The checklist

224 actions, 16 domains, in the right order and explained. Tick them off, track your level, come back.

⬇ Download the roadmap
0%
0/224
YOUR LEVEL
Exposed

Everything is still ahead, and that is good news: the first steps pay off the most.

By priority
0%
Essential
0/57
0%
Important
0/113
0%
Advanced
0/54
Coverage by domain
Achievements 0/6
2FA everywhereZero reused passwordsEverything encryptedMessaging locked down3-2-1-0 backupsPhishing-proof
Domains

The fundamentals

Before the settings, the mindset. Map what you expose, understand how you get attacked, and build the reflexes that stop 90% of real attacks.

Read the terms before you accept themImportant10 min
Look for what the service collects, resells and shares; ToS;DR (tosdr.org) flags the worst clauses for you.

Clicking “I agree” without reading is signing a contract blindfolded. At the very least, skim what the service does with your data, the way you’d read the ingredients to dodge an allergen.

ToolsToS;DR
Treat the internet as insecure by defaultImportantOngoing

Assume anything you send online can be read, copied or diverted. Before you send an ID for a rental or a scan of your card, ask yourself whether the recipient has really earned that trust.

Stay deliberate instead of running on autopilotImportantOngoing

Most attacks bet on your autopilot: the reflex click on a pop-up, the tempting link, the impulsive reaction. Taking back control of those habits blocks a large share of threats on its own.

Pause when a message plays on your emotionsEssentialIn the moment

Urgency, fear or excitement are exactly the levers social engineering pulls: you’re rushed so you can’t think. The moment a message triggers a strong emotion, stop, breathe, and only act afterwards.

Ask three questions before reacting to a messageEssentialIn the moment
Was this message expected? Is the sender who they claim to be? Is it normal to be approached like this?

Before you click or reply, filter it: was this message expected, is the sender really who they claim to be, and is it normal to be approached this way? Three reflexes are enough to unmask most traps.

Map your attack surface (1/5): inventory your devicesEssential30 min
List desktops and laptops (OS and versions), mobiles (model, OS, main apps), smart devices (thermostats, cameras, voice assistants) and peripherals (printers, external drives, USB sticks).

You only protect what you’ve listed. Write down everything that connects: computers, phones, smart devices, printers, drives and USB sticks, with their OS and versions. Every forgotten device is a blind spot.

Map your attack surface (2/5): list your online accountsEssential30 min
Write down your email addresses, social accounts, banking and payment accounts, shopping accounts, then everything else (streaming, subscriptions, forums).

Every account is one more door into your digital life. List them all: email addresses, social media, banking and payments, shopping, streaming, forums. What you don’t list, you won’t secure.

Map your attack surface (3/5): locate your important dataEssential30 min
Find where your key documents (certificates, passports), photos and videos, bank statements and tax records, and any work data actually sit.

Your sensitive documents live somewhere: on the drive, on an external disk, in the cloud. Know exactly where, because you can’t back up or defend data you’ve lost track of.

Map your attack surface (4/5): assess your weak pointsEssential30 min
Check the basics (firewall, antivirus, updates), password strength and 2FA, then how your data is protected (encryption, backups, restricted access).

Run every device and account through the sieve: firewall and antivirus on, updates done, strong passwords, two-factor, data encrypted and backed up. Wherever the answer is “no,” you’ve found a gap.

Map your attack surface (5/5): pinpoint your critical pointsEssential20 min
Note the devices most used for sensitive access, the most exposed accounts, and rank the data whose compromise would cost the most (financial, personal, professional).

Not everything carries the same weight. Spot the devices you use most, the accounts holding the most sensitive information, and the data that would do the most damage if it leaked. That’s where your effort goes.

Recognize the signs of a compromiseImportantOngoing
Watch for unusual slowdowns and crashes, unknown apps or files, and unexpected error windows or security alerts.

A device slowing down for no reason, programs or files you never installed, unusual error messages: those are the engine misfiring. A noticeable change in behavior deserves an investigation, not a shrug.

Keep an eye on your account activityImportantOngoing

A sign-in from an unfamiliar place, a password changed without you: these traces reveal a break-in before it does real damage. Check the login history of your sensitive accounts regularly.

Check a login alert on the site itself, never through the messageEssentialIn the moment

A “suspicious login detected” email is phishing’s favorite disguise. Never click its link: open the official site yourself and, if the alert is real, you’ll find it waiting in your account.

Stay calm when you suspect an attackImportantIn the moment

Panic drives rushed decisions, and those almost always make things worse. When you’re under attack, the first thing to do is stay calm: size up the problem before you act.

Set up regular backupsEssential1 h then auto
Automate regular backups of your important data, keep one copy offline or off-site, and test now and then that restoring actually works.

The number-one regret after an attack is not having backed up. With recent copies of your files, ransomware becomes a setback, not a catastrophe: you restore instead of paying the ransom.

Prepare a plan for reacting to an attackImportant30 min
Write down in advance how to isolate a compromised device (cut Wi-Fi and network), which passwords to change first, and who to turn to.

The worst time to improvise is mid-crisis. Decide the first moves while you’re calm: disconnect the infected device from the network, change your critical passwords right away, and know who to alert.

Review an incident afterwards to harden your defensesAdvanced1 h

An attack you survive without learning from invites the next one. Once things are calm, retrace what happened and where it got in, then close that exact gap so it can’t reopen.

Put tools in place to monitor your devicesAdvanced30 min

The human eye misses things: an up-to-date antivirus and well-tuned alerts catch suspicious activity while you get on with your day. Early detection is what turns a break-in into a mere scare.

Keep learning and staying informedImportantOngoing

Scams evolve faster than any piece of software. Your best defense isn’t a tool but your own awareness: continuing to learn is precisely what keeps your resilience standing over time.

Invest in a few well-chosen toolsImportantVariable

Protecting yourself doesn’t mean emptying your wallet. A few modest, well-placed purchases, like a password manager or a backup solution, do more for your security than ten expensive gadgets.

Test your protections regularlyImportantQuarterly

A backup you never restore or an alert that never fires are worthless when the day comes. Test your protections like you test a smoke detector: better to learn they work before the fire, not during it.