Chapter 11
When Things Go Wrong

Despite our best efforts and intentions, things go wrong. Phones get dropped in water, laptops fall off tables, hard drives and power supplies fail. Cyberthreats do not change the fact that it is a dangerous world out there; they just add another dimension of danger to existing, day-to-day threats. So, we need to assume things will go wrong, and plan accordingly. An additional wrinkle cyberthreats introduce into this planning is that we may find ourselves up against a deliberate attacker who is trying to do us wrong, one who will try to defeat the measures we put in place for protection, detection, and recovery. To compensate, we need to be extra careful and plan accordingly.

Planning includes assessing risks you may encounter, thinking through how you will manage those risks, and identifying the possibilities of what can go wrong. In general terms, some of the major possible incidents include the following:

Your devices’ data is breached. Private data on your personal devices is stolen by an attacker, who then attempts to use that data against you.

Your devices are damaged or destroyed. The software, storage, or hardware of your devices is damaged. As a result, your applications, accounts and/or data are not available to you.

Your online accounts are compromised. Your online accounts are compromised, giving attackers access to those accounts, including the ability to change passwords and hijack those accounts from you.

Your data is changed. Your personal data is altered, or false data is posted in your name. This could result in fraudulent transactions, scandalous postings, or inappropriate online or social media connections made in your name.

Something happens to you or your significant others. Something happens to you, and those who are dependent on you cannot access your accounts. Or something happens to your significant others and you cannot access accounts in their names.

This chapter describes some of the ways that things can go wrong from a cybersecurity perspective and provides suggested actions you can take to reduce your risk and improve your recovery.

Being Prepared

As the old Scouting motto says, “Be Prepared.” It behooves everyone to think through the possibilities for harm and think of ways to prepare for those possibilities. While an ounce of prevention may beat a pound of cure, when prevention fails it is smart to have a pound of cure on hand, just in case. If something goes wrong, you or someone else may have to reconstruct your digital life. That includes your devices, your accounts, your applications, and your data. Being prepared includes being able to reconstruct all of them in the event something goes horribly wrong.

To be prepared for when things go wrong, you should consider taking the following actions:

Inventory your devices. Inventory your IT devices which may include: desktop and laptop computers, tablets, mobile phones, cameras, portable drives, memory chips, and thumb drives.

Inventory your accounts and passwords. Make a list of your online accounts and passwords. If you use a password manager, make sure it is in the inventory. Make sure your loved ones know where this list is and update it when your accounts change.

Know where your data resides. Where are the originals of your most important data? Where are the copies? Which data is automatically copied to the cloud? Do your old phones and tablets have irreplaceable data on them, because you never backed them up?

Consolidate your data. When you have photographs in ten different locations, it is hard to protect them. Consolidate your most important and most irreplaceable data into one or two places so it is easy to manage, and then arrange to back it up regularly and robustly.

Back up your data regularly. Back up your important data and files. For your most important files, make a backup copy periodically—say once a quarter—and store the backup offline in a safety deposit box or something similar. Update those backups regularly so they stay current, but be careful of incremental backups that can introduce complex dependencies between backup files. Encrypt your backups but make sure you have or know the keys for data recovery.

Back up your data again. If your data is really important, back it up multiple times. Some experts recommend that the most important data be backed up at least three times: (1) the original file, (2) an online backup that may be automatically performed, and (3) an offline archive that is isolated and protected. This approach guards against a single incident taking out both the original and the backup, all at once.

Understand the limits of automatic backup. Automatic and cloud-based backup are useful for automatically making extra copies of your files separate from the originals. “File history” backups can even keep track of different versions of your files, so you can undo changes to a favorite photo or look up older versions of a document. However, these technologies provide limited protection against an attacker who is intent on destroying your data. Advanced malware and ransomware will attempt to damage the online backups as well as the originals.

Back up your devices and applications. Make sure you have backups that allow you to “restore” your computers, their operating systems, and applications to their original configurations (also known as “bare metal” backups). Update these backups if your hardware changes, or when you install new software. You may want to keep more than one bare metal backup on hand in case one of them becomes corrupted.

Organize your backups. Another challenge is organization for backups. A good technique is to name backups based on: (1) the date the backup was made; (2) the name of the device backed up; and (3) the type of the backup. Backup types may include “bare metal,” “application data,” “personal files,” or something similarly descriptive.

Test your backups. Countless enterprises and many more individuals have found out too late that the backup they thought they had was useless. Occasionally connect your backup devices and make sure that they work and that you can read them. You probably do not want to test a “bare metal” restore on your computer, but you should at least check that the data is there. Backup drives that are more than five years old should probably be replaced with newer media, even if the older drives still work.

Have contingency plans. Have options in case the primary contingency backup plan does not work, and maybe even backup options after that. This includes having more than one backup of your data. Have paper copies of password sheets, in case the digital versions are unavailable. Have your software installation discs and license keys, in case a “bare metal” restore fails.
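
One way to apply the naming scheme and the “test your backups” advice from the list above, as an added example rather than code from the book: this Python sketch builds a backup name from date, device, and type, records a SHA-256 checksum for every file when the backup is made, and later reports files that are missing, changed, or unexpected. The manifest file name, the type labels, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import re
import tempfile
from datetime import date
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"  # hypothetical manifest file name
BACKUP_TYPES = {"bare-metal", "application-data", "personal-files"}
NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})_([a-z0-9-]+)_([a-z-]+)$")


def backup_name(made_on: date, device: str, kind: str) -> str:
    """Build '<date>_<device>_<type>' so names sort by date and describe themselves."""
    if kind not in BACKUP_TYPES:
        raise ValueError(f"unknown backup type: {kind}")
    slug = re.sub(r"[^a-z0-9]+", "-", device.lower()).strip("-")
    if not slug:
        raise ValueError("device name is empty")
    return f"{made_on.isoformat()}_{slug}_{kind}"


def parse_backup_name(name: str):
    """Return (date, device, type), or None if the name does not follow the scheme."""
    m = NAME_RE.match(name)
    if not m or m.group(3) not in BACKUP_TYPES:
        return None
    try:
        return date.fromisoformat(m.group(1)), m.group(2), m.group(3)
    except ValueError:  # e.g. month 13
        return None


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(backup_dir: Path) -> dict:
    """Map relative path -> absolute path for every file except the manifest."""
    return {p.relative_to(backup_dir).as_posix(): p
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST}


def write_manifest(backup_dir: Path) -> dict:
    """Run right after the backup is made: record a checksum for every file."""
    entries = {rel: _sha256(p) for rel, p in _files(backup_dir).items()}
    (backup_dir / MANIFEST).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir: Path) -> dict:
    """Run when testing the backup: compare what is on the drive to the manifest."""
    recorded = json.loads((backup_dir / MANIFEST).read_text())
    present = _files(backup_dir)
    report = {"ok": [], "missing": [], "changed": [], "unexpected": []}
    for rel, digest in recorded.items():
        if rel not in present:
            report["missing"].append(rel)
        elif _sha256(present[rel]) != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(recorded))
    return report


def demo() -> dict:
    """Constructed sample: make a small backup, damage it, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / backup_name(date(2024, 3, 31), "Family Laptop", "personal-files")
        (root / "photos").mkdir(parents=True)
        (root / "photos" / "beach.jpg").write_bytes(b"constructed photo bytes")
        (root / "taxes.pdf").write_bytes(b"constructed pdf bytes")
        (root / "notes.txt").write_bytes(b"constructed notes")
        write_manifest(root)
        (root / "taxes.pdf").write_bytes(b"overwritten")  # silent corruption
        (root / "notes.txt").unlink()                     # file lost from the drive
        (root / "extra.txt").write_bytes(b"stray")        # file added after the backup
        return verify_backup(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest stored only beside the backup catches accidental damage, but anyone who can alter the backup can also rewrite it; keep a second copy of the manifest with your offline archive or paper records.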

Recognizing Dangerous Attacks

Unfortunately, it is seldom obvious when your devices or accounts are hacked. Just as your car seldom tells you exactly what is wrong with it, you will likely have to do some analysis of the symptoms to determine if something has gone wrong with your computer or device, and if those problems have to do with hacking or compromise. Symptoms may vary widely and diagnosing a symptom may be challenging or inconclusive. Do your best and seek out more experienced expertise if you are in doubt.

To recognize dangerous attacks against your computers and devices, you should consider the following possible symptoms:

Malicious pop-ups. When browsing the web, you may run into pop-up windows designed to deceive you, either by telling you to update your computer’s software or telling you your computer has been hacked. These are not signs of compromise! These are signs you have stumbled into a malicious website or malvertising. Only be concerned if the windows continue appearing after you have closed your browser and restarted your computer.

Ransomware screens. Ransomware is one of the few malicious attacks that announces its arrival. If your computer is infected with ransomware, it will announce to you quite clearly that your system is being held ransom, and the steps you need to take to decrypt it. Whether or not you pay the ransom is a personal decision. Just be aware you may not get your data back, even if you do pay up.

Ransomware encryption. While it is encrypting your system, ransomware replaces regular files with encrypted versions of those files. This process can take several hours, so it is possible you will be sitting in front of your computer while it is being encrypted. You may notice that some of your files have become encrypted and the hard drive or solid-state drive (SSD) is showing heavy, nonstop activity. If you see this activity, one technique is to turn off your computer at the power switch to stop the encryption process. By aborting the encryption process, you may be able to retrieve your other files that had not yet been encrypted. Note that this does not work for all ransomware strains, and may require considerable technical expertise to recover the remaining unencrypted files.

Strange startup programs and browser plug-ins. When you first start up your computer, there should be very little running except for the operating system. Check your operating system’s “startup programs” list and make sure you recognize all of them, or they make sense. For example, Windows 10 allows you to manage your startup programs, by going to Settings > Apps > Startup. You will see a list of “Startup Apps” designated to run automatically when you sign into your computer. You can configure which apps you want to automatically start. The same goes for web browser plug-ins. Check your web browser’s documentation for how to configure which plug-ins are installed and enabled.

Changed web browser home page. Malvertisers and click fraud attacks may change your browser home page. By changing your browser home page to their customers’ pages, malvertisers generate page views and clicks that translate directly into fraudulent advertising revenue for them and their partners.

Malware alerts. If your antimalware software alerts you of malicious software, take it seriously. If you suspect malware, open your antimalware program directly from your operating system and follow its instructions from there. Do not rely on a pop-up window, as the pop-up may be malicious and designed to deceive you.

Unusual program installs. Periodically, check the programs installed on your computer or device. Do you remember installing that software? Do you know what that software does? Can you find the program in your “Start” or “Applications” menu to be able to run it? If in doubt, do some research on the program to see if you can understand what it does. Remove applications you do not recognize, or no longer need.

High central processing unit, disk, or battery usage. Heavy usage of your central processing unit (CPU), disk, or battery may be a sign of malware. For example, “cryptoware” malware surreptitiously uses your computer to mine cryptocurrency, potentially resulting in high resource usage. Ransomware uses large amounts of resources while it is encrypting your files. Botnet malware may use resources to launch distributed denial of service (DDoS) attacks from your device. Other viruses and worms may use resources scanning your network or replicating themselves across it. On mobile devices, this activity may rapidly drain your battery—examining your battery usage may reveal the offending malicious app.

This list is just a start. Unfortunately, this list of dangers is just a start, and plenty of malware can elude basic detection by hiding in the registry, in boot records, in hardware non-volatile memory, and other places. Other sophisticated malware may “throttle” its resource usage so it is hard to recognize that malicious software is running. Stealthy malware can be almost impossible to find, and attackers are coming up with new concealment techniques all the time.

Recognizing Account Compromise

Perhaps even worse than compromise of our devices is compromise of our online accounts. Every year, seemingly more and more of our digital life is contained in our online accounts, whether it is online pictures, connections with friends, or business and financial accounts. When these accounts are compromised, all of that capability is placed in jeopardy, and someone else has control of some aspect of our digital life. Sometimes, these attacks may result in fraudulent transactions or criminal behavior. Other times, they just mean we have to change our passwords or online credentials to reduce the risk of further compromise or possible damages down the road.

To recognize when your online accounts are compromised, it is helpful to consider the following factors:

E-mail notifications. Sometimes, we find out our accounts have been compromised through a notification from the account operator. Unfortunately, these types of notifications are popular with fraudsters, so they may be malicious, too. If you receive an e-mail notification that one of your online accounts has been compromised, go directly to the account’s website (do not click on the link) and log in. If the notification was legitimate and the site is using good practices, you will be prompted to change your password when you log on. Go ahead and change your password. If it is a password you use elsewhere, you should change it everywhere you use it.

Compromise in the press. Sometimes the press may cover a breach that does not directly affect you or where you are not notified by the account operator. Similarly, you may see a site such as www.haveibeenpwned.com showing that your account has been compromised. When a breach occurs, use your judgment: it is always safer to change your credentials when it is possible they have been compromised than to leave them alone and be vulnerable.

Strange e-mails. If your friends report receiving strange e-mails from you or you find strange e-mails in your sent or deleted items folders, it is a sign that your e-mail account has been hacked or compromised. The same goes if you receive strange e-mails from your friends. In all of these cases, consider changing the credentials on your e-mail account, and watch it carefully for further suspicious activity.

Account access or fraudulent transactions. Many online services allow you to see a log of account logins or tell you when you last successfully logged in. You should review the logins to look for fraudulent transactions or activities. If you think you are a victim of fraudulent activities, consider changing your credentials, as well as any other uses of the same passwords elsewhere.

Responding to Online Personal Attacks

More disturbing than simple attacks against our computers or compromise of our accounts are personal attacks. These attacks are crimes committed against us as individuals. The attackers may know who we are, where we shop, or how we pay for purchases. They may have obtained access to our computers, data, or accounts. These attacks are almost always crimes of some sort, although they are seldom prosecuted due to the difficulty of tracking down online attackers.

When considering online personal attacks, you should think about the following factors:

Account hijacking, hostage, and ransom. More malicious than simple account access is account hijacking. With hijacking, attackers deliberately take control of your accounts and try to deny you access to those same accounts. They may do this hijacking by changing the password and password reset parameters to values only they know. They may also take control of your e-mail accounts so they can control e-mail-based password reset mechanisms and notifications. When your accounts are hijacked, attackers may start racking up fraudulent charges or they may contact you with ransom demands. In all of these cases, you will likely need to contact your accounts’ customer service to prove your identity and get assistance. You may also need to involve law enforcement, depending on the amount of monetary damage. Do not expect getting the situation resolved to be easy or quick.

Blackmail and extortion. Similar to account hijacking, criminals may attempt to blackmail you or extort you through compromise of your computers, devices, or accounts. In these cases, they will most likely contact you with their demands. Usually this blackmail is via e-mail but it may be through social media. While their demands will frequently be monetary, it is not always the case. Sometimes, you may be simply a stepping stone toward “bigger fish” in your social network or at your employer. In all of these cases, you should get help from professionals, law enforcement, and your accounts’ customer service departments. You should also include your company security office, if you suspect the incident is employment-related.

Cyberbullying and revenge porn. Online intimidation takes many forms. Cyberbullying involves bullying and intimidating the victim online in chat rooms, on social media, or by defacing personal postings with slanderous comments or counter-postings. Revenge porn involves obtaining access to personal pictures or videos from webcams or mobile devices, and then posting those images or videos online. Frequently, these actions are performed by someone known and trusted by the victim—or at least previously trusted. These actions can be frightening and intimidating and are frequently criminal. You can reduce your vulnerability to these types of attacks by being careful where you post and what you say. Regarding revenge porn, do not keep highly personal photos on your computers, connected devices, or online accounts. Cover up your webcam when it is not in use. If you think you are a victim, contact law enforcement.

Locking Down Online Accounts

If your computers, devices, or online accounts are infected or compromised, you should immediately try to “lock down” your online accounts, so they cannot be used by attackers. Malware frequently tries to steal credentials for popular online services, including e-mail, social media, banking, e-commerce, and gaming. Some malware can recognize when you go to one of these websites and will then monitor your keyboard to detect when you have entered your online credentials and passwords. The malware then sends your online credentials and passwords out to its controllers, who aggregate this type of data for millions of victims and then sell it to other criminal groups to exploit. It is big business. So, if you suspect you have been compromised, one of the first things you should do is regain control of your online accounts. You may want to try to do this even before you try to clean up the malware on your computer, provided you have another computer or device you can use to do the locking down.

When you need to lock down your online accounts, you should consider the following factors:

Use a trusted device. The first rule of locking down your accounts is you need to do it from a device that is trusted. If your main computer has been compromised, maybe you can lock down your accounts from your smartphone, or another computer. Be cautious using another computer in the same household, as malware may “jump” to other computers on the same network. Malware frequently has difficulty replicating between different types of devices—like from a Windows PC to an Apple Mac, or from Android to iOS—so if the devices run different operating systems your risk is lower. Make sure you can access the accounts in question from your device, and that you have all necessary apps, bookmarks, or multifactor authentication tools in place to log on to your accounts and configure them. Another option may be to contact your provider’s customer service and ask for assistance.

Do it as soon as possible. Once you have identified a trusted device to work from, start changing passwords as quickly as possible. Start with your password manager (if you have one) and your e-mail accounts, as they tend to be key to doing password resets and “lost password” functions for your other accounts. Then, consider accounts in terms of their monetary or personal value and change credentials for the most important ones first. For all password resets, use care to go directly to the website for the account or service, and use the password reset function there. Do not go to it from e-mail messages or other links.

Check your password reset settings and identity questions. As you log in to accounts and change your passwords, check the settings for the accounts, especially registered e-mail addresses, telephone numbers, and identity verification questions. Make careful note of any data you will not immediately recall—including passwords if necessary. If you use a password manager, make sure you update passwords there as well. If you have multiple e-mail accounts, make sure you know which e-mail addresses are tied to which of your accounts. Keep notes if necessary.

Watch out for password reset e-mail messages. As you change your passwords, you should receive e-mail messages from your accounts indicating you have changed your credentials. Make sure you get these e-mail messages and that they look correct. If you change an account and do not get a password reset e-mail message, double-check that the e-mail account associated with your account is correct. It is possible, but unlikely, your account holders do not send password reset notifications.

Consider turning on fraud alerts and multifactor. Some accounts may permit you to activate multifactor authentication using cell phone messaging, Duo Security software, or other additional factors. Financial accounts may also permit you to put a “fraud alert” or other safeguard onto your account. Consider the possible benefits and challenges of using multifactor authentication or fraud protections, if only temporarily.

Do not get locked out. It is easy to end up locking yourself out of your own accounts, if you are not careful. It is even easier if an attacker is actively wrestling with you for ultimate control of your online accounts. Be careful, and make sure you have control of your password managers and e-mail accounts first. These accounts will serve as the identity foundation you use to control access to your other accounts. If they are re-compromised, you may have to start all over again to reset everything.

Be prepared to lock down accounts multiple times. Do not assume you are going to get it right the first time and use your “second-most-favorite-clever-password” everywhere. Unfortunately, the days of having one single “super key” to your online identity are rapidly coming to an end. You will likely run into issues with timing, password policies, and password reuse requirements that make your password selections considerably more complex. Make careful notes for your accounts and do not hesitate to re-change passwords for accounts that are problematic or appear to be at further risk of compromise.

Make note of customer service numbers. For many of your online accounts, there are customer service lines where you can get a real live person to help you, at least during business hours. Know what these phone numbers are and be prepared to prove your identity to their customer service representatives or to argue that your identity has been hijacked. Financial institutions may even set up separate identity verification criteria for over the phone, which may be useful if your online accounts are compromised or need to be locked down. Alternatively, you may be able to submit a customer support request online, and someone will call you back.

Resetting Your Compromised Computer or Device

Malware on a computer or device is a scary situation. Once a computer or device has been compromised, every file contained on it, and every keystroke into it becomes suspect. Is my computer recording me? Is it broadcasting everything I do? Is it trying to compromise the rest of my network, or my social circle? These are questions that should be considered once the original compromise has occurred. While cybersecurity capabilities have improved over the past decade, there still is not a universal “clean up” button on computers or mobile devices to restore them immediately back to a known good configuration. Some level of finesse is required to balance a number of tradeoffs to get your computer or device back to a relatively safe configuration, while reducing the amount of pain and time involved in the process.

If you suspect your computer or device has been compromised, you should consider the following factors:

Unplug from the network. By disconnecting from the network, you make it impossible for malware to communicate with “command and control” servers that may be instructing it on what to do. While disconnecting the network connection does not defeat the malware, it stops the malware from reporting your activities and getting new instructions. Once you are unplugged, you should still be able to perform most of the procedures described in this section while remaining disconnected.

Use your antimalware “clean” function. Some malicious software is caught by antimalware software and can then be quarantined and “cleaned up.” Some antimalware like Windows Defender also has an “offline” function that may be able to remove malware embedded within the operating system. Note that while these features are useful, they may not always be effective; some malware is specifically designed to defeat them.

Address ransomware. If your computer has been infected with ransomware, special procedures can apply. If you could stop the ransomware before its installation is completed, and your antimalware software detected the malware, you may be able to clean up your system and restore damaged files from backups. Even if you were not successful in stopping the encryption, the “No more ransom” project may have some help for you at their website https://www.nomoreransom.org. The worst-case scenario is you may have to reinstall your system and your data from a backup. Watch out for ransomware that encrypts your cloud backups, and attempts to reinfect you from there as well. Microsoft’s OneDrive and other cloud services include anti-ransomware features that may help to protect you and your data from these attacks.

Uninstall the program or app. If you can identify the malware as being related to a specific program or app you installed (or that was installed for you), go ahead and remove the program or app. While this approach is hardly guaranteed, it can defeat many forms of “adware,” “spyware,” and some free programs that are somewhat malicious but not particularly dangerous.

Disable startup programs or browser plug-ins. Similarly, you may be able to trace the behavior to a specific startup program or browser plug-in. If this is the case, go ahead and disable it, reboot your computer, and see if it stays removed. If your symptoms disappear, then you may be okay. If the malware comes back, then you may have a larger problem requiring security support personnel to get involved.

Modify the registry. Some malware hides in the operating system “registry” that contains system configuration settings, or in other files used when the computer starts up. While it is possible to remove such malware, these actions are nontrivial and may render your system unusable. Use care if you choose to do something like this approach yourself.

Computer system restore point. Your operating system may have a “system restore point” function that allows you to “roll back” the operating system to a known-good configuration. This feature removes programs and operating system changes made since the selected restore point, but generally leaves your files and settings intact. If you know approximately when your problems started, you can use this feature to reconfigure your system. You will likely have to manually reinstall any legitimate programs that were installed since the restore point. Be careful not to reinstall the malware!

Computer “bare metal” restore. If a system restore does not work, but you still have an idea of when your system was last “good,” you may be able to do a “bare metal” restore from a backup that was made before the problem occurred. This approach, of course, assumes that you are making regular backups of your operating system and programs. Note that a bare metal restore will likely not preserve your personal files, so they may have to be recovered separately. Recovering your personal files separately may make a bare metal restore more disruptive than a computer operating system reset, described below.

Computer operating system reset. Operating systems like Windows 10 and macOS have a “reset your operating system” feature. This feature completely reinstalls your operating system, while leaving your personal files intact. The downside of this approach is that while your files are retained, it removes all of your applications. So, you will have to reinstall your applications from the original media or downloads. However, preserving your personal files may be more important. Make sure you have your license keys!

Mobile device factory reset. Many mobile devices have a “factory reset” function that resets the operating system back to its “factory” configuration when you got the device new. This feature only takes a couple of minutes to reset the operating system, but will also delete all your files and apps. While apps can usually be reinstalled from the app store relatively easily, your personal data must be backed up to the cloud or to another device. Incidentally, this reset function is useful for giving your used mobile device to charity, or to another family member.

Computer system rebuild. If an operating system reset does not work, you may have to do a complete system rebuild. If this is the case, you may also need to check your system’s motherboard firmware, as some attacks can modify the firmware to survive even a complete system rebuild. Rebuilding your system involves reformatting your system’s hard drive or solid-state drive (SSD) and then reinstalling the operating system and applications from scratch. Personal files can then be restored from backups or secondary copies. This approach is a major undertaking and generally should be a last resort.

Computer firmware reset. Some malware can even infect the BIOS firmware in the motherboard and some peripherals. Such sophisticated malware may require extensive cleanup including reflashing of firmware memory, replacement of peripherals, or replacement of the computer hardware altogether. These undertakings are complex, risky, and non-trivial—nontechnical users should collaborate with experienced security professionals or support staff.

Backups and spare drives. In many of these scenarios, before you make a bad situation worse by removing programs, changing registry keys, or wiping hard drives, you may want to make additional backups to protect yourself should things get worse. “Clone” your system hard drive so you can work on a copy of the original, while still being able to go back to the original should the recovery attempt fail. This situation is where having multiple backups is wise; it is easy to completely destroy the system you are trying to recover. It is far better to have a compromised copy of your files that is intact than it is to have destroyed all your copies in a recovery attempt gone awry. Use extreme caution, take your time, have extra copies, and do not hesitate to ask for help.

Recovering Lost Data

Once you have restored your computer or device, the next step is to restore your data to that device. Your data takes many forms, including configuration settings, preferences, favorites, bookmarks, accounts, passwords, and of course files. Files can include documents you have downloaded, documents and messages you created, pictures you created, photos you captured, and media files like music or movies. If you must completely rebuild your computer or replace your device, you may have to recover or replace all of these types of documents to get back to where you were before whatever incident occurred. Each category of data has different patterns of creation, maintenance, use, and change. These different patterns are factors in identifying the best ways to save and recover your data, should you need to do so.

When planning to recover your data as part of rebuilding your system or device, you should consider the following factors:

Where the data comes from. Where did the data originally come from? Was the data e-mailed to you or did you download it from the internet? Does the data consist of documents you created yourself, or edited? The documents you created or the pictures you took are often considered some of the most valuable data you have. Those documents and pictures may be irreplaceable if you do not have them backed up. Make sure you back up the data you create when you create it, or soon thereafter.

How often the data changes. For documents you actively modify, including e-mail archives, software development, photos you take, or personal documents, you should think about how often they change. If you are making daily changes to files, you need to make sure you are backing them up daily, as well.

When and where the data has been backed up. Where are your backups? Which backups are online or offline? When was the most recent backup made? Did you e-mail files or post them to the internet? Frequently, your most recent copies of files may be in e-mail or online in document shares or posted to social media. Do not underestimate the power of e-mailing something to yourself as a backup mechanism, or asking friends for copies of materials you had sent them previously.

The integrity of the backups. Which backups are intact and which are corrupted? Frequently, ransomware attempts to encrypt backups that are online, so you may find your most recent backups to be unusable. If this situation occurs, you need to look into alternative offline backups, as well as contingency locations for your favorite files. Make sure you understand which backups are usable and which are not, and have contingencies for important files that changed recently and that you still want to be able to recover.

Ease and convenience of recovery. You will likely find yourself facing some difficult tradeoffs when doing a large-scale data recovery. Do you get that hard drive out of your safe deposit box from last year, or do you ask your cousin to send you that “in case of emergency” thumb drive from six months ago? Or are the 15 gigabytes in your cloud drive “good enough” for now? Consider the tradeoffs and make the choices that are best for you.

Single points of failure. After a failure occurs, you are in a vulnerable state since you have lost one or more of your stores for important personal data and documents. Be careful your recovery effort does not leave you with “single points of failure” that could cause you to lose a decade of documents should a second failure occur. It may be prudent to make additional copies of your backups immediately, just to give you redundancy. In other words, make sure you restore your redundancy as soon as possible, to guard against future mishaps.

Data comparison tools. In a recovery situation, you will likely find yourself with multiple copies of documents, messages, pictures, videos, or other files. You will probably have folders containing hundreds or even thousands of documents. You may need to determine which folder contains the most documents, the most recent documents, or the most useful documents. Comparison tools like WinDiff and Kaleidoscope can help you compare large numbers of files quickly to find differences and determine which documents to keep. Other tools can help you find duplicate copies of documents and photos, so you do not have to keep multiple copies of the same file. Use these tools to organize your data and reduce duplication.
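The comparison described under "Data comparison tools", as an added example that is not from the book: a short Python script that compares two backup copies by file content (SHA-256) and reports files missing from either copy, files that differ, and duplicates. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def index_tree(root):
    """Map each relative path under root to (SHA-256 of content, mtime)."""
    index = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            with open(full, "rb") as f:  # whole-file read; chunk for very large files
                digest = hashlib.sha256(f.read()).hexdigest()
            index[os.path.relpath(full, root)] = (digest, os.path.getmtime(full))
    return index


def compare_copies(root_a, root_b):
    """Compare two backup copies by content rather than by name or size."""
    a, b = index_tree(root_a), index_tree(root_b)
    # Same path, different content: record which copy was modified more recently.
    differ = {rel: ("a" if a[rel][1] > b[rel][1] else "b")
              for rel in set(a) & set(b) if a[rel][0] != b[rel][0]}
    by_hash = defaultdict(list)  # identical content under several names in copy a
    for rel, (digest, _mtime) in a.items():
        by_hash[digest].append(rel)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "differ": differ,
        "duplicates_in_a": sorted(sorted(p) for p in by_hash.values() if len(p) > 1),
    }


def build_demo():
    """Constructed sample data: two small folders standing in for two backups."""
    a, b = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = ((a, {"taxes.txt": b"2023 v2", "cat.jpg": b"JPEG", "cat copy.jpg": b"JPEG"}),
               (b, {"taxes.txt": b"2023 v1", "cat.jpg": b"JPEG", "old.txt": b"x"}))
    for root, files in samples:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
    os.utime(os.path.join(b, "taxes.txt"), (1_600_000_000, 1_600_000_000))  # older copy
    return a, b


if __name__ == "__main__":
    print(compare_copies(*build_demo()))
```

Copying or restoring files can reset modification times, so treat the "newer" result as a hint and open both versions of a differing file before discarding either one.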

Reporting Work Cyber Incidents

If you access your work accounts from a personal device—which many of us do—compromise of your personal device or system may result in compromise of your work credentials, work accounts, or work data. If you suspect your work credentials may have been compromised, you should plan to change those credentials, and report the incident to your employer. If you routinely connect your home system to a work network using a virtual private network (VPN), the possibilities become much more serious, as your home compromise may have “jumped the gap” into your employer’s network.

To understand how a cyber incident may affect your work and your workplace, you should consider the following factors:

Your work may be the actual target. You may have been breached at home, but your work may be the actual target. In this day of social media, attackers can correlate databases to match up your personal identities with your professional identities. Attackers may have targeted you at home because it is easier than hacking your workplace and gives them a “back door” into your workplace accounts and networks. Think about what you do professionally and how it might be a target for attackers.

Resetting your work credentials. Along with resetting your personal account credentials, you should consider resetting your work credentials, if you believe they may have been compromised. Note that password reset mechanisms on work networks are usually different from those used for your personal accounts. If you are locked out of your work accounts, you may need to contact your IT help desk or human resources for assistance.

Time frame of the compromise. Think through when your system may have been compromised and what has happened since then. When did you first detect that something was wrong? When was the earliest time you may have been compromised? When was the most likely time that you were compromised? Have you used your work accounts, credentials, network connections, or files since then? If so, do you remember when? What work projects were you working on? What sensitive or customer data did you access? When did you start taking actions to address the problem? What actions did you take? This information will be important if an investigation needs to be conducted.

Alerting your security office. If you suspect your work accounts, credentials, network connections, or files may have been compromised, you should probably alert your employer’s security office, along with your management. While this notification can be uncomfortable, it is better than your employer detecting the breach on their own and confronting you. Your employer’s security office will likely want to start an investigation to understand the possible scope of the compromise and potential damage. To do this investigation, the security office will most likely work with IT and cybersecurity to check logs of when your accounts were used and what files and data attackers may have accessed.

Contract and regulatory requirements. Depending on your employment and your employer’s business relationships, compromise related to your account could have contract and/or regulatory consequences. For example, if you are in the medical industry, a compromise could have consequences under the Health Insurance Portability and Accountability Act (HIPAA). If your account has access to customer data and there is evidence of inappropriate access, then your customer contracts may require that they be notified. Your security office’s investigation will most likely consider these types of factors. Consider your contracts and business relationships, and their potential regulatory consequences.

Possible breaches of data. Unfortunately, in today’s hyper-connected world, even “unimportant” accounts and connections may turn out to be avenues for a breach. The Target Corporation breach of millions of credit cards started from an air conditioning contractor who had access to the Target network. Do you really know everything you have access to at your workplace? Unfortunately, it may be far more than you think. If you are compromised, work with investigators to fully understand the scope and impact of the compromise and any associated data breach.

Understanding the Risks of Being Paperless

It is helpful to remember just how fragile your digital life really is. A hundred years ago our lives revolved around a community of neighbors who knew us and could vouch for us in the business we conducted. Fifty years ago, our lives revolved around the cities and towns where our business was conducted in person with the shops and businesses nearby. Twenty years ago, our lives revolved around our neighborhood, but also a network of nationwide businesses we only knew through accounts, mailing addresses, and telephone numbers. Today our lives revolve around a digital web of online accounts, identities, usernames, and passwords. If those digital identities are lost, our digital life can be lost, as well.

To understand the risks that come with a fully digital life and online accounts, you should consider the following:

You could die. The reality for all of us is that horrible accidents happen every day, and take away people in the prime of their lives. Their victims include parents, siblings, and caregivers upon whom others depend. If you die, all of your accounts and passwords go with you, unless they are written down somewhere and someone else can find them. As morbid as this thought is, think it through and consider your successors and beneficiaries.

Paperless makes it difficult for survivors. When you are paperless, your survivors (or helpers if you are merely disabled) have little insight into your digital life. They may have your mobile phone, your computer, and your e-mail addresses, but these devices may all be locked with passcodes they do not know. You need to think through what they will need to know to access your accounts, money, and correspondence and take over the handling of your affairs.

Consider what is critical. When was the last time you wrote a letter? For most of us, our personal correspondence is all purely digital. When those digital accounts are lost, all that correspondence is lost as well. The same goes for photographs, videos, and personal documents. Think about which of your accounts and data are most critical, and how others might get to them if you are not there to help.

Have records of your most important files and accounts. For your most important files and accounts, establish some paper records that could be used to get started. A list of your financial accounts and assets is hugely helpful. A list of bills that are configured for e-payment, or that require you to approve e-payment online, is also helpful. If someone has to take over for you, past due bills and rent or mortgage payments can add up quickly, especially if your income is disrupted at the same time (which it most likely will be).

Leave instructions. Have instructions on what to do in the event of your incapacitation, and make sure those instructions are in the hands of loved ones and trusted friends. Those instructions should include information like points of contact, locations of assets, lists of bills, online accounts, locations of safety deposit boxes, and contact details for friends and family. It may only take a couple of pages, but those pages will be invaluable if things go horribly wrong.
