Every 39 seconds, a cyberattack happens somewhere on the internet. According to cybersecurity research, global cybercrime costs are on track to exceed $10 trillion annually in 2025. That figure sounds like a problem for banks and governments. But the individual sitting in front of a phone or laptop is just as much a target, often more so, because individuals tend to have far weaker defences.
A hacked bank account. A stolen identity. A social media profile taken over. An email account used to scam your contacts. These things happen to real people every day, and in the vast majority of cases, a handful of basic security habits would have stopped them entirely.
This checklist covers every practical step you need to secure your online life right now. No technical background required. Work through it section by section, and by the time you finish, your accounts, devices, and personal data will be significantly harder to compromise.
Section 1: Passwords, Your First Line of Defence
Weak passwords remain the single most exploited vulnerability across the internet. Research from the Verizon Data Breach Investigations Report 2025 found that compromised credentials are involved in over 80% of hacking-related breaches. And the most common passwords in use globally are still variations of “123456” and “password.”
Here is what a secure password practice actually looks like in 2025.
Use a password manager. A password manager generates, stores, and fills in strong, unique passwords for every account you own, so you only need to remember one master password. Reputable options include Bitwarden, which is free and open source, 1Password, and Dashlane. Once you use a password manager, there is genuinely no excuse for reusing passwords across accounts.
Make every password unique. If you use the same password across multiple accounts and one of those accounts is breached, every other account using that password is now compromised. Attackers exploit this reuse through credential stuffing, and it is one of the most common attack methods online today. One account, one password. Always.
Make your passwords long and complex. A strong password is at least 12 characters long and contains a mix of uppercase letters, lowercase letters, numbers, and symbols. A passphrase like “BlueSky!Rain7Lagos” is both strong and memorable. Your password manager can generate something far more complex than that automatically.
Change passwords immediately after any breach. Go to haveibeenpwned.com and enter your email address. This free service, run by respected security researcher Troy Hunt, checks your email against a database of over 13 billion breached credentials and tells you exactly which of your accounts have been compromised. If any come up, change those passwords today.
Section 2: Two-Factor Authentication, The Most Important Security Step You Can Take
Two-factor authentication, commonly called 2FA or MFA (multi-factor authentication), adds a second layer of verification beyond your password. Even if someone steals your password, they cannot access your account without also having access to your second factor.
Enable 2FA on every account that offers it. Start with the accounts that matter most: your primary email, your banking apps, WhatsApp, Instagram, Facebook, Twitter/X, LinkedIn, and any account linked to your financial information.
Authenticator apps are stronger than SMS codes. Many services offer 2FA via a text message sent to your phone number. This is better than nothing, but SIM swapping attacks, where a fraudster convinces your mobile network to transfer your number to their SIM, can intercept those codes. An authenticator app like Google Authenticator, Authy, or Microsoft Authenticator generates codes locally on your device, making them immune to SIM swap attacks.
To enable 2FA, go into the security or privacy settings of any account and look for Two-Factor Authentication, Two-Step Verification, or Multi-Factor Authentication. The setup process takes under two minutes per account and is one of the highest-impact security changes you can make.
Section 3: Your Email Account Deserves Special Attention
Your email account is the master key to your digital life. Every other account you own has a “Forgot password” option that sends a reset link directly to your email. If someone gets into your email, they can reset the password to every other account you own.
Treat your email security as a priority above everything else.
Enable 2FA on your email account first, before any other account. Use a strong, unique password that you do not use anywhere else. Review the list of devices that have active access to your account. On Gmail, go to your Google Account, click Security, then scroll to Your Devices. On Outlook, go to Account > Security > Sign-in Activity. Remove any device you do not recognise.
Also check which third-party apps have access to your email. On Gmail, go to myaccount.google.com/permissions. Revoke access for any app you no longer use or do not recognise. Some of those old app permissions have been sitting there for years, quietly maintaining access to your inbox.
Section 4: Device Security, Protecting the Hardware
Your accounts can be perfectly secured and still be compromised if the device you use to access them is not protected.
Lock your phone and computer. Every device you own should require a PIN, password, fingerprint, or face recognition to unlock. This is basic but frequently neglected, particularly on laptops.
Enable full-device encryption. Encryption scrambles the data on your device so that it is unreadable without the correct credentials. On iPhone, full-device encryption is enabled automatically when you set a passcode. On Android, go to Settings > Security > Encryption and verify it is active. On Windows, search for BitLocker in the Start menu and turn it on. On Mac, go to System Settings > Privacy and Security > FileVault and enable it.
Keep your operating system and apps updated. Software updates patch security vulnerabilities that hackers actively exploit. Research from Verizon’s 2025 report found that a significant portion of successful cyberattacks exploited known vulnerabilities for which patches had already been released. The attack worked simply because the victim had not updated their software. Turn on automatic updates on both your phone and computer and leave them on.
Install reputable antivirus software on your computer. On Windows, Microsoft Defender, which comes built into Windows 10 and 11, provides solid baseline protection at no extra cost. On Mac, Malwarebytes offers reliable additional protection. On Android, Bitdefender and Kaspersky are well-regarded options. iPhones are more locked down by design, but keeping iOS updated remains critical.
Section 5: Safe Browsing Habits
Your browser is the window through which most online threats enter your device. A few adjustments and habits here make a significant difference.
Use a reputable, up-to-date browser. Google Chrome, Mozilla Firefox, and Apple Safari are all maintained with regular security patches. Avoid using outdated or obscure browsers that do not receive regular updates.
Install a browser extension for additional protection. uBlock Origin is a widely trusted, free extension that blocks malicious ads, tracking scripts, and known dangerous websites. It works on Chrome, Firefox, and Edge. Privacy Badger by the Electronic Frontier Foundation adds further tracking protection.
Check URLs before you click. Phishing attacks, where criminals create fake websites that look identical to real ones to steal your login credentials, remain one of the most effective attack methods in use today. Before entering any login details, look at the URL bar carefully. Verify that the address is spelled correctly, that it uses HTTPS (the padlock icon), and that it matches the legitimate domain of the service you intend to use.
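The URL checks described above, written out as an added example that is not part of the original article. The function name, the result codes and the `bank.example` addresses are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_login_url(url, expected_domain):
    """Return a list of problem codes; an empty list means the URL passed every check."""
    problems = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()

    # HTTPS only shows the connection is encrypted; phishing sites can use it too.
    if parts.scheme != "https":
        problems.append("not-https")

    # "https://bank.example@evil.example/" connects to evil.example: the text
    # before '@' is a username, not the site.
    if parts.username is not None:
        problems.append("userinfo")

    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode")

    # The host must be the expected domain or a subdomain of it. A suffix match
    # on ".bank.example" rejects "bank.example.evil.example" and "notbank.example".
    if host != expected and not host.endswith("." + expected):
        problems.append("host-mismatch")

    return problems


# Constructed sample URLs, all under reserved .example names.
SAMPLES = [
    "https://login.bank.example/signin",
    "http://bank.example/signin",
    "https://bank.example@evil.example/signin",
    "https://bank.example.evil.example/signin",
    "https://xn--bnk-5cd.example/signin",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_login_url(sample, "bank.example") or "ok")
```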
Think before you click links in emails and messages. Phishing emails are increasingly convincing and are now frequently personalised using AI. Industry data shows phishing attacks increased 68% in 2024. If you receive an urgent email from your bank, a delivery service, or any institution asking you to click a link and log in, go directly to that institution’s website by typing the address into your browser rather than clicking the link in the email.
Section 6: Your Wi-Fi and Network Security
Secure your home Wi-Fi. Log into your router’s admin panel and change the default username and password, which are publicly known for most router models and represent an easy entry point for anyone on your network. Use WPA3 encryption if your router supports it, or WPA2 at minimum. Your Wi-Fi password should be long and complex.
Be careful on public Wi-Fi. Public Wi-Fi networks in cafes, airports, hotels, and shopping centres are fundamentally insecure. Avoid accessing banking apps, logging into important accounts, or entering sensitive information on public Wi-Fi. If you regularly use public Wi-Fi, consider using a reputable VPN (Virtual Private Network) service. A VPN encrypts your internet traffic so that others on the same network cannot intercept it. Reputable paid options include ProtonVPN, Mullvad, and ExpressVPN.
Section 7: Social Engineering
The most sophisticated technical security setup in the world can be bypassed if someone tricks you into handing over your credentials willingly. This is called social engineering, and it is the most consistently successful attack vector online today.
Common forms of social engineering to watch out for in 2025 include phishing emails that impersonate trusted institutions, WhatsApp and SMS scams that create urgency around fake prizes, deliveries, or account problems, and voice calls where someone claims to be from your bank, a government agency, or a tech support team.
The rule of thumb is simple. Legitimate organisations never ask for your password, your full bank account number, or your 2FA codes over email, SMS, or phone. If anyone ever asks for those things unprompted, it is a scam regardless of how official it looks or sounds.
When in doubt, hang up or close the message and contact the organisation directly using contact details from their official website.
Section 8: Back Up Your Data Regularly
Even with every security measure in place, things can still go wrong. Ransomware attacks, where criminals encrypt all your files and demand payment to restore them, are still increasing. Hardware failure happens. Devices get stolen.
Regular backups mean that even in a worst-case scenario, your data survives.
For phones, use Google Photos or iCloud for automatic photo backup, and enable your phone’s full backup through Google Account or iCloud. For computers, use an external hard drive combined with a cloud backup service like Google Drive, OneDrive, or Backblaze. Backblaze offers unlimited computer backup for a flat monthly fee and is widely recommended by security professionals.
Follow the 3-2-1 rule: keep three copies of your data, on two different types of storage, with one stored offsite or in the cloud. This setup protects you against virtually any data loss scenario.
Your Quick Reference: Complete Online Security Checklist
Work through this list and tick off each item. This is your digital security health check.
Passwords
- Using a password manager for all accounts
- Every account has a unique password
- Passwords are at least 12 characters long
- Checked haveibeenpwned.com for breached accounts
Two-Factor Authentication
- 2FA enabled on email account
- 2FA enabled on banking and financial apps
- 2FA enabled on social media accounts
- Using an authenticator app rather than SMS where possible
Email
- Strong unique password on primary email
- Reviewed active devices with access
- Revoked unused third-party app permissions
Device Security
- Screen lock enabled on phone and laptop
- Full-device encryption active
- Automatic software updates turned on
- Antivirus software installed on computer
Browsing
- Using an up-to-date browser
- uBlock Origin or similar extension installed
- Checking URLs carefully before entering login details
- Not clicking email links to login pages
Network
- Home Wi-Fi router password changed from default
- WPA2 or WPA3 encryption enabled on router
- Avoiding sensitive activity on public Wi-Fi
Backups
- Phone photos backing up automatically to cloud
- Computer backed up to external drive or cloud service
Online security is not a single action. It is a collection of small, consistent habits that compound into a genuinely strong defence. No single step makes you invincible, but working through this checklist puts you in a significantly better position than the vast majority of internet users.
The most impactful things you can do today, right now, are: set up a password manager, enable two-factor authentication on your email and bank accounts, and check haveibeenpwned.com for any existing breaches. Those three steps alone address the most common attack vectors used against individuals online.
Revisit this checklist every six months. The threat landscape changes, platforms update their security settings, and new risks emerge. Staying ahead of it is a habit, and habits are built one step at a time.