In my last article, we looked at Defence in Depth—the idea of building an “onion” of security around your business. But there is a critical ingredient to that defensive posture that often gets overlooked: Digital Hygiene.
As AI tools become more sophisticated, the “traditional” red flags of phishing are vanishing. We used to look for dodgy grammar or weird email addresses. Today, an AI can generate a perfectly written email that mimics your client’s tone, refers to an actual ongoing project, and arrives exactly when you expect it.
When “being careful” isn’t enough, you need a system that removes the opportunity for human error.
1. The Password Manager: Your First Line of Hygiene
If you are still using the same password for your email and your accounting software—or worse, writing them in a “black book”—you are leaving the door unlocked.
A password manager doesn’t just store passwords; it generates 100-character gibberish that no AI can “guess.”
- The Gold Standard: Tools like Bitwarden (open source and very affordable) or 1Password offer a brilliant balance of security and convenience. They even have browser extensions that “auto-fill” your details.
- The “LastPass” Warning: Not all managers are equal. LastPass has suffered multiple high-profile breaches and is currently (January 2026) seeing a surge in sophisticated phishing attacks targeting its own users. If you’re still there, it might be time to move.
- Platform Defaults: If you’re deep in the Apple ecosystem, Safari/Apple Keychain is excellent and well-integrated. However, avoid the basic password saving features in Chrome or Firefox; they often lack the robust encryption needed for a business threat model.
2. Compartmentalisation: Separate Your Worlds
One of the best ways to mitigate risk is to ensure that if one “compartment” of your life is breached, the others remain safe.
- Personal vs. Work: Keep your personal Netflix and social media passwords in a separate “vault” or account from your business banking and client portals.
- Encrypted Sharing: Never, ever send a password via email or SMS. If you need to share access with a freelancer or partner, use the “secure share” feature within your password manager. It’s encrypted, traceable, and you can revoke access instantly.
3. The Power of Passkeys
If 2026 is the year of anything in security, it’s the year of the Passkey. Passkeys are a “passwordless” login method. Instead of a secret phrase that can be stolen, they use biometrics (like FaceID) or a physical security key.
- Why they beat AI: An AI can trick you into typing a password into a fake site. It cannot trick your computer into providing a Passkey to a domain it doesn’t recognise. Passkeys are inherently phishing-resistant because the “secret” never actually leaves your device.
The Security vs. Convenience Trade-off
Let’s be real: the more secure you are, the more “annoying” your digital life becomes. If you have a high-risk profile, you might choose KeePass (which is local-only and very hard to hack, but lacks cloud syncing).
For the “Average Joe or Jane” running an SME, a managed service like Bitwarden is the sweet spot. It’s about not being “that person” who thinks it won’t happen to them. With AI, it’s no longer a matter of if you get a malicious link, but how many you get this week.
The Golden Rule: Don’t let convenience win. A small amount of friction today saves a massive amount of heartbreak tomorrow.