Benild Joseph

White Hat Hacker

Security Researcher

Author & Podcaster

TEDx Speaker

Benild Joseph

White Hat Hacker

Security Researcher

Author & Podcaster

TEDx Speaker

Personal Cybersecurity Checklist

👋🏽 Start here!

📖 How to use this guide

  • Level 1 is the quick essentials section. You should be able to work through it within 30-45mins, and chances are, you’re already familiar with many of the recommendations there — however it never hurts to double check.
  • Level 2 digs deeper into your device/app settings and will help you fine tune your privacy online. This section will take 30-45mins, depending on how many accounts and devices you frequently use.
  • Level 3 ties up loose ends in your digital safety practice. Depending on the amount of digital housekeeping required, this part may take anywhere from 15-30mins.

🔰 Level 1️⃣

📋 Things to do 👇


  • Imagine that an attacker gains access to all of your online accounts. Which of these accounts would be really painful to lose? List them out and write them down.
  • Typically this list includes accounts used for email, online banking, social media, and maybe one or two related to work.
  • The list should be short, and have less than 5-6 items.


The first lock is usually your account password. The second lock takes on a different form and/or comes via a different channel — most often as a code sent to your phone via an app or text message (SMS). This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification.

  • Turn on two-factor authentication for the important accounts you just identified. To find instructions on how to do so:
    • Run an internet search for two-factor authentication and the account name
    • Look up the account provider on
  • Use an authenticator app if one is available. They’re more secure than using SMS to receive your 2FA code.
    • Recommended app: Authy. 👈 Personal Recommendation
  • Turn on cloud-backup for your authenticator app in case you ever lose your phone.
    • Instructions for: Authy.


  • Make sure the answers to these questions are not easy to find using public information about you. Security questions are often used to verify your identity during login or password resets, hence they play a crucial role.


  • Check the address bar for https:// If you’re using a webmail service, ensure that you’re logging into it using an https:// URL. If there isn’t one available, find a new email provider.
  • Find out if your email service supports backup codes. Once you turn on 2FA, your email provider may provide single-use backup codes you can use if you lose your phone.


  • Use an uncommon or not obvious unlock code for your phone with at least 9 digits. We recommend using a long string of numbers as it’s easier to tap (but using both letters and numbers is okay too). Swipe patterns are not recommended, however, as they are too easily replicated by onlookers.
  • Set up a pin code for your mobile phone SIM card:
    • Instructions for:
    • If it asks you for a SIM pin code and you don’t remember setting up one, then the phone company/provider might have set one up by default. Go to your phone provider’s website to find out what it is.
  • Don’t allow USB accessories to control a locked device:
    • iOS: Turn off Settings → Face ID & Passcode → Allow Access When Locked: USB Accessories.
    • Android: Setting is off by default and is only available if Developer Options are turned on.
  • Set up anti-virus/malware software on your phone:


  • Turn on HTTPS-only mode (warns against unencrypted website traffic) on your desktop web browser(s):
  • Turn on your computer’s firewall:
    • macOS: System Preferences → Security & Privacy → Firewall.
    • Windows: Control Panel → System and Security → Windows Firewall.
  • Turn off your computer’s remote access:
    • macOS: System Preferences → Sharing → Remote Login, Remote Management.
    • Windows: Control Panel → System and Security → System: Allow remote access → Don’t Allow Remote connections to this computer.
  • Set up anti-virus/malware software on your computer:


  • Turn off app-specific passwords that bypass two-factor authentication (wherever possible).
  • Turn off automatically added calendar invitations, which can be used to send malicious links.
    • Google Calendar Settings → Event Settings → Add invitations to my calendar: When I respond to the invitation in email
    • Outlook: File → Options → Calendar → Automatic accept or decline → Auto Accept/Decline: Automatically Accept Meeting Requests and Remove Cancelled Meetings
  • Disable macros in Microsoft Office. Macros are small bits of code that automate actions which can be exploited by attackers. They can still be useful sometimes, which is why we recommend the Disable all macros with notification, which allows you to manually allow macros from trusted sources to run.

💪🏽 Habits to grow


A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:

  • Trust your instincts. If you feel like something is off — whether it’s the way the text is written, the way the graphics look, or an unusual first-time request from a service provider — it probably is.
  • Check who it’s from. Look over the sender’s name and phone number or email address. If it’s an email, be sure to closely read the bit after the @ symbol.
  • Think twice before clicking a link. When in doubt, carefully examine the domain in the link. To look at it without opening the link:
    • On mobile:
      • iOS: Tap and hold on a link. A mini preview of the destination will appear. On the top right of this mini-window, tap Hide preview. From then on, iOS will show the full URL whenever you tap and hold on a link.
      • Android: Tap and hold on a link.
    • On desktop:
      • Firefox, Chrome, Edge: When your mouse cursor hovers over a link or button, the full URL will show up on the bottom left.
      • macOS Safari: To turn on the above feature, go to View → Show Status Bar
      • macOS Mail: Hover your mouse cursor over a link and wait for a few seconds for a pop-up to appear.
  • After clicking links, scan the URL address bar in your web browser.
    • Is there a red warning icon or ‘Not Secure’ label? This means the website is running unencrypted on http (rather than https).
    • Is the domain spelled incorrectly?


  • Don’t download/open unnecessary attachments.
    • When in doubt, reply to the original sender to ask what it is.
    • On email, preview attachments within the app or website. On Gmail and Protonmail, simply clicking the attachment brings up its preview, which runs in a safe environment inside the mail program.
    • Ask the sender to use a file-sharing service (Dropbox, Google Drive, pCloud), which also have their own online preview system.
  • Upload suspicious attachments to VirusTotal to have them analyse it. Keep in mind files submitted to VirusTotal may be shared with multiple security researchers, so don’t submit sensitive information.


  • Device operating systems: When you get a notification on your devices to update the operating system, do it as soon as possible.
  • Automatic updates: Turn on auto-update for your apps if the feature is available. If asked to update an app, do so as soon as possible.
  • Firmware updates: Check occasionally for firmware updates for your router and other internet-connected devices.


  • Wipe your devices properly before donating or giving them away. If you’ve encrypted your phones and computers (as suggested earlier), a standard factory reset will work for most of the cases.
  • Don’t charge your phone at public charging stations/ports. They present a risk because attackers might steal your data. Instead, use a portable battery or bring our own adapter to plug directly into the power outlet.

👏👏 Great job!
You’ve secured some important quick wins for your online safety & privacy.

👍 Now, ready for Level 2?

🔰 Level 2️⃣

📋 Things to do 👇


One common way attackers gain access to your account is if your password is too easy: it’s too short, too obvious, or — if you use the same password on multiple accounts — already been leaked as a part of a data breach/hacking incident.

The best way to counteract this problem is to install and use a password manager, which helps you generate long passwords, store them, and fill them in automatically when you’re logging into a website.

  • Recommended password manager:
    • NordPass 👈 Personal Recommendation
  • Install the password manager app on both your phone and computer.
  • Install the password manager browser extension on your desktop web browser.
  • Only create passwords with more than 12 characters. We recommend using the option in the password manager that strings together random, unrelated words (e.g. plant-truck-nose-frame-lace) so that it’s easy to type in those rare instances when the autofill isn’t working.
  • Create login items/entries for your important accounts (identified in Level 1) and make sure each password is unique.
  • Next time you have to type in your password for another account, create an entry for it. This way, you will gradually get any frequently used accounts into the password manager.
  • Transfer all your accounts later. Entering all your accounts into the password manager will take a while, and is best saved for another day. (We’ve placed this time-consuming task in our Level 3.)
  • Don’t use your password manager as a two-factor authentication app. It’s better to not put all your eggs in one basket.


Remember, encryption is only fully effective when the device is off!

  • Encrypt your computer hard drive.
  • Encrypt your phone storage.
    • iOS: Automatically encrypts.
    • Android: Almost all recent versions automatically encrypt. Double-check by going to Settings → Security → Encryption.
  • Encrypt your backup hard drives.


  • Log into the administration and settings dashboard. It’s usually accessible by going to in your web browser. Otherwise, check your router’s instructions.
  • Update the dashboard login if the password is simple.
  • Review the devices currently connected to your network. You may have to explore until you find the access control. Make sure you know what every device on the list is.
  • Turn off the following options if you see them. (Look for them under advanced settings or gateway functions):
    • UPnP (Universal Plug and Play)
    • WPS (Wi-Fi Protected Setup)
    • Remote Management
Track your devices in case you lose them
  • Set up tracking or Find My, which will allow you to remotely find and wipe your devices by logging into a website if you ever lose them.
  • Instructions for:


On social media & messaging apps
  • Review the privacy settings on social media platforms and messaging apps you frequently use. Check who can see your content, what information about you is being made public, and what you are sharing with third-party apps/advertisers.
  • Here are the links to and instructions for the most commonly-used platforms/apps:
    • Platforms/apps with privacy settings available through a desktop browser:
    • Platforms/apps with mobile-only access to update privacy settings:
      • Instagram: Settings → Privacy
      • WhatsApp: Settings → Account → Privacy
      • Snapchat: Settings → Privacy controls
      • TikTok: Profile → Settings and privacy → Privacy
      • Telegram: Settings → Privacy and Security
  • Limit how Facebook tracks you on other websites by clearing and disconnecting Off-Facebook activity.
On email & social media accounts
  • Review Third-Party Apps or Connected Apps linked to major social media/email platforms. These third-party/connected apps have access to your data, and they might be selling it.
  • Instructions for:
On your phone
  • Review which apps on your smartphone have access to your location data. Turn off access for the apps that don’t need it, and minimise the number of apps tracking your location.
    • iOS: Settings → Privacy → Location Services
    • Android: Settings → Location → App access to location
  • On Android, turn off passive Wi-Fi and Bluetooth scanning.
    • Settings → Location → Wi-Fi and Bluetooth scanning
  • Delete third-party keyboards on your phone. They often share what you type with the software maker.
    • These keyboards are installed as apps on iOS and Android, so take the time to scan through all of your installed apps to find and delete them.
    • If you need to use a third-party keyboard, make sure it’s an open-source project that others have verified and does not share your data with third parties.
On your mobile/computer web browsers
  • Review your web browser’s privacy settings
    • On your mobile:
      • iOS Safari: [iOS] Settings → Safari → Privacy & Security, turn on all of them except Block All Cookies
      • Android Chrome: [Chrome] Settings → Privacy and security, turn on Safe Browsing (either option), Always use secure connectionsDo Not Track\
      • Android Firefox: [Firefox] Settings → Privacy and security, turn on HTTPS-Only ModeEnhanced Tracking Protection
    • On your computer:
      • macOS Safari: Preferences → Privacy, turn on Website tracking and Hide IP address
      • macOS/Windows Chrome: Preferences → Privacy and security → Cookies and other site data, turn on Block third-party cookiesDo not track
      • macOS/Windows Firefox: Preferences → Privacy & Security, turn on Enhanced Tracking Protection (any option), Do Not Track and HTTPS-Only Mode (scroll to the bottom)
  • Install these web browser extensions/add-ons if your browser supports it. Make sure they’re on even during private/incognito mode.
  • The above extensions/add-ons are available for Firefox (macOS, Windows, Android) and Chrome (macOS, Windows).
  • Review your other web browser extensions/add-ons. Delete any that you haven’t used in a while or don’t remember installing.
On other internet-connected devices
  • If you use smart speakers, turn off their recording function.
  • For an Amazon Ring or Echo, turn off the feature that shares your internet with strangers.
    • In the Alexa app: Settings → Account Settings → Amazon Sidewalk
Other considerations

💪🏽 Habits to grow


  • Post less personal information online. This includes information that can be used to identify/track/scam you (addresses, phone numbers, birthdays, etc.).
  • Set up a separate account under a pen name to leave local business reviews (on Google Maps, Yelp, etc.) if you write many of them. Otherwise, reviews will be shown under your real name and possibly give away your home location.
  • When registering domains, make sure WHOIS/domain privacy is turned on. Many domain name registrars and web hosts offer this feature for free. Note: There are unofficial WHOIS lookup/history tools out there that make it hard to remove your information from the history log once you’ve entered it at an earlier point in time.


Don’t say anything you’d regret in a “private” group on Slack, Discord, Facebook, WhatsApp group chat, Telegram channel, or any “private” online forum. Here’s why:

  1. Any member can leak all your data.
  2. Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
  3. What you say can be traced back to your account’s phone number or email. Even if you’re not using your real name or photo.
    • To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
      • Who can see my phone number to Nobody.
      • Who can find me by my number to My Contacts.


  • When downloading a new mobile app, double-check to confirm it’s the right one. Many fake apps trick people by using a slightly modified name or icon of an existing, popular app.
  • Regularly check the installed apps on your phone. Delete the ones you’re no longer using.
  • Need to send someone a password? Split it in half and send it via two different channels. For example, send half of the password through email and the other half via a voice call.
  • Place a sticker (or webcam cover) over your laptop’s front-facing camera.
  • Don’t use Google/Twitter/Facebook to sign up or log into other services, which gives these platforms unnecessary data about you. Each service should have its account, and it should be easy to do this with a password manager.

🎉 Congratulations! You dove fearlessly into your settings clicking, tapping and swiping which makes you a very, very above average human being.
👍 Now, ready for Level 3?

🔰 Level 3️⃣

📋 Things to do 👇


  • Identify files you don’t want others to access. This may include private photos, passport scans, and financial documents.
  • Create an encrypted, password-protected vault for your files.
    • Recommended tool: pCloud 👈 Personal Recommendation
  • Set up this vault on your computer and your phone.
  • Move your files into the secure vault. Make sure copies aren’t hanging around in an old folder or on your phone.


  • Use a VPN service both when you’re on a public network (library or café) and when you’re at home (to decrease data shared with your internet/phone company).
    • Avoid free VPN services because free services often make their money back by selling your data.
    • Recommended VPN: NordVPN 👈 Personal Recommendation


For secure messaging & calls
  • Use apps with open source end-to-end encryption protocols and easy-to-use disappearing message timers.
    • Recommended apps:
      • Signal: Sign up with a phone number.
      • Wire: Sign up with an email address or phone number.
    • Set messages to disappear after 1 or 4 weeks.
      • Signal: Go to Settings → Privacy → Disappearing Messages → Default Timer for New Chats.
      • Wire: No app-wide setting exists. You have to set it up for each conversation by tapping/clicking the timer icon ⏱.
    • These apps also encrypt video and voice calls end-to-end, so continue using them wherever possible.
  • End-to-end encryption for video/voice calls with more than 5 people may not be worth it. There are several reasons:
    • Privacy is hard to maintain in large group calls as they often become quasi-public events due to the large number of participants.
    • End-to-end encrypted video/voice calls require more bandwidth than usual, and there’s a large chance one or more people on the call won’t be able to connect properly.
For online file-sharing and backup
  • Store files on the cloud using end-to-end encryption.
    • Recommended app: pCloud 👈 Personal Recommendation
    • Remember: files stored on Dropbox, Google Drive and iCloud are not end-to-end encrypted.


  • Store login credentials for all online accounts in a password manager. We previously asked you to store passwords for your most important accounts there. Now, it’s time to transfer everything there.
    • The fastest way to enter the details is to logout and login to each account on your computer, and let the password manager’s browser extension/add-on capture the details automatically.
    • In some cases, the password manager may warn you that the password you have is weak. If so, spend that extra minute on the account website to change to a new password.
  • Use your password manager’s feature that checks your passwords for weaknesses. If available, this scans your stored passwords to see if it’s too short, has been reused, or has already been leaked as part of a data breach.
    • Feature name in:
      • NordPass: Password Health/Data Breach Scanner

🏆 Wow, you really did it.
🏅 You have finished all 3 levels and now protected from most common cyber attacks.