Cybersecurity guide
Perfect security doesn't exist. But it's up to you to get as close as possible.
Why it matters now
Prevention is the only security strategy that always works.
Cybersecurity isn't something you activate after something goes wrong. It's a set of habits applied before anything happens. This guide gives you exactly that: the habits and tools to protect what you've built.
According to IBM and Microsoft studies, the vast majority of security breaches don't exploit complex techniques. They exploit careless habits.
43% of cyberattacks target small businesses. Those that apply basic security measures reduce their exposure by more than 90%.
Passwords
One unique password per service: the simplest habit with the greatest impact.
If you use the same password across multiple services and one of them is breached, all of them are exposed. A unique password per service isolates the problem. You don't need to memorize them: that's what password managers are for.
If you need to give someone access to your site or server, do it with a collaborator user, not by sharing your main password.
Bitwarden (free) or 1Password. They generate strong, unique passwords per site. You only need to remember one strong master key.
Two-factor authentication (2FA)
2FA protects your account even if someone gets your password.
Two-factor is a second verification when logging in: in addition to your password, you need to confirm your identity from another device. It's the most effective barrier against unauthorized access.
SIM swapping allows an attacker to convince your carrier to transfer your number. If 2FA comes via SMS, that protection can be bypassed.
Unlike Google Authenticator, Authy makes encrypted backups of your accounts. If you lose your phone, you can recover all your codes. Download it at authy.com.
Go to My Account → Security → Enable two-step authentication. It takes less than three minutes.
Your email, the master key
Your email is the master key to all your services, so it's worth protecting well.
Almost all services use email to recover passwords. If someone gains access to your email, they can access everything else. It's the most critical point in your entire digital security.
Having 2FA on other services but not on your main email doesn't make much sense. Start there.
- Enable 2FA with Authy on your main email
- Make sure your email has a unique password
- Check which is your recovery email and that it's also protected
Phishing
Recognizing a phishing attempt is a skill you can learn in minutes.
Phishing is when someone impersonates a trusted company or person to obtain your data or money. The most common channel is email, but it also happens via WhatsApp and social media.
- Check the actual sender of the email, not just the displayed name
- Never click links in emails that ask for money or sensitive data
- Save access to critical services as bookmarks (bank, Neolo, hosting)
No serious company will ever ask for your password by email. If someone asks for it, it's a phishing attempt.
In 2023, phishing accounted for more than 36% of all security breaches. It's the number one attack vector because it works.
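One way to automate the "check the actual sender, not just the displayed name" step is to compare the display name in the From header with the domain of the real address. This is an added example, not part of the original guide; the brand allow-list, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed allow-list (assumption): brand keyword -> domains it really sends from.
BRAND_DOMAINS = {"example bank": {"examplebank.example"}}
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample messages, not real mail.
SAMPLES = {
    "legit": "From: Example Bank <alerts@mail.examplebank.example>\n\nHi",
    "lookalike": "From: Example Bank Security "
                 "<notice@examplebank.example.account-verify.test>\n\nHi",
    "address_in_name": 'From: "support@examplebank.example" '
                       "<x9@bulk-sender.test>\n\nHi",
}

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_sender(raw_message):
    """Return warnings where the display name disagrees with the real address."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ["no parsable From address"]
    addr = header.addresses[0]
    name, domain = addr.display_name.lower(), addr.domain.lower()
    warnings = []
    # Case 1: the display name itself shows an address from another domain.
    shown = EMAIL_IN_NAME.search(name)
    if shown and not domain_matches(domain, {shown.group(1)}):
        warnings.append(f"name shows {shown.group(1)} but mail comes from {domain}")
    # Case 2: the display name uses a brand, the real domain is not that brand's.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name and not domain_matches(domain, allowed):
            warnings.append(f"claims to be '{brand}' but mail comes from {domain}")
    return warnings

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_sender(raw) or "no warnings")
```

The "lookalike" sample is flagged because the brand's domain appears only as a prefix of the real sending domain, which a suffix match rejects.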
Public WiFi
Browsing safely from anywhere is easier than it seems.
Public WiFi networks (airports, cafés, hotels) can be intercepted. Someone on the same network can see unencrypted traffic.
- Banking operations or payments
- Access to your website or hosting admin panels
- Checking corporate emails with sensitive information
Use your mobile data as a personal hotspot. Your 4G/5G connection is private and encrypted.
Works on 100 devices, multi-platform, no activity logging.
See Neolo VPN →
Phone security
Ten minutes of configuration turns your phone into a digital safe.
Your phone is the most accessed device in your day. Also the most exposed if it's not properly configured.
Many people think using an iPhone protects them from viruses. Apple devices can get infected. Phishing and SIM swapping are equally effective on iOS.
- Enable Face ID or fingerprint on sensitive apps (bank, email, Neolo)
- Auto-lock within 1 minute of inactivity
- Enable storage encryption (on Android: Settings → Security)
- Disable sensitive app notifications on lock screen
- Old phone as 2FA backup, kept at home
Browser extensions
Fewer extensions means more control over your privacy.
Browser extensions have access to everything you do online: pages visited, forms, passwords entered. A malicious extension is a permanent backdoor.
Only install extensions from recognized companies with millions of users and recent updates. If you don't use it often, uninstall it.
In 2020, Google removed more than 500 malicious extensions that stole browsing data from millions of users without their knowledge.
Your domain and your website
Your domain and hosting must be in your name. Always.
It's more common than you'd think: a designer or agency registers the domain in their name. When the relationship ends, recovering it can involve months of legal proceedings.
The domain, hosting and emails go in an account in your name. If you hire someone to work on your site, give them collaborator or limited FTP access, not the main credentials.
Encrypts the connection between your site and the visitor, removes the 'Not Secure' warning and improves your Google ranking.
See SSL Certificates →
Antivirus protection
An active antivirus on every device is your first line of defense.
Antivirus software detects and blocks known threats before they cause harm. Combined with good habits, it covers most attack vectors.
- Windows: Windows Defender is included but worth complementing with Malwarebytes
- Mac: macOS has built-in protections but isn't foolproof. Malwarebytes for Mac is free.
- Android: only install apps from Google Play and enable Google Play Protect
- iPhone/iPad: iOS is more closed but phishing and SIM swapping still apply
Software updates
Updating is the simplest and highest-impact security habit.
Every update includes fixes for identified vulnerabilities. Not updating means leaving doors open that attackers know about perfectly well.
Affected 200,000 computers in 150 countries. Exploited a vulnerability for which Microsoft had published a patch two months earlier. All infected machines could have been protected with a simple update.
- Enable automatic updates on Windows and macOS
- Keep your browser always on its latest version
- Update phone apps regularly
- WordPress: core, plugins and themes up to date
- Router firmware (often forgotten, but critical)
WordPress and malware
Keeping WordPress protected is simpler than it seems.
WordPress powers more than 43% of all websites in the world, making it the favorite target of automated attacks. An outdated WordPress install or old plugins are the most common entry vector.
- Core, plugins and themes always updated
- Remove plugins and themes you don't use
- Unique and strong admin password
- Limit failed login attempts
Most attacks are automated and look for known vulnerabilities. If your WordPress is up to date, it simply doesn't appear in their results.
Continuous monitoring, forced HTTPS, Wordfence, real-time blocking. 99% resolution rate for WordPress errors.
See Neolo Care+ →
Backups
Having an up-to-date backup is the best decision you can make today.
It's not a question of whether something will fail, but when. An up-to-date backup turns any catastrophe into a temporary inconvenience.
3 copies of your data, on 2 different media, with 1 copy at a remote location. If the backup is only on the same server as your site, it's not a real backup.
Resistant to floods, fires and power outages. Recovery in under 3 hours.
See Backups+ →
VPS and isolated environment
When does shared hosting stop being enough?
Shared hosting puts hundreds of sites on the same server. A VPS is an isolated virtual environment: your resources are exclusive, your configuration is yours, and other people's problems don't affect you.
- Your business has grown and traffic has increased
- You handle sensitive customer data
- You need to install specific software
- You want total control over server security
- Shared hosting performance is no longer enough
Isolated environment with full root access. Scalable, secure and managed.
See VPS →
Check if your data was leaked
Check in 30 seconds if your data is exposed. It's free.
Billions of accounts have been leaked from services like LinkedIn, Adobe, Dropbox and Yahoo over the years. Your credentials may be circulating on the dark web without your knowledge.
Created by Troy Hunt, Microsoft security researcher. Free, checks your email against more than 12 billion leaked accounts.
Don't panic. The next step is simple: change the password for that service and enable 2FA if you hadn't already.
A list with 10 billion unique passwords compiled from historical breaches. Attackers use it to automatically test combinations against any service.
Cybersecurity audit
Consider a professional audit every one or two years.
An audit gives you a complete and objective view of your business's security status: which devices are exposed, which services have weak configurations, what your real attack surface is.
- When your team grows and more people have access
- When you add new tools or vendors
- After an infrastructure migration
- As an annual periodic review
Our team analyzes your company's security: devices, access, services and configurations. We deliver a clear action plan, without unnecessary technical jargon.
Your cybersecurity checklist
- Unique passwords for each service (Bitwarden or 1Password)
- 2FA with Authy enabled on your main email
- 2FA enabled on your most important services
- 2FA enabled on your Neolo client area
- Never SMS as a second authentication factor
- Critical links saved as browser bookmarks
- Never click links in emails that ask for data or money
- Mobile data or VPN on public WiFi networks
- Face ID or fingerprint on phone apps
- Browser extensions only from recognized companies
- Domain and hosting registered in your name
- Active SSL certificate on your website
- Antivirus active on all your devices
- OS, browser and apps always up to date
- WordPress (core, plugins and themes) up to date
- Recent backup stored off your server
- Email verified on haveibeenpwned.com
- Old phone as 2FA backup, kept at home
- Cybersecurity audit every 1 or 2 years
Neolo tools for your security
Designed to complement your good habits and give you real peace of mind, without technical headaches.
Browse encrypted from any network. Protect your online identity on up to 100 devices.
See VPN →
The padlock on your site. Encryption, trust and better Google rankings.
See SSL →
Active protection for WordPress. Removes malware and monitors 24/7.
See Care+ →
Backups stored in Switzerland. Recovery in under 3 hours.
See Backups+ →
Most asked questions about cybersecurity
One per service. With a manager like Bitwarden (free) or 1Password, you don't need to remember them. You just remember one strong master password.
Better than reusing them, but dedicated managers are superior: encrypted, synced across devices, and not tied to one browser.
SIM swapping lets an attacker transfer your number to a SIM they control. The right alternative is Authy.
Don't enter any data. Close the browser. Change the password for that service. If you entered banking data, contact your bank immediately.
Not without protection. Use your mobile data as a hotspot, or activate a VPN before connecting.
Yes. The myth that Macs are invulnerable is false. Malwarebytes for Mac is free and effective.
A lot. 60% of hacked sites had outdated versions. Updates close known vulnerabilities that attackers actively exploit.
Not for all scenarios. You need an external copy in a different location from the server.
No. It encrypts your connection on public networks but doesn't protect against phishing or malware already installed on your device.
Your domain is your digital identity. If it's in someone else's name, they have legal control and recovering it can take months.