Use Google services. Google is by far the safest and most reliable place to store your email, calendar, contacts, and documents. The primary credible threats to Google are superpower-grade espionage or U.S.-based legal process, and Google has world-class security and legal teams. This isn’t universal advice for everyone, but most people are safer with Google.
Use Chrome with HTTPS Everywhere and Privacy Badger. Chrome is the safest and most secure browser out there. HTTPS Everywhere upgrades your web browsing wherever it can, protecting private information and browsing history, and preventing some attacks. Privacy Badger blocks online trackers, which are also a common source of malware.
Use a password manager (like 1Password). There’s simply no way to memorize lots of secure passwords. Instead, randomly generate them with your password manager. Changing all your passwords at once is a lot of work, so change your most important passwords first, then spend a little while every week updating less important accounts. After a few months, run 1Password’s Watchtower feature to find and clear up stragglers. Having a strong password is more important than changing it often. The only time you need to change a password is after a known breach.
Pick a complex master password. It’s pretty easy to create a complex password that’s easy to remember but impossible to guess. It’s possible to memorize a half-dozen of these (try turning it into a song or picture in your head), and most people can memorize a dozen.
Turn on two-factor authentication (2FA) everywhere you can. The best option for 2FA is a hardware token like a YubiKey; however, that’s only available for some services. The next best approach is a code-generator app on your mobile device. This is the most common approach, and it’s very safe. Codes sent by SMS are weaker, but much better than no 2FA.
Lock your screens. Use a PIN with at least six digits on your mobile devices. Eleven digits is best. (Each digit makes it exponentially harder to attack.) Use a complex, memorable account password on your laptop. Ensure all your devices screen-lock after a minute or two.
Encrypt your hard drives. All your devices come with this feature, and it never takes more than a few minutes to switch it on. For Macs, it’s FileVault; Windows has BitLocker; device encryption is available on Android; Chromebooks and iOS devices have full-disk encryption enabled by default. Use a strong PIN or passphrase.
Install software updates. Automatic updates are best, because then you don’t even have to think about it. The easiest way to attack a computer is with a known bug in outdated software. Make sure that you enable automatic updates for your OS and all the applications you use. If one of your apps stops getting updates from the creator, it becomes the weakest link for attacking your computer.
Protect your network connection. Signal and WhatsApp provide easy-to-use, end-to-end encryption for the contents of calls and text messages, but don’t necessarily conceal who you’re contacting. Use Tor Browser for research. Use Tor more widely if you’re technically able. Use a VPN, especially when traveling. OpenVPN software and protocols are safest. Be aware that your VPN provider becomes your new ISP — they can see everything you’re doing online, so choose a trustworthy provider. Set your VPN to connect automatically so you won’t be without it if your network connection cuts out. Use your VPN on your laptop and mobile devices.
Don’t get phished. “Phishing” is sending a legitimate-looking message to trick you into opening a malicious attachment or a malicious link where you might be asked to enter your username and password for a different site. Spearphishing is where that legitimate-looking message is further customized to you personally. Identifying these emails can be difficult, and avoiding phishing requires you to be on your guard all the time. A Chromebook will protect you against most malicious attachments. Chrome will protect you against many malicious sites which try to install malware when you visit them. A password manager integrated with your browser helps avoid entering a password into a fake site.
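The password-manager point above works because the manager compares the page's actual origin, not how the page looks, before it offers a saved login. A simplified model of that check follows, added here as an illustration and not taken from any password manager's code; the vault entry, the URLs and the function names are all constructed, and real products apply their own matching rules.

```python
from urllib.parse import urlsplit

# Constructed vault: one saved login, keyed by the origin it was saved on.
VAULT = {("https", "accounts.example.com"): ("alice", "placeholder-password")}


def origin(url):
    """Return (scheme, host) with the host in a canonical ASCII form."""
    try:
        parts = urlsplit(url)
        # hostname drops any "user@" prefix and port, and is lower-cased.
        host = (parts.hostname or "").rstrip(".")
        # Non-ASCII labels become punycode ("xn--..."), so a look-alike
        # letter from another alphabet can never equal the saved ASCII host.
        host = host.encode("idna").decode("ascii")
    except ValueError:  # malformed URL or un-encodable host
        return "", ""
    return parts.scheme.lower(), host


def autofill(page_url, vault=VAULT):
    """Offer saved credentials only on an exact HTTPS origin match."""
    scheme, host = origin(page_url)
    if scheme != "https" or not host:
        return None  # never fill over plain HTTP or on an unparseable URL
    return vault.get((scheme, host))


def check_samples():
    """Run constructed URLs through autofill; True means a login is offered."""
    samples = {
        "genuine": "https://accounts.example.com/signin",
        "plain http": "http://accounts.example.com/signin",
        "extra suffix": "https://accounts.example.com.login.test/signin",
        "userinfo prefix": "https://accounts.example.com@login.test/signin",
        "look-alike letter": "https://accounts.ex\u0430mple.com/signin",
        "hyphen for dot": "https://accounts-example.com/signin",
    }
    return {name: autofill(url) is not None for name, url in samples.items()}


if __name__ == "__main__":
    for name, offered in check_samples().items():
        print(f"{name:18} -> {'fill' if offered else 'refuse'}")
```

A person reading the address bar can miss every one of the refused cases; the string comparison cannot, which is why a manager that stays silent on a login page is a signal worth heeding.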
Occasionally, step back, ponder and plan. The Electronic Frontier Foundation’s Security Self-Defense Guide helps you think about what you have to protect and how. The Freedom of the Press Foundation is also an excellent resource for journalist digital security. Using safer-by-default tools and sensible practices is always a good starting point. But it’s also important to think about your own individual threats and the best ways to protect yourself. Take some time every few months to review your ways of working, and consider improvements. It gets easier every time you do.