I've been working in the IT industry for over 30 years. Over the years, I've acquired a number of behaviors and principles that seem completely normal and sensible to me. However, when observing other PC users, I often discover risky behaviors, or at least less security-oriented ones. ⚠️

That's why I've compiled the top 10 things I'd never do as an IT security expert, along with tips on what to do instead.📋

1. Move instead of copy

In Windows Explorer, the difference is barely noticeable: Here, photos and videos are moved instead of copied. This can worsen data security rather than improve it.

Moving my own files instead of copying them makes me feel uneasy. This includes, for example, photos or videos from my camera or audio recordings from a smartphone or recorder. If I move single files, I run the risk of losing them as soon as I move them. Although this is very rare, it can't be completely ruled out. 🥴

Even if the move process is successful: The data will only be available once. If the PC's hard drive fails, the data is lost. If I make a mistake and accidentally delete the files, I lose them too. These are risks that only arise if you initiate a move operation instead of a copy. ⚠️

If you're thinking, "I need more SD card space for new photos," consider buying a second SD card. Your own data is always worth it. 🏷️

And when do I free up space on the SD card? I do this as soon as my backup plan on the PC has backed up the copied data. In my case, this is done on a network hard drive running on a Raspberry Pi. 💾

Important files are also automatically encrypted and uploaded to cloud storage. ☁️

2. Save my own data without a backup

I've set up automatic backups for all my important data. Because saving files I've created without a backup is too risky for me. This includes all the data I enter into apps, whether for Android, iOS, or Windows. Just because most apps don't offer an easily recognizable backup feature doesn't relieve users of their responsibility for their data.

For example, in two schools in Koblenz, Germany, several hundred school iPads were disconnected from the school network due to a bug. The students' handwritten notes on the Goodnotes app were deleted. Many students had worked exclusively with the school iPads and this app, meaning there was no secondary copy of their notes. Around 500 of the 7,500 iPads were affected by data loss because they were connected to the school network at the time of the outage.

A cloud backup, as is usual for iPads, was disabled for data protection reasons. No other form of data backup appears to have been used. The affected students cannot be held responsible here, but the responsible system administrator is. 👨‍💻

3. Format storage without a thorough review

Disk Management displays each connected drive and all its partitions. You can easily identify a partition by its name and size.

I would never make this mistake—because I've done it before. Therefore, I can only advise from experience: only format a storage drive when you're sure you've selected the right one.🔍

For years, I used external USB hard drives to store my files. The folder structure on these drives was generally identical. I had folders like “My Documents,” “Videos,” “Temp,” “Virtual PCs,” and a few others. Plus, all the drives were the same model, which I once bought at a good price. Some of these drives even had the same media designation: “Data.”

It wasn't very smart, because it made things easier to get confused. So, late one night, I ended up mistaking one of these drives for another and formatting the wrong one. 🤦‍♂️

Since then, I have very clearly named and labeled my external hard drives and USB drives and check them again before formatting.📝

First check, then format: Choosing the right drive before formatting is crucial to avoid unintentional data loss. In Windows Explorer, check the drive letter of the hard drive or partition you want to format. This is often not obvious on systems with multiple drives. Take the time to check, disconnecting other hard drives and other drives for clarity. The drive name and size will help you identify it. 🖥️

Also, start disk management by entering "Disk Management" in the Windows search. All connected disks and their partitions will be displayed. Only begin formatting when you're sure you've found the correct hard drive, USB drive, or partition.

4. Opening links in emails

I don't like opening links in emails. And I never open links if the email is supposedly from my bank or payment service provider. I don't even open links in my monthly PayPal email, even though I know it's really from PayPal. 🚫💳

Why not? These days, it's very easy for an attacker to create a deceptively real copy of a bank email. I wouldn't be able to reliably tell the difference between a phishing email and a legitimate email from my bank—at least not in the short time I have to check my inbox.

Instead, I open online banking and other important pages via links I've saved in my browser or by retyping the address each time. I log in to the site and check if there's a new message in my customer account. If not, then the email is either a hoax or not important enough for the bank to credit to my account. That's the end of it for me.

Advice: Change these 5 Windows settings to improve your data privacy.

5. Open suspicious files

The Hybrid Analysis online sandbox documents the behavior of a suspicious program with a screenshot. The service is free, but it's often overloaded and slow to respond.

If a file is suspicious, whether it's a program or a document, I don't open it. The risk is simply too great. As an IT editor, of course, I'm constantly downloading tools from the internet, and many of them are scanned by antivirus software. That's a clue that a file looks suspicious. 🦠

Another sign is the source. Files from dubious sites are just as suspicious as files attached to emails or from links in emails. If I can't avoid opening or launching such files, I always check them first with the tool www.virustotal.com. The online service analyzes a archive with more than 60 virus scanners. 🔒

If you want even more information about a suspicious file than www.virustotal.com provides, you can also upload suspicious files to an online sandbox. However, this is somewhat more complicated than a Virustotal test. The services often require registration and sometimes cost money.

A free and easy online sandbox without registration is available at hybrid-analysis.com 🍃

6. Provide vouchers for payment of services

If you're asked to buy vouchers, you should pay attention (at least if the request isn't coming from your children). This is how scammers trying to get your money operate.

Who would want to do this? A staggering number of users! They're all victims of a social engineering attack. Social engineering uses psychological tricks to manipulate people into doing things that aren't in their best interest. Human characteristics like trust, fear, or ignorance are exploited.🤷‍♀️

A popular trick is the following: Are surfing the internet And suddenly, a warning message appears that appears to be coming from Windows. Your PC has been hacked, and you should call a support number so a Microsoft employee can fix it. When you call, you're told that your PC has indeed been hacked. However, this costs money, and you're supposed to pay for it with vouchers. Criminals demand this because voucher codes are much harder for the police to trace than a bank transfer.

The fact is: No one is safe from social engineering tricks. A well-prepared and skilled attacker can lure anyone into a trap. There are many examples of this—search for "CEO fraud." But the moment something as unusual as a voucher code for a service is requested, you can be on guard and escape the trap. The same applies if you're told someone is coming to collect money from you.🆘

7. Connect unknown external devices

A USB flash drive whose owner I don't know. I don't plug it in. Fortunately, the days when Windows' autostart feature would immediately launch an EXE file from a connected USB flash drive are over. By default, Windows 10 and 11 simply offer to launch Windows Explorer to display the contents of the USB flash drive. 💼🔌

So that's not the problem. But like everyone else, I'm curious. Attackers take advantage of this and save malicious files with filenames you can't resist opening.😈

For a long time, security experts said that if you wanted to infiltrate a company network, all you had to do was leave a few infected USB drives in the company parking lot. Some employees will pick up a USB drive and plug it into their work PC. 🕵️‍♂️

Stuxnet professional malware is also said to have reached computers at the Iranian nuclear facility via a USB flash drive. It remains to be seen whether this USB flash drive entered the plant via the parking lot hack or was smuggled into the facility by an insider. Stuxnet destroyed the centrifuges at the nuclear facility and delayed the production of fissile material for a nuclear bomb.

When you need to insert a foreign USB drive: the same rules apply as in point 5. Check files at www.virustotal.com or run them in a sandbox.

8. Use default passwords

When I connect a new device that has default password protection, I immediately change the existing password. The same applies to online accounts that have been given a password. 🔑

I admit: It's been rare for a router to come with a default password. However, it's even more important to act quickly in the remaining cases. This is because attackers know default passwords and try to use them to log into devices. A good password manager can help you create strong, unique passwords for every site and service you use. 🛡️

9. Enable unnecessary network services

If you don't need remote access to the Fritzbox via www.myfritz.net, you shouldn't activate it. Each access point to your IT increases the attack surface for hackers.

Rarely does a month go by without a new security vulnerability being discovered in a NAS or webcam. These network devices are often vulnerable via the internet, allowing hackers to access NAS data, webcam feeds, or even the entire home network. 🔒👀

That's why I don't enable any network services I don't need. Remote access to my router is disabled. Remote access to my smart lighting is disabled. Access to my NAS and robot vacuum is also disabled. 🙅‍♂️

10. Buying an expensive version of antivirus

Most antivirus manufacturers offer three or more versions of the program. I would never buy the most expensive one. I don't need its expensive extra features.

Antivirus software typically comes in three versions: Simple, Good, and Very Good—or Antivirus, Internet Security, and Total Security. I would never buy the third and most expensive version. 💰

That is purely a financial consideration: If I were rich, I'd decide differently. But as long as money is tight, I'll only buy the mid-range version, which is usually called Internet Security. This option typically offers more than the free Microsoft Defender, but isn't as expensive as the full version. 📊

With the latter, I'd be paying for services I don't necessarily need (metadata cleansing, social media monitoring) or that I can get cheaper elsewhere (VPN services, cloud storage).

As I said, the full versions offer more, but I don't need that extra. 🚀

In conclusion, IT security is not just the responsibility of experts, but a daily commitment that every user must make to protect their data and devices 🔐.

Avoiding these 10 common mistakes — from not moving files without backup, avoiding opening suspicious links or files, to properly managing passwords and network services — can make a big difference in protecting against data loss, attacks, and fraud 🚫💻.

More than three decades of experience in the sector demonstrate that prevention, prudence, and the use of good practices are the best defense in an increasingly vulnerable digital environment.

Adopting these tips not only ensures greater security, but also peace of mind and efficiency in managing our personal and professional information ✅📊.

Safety starts with small habits that we should never underestimate! 🔑✨