10 simple security actions that keep you much safer online

Online safety doesn’t have to be complicated. With some simple steps, you can easily protect your PC from malware and safeguard your personal data with very little extra effort.

The best part? None of these tips cost money. In fact, most important security tools you need are completely free. You can keep yourself and your PC safe online without spending a single dime. Here’s how.

1. Use an antivirus

Antivirus software is a must-have for any PC. Thankfully, you don’t have to go out of your way to get one anymore because all Windows 11 and Windows 10 PCs come with Windows Security and Microsoft Defender, giving you access to a minimal-yet-capable antivirus.

It automatically scans your system in the background and checks the files you download and the applications you run, spotting malware before it can take hold. You can go further and configure Microsoft Defender for extra security if you want.

Or you could opt for a third-party antivirus, many of which come with extra security features. If you decide to take this route, know that we currently recommend Norton 360 Deluxe, but any antivirus will do if all you care about is basic protection.

Recommended: The best antivirus software for Windows

Just be sure to leave your antivirus’s real-time protection feature enabled. Don’t turn off real-time scanning because mistakes can happen to anyone—and when they do, you want your antivirus to be active.

2. Use a password manager

Once you start using a password manager, you’ll never go back—it’s that life-changingly convenient. So, if you aren’t using one yet, we highly recommend using a password manager. (A free one, even!)

Recommended: The best password managers worth using

The unfortunate truth is that many companies—no matter how big they are or how reputable they seem—end up facing data breaches and leaks that release their password databases to the public.

That’s why the biggest risk you can take online is reusing the same password for multiple accounts. If your password gets leaked in a data breach, hackers can use your email/password combination to break into your other accounts that use the same password.

The solution? Use strong passwords that are unique every single time.

The problem? Remembering so many passwords is almost impossible—and that’s why you need to be using a password manager.

A password manager remembers all of your passwords and associates them with their respective sites, apps, accounts, etc. All you need to do is remember the master password; the password manager will fill in the appropriate password whenever you need to log in.

3. Keep your software up to date

Chris Hoffman / IDG

Chris Hoffman / IDG

Chris Hoffman / IDG

Modern operating systems and all the applications on your system receive regular security updates that fix exploits and vulnerabilities. If you skip these important patches, you’re opening yourself up to risks.

The good news is that most modern applications—whether it’s Windows, Microsoft Office, Google Chrome, or something else—regularly check for and automatically install such updates.

If you’ve disabled automatic updates, you should reconsider. There may be a niche reason to do so, but most of the time you’re just putting yourself in danger.

And yes, sooner is better than later. If your operating system or web browser says it needs to restart to install updates, do it. Sure, it’s inconvenient to restart your Windows PC or web browser in the middle of something, but it just might protect you from an attack.

4. Stop using unsupported operating systems and applications

It’s one thing for operating systems and applications to get automatic updates—it’s another thing when those updates are discontinued.

No software lasts forever. Eventually, developers and companies end long-term support and stop issuing security updates for older hardware and software. At that point, the hardware/software should be treated as unsafe and you should stop using it as soon as you can.

What happens if you keep using it? Older software and unsupported devices gradually grow increasingly more vulnerable to attack, and it’ll only be a matter of time before you get hit with something.

For example, Windows 7 is no longer supported and using it puts you at risk because newly discovered security holes aren’t being patched. The same is true for individual applications—like Office 2016 and earlier versions of Microsoft Office, which no longer receive security updates.

While an older version of Office might work well for your needs, it could open you up to an attack. For example, you might download a malicious Word document that exploits an Office vulnerability to hack you.

That’s one reason why Microsoft Office 365 is a good deal: you’ll always have access to the latest versions of Office on all your devices.

5. Be mindful when browsing the web

How you browse the web is important. In an ideal world, you shouldn’t have to worry about the sites you visit and whether something could go wrong—but the world is far from ideal.

Untrustworthy websites can attack your browser through unpatched security flaws. More commonly, sketchy websites may try to download malware onto your PC, trick you with misleading advertisements, or get your personal information with phishing scams.

Take care when browsing the web and be mindful. Think twice before downloading software, avoid dodgy sites that make promises that seem too good to be true, and don’t enter personal information on any website that you haven’t vetted and trust 100 percent.

6. Only download files and software from trustworthy sites and sources

Chris Hoffman / IDG

Chris Hoffman / IDG

Chris Hoffman / IDG

Any time you download software, you have to be very careful. Even something as innocuous as a PDF or Word document can potentially wreak havoc on your PC if it exploits an unpatched flaw in your PDF reader or Microsoft Word.

Any file you download off the internet can do nasty things to your PC, and only an antivirus that recognizes it will protect you. So, you should only download, install, and run software that you completely trust—and only if you get it from a source you trust.

Also, stop ignoring Windows SmartScreen! On Windows, SmartScreen warnings pop up when you try to run software that few people have downloaded and run before. You can tell Windows to run the application anyway, but you should always pause and consider whether you truly trust the application. If you don’t, then you shouldn’t run it. When in doubt, stick with known-as-trustworthy applications.

7. Learn to identify phishing scams

Phishing scams have grown into a huge problem over the last several years, and you’re at risk whether you’re using a Windows PC, a Chromebook, a smartphone, or anything else.

Long story short: a phishing scam is one where someone tries to bait you into giving away sensitive information or installing malware. This is usually done by tricking you into clicking a deceptive link.

More on this: The most common types of phishing scams

Phishing scams are tricky because they’re usually disguised as coming from a trusted source: a reputable company like Microsoft, a widely used service like USPS, or even a friend or family member. That’s why is so important to learn how to identify phishing emails and text messages.

A password manager can help here, too. Let’s say you click a phishing link and end up on a fake site pretending to be your bank. If you were on your real bank’s website, your password manager would know and automatically fill in your login details. But since it’s an imposter site, your password manager won’t fill in—a clue that something is amiss.

8. Don’t click unsolicited links

Every link should be treated as questionable, whether that’s on a website, on social media, in an email, or even a text message. If you never click on unsolicited links, you can drastically reduce your risk of malware.

For example, let’s say you get a text message about a package delivery failure and you need to click this link and provide personal information to make sure you get it. You don’t know whether it’s a scam or not—but you aren’t expecting a delivery, so you treat it as questionable. In most cases, you just successfully avoided being scammed.

The same goes for when you get a link that purports to come from Amazon, PayPal, or your credit card company. It may have an alarming angle to it, such as claiming your account has been banned. This is meant to induce panic and cause you to lower your guard. But if you have a general policy of not clicking unsolicited links, you’ll be okay.

When in doubt, avoid unsolicited links and go straight to the source. Got an alert email that claims to be from your bank? Don’t click it. Instead, manually navigate to the bank in your web browser. Got an urgent alert about a package from FedEx? Don’t click it. Go straight to the FedEx website yourself and confirm if it’s true.

9. Use a standard Windows user account

Chris Hoffman / IDG

Chris Hoffman / IDG

Chris Hoffman / IDG

When on Windows, we recommend using a “Standard” account type rather than an “Administrator” account type for day-to-day activity.

Yes, Administrator accounts are more convenient because they can install software at the system level with fewer hurdles. But being logged into an Administrator account also makes it easier for malware to take hold.

For passive protection, it’s better to create a secondary Windows user account with Standard user permissions. That way if malware does try to infect you, it will have a harder time doing so.

For best results, only use an Administrator account to set up your PC and install software, then switch to a secondary Standard account for your day-to-day computer usage. Microsoft has a detailed help website with information about creating new user accounts.

The good news is that Microsoft is making some changes to Windows that may make this unnecessary soon.

10. Set up two-factor authentication for your accounts

Two-factor authentication is non-negotiable these days. With this extra layer of protection for an account, even if someone knows your account’s password, they still won’t be able to sign in.

Why? Because the intruder will also need a specific two-factor authentication code: perhaps a code sent to your phone, a code generated by an app, or even a physical security key.

I recommend setting up two-factor authentication with all accounts that support it, particularly bank accounts and email inboxes. It may be a tad more inconvenient to sign in—you’ll have to provide a code in addition to your usual password—but it’s an important way to stay safe online.

Outdated practices that don’t really help

I think you’ll agree with me that the above tips and tactics aren’t very difficult at all. Some are one-and-done (like using a Standard Windows account), some are repeated (like keeping software updated), and some are passive (like never clicking unsolicited links), but they’re all simple.

Now that you know what to do, you should also check out my other advice on what you shouldn’t do. In fact, there are several outdated security practices that may have been useful in the past but are no longer helpful. It’s better to stop doing them now.