As an IT professional, there are 10 things I would never do when it comes to computer security.

These are common mistakes that non-IT individuals often make, causing headaches for everyone involved.

With over 30 years of experience in the IT industry, I’ve been involved in testing antivirus software, providing tips on how to make Windows more secure, constantly seeking out the best security tools, and monitoring the activities of cybercriminals.

Over the years, I’ve developed a set of behaviors and principles that seem entirely normal and wise to me. However, when I observe other PC users, I often find risky or at least insecure behaviors.

That’s why I’ve compiled a list of the 10 most important things I would never do as an IT security expert, along with tips on what you should do instead.

Further reading: Best antivirus software

1. Move instead of copy

It’s hard to distinguish the difference in Windows File Explorer: here, photos and videos are moved, not copied. This not only fails to enhance data security, but worsens it.

Moving your files instead of immediately copying them makes me uneasy. This includes photos or videos from a camera, or recordings from a smartphone or recorder. If these are typically the only copies of the files, you face the risk of losing them once moved. While such occurrences are rare, they cannot be entirely ruled out.

But even if the moving process goes smoothly: the data is still only in one place. If the hard drive in the computer fails, the data is lost. If I make a mistake and accidentally delete these files, they’re gone. These risks only arise when you initiate a move operation instead of a copy operation.

If you think, “I need space on the SD card to save new photos,” then consider purchasing a second SD card. Your own data is always worth it.

When to free up space on the SD card? I execute this operation immediately after backing up the duplicated data on my PC. For me, this is done on a network drive running on a Raspberry Pi.

Important files are also automatically encrypted and uploaded to cloud storage.

2. Saving my own data without backing up

I’ve set up automatic backups for all important data. Because saving my own created files without timely backups is too risky for me. This also includes all data I input into applications, whether it’s Android, iOS, or Windows. Just because most applications don’t provide easily identifiable backup functions doesn’t absolve users of responsibility for their data.

For example, at two grammar schools in Koblenz, Germany, hundreds of school iPads were accidentally logged out of the school network. Handwritten notes in the Goodnotes app used by students were deleted. Many students only used the school’s own iPads and this app – in other words, their notes had no second copy. When the failure occurred, about 500 of a total of 7,500 iPads were affected by data loss due to being connected to the school network.

Cloud backups common on iPads have been disabled for data protection reasons. There appears to be no use of other forms of data backup. The fault lies not with the students but with the responsible system administrators.

3. Format storage without a thorough check

Drive management displays each connected drive and all its partitions. You can usually identify partitions clearly based on their names and sizes.

I would never make this mistake – because I’ve made this mistake before. Therefore, I can only advise from experience: only format storage drives when you’re sure you’ve selected the correct drive.

For years, I’ve been using external USB hard drives to store files. The folder structure on these hard drives is usually the same. There are folders like “My Documents,” “Videos,” “Temp,” “Virtual Machines,” and so on. More importantly, all the hard drives are of the same model, which I once spent a lot of money on. Some of these disks even have the same data carrier name – “Data.”

This isn’t very smart because it’s easy to mix them up. So, I ended up confusing one disk with another and formatting the wrong one.

Since then, I’ve been very careful about naming and labeling my external hard drive drives and USB sticks, and double-checking them before formatting.

Check first, then format: Choosing the correct drive before formatting is crucial to avoid accidental data loss. In Windows File Explorer, check the drive letter of the hard disk or partition you want to format. This may not immediately apparent on systems with multiple drives. Take the time to check, disconnect other hard drives and drives to increase clarity. The name of the disk and its size will help you identify it.

Additionally, launch “Disk Management” by typing “Disk Management” into Windows search. It will display all connected disks and their partitions. Only start formatting when you’re sure you’ve found the correct hard drive drive or USB stick or partition.

4. Opening links in emails

I don’t like opening links in emails. If an email purports to be from my bank or payment service provider, I never open the links. I don’t even open links in emails sent monthly by PayPal, even though I know the email actually comes from PayPal.

Why not? Nowadays, attackers can easily create deceptively real copies of bank emails. I can’t reliably distinguish between phishing emails and genuine bank emails – at least not in the short time I have to check my inbox.

Instead, I open online banking pages and other important pages through links saved in my browser or by typing the address into the browser every time. I log in to the website and check if I’ve received any new messages in my customer account. If not, the message in the email is either fake or not important enough for the bank to enter it into my customer account. For me, that’s the end of the matter.

5. Opening suspicious files

Online sandboxes perform mixed analysis by taking screenshots to record the behavior of suspicious programs. The service is free but often overloaded and responds very slowly.

If a file is suspicious, whether it’s a program or a document, I won’t open it. The risk is too high. As an IT editor, I regularly download tools from the internet, many of which are scanned by antivirus programs. This is one of the signs that makes files suspicious.

Another indicator is the source. Files from suspicious websites are as suspicious as email attachments or files from links in emails. If I can’t avoid opening or launching such files, I always check them first using This online service uses over 60 antivirus programs to scan files.

If you want more information about suspicious files than what provides, you can also upload the suspicious files to online sandboxes. However, this is more complex than Virustotal’s testing. These services usually require registration and sometimes payment.

You can get free and simple online sandboxing on without registering.

6. Give vouchers for payment of services

If you’re asked to purchase a voucher, you should listen carefully (at least if the request isn’t coming from your child). This is how scammers operate to swindle your money.

Who would do such a thing? Surprisingly many people! They are all victims of social engineering attacks. Social engineering exploits psychological techniques to manipulate people into doing things that are not in their best interest. Human traits like trust, fear, or ignorance are exploited.

A popular trick goes like this: You’re online and suddenly a warning message appears, seemingly from Windows. Your computer has been hacked, and you should call a support number to have Microsoft employees fix your computer. When you call, you’re told that your computer has indeed been hacked. However, it will cost money, and it should be paid with a voucher. Criminals ask for these because it’s harder for law enforcement to track voucher codes than bank transfers.

The fact is: No one is immune to social engineering. A well-prepared, technically savvy attacker can lure anyone into a trap. There are plenty of examples of this—just search for “CEO fraud”. However, when you’re asked for something as unusual as voucher codes for a service, you might get suspicious and escape the trap. The same goes if you’re told that someone is asking you for money.

7. Connecting unknown external devices

A USB stick that I don’t know the owner of. I don’t plug it in. Luckily, the days of Windows automatically launching EXE files from connected USB sticks are gone. By default, Windows 10 and 11 only offer to open Windows Explorer to display the content of the USB stick.

So, this isn’t a problem. But, like everyone, I’m curious. Attackers exploit this and use file names that you can’t resist opening to save malicious files.

For a long time, security experts have said that if you want to break into a company’s network, just leave some infected USB sticks in the company’s parking lot. Some employees will pick one up and plug it into their work computer.

It’s said that the professional malware Stuxnet even made its way to computers in Iran’s nuclear facility via USB sticks. It’s still unclear whether the USB stick was planted through a parking lot ruse or smuggled in by insiders. The worm destroyed centrifuges in the nuclear facility, delaying the production of fissile material.

When you must insert a foreign USB stick: Apply the same rule as point 5. Check the files on or launch them in a sandbox.

8. Using default passwords

When I connect a new device with default password protection, I immediately change the existing password. This also applies to online accounts that provide me with passwords.

There’s no denying that routers with default passwords are rare. However, taking action quickly in the remaining cases is more important. This is because attackers know default passwords and try to use them to log into devices. A good password manager can help you create strong and unique passwords for every website and service you use.

9. Enable unnecessary network services

For instance, if you don’t need remote access to your Fritzbox via, you shouldn’t activate it. Every access point in IT increases the attack surface for hackers.

Nearly every month, new security vulnerabilities are discovered in NAS (Network Attached Storage) or network cameras. These network devices are often easily exploitable over the internet, allowing hackers to access data on NAS, images on network cameras, or even the entire home network.

That’s why I don’t activate any network services that I don’t need. Remote access to my router – disabled. Remote access to my smart lighting – disabled. Access to my NAS and robot vacuum cleaner is also disabled.

10. Buy an expensive Plus version of antivirus

Most antivirus manufacturers offer three or more program versions. I won’t buy the most expensive one. I don’t need their costly additional features.

Antivirus software typically comes in three versions: basic, good, and very good — or antivirus, internet security, and total security. I will never purchase the third and most expensive version.

This is purely for financial reasons: if money were not an issue, I might make a different decision. But as long as funds are tight, I’ll stick to buying the middle version, often referred to as internet security. It usually offers more features than the free Microsoft Defender but isn’t as pricey as the full version.

For the latter, I’d be paying for services I might not necessarily need (metadata cleaning, social media monitoring), or I could get similar services cheaper elsewhere (VPN services, cloud storage).

As I’ve mentioned, the top-tier version provides more features, but I don’t need the extra functionality.

Leave a Reply

Your email address will not be published. Required fields are marked *