If you found a USB stick in the bathroom at work, would you plug it into your computer to see what’s on it? Preying on our inherent curiosity is one clever way cybercriminals try to trick us into making security mistakes in an effort to gain access to sensitive computer systems and launch a cyber attack. 

Human errors—like clicking on a malicious link in a phishing attack—can have debilitating impacts on businesses and personal lives. Hackers can steal personal information, like credit card or social insurance numbers, and publish it on the dark web, while companies could see a sudden drop in revenue as cautious customers take their business elsewhere. A whopping 95 per cent of cybersecurity breaches are caused by human error, like failing to install software security updates or having weak passwords. In short, protecting your data is paramount. 

More than 20 years ago, computer privacy specialist Bruce Schneier wrote on his blog, “Only amateurs attack machines; professionals target people.” Schneier suggests it’s easier for hackers to exploit human weaknesses, calling the human-computer interface “the most insecure interface on the Internet.” 

Related: Is ChatGPT Coming for Your Job?

Luckily, there are simple ways to protect your data from cybercriminals, and it starts with freshening up your personal web hygiene. “Don’t make it easy for cybercriminals to learn about you,” says Claudette McGowan, CEO of Protexxa, a Toronto-based cybersecurity platform that uses artificial intelligence to help companies secure their data. Here are McGowan’s top tips:

Set your personal social media accounts to private

In “spear phishing,” hackers specifically target individuals based on their interests. So if you post a Monday morning yoga pose on an open Instagram account, or tweet about a weekly girls’ night out at Milestones, hackers watch and take note.

“You’ve let me into your world,” McGowan says of hackers’ thinking. “Now, hackers can shape something that really elevates the likelihood that you’re going to click on the link and give them access to your systems.” An example of spear phishing? A yoga enthusiast receiving an email that says, “Click here for a free yoga mat” with a malicious link.

Do away with easy-to-guess passwords

McGowan says extremely obvious passwords, like “password” or “password123″—which are shockingly common—need to go. (Last year, NordPass reported that “123456” is the most popular password among CEOs and executives.) Instead, a password manager, like 1Password or NordPass, should be used to monitor for weak or compromised logins. It’s also wise to diversify your passwords across accounts; using a single password leaves the door wide open for hackers to take control of entire systems.

Enable multi-factor or two-step authentication

If criminals hack your password, there should always be a backup in place, whether it’s a six-digit code that pops up on your phone, or a code generated by an authentication app. McGowan says using an authenticator app is ideal, rather than an emailed code, in case you lose access to your account.

Related: Is It OK to Use ChatGPT to Write My Résumé?

And, if you get a notification that someone is trying to log in to one of your accounts and it seems suspicious, see if there’s a “not me” option and select it. Then, reset your password and revoke any third-party connections. (Look for a button that says “sign me out of all devices.”)

Keep your software up to date

McGowan says the most notable data breaches happened because companies did not update the software used to carry out daily work, leaving their systems vulnerable to bugs that hackers exploit. This happened in 2017, when credit-reporting company Equifax found a vulnerability in its system, but did not patch it. Hackers took advantage of the lax security and stole hundreds of millions of customer records, including social security numbers, addresses and dates of birth. McGowan says individuals should make updates to their personal and work devices as soon as possible—ideally within 24 hours of being notified they’re due for a refresh. 

Be prepared for cybercrime

If you’re in the dark about how your cybersecurity stacks up, personally or professionally, you’ll be scrambling when hackers come knocking. And, unfortunately, McGowan says it’s not a matter of if you and your company will be targeted in a cyberattack or data breach—it’s when. Small businesses and not-for-profits are particularly vulnerable because criminals know they likely don’t have resources for cyber divisions with active patching or monitoring in place. 

In the war against cybercrime, McGowan says employees should be on the frontlines and report suspicious emails to managers, suggest mandatory password changes every 90 days or request education sessions to improve cyber literacy among staff. “We have the ability to be the most cyber-literate country in the world,” McGowan says. “But we have to start with every single individual first.”