Copyright CNET

For many young adults, college is the first time they’ll be managing their own digital lives, and that can make them easy targets for hackers and scammers to exploit. Which college student doesn’t use public Wi-Fi and have dozens of logins, potentially all reusing the same password (school, email, online banking, streaming, etc.)?

Truth is, the average person may not think much about cybersecurity until something goes wrong. A data breach, stolen password or a lost/stolen laptop can cause real problems, especially when school or financial information is involved. And trust me, hackers aren’t going to do your online assignments for you.

The good news is that staying safe doesn’t require that much effort. You don’t need expensive software or a tech background. A few smart habits and good digital hygiene are all you really need. There are also several decent free tools that will keep your data and accounts safe, so you don’t need to put yourself in debt to protect yourself.

Here’s what should be on your cybersecurity checklist so you can focus on classes, study abroad or going to football games.

1. Use strong, unique passwords

Most people know they should use strong passwords, but many people still don’t. It’s not uncommon to recycle the same one across a dozen accounts, and understandably so. You’re juggling classes, projects and everything else, so remembering 30 different passwords isn’t high on the list.

But that’s exactly what bad actors count on. Once your credentials leak in a data breach, the bad guys run those same logins through every major service. It’s called credential stuffing, and it works.

Do yourself a favor and use passphrases instead of single words.
“CoffeeandLibraryNights2025!” is a lot stronger than “password1234.” The US Cybersecurity and Infrastructure Security Agency, or CISA, suggests making passwords at least 16 characters long, while including a mix of letters, numbers, special characters and words.

Better yet, offload the whole thing to a password manager like Bitwarden, Proton Pass or KeePass. Password managers are free or cheap tools that remember everything for you. Then you only have to recall one master password, not fifty.

If you have the extra cash, I personally recommend 1Password because it uses robust industry-standard AES-256 encryption, secret key architecture for enhanced account security and comes with built-in Watchtower alerts to check for security problems with websites you use. But any of the password managers we recommended work well.

2. Turn on multi-factor authentication

Multi-factor authentication, or MFA, stands between you and someone pretending to be you online. You log in with your password, then confirm it’s really you by some other means, such as entering a code from your phone or tapping a prompt on an app. MFA uses two or more separate methods of authentication. That extra step or steps can sometimes turn a stolen password into a useless piece of information, because without a text message, authentication code or another way to verify the login attempt, access can’t be granted.

Hackers and bad actors rely on the fact that most people skip this. They acquire or buy leaked passwords in bulk and test which ones still work. MFA can shut that door. Even if they have your login, they usually can’t get past the second check unless your subsequent methods of verification have also been compromised.

Some schools already support MFA through Duo or Google Authenticator. I work for a large IT company in Tokyo, and we use Duo. We haven’t had any problems (yet). Once it’s set up, it takes a few seconds to approve a login.
Those few seconds can help keep your data out of someone else’s hands.

3. Keep software and devices updated

Yes, software updates can be annoying, but they do matter. Some of them fix security vulnerabilities that hackers already know about. When you ignore them, you’re basically leaving your front door unlocked.

The easiest fix is to turn on automatic updates and let them run in the background. You usually won’t even have to think about it. And when your device tells you it needs a restart, just go ahead and do it. That quick reboot is often what actually locks in any available security fixes.

4. Install trusted antivirus or anti-malware tools

Most modern devices come with some kind of built-in protection. Windows 10 and 11 come with Microsoft Defender Antivirus, and I’ve enjoyed it. Similarly, on macOS devices, you’ll find XProtect built in to guard against threats. But you can opt for third-party Mac antivirus software if you want multi-device protection or additional cybersecurity benefits, like parental controls or identity theft insurance. A separate antivirus program may provide additional security benefits, like advanced threat removal, a better malware detection rate or identity theft protection.

If you’re on a budget, there are several free antivirus options that we recommend. AVG and Avira are free and do the job well. Bitdefender also has a free tier that works well. They scan your files, flag suspicious activity and tackle most of the stuff you’d expect an antivirus to do.

Run a full scan once in a while. And please don’t download anything from sketchy websites.

5. Use a VPN on public or unsecured Wi-Fi

Public Wi-Fi is convenient, but it’s easy for internet service providers or network administrators to snoop on what you’re doing online. Additionally, if you’re concerned about a compromised network, a VPN may be able to guard against adversary-in-the-middle attacks.
A VPN, or virtual private network, fixes that by keeping your online activity private, even on shared or unsecured networks, and stopping internet providers or other snoops from tracking your data.

Luckily, there are plenty of cheap VPNs or even free VPNs, so if you’re on a university student budget, you don’t have to shell out a lot of money. Our top budget picks are Mullvad VPN, Surfshark and Proton VPN, which is the best -- and only -- zero-dollar VPN we recommend.

Aside from having a VPN for school Wi-Fi, VPNs can be useful when you travel (like on a study abroad or spring break trip) or want to access content that isn’t available in your region, such as foreign Netflix libraries.

6. Be skeptical of phishing and scams

Phishing is when someone tries to trick you into giving up personal information by pretending to be a trusted source like your school, bank, friend/relative or a well-known company. Phishing messages are more convincing than ever, but there are signs you should still look out for. Watch for generic greetings (Hello, Dear), weird-looking URLs and urgent language pushing you to click a link or respond right away.

Always inspect links to see where they actually go. Hover your mouse over the hyperlink or right-click > Inspect before clicking to preview the full URL. Also, double-check the sender’s address before doing anything. The difference can be as subtle as microsoft.com and rnicrosoft.com. If you’re unsure, contact the organization directly through their official website.

Students, in particular, are often targeted by fake job postings or internship scams that ask for banking or ID details. If it happens to you, ignore the message and report it to campus IT. They may send out a mass warning email, so you could be helping someone else.

7. Secure your social media and personal info

Social media is a big part of life, but sharing too much can put you at risk. Bad actors look for small details like your birthday, school, hometown, etc.
to guess passwords or security answers. From your profile, I might be able to learn your email and that your first dog was named Chewbarka -- which may be one of your frequently used passwords or the answer to one of your security questions.

Keep your accounts private and limit what you post publicly. Only accept requests from people you actually know, and avoid sharing personal updates in real time. Most cases of identity theft start with bits of personal data collected over time. The less you share, the harder it is for anyone to use that information against you.

Also, stop doomscrolling. You should be studying.

8. Back up your data regularly

When I applied for a job with Synology in 2016, part of the interview process was writing about the importance of backing up your data. It was a late night, and I spilled a glass of wine on my laptop. I lost everything. Ironic, to say the least. I switched to craft beer shortly after.

Losing your work is more common than people think, and it usually happens at the worst possible time. Backing up your files keeps your data safe when a laptop breaks or a phone gets stolen. You don’t want to lose your essays or personal photos with it.

You can save your data in the cloud using services like Google Drive or Dropbox, or use a physical backup like a network-attached storage -- NAS -- or USB. Cloud services and a local backup can both be reliable, and using both gives you extra security.

Personally, I love TrueNAS (formerly FreeNAS) as a NAS operating system. But there are much cheaper options, like Unraid. And if you buy an off-the-shelf NAS from a company like Synology or TerraMaster, it should come with its own operating system that you can use.

Turn on automatic backups so your files save regularly without you needing to remember. By the way, I got the job.

9. Be smart about device safety

It only takes a moment for a laptop or phone to disappear. Keep your devices with you when you study, grab food or head to class.
Public spaces make it easy for someone to grab what you leave behind. Always secure your devices with a password, personal identification number -- PIN -- or biometric lock to protect your data.

If your school allows it, register your devices with campus police so they can help if something goes missing. This may not be an option for every university, but some offer it (Purdue, for example).

Protip: Cover your webcam when you are not using it. A simple cover or piece of tape is enough to keep anyone from watching without you knowing, and some webcams even come with a physical shutter to cover the lens.

10. Review app permissions and privacy settings

Most software and apps collect data by default, and usually more than they need. They can access your contacts, location, photos, microphone and more, without you realizing it.

Take a few minutes to check your app permissions in your phone or computer settings and see what each one is allowed to do. You can -- and should -- check privacy policies and app permissions when downloading apps to look for red flags. Turn off anything that doesn’t make sense. A social media app doesn’t need your precise location, and a photo editor doesn’t need your contact list.

An added benefit to this is that reducing permissions can also extend your battery life and make your device run more smoothly.

11. Know what to do if you’ve been compromised

If one of your accounts gets hacked or your device starts acting strange, deal with it immediately. Waiting usually only makes things worse.

First, change your passwords for any accounts that might be affected. Start with your email and financial accounts. Then run a malware scan on your device to clear out anything suspicious. If you gave out payment details or personal information, call your bank and let them know what happened. They can monitor or freeze your account if needed.
Finally, report the issue to your school’s IT team and/or local authorities so they can help trace it and stop it from spreading. Fast action limits the damage. The longer you wait, the harder it is to undo.

Bonus: Build a cyber-savvy routine

Cybersecurity works best when it becomes a regular habit. You don’t have to think about it constantly. Occasional check-ins do the trick. Set a monthly reminder and go through this quick checklist:

- Review your passwords and replace weak or repeated ones.
- Install updates for your operating system, browser and apps.
- Check your backups to make sure they’re current and working.
- Run a malware scan to catch anything suspicious.
- Review app permissions and remove access you don’t need.

These steps only take a few minutes but can save you from a lot of headaches later. And if you do all of this and still have your devices or data compromised, at least you’ll know you tried harder than most other folks.
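
The link inspection from step 6, automated as an added example that is not part of the original article: it flags links whose real destination differs from the address shown in the link text, and domains that only look like a trusted one (the microsoft.com / rnicrosoft.com case). The trusted list, the confusable-character table and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com", "example.edu"}  # assumption: sites you really use
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # look-alike -> real
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def base_domain(host):
    # Simplification: keep the last two labels; real tools use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def skeleton(domain):
    for look, real in CONFUSABLE:
        domain = domain.replace(look, real)
    return domain

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return (href, reason) for each link that deserves a second look."""
    collector, findings = LinkCollector(), []
    collector.feed(html)
    for href, text in collector.links:
        target = base_domain(urlsplit(href).hostname or "")
        for good in sorted(TRUSTED):
            if target != good and skeleton(target) == skeleton(good):
                findings.append((href, f"lookalike of {good}"))
        shown = DOMAIN_RE.search(text.lower())
        if shown and base_domain(shown.group()) != target:
            findings.append((href, f"text shows {shown.group()}, link goes to {target}"))
    return findings

# Constructed sample message body, not taken from a real email.
SAMPLE = """<a href="https://login.rnicrosoft.com/verify">Verify now</a>
<a href="http://files.example.net/doc">portal.example.edu/financial-aid</a>
<a href="https://www.microsoft.com/security">Microsoft security</a>"""
```

Calling check_links(SAMPLE) reports the first two links and leaves the genuine microsoft.com link alone.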