I have been working in the IT industry for over 30 years, for most of this time as an editor at PC-WELT (PCWorld’s German sister publication), specializing in security. I test antivirus software, give tips on how to make Windows more secure, am constantly on the lookout for the best security tools, and monitor the activities of cyber criminals.
Over the years, I have acquired a whole range of behaviors and principles that seem completely normal and sensible to me. However, when I observe other PC users, I often discover risky or at least less security-oriented behavior.
That’s why I’ve put together the 10 most important things I would never do as an IT security expert, with tips on what to do instead.
1. Move instead of copy
IDG
Moving your own files instead of copying them immediately makes me feel uneasy. This includes, for example, photos or videos from the camera or audio recordings from a smartphone or audio recorder. If you move such files, which are usually unique, you run the risk of losing them as soon as you move them. Although this is very rare, it cannot be completely ruled out.
But even if the moving process goes smoothly: The data is then still only available once. If the hard drive in the PC breaks, the data is gone. If I make a mistake and accidentally delete the files, they are gone. These are risks that only arise if you start a move operation instead of a copy operation.
If you think “I need the space on the SD card for new photos,” then you should consider buying a second SD card. Your own data is always worth it.
And when do I release the space on the SD card? I do this as soon as my backup plan on the PC has backed up the copied data. In my case, this is done on a hard drive in the network that runs on a Raspberry Pi.
Important files are also automatically encrypted and uploaded to cloud storage.
2. Save my own data without a backup
I have set up an automatic backup for all important data. Because saving files I have created myself without a prompt backup is far too risky for me. This also includes all data that I enter into apps, for example, whether for Android, iOS, or Windows. Just because most apps don’t offer an easily recognizable backup function doesn’t absolve the user of responsibility for their data.
A cloud backup, as is usual for iPads, was deactivated for data protection reasons. No other form of data backup appears to have been used. The pupils concerned cannot be blamed here, but the system administrator responsible can.
3. Format storage without a thorough check
IDG
I would never make this mistake — because I have made it before. Therefore, I can only advise from experience: Only format a storage drive when you are sure that you have selected the correct drive.
For years, I used external USB hard drives to store my files. The folder structure on these hard drives was usually identical. There were the folders “My Documents,” “Videos,” “Temp,” “Virtual PCs,” and a few more. What’s more, all the hard drives were the same model, which I had once bought generously on a good deal. Some of these disks even had the same data carrier designation — namely “Data.”
That wasn’t very clever, because it made it too easy to mix them up. So I ended up confusing one of these hard drives with another one at a late hour and formatted the wrong one.
Since then, I have named and labelled my external hard drives and USB sticks very clearly and take another close look before formatting them.
First check, then format: Choosing the right drive before formatting is crucial to avoid unintentional data loss. In Windows Explorer, check which drive letter the hard drive or partition to be formatted has. This is often not immediately apparent on systems with multiple drives. Take the time to check, unplug other hard disks and drives to increase the overview. The name of the disk and its size will help you to identify it.
In addition, start Disk Management by entering Disk Management in the Windows search. All connected disks and their partitions will be displayed. Only start formatting when you are sure that you have found the correct hard drive, USB stick, or partition.
4. Open links in emails
I don’t like to open a link in an email. And I never open a link if the email is supposedly from my bank or payment service provider. I don’t even open the link in the monthly email from PayPal, even though I know that this email actually comes from PayPal.
Why not? Nowadays it is very easy for an attacker to create a deceptively real copy of a bank email. I wouldn’t reliably recognize the difference between a phishing email and a real bank email — at least not in the short time I have to check my inbox.
Instead, I open online banking pages and other important pages via links I’ve saved in my browser, or retype the address into the browser each time. I log in to the site and check whether a new message has arrived in my customer account. If not, then the message in the email is either a fake or not important enough for the bank to enter this information in my customer account. That’s the end of the matter for me.
5. Opening suspicious files
If a file is suspicious, regardless of whether it’s a program or a document, I don’t open it. The risk is simply too great. As an IT editor, I am of course constantly downloading tools from the internet and quite a few of them are scanned by the virus scanner. That is one indication that makes a file suspicious.
Another is the source. Files from dubious websites are just as suspicious as files that are attached to an email or come from links in emails. If I can’t avoid opening or starting such files, I always check them first with the tool www.virustotal.com. The online service checks a file with more than 60 virus scanners.
If you want even more information about a suspicious file than www.virustotal.com provides, you can also upload suspicious files to an online sandbox. However, this is somewhat more complicated than a test at Virustotal. The services often require registration and are sometimes subject to a fee.
A free and uncomplicated online sandbox without registration is available at www.hybrid-analysis.com.
6. Give vouchers for payment of services
Foundry
Who would want to do this? An astonishing number of users! They are all victims of a social engineering attack. Social engineering uses psychological tricks to manipulate people into doing things that are not in their interests. Human characteristics such as trust, fear, or ignorance are exploited.
A popular trick goes like this: You are surfing the internet and suddenly a warning message appears that appears to come from Windows. Your PC has been hacked and you should call a support telephone number so that a Microsoft employee can fix your PC. When you call, you are told that your PC has actually been hacked. However, this costs money and is supposed to be paid for with voucher cards. The criminals demand these because voucher codes are much harder for the police to trace than a bank transfer.
The fact is: Nobody is immune to the tricks of social engineering. A well-prepared and skillful attacker can lure anyone into a trap. There are many examples of this — search “CEO fraud.” But the moment something as unusual as a voucher code for a service is requested, you can become suspicious and escape the trap. The same applies if you are told that someone is coming round to collect money from you.
7. Connect unknown external devices
A USB stick whose owner I don’t know. I’m not plugging it in. Fortunately, gone are the days when Windows’ autostart function immediately launched an EXE file from a connected USB stick. By default, Windows 10 and 11 only offer to start Windows Explorer to display the contents of the USB stick.
So that’s not the problem. But like everyone, I’m curious. Attackers take advantage of this and save malicious files with file names that you can’t resist opening.
For a long time, security experts said that if you wanted to break into a company network, all you had to do was leave a few infected USB sticks in the company parking lot. Some employee will grab a stick and connect it to their work PC.
The professional malware Stuxnet is also said to have reached the computers at the Iranian nuclear facility via a USB stick. It is only unclear whether this USB stick got into the plant via the parking lot trick or whether an insider smuggled it in. Stuxnet destroyed the centrifuges in the nuclear facility and thus delayed the production of fissile material for a nuclear bomb.
When you have to insert a foreign USB stick: The same rules apply as under point 5. Check the files on www.virustotal.com or start them in a sandbox.
8. Use default passwords
When I connect a new device that has default password protection, I immediately change the existing password. The same applies to online accounts that have given me a password.
Admittedly: It has become rare for a router to come with a default password. However, it is all the more important to act quickly in the remaining cases. This is because attackers know the default passwords and try to use them to log into the devices. A great password manager can help you create strong, unique passwords for every site and service you use.
9. Enable unnecessary network services
Hardly a month goes by without a new security vulnerability in a NAS or webcam becoming known. These network devices are usually vulnerable via the internet and allow hackers to access the data on the NAS, the images on the webcam, or even the entire home network.
That’s why I don’t activate any network services that I don’t need. Remote access to my router — deactivated. Remote access to my smart lighting — deactivated. Access to my NAS and the robot vacuum cleaner is also deactivated.
10. Buy an expensive Plus version of antivirus
Antivirus software is usually available in three versions. Simple, good, and very good — or antivirus, internet security, and total security. I would never buy the third and most expensive version.
That’s purely a financial consideration: If I were rich, I would decide differently. But as long as money is tight, I only buy the middle variant, which is usually called Internet Security. It usually offers more than the free Microsoft Defender, but is not as expensive as the full version.
With the latter, I would be paying for services that I don’t necessarily need (metadata cleansing, social media monitoring) or that I can get cheaper elsewhere (VPN services, cloud storage).
As I said, the total versions offer more, but I don’t need that extra.