I have spent more than a decade running servers, fronting them with every firewall layer the documentation tells you to add, and writing hardening guides like the one on Linux server security fundamentals. Every breach I have personally cleaned up at a client site started with a person, not a packet. The human element in cybersecurity defense is the layer no WAF, no IDS, no kernel patch can substitute for, and it is the layer most agencies and small businesses ignore until it costs them.
This post is the version of “security awareness” I wish more clients heard before the incident, not after. Router hygiene, DNS choices, password discipline, the realistic threat model for your operating system, and the social engineering tactics that walk past every technical control you bought. I am writing it as the companion to the server-side guides on this site, because the hardest server in the world does not help when the person with the password hands it over.
About 2,000 words. No code blocks worth speaking of. Read it once, then go check your router.
Your home router is the most ignored piece of security kit you own
Every packet between your laptop and the rest of the Internet passes through your home router. Most home routers are still on the firmware they shipped with, with the admin password printed on a sticker on the back, and a remote-management interface listening on the WAN side that you never knew existed. I have been into client offices where the “IT person” was the one who spent the longest on hold with the ISP, and the router had not been touched since the day it was unboxed.
Three things matter, in order of impact.
Change the admin password. Not the Wi-Fi password. The admin login for the router’s web interface. The factory default is in a public database that every botnet on Earth queries before it tries anything else. Make it unique, make it long, and put it in your password manager. While you are in there, disable WPS and turn off remote management on the WAN interface unless you actually use it. You almost certainly do not.
Update the firmware. Most routers will not auto-update. Most users never log in to check. Manufacturers ship security patches, then nobody applies them, and the public exploit lands six months later. Once a quarter, log in and check. If your router has not received a firmware update in two years, the manufacturer has abandoned it and you should replace it. A 60-euro consumer router from 2019 is a worse investment than a 120-euro one from 2024.
Use WPA3 if your router supports it, WPA2-AES if it does not. Anything older (WEP, WPA-TKIP) is broken in a way that is now packaged in tools any teenager can run. If your router only does WPA, replace the router.
DNS is a security control, and your ISP is probably not running one
Every time a device on your network connects to a website, an app, or a smart-home backend, it asks DNS to translate the name into an IP address. By default, that lookup goes to whatever DNS server your ISP runs. ISPs are in the business of keeping the lights on, not in the business of blocking known malicious domains for you.
The fix is to point your router’s DNS at a service that filters. Three options I use and recommend:
- NextDNS. A configurable filtering DNS with malware lists, ad blocking, tracker blocking, and per-device profiles. Free tier covers most home use. The paid tier is a few euros a month and adds parental controls and analytics. This is what I run on my own router and what I recommend to clients who want one place to manage filtering.
- Cloudflare 1.1.1.1 for Families. Two flavours: 1.1.1.2 for malware blocking, 1.1.1.3 for malware plus adult content. Free, fast, no setup beyond entering the IPs. The right pick if you want zero-config protection.
- Quad9. Run by a non-profit, focused on threat intelligence from multiple security feeds. 9.9.9.9. Strong privacy stance, no ads in the business model.
Set this once on the router and every device on your network gets the protection by default. The smart TV that has not seen a firmware update since 2021 stops being able to resolve the malware command-and-control domain it was about to phone home to. The kid’s tablet that picked up a sketchy ad-redirect chain hits the block. You do not need to install anything on the endpoints.
I would skip the “secure DNS” feature your antivirus vendor sells you. They are repackaging the same lists with their own branding and a recurring fee. The free or low-cost public services are run by organisations whose actual job is DNS.
The operating system question: less interesting than you think
The original BookStack version of this article spent several thousand words comparing Windows, macOS, and Linux. I am going to compress all of that, because in 2026 the answer is mostly: it depends what you do, and the human factor matters more than the OS choice.
Windows is the largest target because it is the largest installed base. That is the entire story of why it sees more malware. The platform itself, on a current Windows 11 build with Defender enabled, is genuinely fine for general business use. The risks are the third-party software people install on top of it (Adobe Reader, random PDF tools, browser extensions of unclear origin) and the user habits around running unknown executables. If you must run Windows, run it patched, on Defender, with a non-administrator account for daily use. That alone moves you out of the bottom 80% of the threat profile.
macOS gets less commodity malware because the installed base on the desktop is smaller, the App Store gates a lot of distribution, and the platform has hardware-level security features (Secure Enclave, Gatekeeper, sandboxing) that raise the bar. It also gets targeted attacks from sophisticated actors, because the people using Macs at work are often the people with access to expensive things. The realistic threat model for a Mac user is phishing and supply-chain compromise of legitimate apps, not commodity ransomware.
Linux on the desktop is mostly safer in practice because the user base self-selects for technical literacy, the package manager handles updates for system software the way Windows users wish it would, and root access is gated by default. None of that is a guarantee. A Linux user who runs curl | sudo bash from a sketchy GitHub repo is in exactly the same trouble as a Windows user double-clicking a .exe from an email.
The honest take: for most agency and small-business work, hardened Windows on a non-admin account is fine, macOS is fine, and Linux is fine. Pick what your team will actually keep updated. The OS that gets patched on Tuesday beats the OS that is “more secure on paper” but never updated.
Passwords: the one piece of advice that actually matters
If I could only give one piece of security advice to a non-technical user, it would be this. Use a password manager. Generate a unique random password for every site. Memorise the master password. That is it.
Most account breaches I see happen the same way. The user has one “good” password they use everywhere. A site they signed up for years ago (a forum, a free game, a defunct retailer) gets breached. The password lands on haveibeenpwned.com. An attacker takes the same email-and-password combination and tries it against the user’s email, their bank, their domain registrar, their cloud provider. One of them works. The attacker is now in.
A password manager (I use Bitwarden and have run KeePassXC for offline workflows; both are open source and good) breaks this chain. Every site gets a 24-character random password. The breach of one site reveals one password, useful nowhere else. The user only has to remember the master password, which they enter rarely enough that it can be a 5-word passphrase they actually retain.
The pushback I hear from clients: “What if the password manager itself gets breached?” Two answers. First, modern password managers encrypt the vault on the client device with a key derived from the master password. The hosted service holds an encrypted blob it cannot decrypt. Bitwarden has had its infrastructure hit and the vaults stayed encrypted. Second, the alternative (one password reused across sites, written on a sticky note, or stored in browser autofill that syncs to a Google account secured by the same password) has a worse threat model.
If you do not want a hosted service, run KeePassXC with the database file synced through Nextcloud, Syncthing, or a USB stick. Same protection, no third party.
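The reuse chain above starts with a password turning up in a breach corpus. The way to check for that without handing the password to anyone is the k-anonymity range query that haveibeenpwned.com's Pwned Passwords API uses: hash the password with SHA-1, send only the first five hex characters, get back every suffix in that bucket with its breach count, and match locally. This is an added example, not code from the post; the API URL is the real endpoint, but the bucket contents below are constructed for an offline run (the count is made up), and the `fetch_range` callback is a hypothetical seam so the same logic works against either the fake bucket or the live service.

```python
"""k-anonymity breach check for a password (added example, not from the post).

The server only ever sees a 5-character hash prefix, which maps to hundreds
of candidate passwords, so the query reveals nothing usable about the one
being checked.
"""
import hashlib
import urllib.request
from typing import Callable


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are skipped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the raw text of the bucket for that prefix.
    Only the prefix leaves this function; the suffix is matched locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint (network; not used in the test)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed bucket for prefix 5BAA6 (the SHA-1 prefix of "password").
# The first suffix is the real suffix of that hash; the counts and the other
# two suffixes are invented for this offline example.
CONSTRUCTED_BUCKET_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def fetch_range_constructed(prefix: str) -> str:
    """Offline stand-in for the API: only the 5BAA6 bucket has contents."""
    return CONSTRUCTED_BUCKET_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "xq7!Lr9#vP2m-constructed-unique"):
        print(pw, "->", breach_count(pw, fetch_range_constructed))
```

Swap `fetch_range_constructed` for `fetch_range_live` to query the real service; nothing else changes, which is the point of the k-anonymity design.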
2FA, and why hardware keys are worth the 25 euros
Two-factor authentication adds a second proof beyond the password. SMS codes, app-generated codes, hardware keys. They are not equivalent.
SMS-based 2FA is the weakest tier. It blocks lazy attackers but loses to SIM-swap attacks (an attacker convinces your carrier to port your number to their SIM). It is still better than nothing, but it should not be guarding anything serious.
App-based 2FA (TOTP) generates a 6-digit code that rotates every 30 seconds. Apps like Aegis (Android, open source), Raivo (iOS), or self-hosted 2FAuth all do this. It is the right tier for most accounts. The code is generated on your device with a shared secret, never transmitted, and immune to SIM swaps.
Hardware keys (YubiKey, SoloKey, Nitrokey) are the top tier. The key holds a private key it never reveals, signs a domain-specific challenge from the site, and physically requires a button press. This makes phishing functionally impossible for accounts protected by a hardware key, because a fake login page on a different domain cannot get the key to sign for the real domain. A 25-euro YubiKey on your email account, your domain registrar, your password manager, and your cloud provider is the highest-leverage 25 euros you will spend on security.
For the rest of your accounts (forums, social media, the second-tier stuff), TOTP via an app is fine. Do not use SMS unless the site offers no other option. If you want a self-hosted middle layer for managing TOTP across a team, 2FAuth is the lightweight option I deploy, and Authentik is the full identity-provider play for agencies that have outgrown a shared password vault.
Backups, browsers, and the 80/20 of personal hygiene
A few things that do not deserve a full section but matter.
Backups. The 3-2-1 rule is right. Three copies of important data, two different storage media, one off-site. For a sole operator that means: the original on your laptop, a Time Machine or similar local backup on an external drive, and an off-site copy on Backblaze, Borgbase, or your own server with restic. If your only backup is “iCloud” or “Google Drive sync”, you do not have backups, you have a faster way to propagate ransomware to your other devices.
Browsers. Firefox with uBlock Origin, or a Chromium-based browser with uBlock Origin. Anything that blocks ads also blocks the ad network as a malware-delivery vector, which is a non-trivial fraction of the threat. Avoid browser extensions of unclear origin, and review your installed extensions every six months. The dormant extension you installed in 2022 that just got sold to a malware operator has happened more than once.
USB sticks. Treat them like an open envelope from a stranger. The “found USB in the parking lot” attack still works in 2026. Do not plug in a stick whose chain of custody you cannot account for.
Updates. Operating system, browser, and password manager. Set them to auto-update. The patches landing today are mostly fixes for things that were exploited last week.
Social engineering is the layer no technology fixes
Every technical control on this list assumes the user does not voluntarily hand the keys over. They do, all the time, because attackers are good at their job and humans are predictable.
The phishing email that says “your invoice is overdue, click here to view” is sent to a hundred thousand inboxes. Most go to spam. Some land in the right person’s inbox at the wrong moment, while they are eating lunch and answering email on their phone, and they click. The page looks like Microsoft 365. They enter their password. The password lands in a credential dump that gets sold within the hour.
The voice call that says “this is the IT helpdesk, we need to verify your account, can you read me the code we just sent?” works on roughly one person in twenty under stress. Always.
The fix is not better filters, although filters help. The fix is a small set of habits.
- Slow down. Anything urgent in an email is suspect. Real urgency from real people comes through a channel you already trust.
- Verify out of band. If your bank emails about a problem, log in by typing the URL yourself. Do not click the link. If the CEO emails you to wire 50,000 euros to a new account, call them on the number you already have. Do not reply to the email.
- Assume credential phishing if any link asks for a login. Hardware 2FA on the accounts that matter neutralises the entire category, because the fake page cannot pass the cryptographic challenge.
- Treat unsolicited support calls as hostile until proven otherwise. Microsoft will not call you. Your bank’s fraud department will not ask you to read out a code. The IRS will not demand iTunes gift cards. None of these things have ever been real, but they keep working.
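The hardware-key section above and the "fake page cannot pass the cryptographic challenge" habit both rest on one mechanism: the browser, not the web page, tells the key which site it is on, and the signed response names that origin, so the real site can reject anything signed for a look-alike domain. The following is an added example that models the WebAuthn assertion flow; it is not code from the post or from YubiKey, SoloKey or Nitrokey. One simplification is an assumption of the model: the key's signature is stood in for by an HMAC with a per-site secret the site can verify (a real key uses a public-key signature), but the origin binding, single-use challenge and lookup-by-site logic are the same.

```python
"""Origin-bound challenge/response, modelled on WebAuthn (added example).

Three defences are shown: the key has no credential for the phishing domain,
captured assertions cannot be replayed, and an assertion naming the wrong
origin is rejected by the relying party regardless of signature.
"""
import hashlib
import hmac
import json
import os


class Authenticator:
    """Stands in for the hardware key: one secret per relying-party id, never exported."""

    def __init__(self) -> None:
        self._creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._creds[rp_id] = key
        return key  # HMAC stand-in: the site keeps this as its verification key (assumption)

    def get_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        # rp_id comes from the browser's view of the origin; a page cannot choose it.
        key = self._creds.get(rp_id)
        if key is None:
            raise LookupError(f"no credential for {rp_id}")
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(key, signed, hashlib.sha256).digest()


class Browser:
    """Derives rp_id from the origin it actually connected to and builds clientData."""

    def __init__(self, authenticator: Authenticator) -> None:
        self.auth = authenticator

    def login(self, origin: str, challenge: bytes) -> tuple[bytes, bytes]:
        rp_id = origin.split("://", 1)[1].split("/")[0]
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        return client_data, self.auth.get_assertion(rp_id, client_data)


class RelyingParty:
    """The real site: issues single-use challenges and checks origin before signature."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.keys: dict[str, bytes] = {}
        self.issued: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.issued.add(challenge)
        return challenge

    def verify(self, user: str, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get" or data.get("origin") != self.origin:
            return False                                   # signed for another site
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.issued:
            return False                                   # unknown or already used
        self.issued.discard(challenge)
        expected = hmac.new(self.keys[user], hashlib.sha256(self.rp_id.encode()).digest()
                            + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def scenario() -> dict:
    """Genuine login, replay, phishing relay and forged origin, with outcomes."""
    key, bank = Authenticator(), RelyingParty("bank.example", "https://bank.example")
    browser = Browser(key)
    bank.keys["alice"] = key.register(bank.rp_id)
    results = {}

    challenge = bank.new_challenge()
    client_data, sig = browser.login(bank.origin, challenge)
    results["genuine"] = bank.verify("alice", client_data, sig)
    results["replay"] = bank.verify("alice", client_data, sig)   # same assertion again

    # Look-alike domain (constructed) relays the bank's real challenge to the victim.
    challenge = bank.new_challenge()
    try:
        browser.login("https://bank-login.example", challenge)
        results["phish"] = "key signed"
    except LookupError as exc:
        results["phish"] = f"key refused: {exc}"

    forged = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                         "origin": "https://bank-login.example"}, sort_keys=True).encode()
    results["forged_origin"] = bank.verify("alice", forged, b"\x00" * 32)
    return results


if __name__ == "__main__":
    print(scenario())
```

Contrast this with the TOTP flow: a six-digit code is valid for whoever presents it to the real site within the window, so a proxying phishing page can relay it; the origin-bound assertion is useless anywhere except the domain it was signed for.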
For sharing actual sensitive data with people who legitimately need it, set up a self-hosted secret-sharing tool like Cryptgeon so passwords and tokens never sit in email or chat history. The infrastructure is small. The behavioural payoff is large.
Closing the loop
The human layer is harder than the server layer because there is no apt install for “thinks before clicking”. You change behaviour the way you change anything else: small habits, repeated, anchored to a specific moment in the day. Once a quarter, check the router firmware. Once a month, review the password manager for sites that should rotate. Once a week, glance at the security log on your email account. Once a day, hesitate before clicking.
The technical baseline I have written about elsewhere on this site (the Linux server security fundamentals, CrowdSec for behavioural blocking, Nginx hardening, Authentik for identity) handles the machine layer. This post handles the part the machine cannot do for you.
If you are reading this and you have not done the router pass, the password manager pass, and the hardware key on your email account, those are the three to do this week. They will move you out of the casual-attack risk band almost completely. Everything else is refinement on top.