Cyberattacks are becoming more common and more successful. A recent survey conducted by the Royal Institution of Chartered Surveyors (RICS) found that 27% of UK businesses reported suffering a cyberattack in the last 12 months, up from 16% the previous year. Big names like Marks & Spencer have also been targeted, costing the business £300 million in lost sales after a ransomware attack in April 2025.

Local authorities are particularly vulnerable, with over 150 cyber incidents and 2,400 data breaches reported to the Information Commissioner’s Office (ICO) last year. In October 2020, the London Borough of Hackney fell victim to a significant ransomware incident, compromising sensitive data of at least 280,000 residents and staff. Systems were disrupted for months, with some services not fully restored until 2022, with costs to the council reaching £12 million.

More recent incidents include an August 2024 cyberattack on Locata, a housing software provider, disrupting housing services at Manchester, Salford, and Bolton councils. Hammersmith and Fulham Council reportedly face 20,000 attempted cyberattacks daily as well!


By the way, did you know over 16 BILLION passwords were leaked recently?

This massive breach was discovered only a few weeks ago, with major services like Apple, Facebook, Google, and Meta being affected.

Have you been updating your passwords recently?


Okay, but what exactly ARE cyberattacks? How do they affect me personally?

In simple terms, a cyberattack is when someone tries to access your computer, smartphone, account, or data in order to steal from you and/or cause chaos. Below are some of the main types you might run into:

  • Phishing and social engineering – This involves an attacker pretending to be someone trustworthy so they can trick you into exposing your password, clicking on a malicious link, or downloading a malicious file. It’s by far the most common and most successful type of cyberattack.
  • Ransomware – This involves an attacker installing malicious software on your device (e.g. because you clicked on a bad link or downloaded a file that automatically installs it). The ransomware encrypts (locks) your data, files, and/or device and then demands payment in order to unlock it.
  • Credential stuffing and password attacks – This involves an attacker taking your leaked credentials from a previous breach and using them on other websites. It works surprisingly well because, unsurprisingly, people like to reuse passwords across multiple sites.
  • Malware and trojans – Like ransomware, this involves an attacker installing malicious software on your device. Malware is often more sneaky as it’s designed to remain on a device for a long period of time to steal information, watch what you do, and even take over your device. If your device is connected to a network (e.g. at your workplace), malware can end up spreading across multiple devices undetected.


Okay, I’m very scared now! How do I protect myself from cyberattacks?!

The good news is that you don’t need to be a tech expert to protect yourself from cyberattacks. In fact, you can significantly reduce your risk with some basic cybersecurity steps!


1) ALWAYS use strong passwords

Use complex, unique passwords for every account you create. These should be 12+ characters with a mix of letters, numbers, and symbols.

… Yes, it’s annoying not being able to reuse the same password across multiple sites, but at least you’ll be preventing attackers from using your credentials from a previous leak.

To make things easier, use a secure, reputable password manager to help you generate and store strong, unique passwords for all your accounts. That way you’ll only need to remember a single strong master password to access your encrypted password vault. Cloud-based password managers enable easier access from any device, while local password managers keep your encrypted password vault… well, local.

In either case, your password vault is encrypted. So long as your master password is strong, your data remains secure even if the service itself suffers a data breach.

In addition, some web browsers like Firefox can notify you when a website has been subject to a data breach. You can also sign up for breach notification services (e.g. https://haveibeenpwned.com) to see if your credentials have been exposed. If they have, change your password as soon as possible!
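The two checks in this section (does a password meet the 12+ character, letters/numbers/symbols rule, and has it already appeared in a known breach) can be automated. The example below is added here and is not code from the original article. It implements the length-and-character-class rule as stated above, and the k-anonymity lookup that Have I Been Pwned documents for its Pwned Passwords API: only the first five hex characters of the password’s SHA-1 hash leave your device, and the rest of the comparison happens locally. The range response embedded below is constructed for this example (the real API is queried over HTTPS at `https://api.pwnedpasswords.com/range/<prefix>`); the breach counts in it are made up.

```python
import hashlib
import re
import string

# Policy from the advice above: 12+ characters with letters, numbers and symbols.
MIN_LENGTH = 12


def policy_failures(password: str) -> list[str]:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letters")
    if not re.search(r"[0-9]", password):
        failures.append("no numbers")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbols")
    return failures


def hibp_split(password: str) -> tuple[str, str]:
    """k-anonymity split used by the Pwned Passwords range API.

    SHA-1 the password; the 5-character prefix is what gets sent to the service,
    the 35-character suffix stays on the device and is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many times
    the password was seen in breaches (0 = not found in this range)."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, range_response: str) -> dict:
    """Combine both checks into one report for a password."""
    _, suffix = hibp_split(password)
    return {
        "policy_failures": policy_failures(password),
        "breach_count": breach_count(suffix, range_response),
    }


# CONSTRUCTED sample of what the range endpoint for prefix 5BAA6 might return.
# The first suffix really is the rest of SHA-1("password"); the counts are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
FFEEDDCCBBAA99887766554433221100ABC:17
"""

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-longer!"):
        print(candidate, "->", check_password(candidate, SAMPLE_RANGE_RESPONSE))
```

In real use, `hibp_split` gives you the prefix to put in the URL and `breach_count` is run over the body the service returns; a non-zero count means the password is already in attackers’ wordlists and should be replaced, even if it satisfies the length and character rules.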


2) ALWAYS enable multi-factor authentication (MFA)

It feels like MFA is mandatory everywhere you go, adding more obstacles to your logins. What a pain!

Of course, it’s also a pain for attackers. With MFA enabled, even if they have access to your login credentials, they still won’t be able to get into your account.

However, while it might be tempting to install an MFA app in your web browser for faster authentication, it is always more secure to have the MFA app installed on a separate device (e.g. smartphone). If your device is compromised (e.g. malware), an attacker who already has your password might also be able to access the MFA app if it’s on the same device. Many cyberattacks explicitly target browser extensions and cookies, so keeping MFA separate protects you from these. Use an authenticator app like Google Authenticator, Microsoft Authenticator, Aegis, or Authy on your smartphone to keep this factor separate.


3) ALWAYS keep your software up-to-date

Attackers are always looking for new vulnerabilities to exploit. Likewise, cybersecurity staff are always searching for vulnerabilities to patch. Even after a vulnerability is publicly known and a patch is released, attackers still target users who have not yet updated their systems, because many people delay or ignore updates entirely. By keeping your systems up to date as soon as possible, you minimise the number of vulnerabilities an attacker can exploit.

Consider using automated updates if appropriate to do so – for most users, it is better to accept the small risk of an update causing a minor software issue than to leave known vulnerabilities exposed for weeks or months. Even if you don’t like being bombarded with “new feature!” updates, you should keep an eye out for security updates. These updates often fix serious flaws (e.g. allowing attackers to execute malicious code remotely or gain admin-level access).


4) ALWAYS be careful with emails, links, attachments, and communications

You should always be skeptical of unexpected messages. If you receive a message out of the blue, your first instinct should be: “This is a scam!” Yes, even if it’s a nice message from your Nan (her device could be compromised, after all). Phishing and social engineering attacks are so common because they catch people off-guard and exploit their trust or sense of urgency.

Verifying the sender should be at the top of your checklist. In emails, check the full sender address carefully. Attackers often use lookalike domains (e.g. amaz0n.co.uk instead of amazon.co.uk) to trick you at a glance. Even if a message seems to come from someone you know, confirm using another trusted channel, such as calling them directly or sending them a new email using a known address.

Be especially wary around links. On a computer, you can hover your mouse over a link to see the full URL before clicking on it. If you’re ever unsure, DO NOT CLICK. Type the official website address manually into your browser instead.
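The two manual checks just described (read the full sender domain for lookalikes such as amaz0n.co.uk, and compare where a link says it goes with where it actually goes) are exactly what a mail filter automates. The example below is added here and is not code from the article. It flags a sender domain that only matches a trusted domain after common digit-for-letter swaps are undone, and parses the HTML of a message to find links whose visible text shows one domain while the `href` points at another. The trusted-domain list, the email text and the hypothetical domain `login-amazon.example.net` are all constructed for the example, and the “registrable domain” helper is a deliberately naive one covering `.uk` second-level suffixes only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CONSTRUCTED allow-list standing in for "organisations this mailbox really deals with".
TRUSTED_DOMAINS = {"amazon.co.uk", "hmrc.gov.uk", "example-council.gov.uk"}

# Digits commonly swapped for the letters they resemble in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Naive second-level suffixes so "mail.amazon.co.uk" reduces to "amazon.co.uk".
UK_SECOND_LEVEL = {"co", "gov", "ac", "org", "nhs", "police", "sch", "net", "me", "ltd", "plc"}


def registrable(host: str) -> str:
    """Reduce a hostname to the part a person would read as 'the domain'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    """'trusted' if on the list, 'lookalike' if it matches the list only after
    undoing confusable substitutions (amaz0n -> amazon, rn -> m), else 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    normalised = domain.translate(CONFUSABLES).replace("rn", "m")
    if normalised in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"


def classify_sender(address: str) -> str:
    """Classify the domain in a From: address such as 'Amazon <security@amaz0n.co.uk>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return classify_domain(registrable(match.group(1))) if match else "unknown"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """Return (href, reason) for links whose shown domain differs from the real
    destination, or whose destination is a lookalike of a trusted domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = registrable(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable(shown.group(1)) != real:
            findings.append((href, f"text shows {registrable(shown.group(1))} but link goes to {real}"))
        elif classify_domain(real) == "lookalike":
            findings.append((href, f"{real} is a lookalike of a trusted domain"))
    return findings


# CONSTRUCTED phishing-style message body for the demo.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended. Restore access within 24 hours:</p>
<a href="https://amaz0n.co.uk/verify">https://amazon.co.uk/account</a><br>
<a href="https://amazon.co.uk/orders">Your orders</a><br>
<a href="https://login-amazon.example.net/session">amazon.co.uk</a><br>
<a href="https://amaz0n.co.uk/help">Click here</a>
"""

if __name__ == "__main__":
    print(classify_sender("Amazon <security@amaz0n.co.uk>"))
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href, "->", reason)
```

Only the second link in the sample survives both checks: its text is not a URL and its destination is on the trusted list. The other three reproduce the patterns in the text above, a lookalike domain, a mismatch between shown and real destination, and a lookalike hidden behind generic “Click here” wording.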

Attachments are another common attack vector. Even if they appear to be legitimate (e.g. PDFs or invoices), they may be designed to automatically install malicious software to your device. Most ransomware and malware infections still originate from phishing emails or malicious downloads disguised as legitimate files!

Attackers want you to think and act quickly – don’t fall for it! Slow down and read carefully. Look for red flags like poor spelling and grammar, awkward phrasing, or threats that something bad will happen if you don’t act immediately.

When it comes to phone calls, NEVER give out sensitive information if someone asks for it (e.g. someone claiming to be from your bank, IT department, HMRC, etc.). Just hang up on them, block the number, and call them back using the number on their official website. If you think hanging up is rude, just be aware that voice-cloning attacks (recording your voice for AI impersonations) are scarily accurate now.

Finally, NEVER send your password to anyone via email, chat, or text message. No legitimate service or professional contact will ever ask you to confirm or share your password, email credentials, or phone number in this way. Even if the request seems to come from someone you trust — such as your boss, a colleague, or your Nan — their account could already be compromised.


5) ALWAYS use secure Wi-Fi

You should avoid using public Wi-Fi for sensitive tasks whenever possible. Public Wi-Fi networks, like those in airports, cafes, hotels, libraries, or on the train to work, are inherently risky because you don’t know who else is connected. It’s like sending your sensitive information through a transparent tube: others on the same network could potentially intercept your data and see what you’re doing!

If you absolutely must use public Wi-Fi, you can reduce the risk by using a VPN (Virtual Private Network). A VPN encrypts the connection between your device and the VPN server, which effectively shields your data from anyone else on the same network. Even if an attacker is monitoring the Wi-Fi traffic, all they would see is encrypted, unreadable data. Using a VPN is simple – you download a VPN app from a reputable provider, install it, and enable it.

Keep in mind that a VPN only protects you from snooping – it doesn’t stop phishing or malware. It’s also best to avoid free or unknown VPN services that might (i.e. will) log and sell your data.


6) ALWAYS use antivirus software and enable your firewall

Antivirus software is designed to detect and remove threats, including blocking malicious downloads and warning about dangerous links. Even the free, built-in antivirus and firewall tools on Windows and Mac are much better than nothing, and keeping your firewall enabled helps block unauthorised incoming traffic.

On Windows, Microsoft Defender antivirus provides solid protection out of the box for most home users. If you want an extra layer of security, you can consider reputable antivirus programs like Malwarebytes, Bitdefender, or ESET, which offer additional features and stronger detection rates.

On mobile devices, the situation is different. If you use an Android device, installing antivirus software can be a good idea, especially if you sideload apps, use open-source apps from outside the Play Store, or want extra protection against phishing and malicious websites. If you use an iOS device, installing antivirus software is unnecessary in most cases because iOS is a much more closed platform. Besides, apps on iOS run in their own isolated space, so traditional antivirus software can’t actually scan the system for malware in the first place!


7) ALWAYS back up your data regularly

Since you’re reading this, you must be a responsible person who always keeps regular backups of their data.

But let’s say, hypothetically, you haven’t backed up your data recently.

Now let’s say, hypothetically, your computer or smartphone explodes, or you become a victim of ransomware, and you lose access to all of your logins and passwords and files and contacts and apps.

What do you do?

You should back up your data – properly! You should at least be backing up your critical data on a regular basis. Save important files to an external offline drive and/or a secure cloud service so that you can recover your data. You should also be testing your backups periodically to make sure they’re actually working as expected and aren’t corrupted. If ransomware locks your files away and demands payment to release them, with a backup you can restore your files for free when the coast is clear!
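“Test your backups” is easier to do reliably if you record a fingerprint of every file when the backup is taken and compare against it later. The example below is added here and is not code from the article: it builds a SHA-256 manifest of a folder, then checks a backup copy against that manifest and reports files that are missing, corrupted, or unexpectedly present. The `demo()` function is a constructed scenario that backs up a temporary folder, deliberately damages one file and deletes another in the copy, and shows the verifier catching both; the file names and contents are made up.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): file_sha256(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup copy against the manifest recorded when it was taken."""
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, expected in manifest.items():
        copy = backup_root / rel
        if not copy.is_file():
            report["missing"].append(rel)
        elif file_sha256(copy) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # Files in the backup that were never in the manifest (e.g. something wrote
    # into the backup location after the fact) are worth knowing about too.
    report["unexpected"] = [rel for rel in build_manifest(backup_root) if rel not in manifest]
    return report


def demo() -> dict[str, list[str]]:
    """CONSTRUCTED scenario: back up a folder, then damage the copy and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "documents")
        backup = Path(tmp, "backup")
        (source / "tax").mkdir(parents=True)
        (source / "tax" / "2024.txt").write_text("return filed\n")
        (source / "photos.txt").write_text("holiday\n")
        (source / "notes.txt").write_text("remember the milk\n")

        manifest = build_manifest(source)   # record fingerprints at backup time
        shutil.copytree(source, backup)     # take the backup

        # Simulate a flipped byte (bit rot) and a file lost from the backup medium.
        (backup / "photos.txt").write_bytes(b"hXliday\n")
        (backup / "notes.txt").unlink()

        return verify_backup(manifest, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10} {files}")
```

Keep the manifest somewhere the backup itself cannot overwrite (a second drive, or printed alongside the offline drive’s label): if ransomware reaches the backup location, an untouched manifest is what tells you which files can still be trusted.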


8) ALWAYS limit the amount of personal information you display online

This is a minor point but is related to social engineering. Always be careful about sharing personal details on social media or other websites, especially if you’re responding to viral posts asking about your mother’s maiden name or your favourite colour. You don’t need to tell the world your home address, your travel plans, or your credit card information.

If available, adjust privacy settings on your social media profiles and other accounts to limit the amount of data that others can see (e.g. making your account private or limiting certain information to friends and family).


9) ALWAYS clean up junk apps and permissions on your smartphone

“I downloaded an app from the Apple/Google Play store that allows me to view PDF files on my phone. It’s from the official store, so it must be safe to use!”

Wrong!

Just because an app is “official” or “verified” doesn’t always mean it’s legitimate. There have been several instances in the past of “approved” apps being used to access user data. This ranges from stealing Facebook login information and installing adware on your phone to draining money from bank accounts and committing identity fraud!

Go through every app on your phone right now. If you haven’t used an app for a while, delete it. If you do use an app, check the permissions the app has – it could have access to your camera, microphone, files, contacts, etc. Click HERE to find out how to check app permissions on an Android phone. Click HERE to find out how to check app permissions on an iOS device.


10) ALWAYS use trusted websites

There are all kinds of websites on the internet, and not all of them are secure. If you’re unsure about a website (e.g. a shopping website you’ve never used before), check the URL to make sure it says “https://” at the front. Once you’re on the website, look at the address bar for a padlock icon indicating a secure connection.

You may also want to consider using reputable browser extensions such as HTTPS Everywhere to force websites to use secure HTTPS connections, or uBlock Origin to block malicious ads (malvertising) that can infect your device just by visiting a compromised site. Keep in mind that browser extensions can sometimes interfere with how a website functions. If you do encounter issues, you can always disable a browser extension on trusted websites (e.g. disabling uBlock Origin on a banking website if it’s stopping you from logging in).


Remember – staying cyber safe starts with you!

For further information, the ICO has a wealth of information individuals can use to improve their cyber security.