The threat landscape

The majority of successful cyber attacks on individuals and organisations do not rely on novel exploits or sophisticated hacking. The most common vectors are: phishing (fraudulent emails, texts or websites designed to steal credentials or deliver malware), credential stuffing (replaying leaked username/password pairs against other services, which works because people reuse passwords), exploitation of unpatched software vulnerabilities (known flaws for which a fix already exists but has not been applied), and social engineering (manipulating people into revealing information or performing actions).

Password hygiene

The most impactful measure an individual can take is to use a strong, unique password for every account. The challenge is remembering them. Password managers (1Password, Bitwarden, Dashlane) store and generate strong passwords and require you to remember only one master password (which should itself be long, and should be protected by two-factor authentication). They also auto-fill credentials only on sites whose domain matches the saved entry, which gives real phishing protection: a lookalike or misspelt domain will be offered nothing, where a human would often type the password in. Reusing a password means one breach exposes every account that shares it, which is exactly what credential stuffing exploits.
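The domain-matching behaviour described above is the part of a password manager that does the phishing-resistant work, so here is a small illustration of it. This is an added example written for this page, not code from 1Password, Bitwarden or Dashlane; the vault contents are constructed, and it simplifies real managers by treating each stored domain as the registrable domain directly rather than consulting the public suffix list.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed vault entries for the example (not real credentials). Each entry
# is keyed by the domain the credential was saved for; real managers store the
# full origin and use the public suffix list to decide what counts as "same site".
VAULT = {
    "example.com": {"username": "alice", "password": "correct-horse-battery-staple"},
    "bank.example.org": {"username": "alice.smith", "password": "N7q!vL2#pR9wX4sZ"},
}


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG, which is what managers do
    so that no two sites ever share a password."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def host_matches(page_host: str, stored_domain: str) -> bool:
    """True if the page host is the stored domain or one of its subdomains.
    The leading-dot check is what stops 'example.com.evil.net' matching."""
    page_host = page_host.lower().rstrip(".")
    return page_host == stored_domain or page_host.endswith("." + stored_domain)


def credentials_for(page_url: str):
    """Return the vault entry to auto-fill for this page, or None.

    Refuses plain-HTTP pages (credentials would cross the network in clear),
    and only matches on the parsed hostname, so tricks such as
    'https://example.com@evil.net/' or '?next=https://example.com' get nothing.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https":
        return None
    host = parts.hostname
    if not host:
        return None
    for domain, cred in VAULT.items():
        if host_matches(host, domain):
            return cred
    return None


if __name__ == "__main__":
    for url in [
        "https://login.example.com/signin",        # genuine subdomain: filled
        "https://example.com.evil.net/login",       # lookalike suffix: nothing
        "https://examp1e.com/login",                # digit-for-letter: nothing
        "https://ex\u0430mple.com/login",           # Cyrillic 'a' homograph: nothing
        "https://example.com@evil.net/",            # userinfo trick: nothing
        "http://example.com/login",                 # no TLS: nothing
    ]:
        print(url, "->", credentials_for(url))
    print("fresh password:", generate_password())
```

Note that the manager never asks the user whether a page looks right; the decision is purely on the parsed hostname, which is why the protection holds against pixel-perfect clones.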

Two-factor authentication

Two-factor authentication (2FA) requires a second verification step beyond your password, typically a one-time code from an authenticator app, a code sent by SMS, or a hardware security key. Even if an attacker has your password, they cannot access your account without the second factor. Authenticator apps (Google Authenticator, Authy) are more secure than SMS codes, which can be intercepted via SIM swapping. App-generated codes can still be captured by a phishing page that relays them to the real site within their validity window, so where a service offers hardware security keys or passkeys (FIDO2/WebAuthn) those are the phishing-resistant option: the browser will only sign a challenge for the genuine origin. Enable 2FA on every account that supports it, prioritising email (password resets for other accounts flow through it), banking and social media.

Organisational basics

For organisations: network segmentation (limiting how far an attacker can move if they get in), regular backups (ideally offline or otherwise immutable, and tested by actually restoring from them), basic security awareness training that focuses on phishing recognition, and keeping software patched. The NCSC's Cyber Essentials certification covers the fundamental technical hygiene that prevents the majority of common attacks: its five controls are firewalls, secure configuration, user access control, malware protection, and security update management.