Teaching Simple Cyber Hygiene to Non-Technical Clients (Without the Jargon)
A client rings, voice tight, because an email “from the bank” says their account will be closed in two hours. They’ve stopped clicking, which is good, but now they’re stuck. They don’t want a lecture, they want one clear next step, and they want to feel a bit less foolish.
This is where cyber hygiene helps. It’s just small, repeatable habits that stop most online problems before they start. Not a computer science course, not a new personality, just a few daily and weekly routines that make scams and break-ins much harder.
This guide is about teaching those habits to non-technical readers or clients in a calm, practical way, so they can actually do them when it matters.
Start with the why, make it feel personal (not technical)

Most non-technical people don’t ignore security because they’re careless. They ignore it because it sounds like homework, and the “bad outcomes” feel far away. Teaching works when the risk feels close, ordinary, and human.
A good metaphor helps. Cyber hygiene is like brushing your teeth. You’re not trying to become a dentist. You’re trying to avoid pain, cost, and a frantic appointment later. Or think of it like locking your front door and keeping your keys safe. It’s boring right up until the day it isn’t.
When you teach, anchor the message in outcomes they already care about:
- Money: card fraud, bank transfers, fake invoices, “refund” scams.
- Photos and memories: phones wiped, cloud accounts taken over, albums held hostage.
- Access: being locked out of email, social media, tax portals, even smart home apps.
- Reputation: a hacked account sending dodgy messages to friends or clients.
- Time and stress: hours on hold, resetting passwords, freezing cards, proving who you are.
The goal isn’t to turn them into an IT expert. It’s to help them build a little friction for criminals, and a little confidence for themselves. If the habits are simple enough to do when tired, distracted, or rushed, they’ll stick.
For a non-technical angle that’s easy to share with clients, see Bitdefender’s guide to cyber hygiene for non-tech family members.
Use stories they recognise, money, photos, and locked accounts
Keep your examples short and familiar, like scenes from real life:
Mini-story 1 (fake parcel text): They get a text saying a delivery fee is due, the link looks normal, they pay £1.49, then the card is used for bigger purchases later. The real cost is the admin: calling the bank, replacing the card, checking statements, worrying about what else was “seen”.
Mini-story 2 (invoice email): A freelance client receives an “updated bank details” invoice from someone they work with. They pay it. Later, the real supplier chases payment, and now there’s a messy dispute and awkward phone calls.
Mini-story 3 (“your account is locked” call): Someone phones pretending to be support, says the account is under attack, and pushes them to “confirm” a code. That code is the key to the account.
Each story lands the same lesson: scams don’t win by being clever, they win by rushing you.
A takeaway your clients can repeat is: “Slow down, then sign in your own way.”
Swap jargon for “second lock”, “updates”, and “back-ups”
Jargon creates two problems. First, it makes people switch off. Second, it creates shame, and shame kills follow-through. Plain words make it easier for someone to admit, “I don’t get it,” without feeling small.
A simple translation can change everything:
| Tech term | Plain-English version | What it means in one line |
|---|---|---|
| MFA / 2FA | Second lock | A second step to prove it’s you |
| Phishing | Bait message | A message trying to trick you |
| Ransomware | File lock-up | Your files get blocked until you pay |
| Patch | Fix | A repair for a known weakness |
When you teach, use the plain phrase first, then add the “proper” term in brackets only if needed. People remember pictures, not acronyms.
Teach the “Big 5” habits that block most attacks
If you only teach five things, teach these. They cover most everyday risks, and they don’t require special kit.
Updates on autopilot, fix the cracks before someone climbs in
What it is: Letting your phone, computer, apps, and browser install updates automatically.
Why it matters: Updates often fix known security holes. Leaving devices unpatched is like leaving a window stuck open because you “haven’t got round to it”.
How to do it (phone):
- Use Settings to turn on automatic system updates.
- Update apps only via the App Store or Google Play.
- Restart the phone once a week (restarts help updates finish properly).
How to do it (computer):
- Turn on automatic updates in Windows Update or macOS Software Update.
- Keep browsers (Chrome, Safari, Edge, Firefox) up to date, because browsers are a common entry point.
- Restart weekly, even if the laptop “seems fine”.
- If your router prompts for an update, do it. If it never prompts, check the router’s admin page every few months.
Watch for a common trick: Fake update pop-ups in a web page. Teach one rule: only update from Settings or the official app store, never from a random pop-up.
Done looks like: “Auto-updates are on, and I restarted this week.”
Passwords and passkeys, use one key per door, add a second lock
What it is: Unique sign-ins for each account, stored safely, plus a second step for logins.
Why it matters: Re-using passwords is like having one key that opens your house, car, and office. If it’s copied once, everything is exposed. Password leaks are common, and criminals try the same email and password across many sites.
How to do it (phone):
- Use a password manager (built-in options exist on iPhone and Android, or a reputable third-party app).
- Turn on a second lock for key accounts, starting with email.
- Where available, use passkeys (sign in using your phone, face, fingerprint, or device PIN). Passkeys are designed to be harder to steal because there’s no password to type.
How to do it (computer):
- Use a password manager browser extension or desktop app.
- Save new logins into the manager, don’t store them in notes or spreadsheets.
- Enable the second lock for email, banking, and any account that can reset other accounts.
Which second lock to choose: An authenticator app is usually stronger than SMS, but SMS is still better than nothing. Microsoft’s security guidance explains why turning on multi-factor authentication blocks the vast majority of account attacks in their data; see the Cyber Resilience Hygiene Guide.
What to do today (a simple order):
- Change email password first (email is the master key for resets).
- Turn on the second lock for email.
- Then update banking, then social media, then shopping sites.
Done looks like: “My email has a unique password in a manager, plus a second lock.”
Spot bait messages, slow down, check, and verify
What it is: A repeatable pause routine before you click, pay, or share details.
Why it matters: Most scams aren’t technical wizardry. They’re pressure and timing. The message tries to make you act first and think later. That’s why your teaching should focus on behaviour, not fear.
Give clients a script they can follow every time:
- Stop: Don’t click yet. Don’t reply yet.
- Look: Who’s it from, really? Does the tone match?
- Check: Does the link match the real site? Are there tiny spelling changes?
- Confirm: Use a trusted method (type the address yourself, use the app, or call a known number).
Quick cues worth teaching (and re-teaching):
- Urgency (“final warning”, “today only”, “within 30 minutes”).
- Payment requests that come out of nowhere.
- Odd sender details, or a near-match domain.
- Attachments you weren’t expecting.
- A link that looks wrong when pressed and held (mobile) or hovered (desktop).
A safe habit that beats most bait messages is simple: type the website address yourself, or open the official app, instead of tapping the link.
AI-driven scams have made messages sound smoother, with fewer typos. That’s another reason to rely on your routine, not your gut feeling.
Done looks like: “I never log in through links from messages.”
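If you prepare practice messages for a session, the “Check” step can be shown in a few lines of Python. This is an added example, not part of the original guide: it compares where a link really goes against a short list of sites the client uses and flags near-match domains. The site names, sample links, and the two-typo threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list on reserved test domains; swap in the sites the client really uses.
TRUSTED = ("bank.example", "parcels.example")

def edit_distance(a, b):
    """Levenshtein distance: how many single-character typos separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, trusted=TRUSTED, max_typos=2):
    """Classify the host a link really goes to: 'trusted', 'near-match' or 'unknown'."""
    # .hostname drops any "name@" prefix and the port, leaving the true destination.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if any(host == s or host.endswith("." + s) for s in trusted):
        return "trusted"
    for site in trusted:
        # The real name used as a decoy at the front of some other domain.
        if site + "." in host:
            return "near-match"
        # Compare the same number of trailing labels, so "www." cannot hide a typo.
        tail = ".".join(host.split(".")[-(site.count(".") + 1):])
        if edit_distance(tail, site) <= max_typos:
            return "near-match"
    return "unknown"

# Constructed practice links for a training session.
SAMPLES = [
    "https://www.bank.example/login",
    "https://bamk.example/login",
    "http://bank.example.account-check.test/pay",
    "https://bank.example@login.test/",
    "https://weather.test/",
]

def classify_samples(links=SAMPLES):
    return {link: check_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in classify_samples().items():
        print(f"{verdict:<10} {link}")
```

Anything that is not “trusted” gets the same treatment as in the script above: don’t tap it, type the address yourself.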
Back-ups, a spare copy beats panic every time
What it is: Keeping a second copy of your important files and photos, separate from your device.
Why it matters: Phones get lost. Laptops die. Accounts get locked. Sometimes files are encrypted in a file lock-up (ransomware). A back-up turns a crisis into an annoyance.
How to do it (phone):
- Turn on iCloud Photos (iPhone) or Google Photos/Drive (Android), or another trusted cloud service.
- Check that photos are actually syncing (open the app and look for sync status on Wi-Fi).
How to do it (computer):
- Choose one: cloud back-up, external drive, or both.
- If using an external drive, plug it in weekly and let the back-up run.
- Once a month, restore one file as a test. Back-ups you’ve never tested are guesses.
A simple plan you can teach in one minute:
- Weekly back-up (calendar reminder).
- One copy off the device (cloud or external drive).
- Monthly test (restore one file).
If they feel overwhelmed, set priorities:
- Photos and videos
- Identity docs (passport scans, certificates)
- Work files (invoices, contracts)
- Password vault (most managers handle this safely, but they still need the main password and recovery options)
Done looks like: “I can restore one photo or document right now.”
Secure the device and Wi‑Fi, lock screens, tidy access, protect the home network
What it is: Basic locks on the device, and sensible settings on the home Wi‑Fi.
Why it matters: Many breaches start with a lost phone, a shared device, or an easy-to-guess Wi‑Fi password. Think of this as keeping your keys out of the door.
How to do it (phone):
- Use a strong screen lock (PIN is better than a simple pattern).
- Turn on Face ID or fingerprint unlock if comfortable. Because unlocking is easy, people are more likely to keep the phone locked.
- Set auto-lock to a short time.
- Enable “Find My” features so a lost phone can be located or wiped.
- Review app permissions monthly (does a torch app need location?).
How to do it (computer):
- Require a password on wake.
- Turn on the firewall (built-in options are fine for most people).
- Don’t share the main computer account, create a separate login for family members if needed.
Wi‑Fi basics you can teach without sounding scary:
- Change the router admin password from the default.
- Use a strong Wi‑Fi password, and don’t post it in group chats.
- Use WPA3 if available (or WPA2-AES if not).
- Use a guest network for visitors and smart gadgets, if the router supports it.
Done looks like: “My phone locks fast, and my Wi‑Fi isn’t using defaults.”
Make it stick, teach in small steps with practice and follow-up
You can teach the Big 5 perfectly and still fail, if the person never practises them. Cyber hygiene is muscle memory. It needs repetition, not speeches.
A useful teaching frame is: show, do together, then watch them do it. If they can complete the task while you sit quietly, they’ll be able to do it later when they’re alone and stressed.
Also, be careful with fear. A little seriousness helps, but too much makes people freeze. If your client is anxious, focus on the next action, not the worst-case story.
For broader ideas on training everyday users at scale, Infosecurity Magazine has a practical piece on ways to educate people on cyber hygiene.
Run a 30-minute “set-up session” that ends with real wins
A short session beats a long workshop because it ends with proof. Keep it hands-on, and aim for visible changes on their device.
A simple agenda:
- Turn on auto-updates (phone and laptop).
- Add a second lock to their email account.
- Start a password manager, or enable passkeys where offered.
- Set up a back-up for photos and documents.
- Practise one bait message example, and rehearse “type the site yourself”.
Finish with a calm recap: “You’re safer now because your accounts have a second lock, your devices update themselves, and your files have a spare copy.” Then ask them to take a photo of a short checklist on their phone, so it’s there when panic hits.
Use the 5-minute weekly check, one calendar reminder, one habit at a time
Cyber hygiene sticks when it becomes a tiny ritual. Five minutes a week is realistic for almost anyone.
A weekly routine that works:
- Restart devices (helps updates complete).
- Check for any pending updates.
- Quick back-up check (did photos sync, did the laptop back-up run).
- Scan alerts (email security notifications, banking alerts).
- Remove anything odd (unknown logins, old apps you don’t use).
Tie it to something they already do. After Sunday tea. After payday. When taking the bins out. Habit stacking feels small, which is the point.
When mistakes happen (and they will), teach a calm script:
- Stop replying or clicking.
- Change the password (starting with email).
- Check bank activity.
- Ask for help early, not after three days of worry.
LinkedIn’s community advice also has a useful perspective on keeping training human and practical, see teaching cybersecurity to non-technical users.
Conclusion
Teaching cyber hygiene works best when it feels normal. Simple beats perfect, and boring beats brave. The Big 5 are easy to remember: auto-updates, unique passwords and passkeys plus a second lock, a pause routine for bait messages, regular back-ups, and basic device and Wi‑Fi locks.
If you’re teaching clients or readers, aim for small wins they can repeat, not a one-off talk. Start today with the most protective step for most people: turn on the second lock for their email. Then schedule the five-minute weekly check, so security becomes a habit, not a panic.


