Long post, sorry, feel free to skip, this should probably be a blog, mea culpa.
I have a lot of mixed feelings about the entire security industry. Not because I’m “against security”, but because I worked in it 20 years ago. I got my start building and managing firewalls, IDSs, and even a honeypot or two. Then I worked in a PCI environment for years and saw how corrupt a system could get. We used to have to send screenshots of our servers showing that they met standards, but not all servers, just the ones that were “in scope”. And “in scope” could mean whatever we wanted it to mean, so if we knew there were systems that wouldn’t pass muster, those were conspicuously not in scope. I discovered that what passes for corporate security was actually a lot of meaningless busy work. (Cataloging threats, documenting mitigation steps, etc… doing that for every threat that comes out is a full-time job! Wait a minute…)
On the consumer side I’ve spent years watching security systems like antivirus, anti-malware, etc. screw up people’s machines while providing little to no tangible value. Security is an industry that thrives on fear. Watch out! Bad guys everywhere! Never been worse! Better buy my tool! Better hire me or your whole company will fail. Fear and ignorance push the security industry, and I find it hard to trust anyone selling me something by trying to scare me into it.
The other side of that coin is that some of the security industry’s shenanigans are based in fact. There are serious threats out there, and if you leave doors open where they shouldn’t be you put yourself and your company at risk. I can tail the logs of a public file server and see people trying to get in all day, mostly script-kiddies, automated systems knocking at every door they find, testing for known vulnerabilities. But, if you take security seriously from the start and build systems secure by default using current best practices you can sleep soundly at night.
Stay up to date, stay patched, don’t download anything you don’t know what it is. Stay away from sketchy websites. Be extremely careful opening any kind of attachment in an email or message. Know for sure who you are talking to. The rules aren’t that hard to follow. The main threat you have to watch out for is if software you are running that is publicly accessible has a remotely exploitable vulnerability allowing unauthorized execution of arbitrary code.
Also, my memory says it was way worse in the late ’90s, early 2000s when Windows 95 or XP was on everything and viruses and worms actually were everywhere and a real problem for everyday folks. We’ve learned a lot since then.