Start with your threat model. Who is the “someone” you’re imagining attacking you? What are the most likely risks to occur? What are the most damaging? Where do those two lists overlap? Prioritise addressing those first. There’s no point worrying about someone stealing your laptop if it rarely leaves the house, but something like not having reliable 2FA on your accounts is probably more likely to get exploited and potentially as damaging. There’s no point worrying about nation state actors exploiting a side-channel to leak data via an LED on your earphones if you’re currently embroiled in a messy divorce.
Don't use chrome to store your passwords. Use a password manager that's not tied to a cloud company that you can use multifactor Auth with, one of which is off device.
Don't leave yourself signed into your accounts. As soon as you're done sign out.
Keep everything portable and not centralised.
Convenience doesn't make for good cyber security.
You can't protect yourself from everything but you can make it more difficult.
A simple starting point for me was checking password reuse and enabling hardware-based 2FA everywhere possible.
It’s surprising how much risk disappears just from that.
Do you have off-site backups of all your critical data on a regular schedule?
Do you have physical 2FA on all your accounts?
Are you actively patching/updating all your devices on a schedule, and actively discarding the devices that are too old to patch?
Only after these are done should you start looking at complex phishing and social engineering scenarios. You can successfully mitigate everything you are worried about by nailing these fundamentals.
Start with your threat model. Who is the “someone” you’re imagining attacking you? What are the most likely risks to occur? What are the most damaging? Where do those two lists overlap? Prioritise addressing those first. There’s no point worrying about someone stealing your laptop if it rarely leaves the house, but something like not having reliable 2FA on your accounts is probably more likely to get exploited and potentially as damaging. There’s no point worrying about nation state actors exploiting a side-channel to leak data via an LED on your earphones if you’re currently embroiled in a messy divorce.
I just came across this checklist the other day: https://andrew-quinn.me/digital-resiliency-2025-checklist/
In addition to the short checklist, the author has a lengthy blog post describing its implementation in his life: https://andrew-quinn.me/digital-resiliency-2025/
Don't use chrome to store your passwords. Use a password manager that's not tied to a cloud company that you can use multifactor Auth with, one of which is off device.
Don't leave yourself signed into your accounts. As soon as you're done sign out.
Keep everything portable and not centralised.
Convenience doesn't make for good cyber security.
You can't protect yourself from everything but you can make it more difficult.
A simple starting point for me was checking password reuse and enabling hardware-based 2FA everywhere possible. It’s surprising how much risk disappears just from that.
I’m wary ofhardware 2fa because I’m prone to losing things. Do you have a plan for if that happens?
Karpathy had an amazing tweet about this if you’re interested in a deep dive.
[1]https://x.com/karpathy/status/1902046003567718810
Start at the fundamentals, dammit!
Do you have off-site backups of all your critical data on a regular schedule?
Do you have physical 2FA on all your accounts?
Are you actively patching/updating all your devices on a schedule, and actively discarding the devices that are too old to patch?
Only after these are done should you start looking at complex phishing and social engineering scenarios. You can successfully mitigate everything you are worried about by nailing these fundamentals.
Do you have suggestions on how to do off site backups? For example for images and documents
XXTB HDD in a safe deposit box. Rotate the disks with on-site backup. Test restore once per year.
I would be more careful towards social engineering than some random typical hackers. The former seems more prevalent and successful in my POV.