The Security Editor


Security is a practice, not a product

Setting up MFA, encrypting your disk, and running a password manager once is not the end of the story. Accounts drift, software rots, vendors change. Here's what maintenance actually looks like — and the annual rituals that separate real security from a snapshot.

By Alex Trustwell 6 min read beginner
On this page
  1. Why security drifts
  2. What maintenance looks like, concretely
  3. The annual review (one hour, once a year)
  4. Triggered updates (do these when they happen)
  5. Quick weekly habits
  6. The practice, not the product, principle

Most people treat personal security as a setup task. You read an article, you turn on two-factor authentication, you install a password manager, you feel good, and you stop. A year later, your recovery email is still a Yahoo account you never check, your password manager contains three Dropbox entries for three accounts you don’t remember, your phone has eleven authenticator app codes from services you stopped using, and you haven’t restored a single file from a backup since the setup day.

None of that is a character flaw. It’s the default. Security is an ongoing practice, and treating it as a product you bought and installed is how even well-intentioned setups end up meaningless a year later.

Why security drifts

There is no version of a personal security setup that stays correct without attention. Drift is built into how the pieces work:

  • You sign up for services. Every new account is another credential set, another recovery email, another permission boundary. Over a year, most people sign up for dozens of new services, and each one is another place your credentials and recovery data live.
  • Services change their security model. Providers roll out new features (passkeys, hardware-key support, new MFA options) and quietly deprecate old ones (SMS-only 2FA, legacy app passwords). Your account stays on whatever you configured — often the older, worse option — until you update it.
  • Vendors are acquired, merged, or sunset. Password managers get acquired. Browser extensions change ownership. Cloud providers shut down services. A perfectly-configured account with an abandoned vendor is not a secure account.
  • Your life changes. New job, new phone, new laptop, new country, new relationship status. Each change quietly invalidates some of your previous assumptions — your recovery email is with a now-ex-partner; your 2FA codes were on the phone you just sold.
  • Software rots. Even software you installed correctly drifts: an extension you trusted gets sold and updated to include tracking; a package you depend on stops receiving security patches.
  • Attackers learn. The MFA that felt sufficient three years ago (SMS codes, TOTP codes, push approvals) is now routinely relayed in real time by adversary-in-the-middle phishing kits; only hardware keys and passkeys bind the login to the real site. Defenses that were enough five years ago may not be enough now.

None of this is dramatic. It is the normal background entropy of a digital life. The discipline of noticing it and correcting it is what turns “I set things up securely once” into “I am actually secure today”.

What maintenance looks like, concretely

Good security maintenance is boring. It is a set of small periodic tasks, scheduled, done, checked off. NIST’s Cybersecurity Framework calls this continuous monitoring and improvement; ISO 27001 calls it continual improvement. For a personal or small-business setup, it is a one-hour annual review plus a handful of triggers.

The annual review (one hour, once a year)

Put this on your calendar. Pick a memorable date — an anniversary, the start of a new fiscal year, the weekend after your birthday — and keep it.

  1. Password manager audit. Open the password manager. For every entry:
    • Is it a service you still use? If not, delete the password after closing the account at the service.
    • Is the password unique? The manager can usually flag reuse.
    • Is the password long enough by current standards (16+ chars random, or 5+ word passphrase)? Rotate if not.
    • Does the entry have MFA set up? Note the ones that don’t.
  2. Multi-factor review. For each important account (email, cloud storage, banking, tax, work SSO, password manager itself):
    • Is MFA enabled? Is it phishing-resistant (hardware key or passkey), or is it still SMS/TOTP?
    • Are backup codes printed and stored somewhere sensible?
    • Is the recovery email address still current and protected?
  3. Active sessions and devices. On each major account (Google, Apple, Microsoft, etc.), view the list of signed-in devices. Sign out any you don’t recognize or no longer use.
  4. Connected apps / third-party integrations. Every major provider has a “third-party apps with access to your account” page. Review and revoke anything you don’t actively use.
  5. Shared links audit. For every cloud storage account, look at your list of shared links. Delete anything older than its intended lifetime.
  6. Backup restore test. Pick one random file from a backup taken months ago. Restore it. If it works, move on. If it doesn’t, you have just discovered a problem while the house is not on fire — the best possible time.
  7. Device patching. Confirm auto-updates are enabled on every device. Manually check for updates on anything that doesn’t auto-update (your router, your NAS, printers, IoT).
  8. Vendor health check. For each security-critical vendor (password manager, backup service, cloud storage, VPN if you use one), skim recent news. Are they still well-regarded? Have they had a breach? Has ownership changed? Any vendor that has deteriorated is one to plan to migrate from.

That’s the full review. With practice, it takes an hour.
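Step 1 of the review (the password manager audit) is the one most worth automating, because most managers can export a CSV and the checks are mechanical: the same password in more than one entry, passwords below the length bar, entries with no MFA. The script below is an added example written for this article, not code from the article’s author or from any password manager. It assumes a constructed export layout with the columns name,url,username,password,totp (real exports differ; rename the columns to match yours) and treats an empty totp column as “no MFA recorded in the manager”, so accounts protected by a hardware key or a separate authenticator app will show up as needing a manual check. The report never echoes a password: entries are named, and reuse is computed on a hash of the password rather than the password itself.

```python
"""Annual-review audit of a password-manager CSV export.

Added example, not the article's or any vendor's code. Assumes the export has
the columns name,url,username,password,totp (constructed layout). The sample
export below is invented for the demonstration and contains no real accounts.
Run the export through `audit()` and delete the export file afterwards; it is
plaintext credentials.
"""
import csv
import hashlib
import io
import re
from collections import defaultdict

MIN_RANDOM_LEN = 16        # "16+ chars random" from the checklist
MIN_PASSPHRASE_WORDS = 5   # "5+ word passphrase" from the checklist

# Constructed sample export (not a real one). Secrets here are throwaway values.
SAMPLE_EXPORT = """name,url,username,password,totp
Email,https://mail.example.com,alex,correct-horse-battery-staple-orbit,JBSWY3DPEHPK3PXP
Bank,https://bank.example.com,alex,Tr0ub4dor&3,
Old Forum,https://forum.example.net,alex,Tr0ub4dor&3,
Cloud storage,https://drive.example.com,alex,x7K#mP2v!qL9@wR4bN1z,
Tax portal,https://tax.example.gov,alex,v8&Bq2!nL5@k,JBSWY3DPEHPK3PXP
"""


def is_passphrase(pw):
    """True if pw is 5+ alphabetic words separated by spaces or hyphens."""
    words = re.split(r"[ \-]+", pw.strip())
    return len(words) >= MIN_PASSPHRASE_WORDS and all(w.isalpha() for w in words)


def is_strong_enough(pw):
    """Checklist rule: 16+ characters, or a 5+ word passphrase."""
    return len(pw) >= MIN_RANDOM_LEN or is_passphrase(pw)


def audit(csv_text):
    """Return {'reused': [[names...]], 'weak': [names], 'no_mfa': [names]}.

    Reuse is detected by grouping entries on a SHA-256 of the password so the
    grouping key, not the password, is what ends up in any log or report.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_hash = defaultdict(list)
    findings = {"reused": [], "weak": [], "no_mfa": []}
    for r in rows:
        pw = r["password"]
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_hash[digest].append(r["name"])
        if not is_strong_enough(pw):
            findings["weak"].append(r["name"])
        if not (r.get("totp") or "").strip():
            findings["no_mfa"].append(r["name"])
    for names in by_hash.values():
        if len(names) > 1:
            findings["reused"].append(sorted(names))
    return findings


def report(findings):
    """Human-readable summary; names only, never secrets."""
    lines = []
    for group in findings["reused"]:
        lines.append("REUSED password across: " + ", ".join(group))
    for name in findings["weak"]:
        lines.append("WEAK password (below length/passphrase bar): " + name)
    for name in findings["no_mfa"]:
        lines.append("NO MFA recorded, check manually: " + name)
    return "\n".join(lines) if lines else "No findings."


if __name__ == "__main__":
    print(report(audit(SAMPLE_EXPORT)))
```

On the sample export the script flags Bank and Old Forum for sharing a password, Bank, Old Forum and Tax portal as too short, and Bank, Old Forum and Cloud storage as having no MFA recorded. The point of the hash-based grouping is that you can paste the report into your review notes without ever copying a password out of the manager; the CSV itself should be deleted (securely, where the filesystem supports it) as soon as the audit is done.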

Triggered updates (do these when they happen)

Some updates don’t wait for the annual review. Act on them when they occur:

  • You get a new phone. Move or re-enroll your authenticator app codes while you still have the old phone (re-scan each service’s MFA setup, or use the app’s transfer feature), re-sign in to services, and only then wipe the old phone before sale or recycling.
  • You get a new laptop. Set up full-disk encryption from day one. Move credentials via your password manager, not by typing them. Do not import browser passwords casually — that is an infostealer’s favorite target.
  • You change jobs. Audit which personal accounts have work email as a recovery address, and switch them. Close any work-adjacent personal accounts you won’t have access to anymore.
  • A vendor has a breach. Rotate passwords for that vendor (and anywhere you reused them — if you’ve been using a manager, that should be nowhere). Terminate sessions. Watch for follow-on phishing over the following months.
  • A relationship ends. Joint accounts, shared subscriptions, shared Apple/Google families, recovery contacts. All need re-evaluation, often urgently.
  • A technology deprecation. When a vendor announces a feature is being removed (SMS 2FA, legacy protocols, specific TLS versions), confirm your setup no longer depends on it.

Quick weekly habits

A few practices worth making automatic:

  • Update prompts are not interruptions; they are maintenance. Install OS and browser updates within a few days of release.
  • Lock your screen every time you walk away. It’s a three-second habit that closes a category of opportunistic risks.
  • When you install something, ask what permissions it wants. A menu-bar utility does not need “Full Disk Access”.

The practice, not the product, principle

Every time a reader asks “what’s the best password manager / MFA app / backup service / VPN?”, the implicit assumption is that choosing the right product is the hard part. The hard part is actually using the product well, over time, as your life and the technology around you change. A mediocre password manager used with discipline will protect you better than the best one forgotten about after setup.

This is true of every specific control we have written articles about. Full-disk encryption is only useful if the recovery key is still findable. E2EE is only useful if you haven’t been tricked into signing in on a compromised device. Backups are only useful if the retention still matches what you care about and you have ever restored from them. A threat model is only useful if it gets revised when your threats change.

The individual articles on this site are about the products and the controls. This article is about the habit around them — the thing that turns a set of controls into actual security. Without it, the rest ages into decoration.

One hour a year. Put it on the calendar. You will thank yourself.

Sources

  1. NIST Cybersecurity Framework (CSF) 2.0
  2. ISO/IEC 27001:2022 — Information security management systems
  3. CISA — Shields Up guidance
  4. NIST SP 800-53 Rev. 5 — Security and Privacy Controls (continuous monitoring family)