, entering a password, or taking any financial action in response to an inbound communication, take one additional step to verify the communication is genuine (call the sender on a known number, navigate directly to the organisation's website, check with a colleague) rather than following the instruction in the message.
This habit feels slower and more annoying than just clicking. At some point, it will prevent a serious breach.
Passwords: Use a Manager, Full Stop
The majority of account compromises are enabled by one of three password failures:
- Reuse: the same password across multiple accounts, so that when one is breached (through no fault of yours), all accounts using that password are vulnerable
- Weakness: passwords that are easily guessable or that appear in leaked password databases
- Phishing: entering your password on a fake website that captures it
A password manager — 1Password, Bitwarden, Dashlane and others — solves all three problems. You create one strong master password. The manager generates unique, long, random passwords for every account and fills them in automatically. You never reuse passwords because you don't type them yourself. You never create weak passwords because you don't create them at all. Phishing is significantly harder because the manager will not autofill credentials on a fake site whose domain doesn't match the stored entry.
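The domain check that makes autofill resistant to phishing, as an added illustration (not code from any of the products named above): a stored entry is offered only when the page's hostname is the stored host or one of its subdomains, so lookalike and "contains the real name" domains get nothing. Real managers typically match on the registrable domain via the Public Suffix List; this simplified version matches the stored host itself. The vault contents are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample vault: login URL -> (username, password). Placeholder values only.
VAULT = {
    "https://accounts.example.com/login": ("alice", "correct-horse-battery-staple"),
    "https://www.examplebank.co.uk": ("alice", "Tr0ub4dor&3"),
}


def _host(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    h = urlsplit(url).hostname
    return h.lower().rstrip(".") if h else None


def host_matches(page_host, stored_host):
    """True when page_host is the stored host itself or a subdomain of it.
    Requiring the leading dot stops 'notexample.com' matching 'example.com'
    and stops 'example.com.attacker.net' matching anything."""
    return page_host == stored_host or page_host.endswith("." + stored_host)


def autofill(page_url, vault=VAULT):
    """Return the credential to fill for page_url, or None when no stored entry's
    host matches. A lookalike domain, a hostname that merely contains the real
    one, or a non-HTTPS page never receives credentials."""
    parts = urlsplit(page_url)
    page_host = _host(page_url)
    if page_host is None or parts.scheme != "https":
        return None
    for stored_url, creds in vault.items():
        if host_matches(page_host, _host(stored_url)):
            return creds
    return None
```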
Bitwarden is free, open source, and well-audited. 1Password has a family plan at around £3/month and is excellent. Both work across all devices and integrate with browsers and apps.
The objection that "if the password manager is compromised, everything is compromised" is technically true but practically irrelevant for the vast majority of users. The risk of a well-chosen password manager being compromised is orders of magnitude lower than the risk from continued password reuse.
Multi-Factor Authentication
Multi-factor authentication (MFA, also called two-factor authentication or 2FA) requires a second proof of identity — in addition to your password — when you log in. This second factor is typically a time-based one-time code from an authenticator app.
Microsoft's internal data shows that MFA prevents approximately 99.9% of automated account takeover attempts. An attacker who obtains your password through a phishing attack or data breach cannot access your account without also having your physical device.
Enable MFA on every account that supports it, with priority on:
- Email (this is the master key — someone who controls your email can reset every other account)
- Banking and financial services
- Work accounts (Microsoft 365, Google Workspace)
- Password manager
- Any account with payment information stored
Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) are more secure than SMS codes — SMS codes can be intercepted through SIM-swapping attacks. If an account only offers SMS MFA, that's still worth enabling, but authenticator apps are preferable.
Home Wi-Fi Security
Home routers have default configurations that are frequently insecure. Basic hygiene:
- Change the router admin password: the default admin password is publicly known for most router models. Log into your router's admin page (typically 192.168.1.1 or 192.168.0.1) and change it
- Use WPA3 or WPA2: if your router is offering WEP or WPA (without the 2 or 3), upgrade your router or update its firmware
- Create a guest network for IoT devices: smart TVs, thermostats, doorbells and other IoT devices often have poor security. Isolating them on a separate guest network means a compromised IoT device cannot reach your work laptop
- Keep router firmware updated: most routers can be set to auto-update; enable this if available
Software Updates: Non-Negotiable
The majority of successful malware deployments exploit known vulnerabilities in software for which patches are already available. Microsoft, Apple, the Chrome team and independent security researchers regularly publish analyses showing that most attacks reported as "zero days" (attacks exploiting previously unknown vulnerabilities) are in fact exploiting vulnerabilities that were patched months or years before the attack.
Enable automatic updates on:
- Operating system (Windows or macOS)
- Browser
- Any software that handles potentially untrusted input (PDF readers, email clients, Office)
The usual objection is "yes, but updates sometimes break things", and the trade-off is real. The risk from running unpatched software is, for most people in most contexts, significantly higher than the risk of update-related instability.
Device Separation
The most effective organisational boundary between work and personal computing is separate physical devices — a work laptop for work, a personal device for personal use. This is the practice recommended by the NCSC and by enterprise security teams everywhere.
It is also the practice that is least followed by people who work independently, freelance, or use personal devices for work. The practical reality is that many people access work email on a personal phone, use a personal laptop for work tasks, and use work devices for personal browsing.
If full device separation is not practical:
- At minimum, use a separate browser profile for work
- Do not save work credentials in your personal password manager (or use a separate vault)
- Be more careful about what you install on a device that also holds work data
The Boring Truth
Most effective personal cybersecurity is not glamorous. It is: a password manager, MFA on email and banking, not clicking links in unexpected emails, and keeping software updated. These four habits eliminate the vast majority of risk faced by a typical home worker. Everything else — VPNs, encrypted email, hardware security keys — is either unnecessary for most people's threat model, or an enhancement on top of these basics rather than a replacement for them.
The biggest gap between what would make people more secure and what people actually do is almost never technical knowledge. It is the gap between knowing that reusing passwords is bad and doing the 20 minutes of setup required to use a password manager instead. That 20 minutes is the most valuable security investment most readers of this article could make today.