The Breach That Started With a Single Password

In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attackers didn't exploit some exotic zero-day vulnerability. They used basic social engineering — information scraped from LinkedIn — to reset credentials and burrow into the network. That's the reality most computer security advice ignores: the expensive breaches almost always start with something embarrassingly simple.

I've spent years watching organizations pour money into firewalls and endpoint detection while neglecting the basics. This post is the computer security advice I actually give to clients — the stuff that moves the needle, not the stuff that sounds impressive on a slide deck.

Why Most Computer Security Advice Falls Flat

Here's the pattern I see constantly: someone reads a generic list of tips, enables a couple of settings, and assumes they're protected. Then three months later they're staring at a ransomware note or discovering their credentials on a dark web marketplace.

The problem isn't a lack of information. It's a lack of prioritization. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element: phishing, stolen credentials, or simple mistakes. That number has barely budged in years. Technology alone doesn't fix human problems.

Good computer security advice starts with understanding what attackers actually do, not what we imagine they do.

The 7 Pieces of Advice I Give Every Client

1. Treat Passwords Like They're Already Stolen

Assume every password you've ever reused is compromised. Credential stuffing attacks — where attackers test leaked username-password pairs against other services — are fully automated now. One breach at a site you forgot you signed up for can cascade across your entire digital life.

Use a password manager. Generate unique, random passwords for every account. If you do nothing else on this list, do this. NIST's Digital Identity Guidelines (SP 800-63B) now favor length over character-class composition rules, tell service operators to screen new passwords against lists of known-breached passwords, and explicitly advise against forced periodic changes unless there is evidence of compromise. Follow that guidance.
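Credential stuffing has a recognizable shape in an authentication log: one source trying many different usernames in a short burst, almost all of them failing, with the occasional success on an account whose owner reused a password. The detector below is an added example, not code from the original post. The log format (timestamp, source IP, username, OK/FAIL), the sample lines and the thresholds are all constructed for illustration; a real deployment reads its own identity provider's log and tunes the window and thresholds to its baseline.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not from the original post. Log format, sample data and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real traffic. Assumed format:
#   ISO-8601 timestamp, source IP, username, OK|FAIL
# 203.0.113.7 is a stuffing run; 198.51.100.23 is a user mistyping their own
# password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.7 alice FAIL
2024-05-01T09:00:02Z 203.0.113.7 bob FAIL
2024-05-01T09:00:02Z 203.0.113.7 carol FAIL
2024-05-01T09:00:03Z 203.0.113.7 dave FAIL
2024-05-01T09:00:03Z 203.0.113.7 erin OK
2024-05-01T09:00:04Z 203.0.113.7 frank FAIL
2024-05-01T09:00:05Z 203.0.113.7 grace FAIL
2024-05-01T09:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T09:00:06Z 203.0.113.7 ivan FAIL
2024-05-01T09:00:06Z 203.0.113.7 judy FAIL
2024-05-01T09:00:07Z 203.0.113.7 mallory FAIL
2024-05-01T09:00:07Z 203.0.113.7 oscar FAIL
2024-05-01T09:01:00Z 198.51.100.23 alice FAIL
2024-05-01T09:01:20Z 198.51.100.23 alice FAIL
2024-05-01T09:01:45Z 198.51.100.23 alice OK
2024-05-01T09:02:00Z 192.0.2.44 bob OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_rate=0.2):
    """Return {source_ip: summary} for sources that look like credential stuffing.

    Heuristic: inside any `window`, one source tries at least `min_users`
    distinct usernames and succeeds on at most `max_success_rate` of attempts.
    A single user retrying their own password is never flagged (one username).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = [u for _, u, ok in chunk if ok]
            if len(users) >= min_users and len(successes) / len(chunk) <= max_success_rate:
                best = flagged.get(ip)
                # Keep the widest qualifying window so the summary covers the whole run
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "successes": len(successes),
                        # Accounts the run actually got into: force a reset and review them
                        "compromised": sorted(set(successes)),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The useful output is the `compromised` list: those are the accounts whose owners reused a password that was already in a leak, and they need a forced reset regardless of whether the source IP gets blocked.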

2. Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) remains the single highest-impact security control for individual accounts. I've seen organizations cut account takeover incidents by over 90% after enforcing MFA across all user accounts.

But not all MFA is equal. SMS codes are better than nothing, but SIM swapping has made them unreliable for high-value targets. Codes from an authenticator app are a step up, yet a real-time phishing proxy can still relay a code the victim types into a lookalike page during its 30-second window. Phishing-resistant MFA, meaning FIDO2/WebAuthn hardware security keys, closes that gap: the authenticator signs a challenge bound to the site's real origin, so an assertion captured on a lookalike domain is useless on the genuine one.
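The difference between a relayable code and an origin-bound assertion is easiest to see side by side. The simulation below is an added example, not code from the original post. The TOTP half is real RFC 6238 (HMAC-SHA1 over the 30-second counter). The "security key" half is a deliberate simplification: a real authenticator holds a per-site asymmetric keypair and signs with the private key, whereas here an HMAC secret shared with the relying party stands in for that signature so the example runs with the standard library only. The origins `bank.example` and `bank-example.com` are constructed.

```python
"""Relayed TOTP succeeds, relayed origin-bound assertion fails.

Added example, not from the original post. TOTP follows RFC 6238. The
"authenticator" below is a stdlib-only stand-in: HMAC with a per-site secret
replaces the real per-site keypair and signature. Origins are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 reference seed (ASCII "12345678901234567890"), base32 for the API below
RFC6238_TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_server_verify(secret_b32, code, at=None):
    # The server has no way to know which web page the user typed the code into.
    return hmac.compare_digest(totp(secret_b32, at), code)


class Authenticator:
    """Stand-in for a security key: one credential per relying-party ID."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        # A real key generates a keypair here. The shared HMAC secret is an
        # assumption made so the example runs without third-party libraries.
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]

    def get_assertion(self, rp_id, challenge):
        # rp_id comes from the browser, derived from the page's actual origin,
        # never from the page content. A lookalike domain therefore gets either
        # no credential or a credential the real site has never seen.
        cred = self._creds.get(rp_id)
        if cred is None:
            return None
        signed = hashlib.sha256(rp_id.encode() + challenge).digest()
        return hmac.new(cred, signed, hashlib.sha256).digest()


def rp_verify(rp_id, stored_cred, challenge, assertion):
    """Relying party checks the assertion against ITS OWN rp_id and challenge."""
    if assertion is None:
        return False
    expected = hmac.new(stored_cred, hashlib.sha256(rp_id.encode() + challenge).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def simulate(now=1_700_000_000):
    """Return which second factors a real-time phishing proxy can relay."""
    real, fake = "bank.example", "bank-example.com"  # constructed origins

    # TOTP: six digits carry no notion of where they were typed, so the proxy
    # forwards the code the victim entered on `fake` and the real server accepts it.
    seed = base64.b32encode(secrets.token_bytes(20)).decode()
    code_typed_into_fake = totp(seed, at=now)
    totp_relay_works = totp_server_verify(seed, code_typed_into_fake, at=now)

    # Origin-bound: the real site's challenge is relayed, but the victim's browser
    # asks the authenticator for `fake`, so the assertion is bound to the wrong origin.
    auth = Authenticator()
    cred = auth.register(real)
    auth.register(fake)  # even if the victim once "registered" on the lookalike
    challenge = secrets.token_bytes(32)
    legit = rp_verify(real, cred, challenge, auth.get_assertion(real, challenge))
    relayed = rp_verify(real, cred, challenge, auth.get_assertion(fake, challenge))
    return {"totp_relay_works": totp_relay_works,
            "fido_legit_works": legit,
            "fido_relay_works": relayed}


if __name__ == "__main__":
    print(simulate())
```

The point the simulation makes is that origin binding is done by the browser, not by the user: the victim can be completely fooled by the lookalike page and the second factor still does not transfer.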

3. Stop Clicking, Start Verifying

Phishing is still the number one initial access vector. The emails have gotten terrifyingly good — AI-generated, grammatically perfect, and personalized with details scraped from your social media profiles. I've seen phishing simulations where over 30% of employees at well-run companies clicked a malicious link.

The rule is simple: never trust a link or attachment you weren't expecting, even if it appears to come from someone you know. Verify through a separate channel: call the person back on a number you already have, not one in the message. Hover over or long-press the link and read the host the browser will actually visit, not the text it displays. If your organization hasn't run a phishing simulation recently, you're flying blind. Our phishing awareness training for organizations walks your team through exactly these scenarios with realistic exercises.
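"Check the actual URL" is easy to say and surprisingly easy to get wrong, because the tricks are designed to survive a glance. The inspector below is an added example, not code from the original post, and uses only the standard library. It flags the four things worth checking by hand: a display text that names a different host than the href, a `user@host` prefix that makes the first "domain" you see irrelevant, a punycode (`xn--`) host that renders as something else, and a host that merely contains the brand name. The sample links and the trusted-domain list are constructed; the Cyrillic apple.com lookalike is the well-known homograph demonstration domain.

```python
"""Inspect a link the way the "check the actual URL" advice says to.

Added example, not from the original post. Sample links, display texts and the
trusted-domain lists are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def host_of(url):
    """Return (hostname, SplitResult) for a URL or a bare host."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts


def inspect_link(href, display_text="", expected_domains=()):
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    warnings = []
    host, parts = host_of(href)

    # https://bank.example@evil.example/ : the browser visits evil.example
    if parts.username is not None:
        warnings.append(f"userinfo trick: the browser goes to {host!r}, not {parts.username!r}")

    # Punycode labels are internationalized names; show what the user would see
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")
        except UnicodeError:
            shown = "(undecodable)"
        warnings.append(f"IDN host {host} renders as {shown!r}")

    # Raw non-ASCII in a host is a candidate for confusable characters
    if any(ord(c) > 127 for c in host):
        warnings.append(f"non-ASCII characters in host {host!r} (possible confusables)")

    # Display text naming a different site than the href points to
    m = DOMAIN_RE.search(display_text.lower())
    if m:
        shown_host = m.group(0)
        related = (shown_host == host or shown_host.endswith("." + host)
                   or host.endswith("." + shown_host))
        if not related:
            warnings.append(f"display text shows {shown_host} but the link goes to {host}")

    # Brand name inside a domain that is not the brand's domain
    if expected_domains and not any(host == d or host.endswith("." + d) for d in expected_domains):
        brands = [d for d in expected_domains if d.split(".")[0] in host]
        note = f" (contains {brands[0].split('.')[0]!r} but is not {brands[0]})" if brands else ""
        warnings.append(f"host {host} is not under {list(expected_domains)}{note}")
    return warnings


def demo():
    """Constructed links, one per trick; returns {case: warnings}."""
    trusted = ("bank.example",)
    return {
        "legit": inspect_link("https://online.bank.example/login", "online.bank.example", trusted),
        "userinfo": inspect_link("https://bank.example@203.0.113.9/login", "bank.example", trusted),
        "mismatch": inspect_link("https://bank-example.com/login", "https://bank.example/login", trusted),
        "idn": inspect_link("https://www.xn--80ak6aa92e.com/", "apple.com", ("apple.com",)),
        "confusable": inspect_link("https://b\u0430nk.example/", "bank.example", trusted),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "ok")
```

None of these checks replaces verifying through a second channel; they are what you do in the ten seconds before deciding whether that second channel is needed.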

4. Update Everything — Yes, Everything

I know this sounds like the most boring computer security advice on the planet. It's also one of the most effective. CISA's Known Exploited Vulnerabilities Catalog lists only flaws with confirmed in-the-wild exploitation and an available vendor fix or mitigation, and it sets a remediation due date for each. Many entries had patches available for months before exploitation took off. The organizations still getting hit through them are the ones that haven't applied what already exists.

Turn on automatic updates for your operating system, browser, and phone. Patch your router firmware. Update your apps. If you run anything internet-facing (VPN appliances, firewalls, mail gateways), patch those first; those products dominate the KEV list. Every unpatched system is an open door.

5. Back Up Like Your Business Depends on It

Because it does. Ransomware gangs know that an organization without working backups has little choice but to pay. The FBI's IC3 received 2,825 ransomware complaints in 2023, with adjusted losses exceeding $59.6 million, and that's just what was reported.

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite and, ideally, offline or immutable so ransomware that reaches your network cannot encrypt or delete it. Keep the credentials for your backup system separate from your everyday domain accounts; attackers go after backups first. Test your restores on a schedule. A backup you've never tested is just a hope.
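"Test your restores" should mean a mechanical check, not eyeballing a directory listing. The script below is an added example, not code from the original post. It backs up a directory to a tar.gz, writes a separate manifest of SHA-256 hashes next to it, restores into a scratch directory and compares every file against the manifest, then shows the same comparison catching a restore whose contents have drifted. Everything runs inside a temporary directory on constructed files; in real use the archive and manifest get copied to the second medium and to the offsite or offline location, and the manifest is what you check the copies against.

```python
"""Back up a directory, then prove the backup restores byte for byte.

Added example, not from the original post. Runs entirely on constructed files
inside a temporary directory. Paths and file contents are illustrative.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, dest_dir):
    """Write dest_dir/backup.tar.gz and a JSON manifest of file hashes beside it."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest = manifest_of(source)
    (dest_dir / "backup.manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest


def compare(manifest, restored_dir):
    """List missing, altered and unexpected files in a restored tree."""
    restored = manifest_of(restored_dir)
    problems = [f"missing: {p}" for p in manifest if p not in restored]
    problems += [f"altered: {p}" for p in manifest if p in restored and restored[p] != manifest[p]]
    problems += [f"unexpected: {p}" for p in sorted(restored.keys() - manifest.keys())]
    return problems


def verify_restore(archive, manifest, scratch_dir):
    """Extract the archive into scratch_dir and check it against the manifest."""
    scratch_dir = Path(scratch_dir)
    scratch_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Refuse members that would escape scratch_dir where the interpreter supports it
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch_dir, **extra)
    problems = compare(manifest, scratch_dir)
    return not problems, problems


def demo():
    """Constructed source tree: one clean restore, then a drifted one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("constructed sample file\n")
        (src / "ledger.csv").write_text("id,amount\n1,42\n")

        archive, manifest = backup(src, tmp / "media1")
        restore_ok, _ = verify_restore(archive, manifest, tmp / "restore1")

        # Simulate a restore whose contents no longer match what was backed up
        (tmp / "restore1" / "ledger.csv").write_text("id,amount\n1,9999\n")
        drifted = compare(manifest, tmp / "restore1")
        return {"manifest": manifest, "restore_ok": restore_ok, "drifted_problems": drifted}


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest outside the archive matters: if the archive itself is silently corrupted or tampered with, an internal checksum file goes with it, while a manifest stored on the other medium still tells you the truth.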

6. Embrace Zero Trust Thinking

Zero trust isn't just a corporate buzzword. The core principle — never trust, always verify — applies to individual users too. Don't assume your home network is safe. Don't assume a device on your network belongs there. Don't assume an email from your CEO is actually from your CEO.

In practice, this means segmenting your network (keep IoT devices off your main Wi-Fi), encrypting sensitive files at rest, and limiting app permissions to the minimum necessary. Question everything.

7. Invest in Security Awareness — Not Just Tools

I've audited organizations that spent six figures on security tools and zero dollars on training. Then they act surprised when an employee wires $200,000 to a spoofed vendor account. Every dollar spent on security awareness training pays for itself many times over.

The Verizon DBIR data makes this crystal clear year after year: humans are the primary attack surface. Our cybersecurity awareness training program covers everything from social engineering to credential theft in a format that doesn't put your team to sleep.

What Is the Single Best Piece of Computer Security Advice?

If I had to give one answer: enable phishing-resistant multi-factor authentication on every account that supports it. It neutralizes the most common attack chain — stolen or phished credentials leading to account takeover, lateral movement, and data breach. No single control prevents more real-world attacks per dollar spent.

Combine MFA with a password manager and basic phishing awareness, and you've just eliminated the majority of attack paths threat actors rely on. That's not theory — that's what the breach data consistently shows.

The Mistakes I See Over and Over

After years in this field, certain patterns are painfully predictable:

  • Reusing passwords across personal and work accounts. One compromised gaming forum account becomes a corporate data breach.
  • Ignoring mobile device security. Your phone has your email, your MFA codes, and your banking apps. Treat it like the high-value target it is.
  • Assuming antivirus is enough. Modern threat actors routinely bypass signature-based detection. Layered defense — including network monitoring, endpoint detection, and trained humans — is the only realistic approach.
  • Sharing too much on social media. Every detail you post publicly is reconnaissance material for a social engineering attack. Your pet's name, your high school, your mother's maiden name — those are security question answers.
  • Delaying incident response planning. The time to figure out who to call and what to do is before a breach, not during one.

Build the Habit, Not Just the Checklist

The best computer security advice isn't a one-time checklist. It's a set of habits. Verify before you click. Question unexpected requests. Keep everything updated. Assume compromise is possible and plan accordingly.

Attackers don't need to be sophisticated when targets make it easy. Don't make it easy.

Start with the fundamentals. Get your team trained through our organizational phishing awareness program and build on that foundation with our comprehensive security awareness training. The threats evolve every month. Your defenses should too.