The best security practice that I have ever come across is this one:
The Two Computers Practice
Computer (A) with Windows, for surfing wildly through the internet and for playing games.
Computer (B) with Linux, only for online shopping, banking and top secret emails.
We rely on a system like (B) for online shopping, but that does not mean we can be careless with it, and the same goes for (A). System (A) still needs to be reasonably secure, because it holds the data and the logins for our online accounts (email, social media, online games etc.), and an attacker who compromises it gets those too.
To protect these we need to:
- keep good backups and… back up the backups.
- take care of system (A) by regularly updating and scanning for malware.
- be extremely cautious and suspicious with email attachments.
- always scan downloaded files before opening them.
- never click “Enable Content” in Word documents; it turns on macros, which is how many malicious attachments actually run.
- practice good password security.
- activate two-factor authentication on all of our accounts.
- use two separate browsers, one without Java, Flash and cookies for general browsing and searching, and another one with these features on, used only for trusted websites.
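A backup is only “good” if a copy exists somewhere else and you have checked that it can still be read. The following script is an added example, not part of the original post: it archives a directory, records the archive's SHA-256, makes the second copy (“back up the backups”), and verifies a copy against the recorded hash before you rely on it. All paths are hypothetical, and it assumes GNU tar and sha256sum are installed.

```shell
#!/bin/sh
# Added example: verified backups with a second copy.
# Not code from the original post; paths and names are hypothetical.

# make_backup SRC_DIR OUT_FILE
#   Archives SRC_DIR into OUT_FILE and stores its SHA-256 in OUT_FILE.sha256.
make_backup() {
    src="$1"
    out="$2"
    tar -C "$(dirname "$src")" -cf "$out" "$(basename "$src")" || return 1
    sha256sum "$out" | cut -d' ' -f1 > "$out.sha256"
}

# copy_backup BACKUP_FILE DEST_DIR
#   "Back up the backups": copy the archive and its checksum to a second place
#   (a different disk or machine in real use).
copy_backup() {
    cp "$1" "$1.sha256" "$2"/
}

# verify_backup BACKUP_FILE
#   Returns 0 only if the archive matches its recorded checksum and tar can
#   still list it; a corrupted or tampered copy fails here, not at restore time.
verify_backup() {
    f="$1"
    [ -f "$f.sha256" ] || return 1
    expected="$(cat "$f.sha256")"
    actual="$(sha256sum "$f" | cut -d' ' -f1)"
    [ "$expected" = "$actual" ] || return 1
    tar -tf "$f" >/dev/null 2>&1
}

# demo: build a throwaway directory, back it up, copy it, corrupt the primary
# and show that only the untouched copy verifies.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/photos" "$work/second-disk"
    printf 'constructed sample file\n' > "$work/photos/holiday.jpg"
    make_backup "$work/photos" "$work/photos.tar"
    copy_backup "$work/photos.tar" "$work/second-disk"
    printf 'garbage' >> "$work/photos.tar"          # simulate bit rot / tampering
    verify_backup "$work/photos.tar" && echo "primary: OK" || echo "primary: CORRUPT"
    verify_backup "$work/second-disk/photos.tar" && echo "copy: OK" || echo "copy: CORRUPT"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh backup.sh --demo`; in real use, point `make_backup` at the data that only lives on (B) and `copy_backup` at a drive that is normally disconnected, and schedule `verify_backup` so a silently damaged archive is noticed before it is needed.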
It is also a good idea to store files like vacation photos on (B) to minimize the risk to our data. Generally, any data that does not need to be online should be kept on a system that does not connect to the internet, or on a well-protected one like (B).
If you need to retain absolute secrecy about your email contents, then it's a good idea to have a separate email address for those communications, accessed only from system (B). The email provider should NOT be an American company (see the Snowden revelations), and you should encrypt the messages themselves for additional security, rather than relying on the provider.
The hardest thing is to motivate home users to practice good security. Knowing that the internet has threats does not always mean understanding them.
Applying these practices is not a guarantee that your system will not be compromised, but it does minimize the risks and helps in the recovery after a “disaster”. There is no such thing as 100% security, unfortunately.