SECTION 01 / 06
Passwords & Multi-Factor Authentication
MFA is enabled on your email account CRITICAL
Your email is the master key — if it's compromised, everything else falls.
WHY THIS MATTERS
Most "forgot password" flows send a reset link to your email. If an attacker gets into your email, they own every account linked to it — banking, social, work, everything. MFA adds a second layer that stops attackers even if they have your password.
HOW TO CHECK
- Open your email provider (Gmail, Outlook, Apple Mail, etc.)
- Go to Security or Account Settings
- Look for "2-Step Verification", "MFA", or "Two-Factor Authentication"
- If it's off, turn it on. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS if possible
- Save your backup codes somewhere safe (printed out or in a password manager)
MFA is enabled on banking & financial accounts CRITICAL
Online banking, PayPal, super/pension apps, and any investment accounts.
WHY THIS MATTERS
Financial fraud is often automated. Once credentials leak in a breach, bots attempt logins within hours. MFA buys time and stops most automated attacks entirely.
HOW TO CHECK
- Log into each financial account you use
- Navigate to Security or Profile settings
- Enable MFA — for banking, SMS codes are acceptable if an authenticator app isn't offered
- Repeat for: bank, super fund, PayPal, Afterpay/Klarna, brokerage accounts
You use a password manager HIGH
1Password, Bitwarden, Dashlane, or even your browser's built-in vault.
WHY THIS MATTERS
Humans can't memorise unique 20-character passwords for 50+ accounts. Without a manager, we reuse passwords. When one site gets breached, credential stuffing attacks try that same password everywhere else.
HOW TO CHECK / SET UP
- If you reuse passwords across sites, that's the top sign you need a manager
- Free options: Bitwarden (excellent), Apple Keychain, Google Password Manager
- Paid options: 1Password, Dashlane (more features, family sharing)
- Start by importing your existing passwords, then gradually update weak/reused ones
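The "update weak/reused ones" step is easier with a list to work from. The following is an added example, not code from the checklist or from any password manager vendor: it reads an exported vault and reports which entries share a password (credential-stuffing targets) and which are short. It assumes a CSV export with the columns name,url,username,password; real managers use their own column names, so adjust the header to match yours. The sample vault below is constructed, and the report names entries rather than echoing the passwords themselves.

```python
"""Added example: audit a password-manager export for reused and weak entries.

Assumption (not from the checklist): the export is a CSV with the header
name,url,username,password. Edit the header line if your manager differs.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: three sites share one password, one is very short.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,alice,Tr0ub4dor&3-correct-horse
Forum,https://forum.example,alice,Summer2019!
Shop,https://shop.example,alice@mail.example,Summer2019!
Streaming,https://tv.example,alice,Summer2019!
Email,https://mail.example,alice,x9$Lq2!vB7mK4pZr
Old site,https://old.example,alice,abc123
"""

MIN_LENGTH = 12  # anything shorter is flagged as weak; raise to taste


def audit_export(csv_text):
    """Return {'reused': [[names sharing one password], ...], 'weak': [names]}.

    Passwords are grouped in memory but never placed in the report, so the
    output is safe to paste into a to-do note.
    """
    by_password = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row["password"]
        by_password[pw].append(row["name"])
        if len(pw) < MIN_LENGTH:
            weak.append(row["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    return {"reused": reused, "weak": weak}


def priority_list(csv_text):
    """Entries to rotate first: reused ones (a breach at any one of them
    exposes the others), then weak ones, without duplicates."""
    report = audit_export(csv_text)
    ordered = []
    for group in report["reused"]:
        ordered.extend(n for n in group if n not in ordered)
    ordered.extend(n for n in report["weak"] if n not in ordered)
    return ordered


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password used on:", ", ".join(group))
    print("too short:", ", ".join(report["weak"]))
    print("rotate first:", " -> ".join(priority_list(SAMPLE_EXPORT)))
```

Run it against your own export, then delete the export file: a plaintext vault on disk undoes the point of the manager.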
You've checked if your email has been in a breach HIGH
Check HaveIBeenPwned to see if your credentials have leaked online.
WHY THIS MATTERS
Billions of credentials from past breaches (LinkedIn, Adobe, Canva, etc.) are freely available on dark web forums. Attackers use these lists in automated attacks. Knowing you're exposed means you can act first.
HOW TO CHECK
- Go to haveibeenpwned.com
- Enter your email address(es). This is safe: the site is run by a reputable security researcher
- If you appear in breaches, change the password for that site immediately
- Enable notifications so you're alerted to future breaches
Social media accounts have MFA enabled MEDIUM
Facebook, Instagram, LinkedIn, X/Twitter — account takeovers are common.
WHY THIS MATTERS
Compromised social accounts are used to run scams on your contacts, spread misinformation under your name, or even for identity fraud. They can be very hard to recover once lost.
HOW TO CHECK
- On each platform, go to Settings → Security & Privacy
- Find Two-Factor Authentication and turn it on
- Also review "Login activity" or "Where you're logged in" and remove old sessions
SECTION 02 / 06
Devices & Software Updates
Your phone OS is up to date CRITICAL
iOS and Android patches fix security holes that are actively being exploited.
WHY THIS MATTERS
Security patches close known vulnerabilities. Attackers actively scan for devices running old software. Being even one major version behind can expose you to public exploits.
HOW TO CHECK
- iPhone: Settings → General → Software Update
- Android: Settings → System → System Update (varies by brand)
- Enable automatic updates so you don't fall behind
- If your device is too old to receive updates, consider upgrading — it's a real security risk
Your computer OS and apps are up to date HIGH
Windows, macOS, and especially your browser need regular patching.
WHY THIS MATTERS
Browsers and office software are the most common attack vectors. Ransomware often enters through unpatched software vulnerabilities.
HOW TO CHECK
- Windows: Start → Settings → Windows Update → Check for updates
- Mac: Apple menu → System Settings → General → Software Update
- Check your browser: chrome://settings/help or Firefox menu → Help → About
- Also update: Office apps, Adobe Reader, Zoom, and any other apps you use regularly
Your devices have a PIN, password or biometric lock HIGH
Phone and laptop screens should lock automatically.
WHY THIS MATTERS
Physical theft or "shoulder surfing" is still a major attack vector. An unlocked phone left on a cafe table is a goldmine. Auto-lock within 1–2 minutes is best practice.
HOW TO CHECK
- Phone: confirm a PIN/Face ID/fingerprint is required after screen timeout
- Laptop: Settings → Lock screen → set to lock after 1–2 minutes of inactivity
- Also enable remote wipe where available: Find My (Apple) or Find My Device (Android/Google). On Windows laptops, BitLocker encryption is the main safeguard, keeping the data unreadable if the device is lost
You have antivirus / endpoint protection on your PC MEDIUM
Windows Defender is built-in and adequate; Macs benefit from Malwarebytes.
WHY THIS MATTERS
Malware, ransomware, and keyloggers can be installed through phishing links, dodgy downloads, or infected USB drives. AV software provides a catch-net for known threats.
HOW TO CHECK
- Windows: Search "Windows Security" → Virus & threat protection → ensure it's enabled and up to date
- Mac: macOS has built-in XProtect malware scanning but no full antivirus suite. Consider running a free Malwarebytes scan quarterly
- Avoid installing multiple AV programs — they conflict with each other
Your important data is backed up HIGH
Follow the 3-2-1 rule: 3 copies, 2 media types, 1 offsite.
WHY THIS MATTERS
Ransomware can encrypt everything on your device and demand payment. Hardware fails. Phones get dropped in toilets. A backup is your get-out-of-jail-free card.
HOW TO CHECK
- Phone: check iCloud Backup (iPhone) or Google One backup is enabled and recent
- PC: use Time Machine (Mac) or Windows Backup to an external drive
- Also use a cloud storage service (OneDrive, Google Drive, iCloud) for key documents
- Test a restore every 6 months — backups that can't be restored are useless
SECTION 03 / 06
Network & Wi-Fi Security
Your home Wi-Fi uses WPA2 or WPA3 encryption HIGH
Old WEP/WPA encryption can be cracked in minutes.
WHY THIS MATTERS
An attacker on your network can intercept unencrypted traffic, see what sites you visit, and potentially access other devices. WPA3 is the modern standard.
HOW TO CHECK
- Log into your router admin panel (usually 192.168.0.1 or 192.168.1.1 — check the sticker on your router)
- Look for Wireless Security settings
- Ensure it's set to WPA2-AES or WPA3 — not WEP, WPA, or TKIP
- While you're there, change the default admin username and password if you haven't
You avoid doing sensitive tasks on public Wi-Fi HIGH
Cafes, airports, hotels — these networks can be monitored or faked.
WHY THIS MATTERS
Attackers set up "evil twin" hotspots with names like "CafeWifi_Free" to intercept your traffic. Even legitimate public networks carry risks from other users on the same network.
WHAT TO DO
- On public Wi-Fi, avoid logging into banking or sensitive accounts
- Use your mobile data hotspot instead for sensitive tasks
- If you regularly use public Wi-Fi, consider a reputable VPN (Mullvad, ProtonVPN)
- Ensure sites show HTTPS (padlock icon) before submitting any info
Your router firmware is up to date MEDIUM
Router vulnerabilities can expose every device on your network.
WHY THIS MATTERS
Routers sit at the gateway of your entire home network. Unpatched router vulnerabilities have been used in large-scale attacks affecting millions of homes.
HOW TO CHECK
- Log into your router admin panel
- Look for Firmware Update or Software Update in the settings
- Some modern routers (Eero, Unifi, Google Nest) auto-update — confirm this is enabled
- If your router is more than 5 years old, consider replacing it
Guest network is set up for visitors and IoT devices MEDIUM
Smart TVs, doorbells, and visitor phones should be isolated from your main network.
WHY THIS MATTERS
IoT devices (smart bulbs, TVs, thermostats) often have weak security and rarely receive updates. If compromised, an attacker on the same network can try to reach your PC or NAS. Isolation limits the damage.
HOW TO SET UP
- In your router admin panel, look for "Guest Network" or "Guest Zone"
- Create a separate SSID with its own password
- Ensure "client isolation" is enabled (devices can't see each other)
- Move all smart home devices and visitor devices onto the guest network
Your DNS is set to a privacy-respecting resolver MEDIUM
Cloudflare (1.1.1.1) or Google (8.8.8.8) are faster and more private than ISP defaults.
WHY THIS MATTERS
Your ISP's default DNS can log every site you visit and sell that data. Cloudflare 1.1.1.1 promises not to log queries and is significantly faster. NextDNS and AdGuard DNS can also block ads and trackers at the network level.
HOW TO SET UP
- In your router admin, find DNS Settings
- Set Primary DNS to 1.1.1.1 (Cloudflare) and Secondary to 1.0.0.1
- Alternatively, set to 9.9.9.9 (Quad9 — blocks malicious domains)
SECTION 04 / 06
Phishing & Social Engineering
You know how to spot phishing emails CRITICAL
Phishing is still the #1 way attackers get into accounts and networks.
RED FLAGS TO WATCH FOR
Modern phishing emails look incredibly convincing. Here are the tells:
THE PHISHING CHECKLIST
- Check the sender's actual email address — not just the display name. "PayPal Support" can come from anything@scamsite.com
- Urgency is a weapon. "Act NOW or your account will be suspended" is designed to make you panic and not think
- Hover over links before clicking — the destination URL appears at the bottom of your browser. Does it match the company's real domain?
- Unexpected attachments are dangerous — especially .zip, .exe, .docm files from unknown senders
- When in doubt, go direct. Don't click the link — open your browser and go to the site yourself
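The "hover over the link and compare the domain" step is where most people get tricked, because lookalike hosts put the real brand name somewhere in the address. The following is an added example, not part of the checklist: given the brand's real domain and a link destination, it explains why the link does or does not belong to that brand, covering the common tricks (brand name as a subdomain of another site, a `user@host` prefix that hides the real host, plain http, and hyphenated lookalikes). The brand domain and link addresses are constructed for the demo.

```python
"""Added example: check whether a link destination really belongs to a brand.

Only the registrable domain you expect (e.g. paypal.com) is an input; the
function returns (ok, reason) so the reason can be shown to the reader.
"""
from urllib.parse import urlsplit


def link_verdict(expected_domain, url):
    """Return (True, reason) only if the host is expected_domain or a
    subdomain of it and the link uses HTTPS; otherwise (False, reason)."""
    expected = expected_domain.lower().strip(".")
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme not in ("http", "https"):
        return False, f"not a web link (scheme {parts.scheme!r})"
    if not host:
        return False, "link has no host"
    if parts.username is not None:
        # https://paypal.com@evil.example: the text before @ is a username,
        # the browser actually connects to the host after it
        return False, f"text before @ is a username; the real host is {host}"
    if host == expected or host.endswith("." + expected):
        if parts.scheme != "https":
            return False, f"{host} is the right site but the link is plain http"
        return True, f"{host} is {expected} or one of its subdomains"
    if expected in host:
        # paypal.com.account-verify.example: the brand is a subdomain label,
        # the registered domain is whatever comes last
        return False, f"{expected} appears inside {host}, but {host} is a different domain"
    brand = expected.split(".")[0]
    if brand in host:
        return False, f"lookalike: {host} contains '{brand}' but is not {expected}"
    return False, f"{host} is unrelated to {expected}"


def check_links(expected_domain, urls):
    """Apply link_verdict to every link in a message; returns the bad ones."""
    return [(u, reason) for u in urls
            for ok, reason in [link_verdict(expected_domain, u)] if not ok]


if __name__ == "__main__":
    # Constructed sample links, as might appear in a fake "account suspended" email
    sample = [
        "https://www.paypal.com/signin",
        "https://paypal.com.account-verify.example/login",
        "https://paypal.com@evil.example/login",
        "http://www.paypal.com/signin",
        "https://secure-paypal-login.example/",
    ]
    for url, reason in check_links("paypal.com", sample):
        print(f"SUSPICIOUS {url}: {reason}")
```

The rule encoded here is the one from the checklist: only the part of the host after the last dot-separated brand label counts, so `paypal.com.anything.example` is `example`'s site, not PayPal's. A matching host is still no proof on its own (the page's "go direct" advice stands), but a non-matching one is a reliable reason to stop.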
You're aware of phone call scams (vishing) HIGH
Scammers impersonate the ATO, NBN, banks, Amazon, and Microsoft Support.
HOW THESE SCAMS WORK
Scammers call claiming to be from a trusted organisation, often saying you owe a fine, your account has been compromised, or your computer is sending viruses. They create urgency and ask for payment, remote access, or personal information.
GOLDEN RULES
- Legitimate government agencies (ATO, Centrelink) will never demand immediate payment by gift card or cryptocurrency
- Microsoft, Apple, and Amazon do not cold-call you about viruses or account issues
- If unsure, hang up and call back on the official number from the organisation's actual website
- Never give anyone remote access to your computer unless you initiated a support call with a verified company
You limit personal info shared publicly on social media MEDIUM
Date of birth, phone number, address, and pet names help attackers guess passwords and security questions.
WHY THIS MATTERS
Attackers use "OSINT" (open source intelligence) to gather info from your public profiles before targeting you. Your pet's name, mother's maiden name, and high school are all common security question answers — and common post topics.
WHAT TO REVIEW
- Review your Facebook/Instagram privacy settings — who can see your posts and profile?
- Avoid posting: full date of birth, current location in real-time, home address, travel dates
- Consider using fake answers for security questions and storing them in your password manager
You use unique email aliases for sign-ups MEDIUM
Apple Hide My Email, SimpleLogin, or +tags reduce spam and trace breaches.
WHY THIS MATTERS
Using one email everywhere means every breach exposes it for spam and credential stuffing. Aliases let you trace exactly which service leaked your data, and you can disable them instantly if they're compromised.
OPTIONS
- Gmail trick: yourname+shopname@gmail.com — easy to set up, but the base address is still visible
- Apple Hide My Email (free with iCloud+): generates random addresses that forward to your real inbox
- SimpleLogin or addy.io: free, open-source, works with any email provider
You've reviewed what apps have access to your accounts MEDIUM
"Login with Google" and "Login with Facebook" grant third-party app access.
WHY THIS MATTERS
Every time you use "Sign in with Google/Facebook", you grant that app some level of access to your account. Many people have dozens of apps they no longer use that still have persistent access.
HOW TO AUDIT
- Google: myaccount.google.com → Security → Third-party apps with account access
- Facebook: Settings → Security → Apps and Websites
- Apple: Apple ID → Sign in with Apple → review and revoke old apps
- Remove any apps you no longer use or don't recognise
SECTION 05 / 06
Privacy & Data Exposure
You've reviewed app permissions on your phone HIGH
Does that torch app really need your contacts and microphone?
WHY THIS MATTERS
Apps routinely request far more permissions than they need. Location data, contact lists, and microphone access are valuable for advertising — and a privacy risk if the app is compromised or sold.
HOW TO REVIEW
- iPhone: Settings → Privacy & Security — review each category (Camera, Microphone, Location, Contacts)
- Android: Settings → Privacy → Permission Manager
- Revoke any permissions that seem excessive for the app's purpose
- Set location to "While Using App" rather than "Always" for most apps
You use a browser with good privacy defaults MEDIUM
Firefox or Brave are significantly more private than Chrome or Safari out of the box.
WHY THIS MATTERS
Your browser sees everything you do online. Chrome sends significant telemetry to Google. Brave blocks ads and trackers by default. Firefox has strong privacy extensions and a solid track record.
QUICK WINS FOR ANY BROWSER
- Install uBlock Origin — the best free ad and tracker blocker
- In Chrome: Settings → Privacy → turn on "Send a Do Not Track request"
- Use private/incognito mode on shared or public computers
- Consider switching to Firefox or Brave for daily browsing
You've enabled disk encryption on your laptop HIGH
BitLocker (Windows) or FileVault (Mac) protects data if your device is stolen.
WHY THIS MATTERS
Without encryption, anyone with physical access can pull your hard drive and read every file — no password needed. With encryption, a stolen laptop is a useless brick to an attacker.
HOW TO CHECK / ENABLE
- Mac: System Settings → Privacy & Security → FileVault — turn it on if it's off
- Windows 11 Pro: Search "Manage BitLocker" and turn it on
- Windows 11 Home: Search "Device encryption" in Settings
- Store your recovery key somewhere safe — if you forget it and get locked out, data is gone
You've set up credit/fraud monitoring MEDIUM
Know quickly if someone opens a credit account in your name.
WHY THIS MATTERS
Identity thieves can use stolen personal information to apply for loans, credit cards, or even phone plans in your name. Early detection means early resolution.
WHAT TO DO
- Australia: Check your credit report for free at Equifax, Experian, or illion annually
- Sign up for free credit monitoring alerts (many banks now offer this)
- Review your credit card statements monthly for unrecognised transactions
- If you suspect identity theft, contact IDCARE (Australia's national identity support service)
You use HTTPS-only sites for sensitive actions MEDIUM
Always check for the padlock — plain HTTP sites expose your data in transit.
WHY THIS MATTERS
HTTP sites transmit data in plain text. Anyone on the same network (especially public Wi-Fi) can intercept and read it. HTTPS encrypts the connection between you and the server.
WHAT TO DO
- Never submit a form with personal or financial info on an http:// site
- Most browsers now warn you — pay attention to these warnings
- Enable "HTTPS-Only Mode" in Firefox (Settings → Privacy → HTTPS-Only Mode)
- Chrome users: Settings → Privacy → Advanced → Always use secure connections
SECTION 06 / 06
Smart Home, Accounts & Habits
Smart home devices use unique, strong passwords HIGH
Default passwords on cameras, doorbells, and smart speakers are publicly known.
WHY THIS MATTERS
Shodan.io (a search engine for internet-connected devices) indexes thousands of cameras and routers still running default credentials. Attackers use it to find and access these devices — including baby monitors and security cameras — remotely.
WHAT TO DO
- Log into each smart device's app or admin panel
- Change any default username/password to something unique (use your password manager)
- Enable auto-updates if available, or check for firmware updates quarterly
- Disable remote access/UPnP on devices that don't need it
You've deleted old/unused accounts MEDIUM
Dormant accounts with old passwords are easy targets — and hold your data.
WHY THIS MATTERS
You can't be breached through an account that doesn't exist. Old forums, shopping sites, and apps hold personal data you've forgotten about. When those sites get breached, your data leaks.
HOW TO FIND AND DELETE
- Search your email inbox for "welcome to", "confirm your account", "verify your email" to find old sign-ups
- Use JustDeleteMe.xyz to find deletion instructions for hundreds of services
- Unsubscribe from mailing lists you no longer need while you're at it
You use encrypted messaging for sensitive conversations MEDIUM
Signal or WhatsApp (end-to-end encrypted) instead of plain SMS for private matters.
WHY THIS MATTERS
Plain SMS is not encrypted in transit and can be intercepted. End-to-end encrypted apps like Signal mean only you and the recipient can read messages — not telecom companies, not governments, not the app maker.
RECOMMENDATIONS
- Signal: gold standard for privacy — fully open source, no ads, non-profit
- WhatsApp: end-to-end encrypted by default, widely used, though owned by Meta
- iMessage (blue bubbles only): encrypted between Apple devices; falls back to unencrypted SMS for Android recipients
- For truly sensitive matters, prefer Signal with disappearing messages enabled
You have a plan for a security incident MEDIUM
Knowing what to do when something goes wrong reduces damage dramatically.
IF YOU THINK YOU'VE BEEN HACKED
Panic is the enemy. Having a clear plan means you act fast and correctly instead of making things worse.
THE INCIDENT RESPONSE CHECKLIST
- Change your password immediately on the affected account, from a trusted device
- Revoke active sessions: most accounts have a "Sign out everywhere" option
- Check for forwarding rules in your email — attackers often set these up to silently copy emails
- Notify your bank if financial accounts may be involved — freeze your card if needed
- Report it: ReportCyber.gov.au (Australia) or scamwatch.gov.au for scams
You'll schedule a security review every 6 months HABIT
Security is a practice, not a one-time event. Calendar a reminder now.
THE SECURITY HABIT
New threats emerge, services change, and we gain new accounts. A 6-monthly review — ideally when changing clocks for daylight saving — keeps you ahead of the curve.
YOUR SEMI-ANNUAL CHECKLIST
- Run through this assessment again
- Check haveibeenpwned.com for any new breaches
- Review and update your most important passwords
- Check for any app/device software that's been neglected
- Review who has access to your shared accounts (Netflix, Spotify, etc.)