Cyber security questions (from a naive Canadian)

One other thing that’s relatively easy to do is set your home router up with specific network SSIDs for separate purposes… Set one up (probably your 2.4 GHz band) as IoT only, so your garage opener app or other home automation equipment doesn’t compromise your whole home. Set up a separate network with a different SSID and password for your computers.

And choose your backup solution carefully, because in the case of ransomware, backups can get polluted with the same malware you’re trying to escape from - and so you restore the backup, only to find that your files are encrypted all over again (or worse, the server doing the backup also gets infected and encrypted).

There are ways to mitigate that risk in a managed network; these broadly work by giving the backup service read permission to get to your files and pull them for backup, but not giving your machine or account any write permissions to ‘push’ data up to the backup server.

To the broader question of state-mandated cyber security, the UK has the National Cyber Security Centre (https://www.ncsc.gov.uk/), which runs a pretty damn rigorous security improvement and accreditation programme called ‘CyberEssentials’. However, some of their recent advice has been striking me as a bit weird - for example, they now recommend that user passwords should not be subject to expiry any more, because that causes people to choose more easily guessable passwords and behave in other unsafe ways. I’m not completely sure I accept that, even though they are supposedly an authority in this arena.
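The pull-and-version backup model described above, as an added example (not the poster’s code and not any backup product’s): the backup host pulls from the client, the client has no path that writes into the backup root, each pull produces a complete snapshot with unchanged files hard-linked to the previous one, and before anything is pruned the live tree is compared with the last good snapshot so that a pull of freshly encrypted files is noticed instead of silently ageing the clean copies out. The paths, snapshot labels, the 50 % changed-files threshold and the 7.0 bits/byte entropy threshold are assumptions; the sample files are constructed.

```python
import hashlib
import math
import os
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def entropy_bits_per_byte(data):
    """Shannon entropy of a byte string: documents sit around 4-5 bits/byte,
    encrypted or compressed output close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pull_snapshot(src, backup_root, label):
    """Pull `src` into backup_root/<label>/ (labels must sort chronologically).
    Files unchanged since the previous snapshot are hard-linked to it, in the
    style of rsync --link-dest, so every snapshot is a complete tree but only
    changed data costs space. Runs on the backup host; the client never writes here."""
    src, backup_root = Path(src), Path(backup_root)
    previous = sorted(p for p in backup_root.glob("*") if p.is_dir()) if backup_root.is_dir() else []
    prev = previous[-1] if previous else None
    dest = backup_root / label
    dest.mkdir(parents=True)
    for f in src.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(src)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev is not None else None
        if old is not None and old.is_file() and sha256_file(old) == sha256_file(f):
            os.link(old, out)        # unchanged: share the previous snapshot's inode
        else:
            shutil.copy2(f, out)     # new or changed: store a fresh copy
    return dest


def ransomware_suspected(last_good, src, changed_fraction=0.5, entropy_threshold=7.0):
    """Run this BEFORE pruning old snapshots. A large share of files rewritten with
    high-entropy content since the last good snapshot is what encryption in progress
    looks like; if it fires, keep the history and get a human to look."""
    last_good, src = Path(last_good), Path(src)
    files = [f for f in src.rglob("*") if f.is_file()]
    if not files:
        return False
    hits = 0
    for f in files:
        old = last_good / f.relative_to(src)
        changed = not old.is_file() or sha256_file(old) != sha256_file(f)
        if changed and entropy_bits_per_byte(f.read_bytes()) >= entropy_threshold:
            hits += 1
    return hits / len(files) >= changed_fraction


def demo():
    """Constructed scenario (assumed paths): a normal edit, then every file
    replaced with random bytes standing in for ciphertext."""
    root = Path(tempfile.mkdtemp())
    src, backups = root / "client", root / "backups"
    src.mkdir()
    for i in range(4):
        (src / f"doc{i}.txt").write_text("quarterly report " * 200 + str(i))
    s1 = pull_snapshot(src, backups, "snap-001")
    result = {"clean_after_first_pull": not ransomware_suspected(s1, src)}
    (src / "doc0.txt").write_text("edited: " + "quarterly report " * 200)
    s2 = pull_snapshot(src, backups, "snap-002")
    result["unchanged_file_hardlinked"] = (
        os.stat(s1 / "doc1.txt").st_ino == os.stat(s2 / "doc1.txt").st_ino)
    result["clean_after_normal_edit"] = not ransomware_suspected(s2, src)
    rng = random.Random(1)  # deterministic stand-in for encrypted output
    for i in range(4):
        (src / f"doc{i}.txt").write_bytes(rng.randbytes(4096))
    result["flagged_after_encryption"] = ransomware_suspected(s2, src)
    result["history_intact"] = (s1 / "doc0.txt").read_text().endswith("0")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed on the backup side: the client can be fully compromised and still has nothing it can delete or overwrite in `backups/`, and the encrypted pull lands in a new snapshot next to the clean ones rather than on top of them.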

Somewhat straying from the topic of the OP, but to address this, frequent password changes have long been questioned by those in the security community. It’s taken a long time to overcome habit on those.

I can’t find it right now but someone traced the history on the “90 day password expiration” concept back to its source, and it was highly questionable, based on some non-computer guidance or something.

The agency I work at just changed the policy to “Don’t enforce 90 day password changes on regular user accounts” which seems okay, especially since we log on with smart cards and every 90 days I had to have my password reset because I couldn’t remember it, just to change it right then and there. Of course, they don’t have smart card logon set up right, so it’s stupid to begin with.

However, one only needs to watch the scene in Return of the Jedi where the good guys use an “old code but it checks out”. If the Empire changed their codes every 90 days, this wouldn’t have happened :slight_smile:

The 90-day policy was based on the idea that a complex password discovery - dictionary attack with characters added to the end, hitting all possibilities - could take weeks and months. If your password changes before they finish finding a match then the work is wasted. A dictionary attack involves getting a copy of the SAM - the local database of encrypted passwords - and running a comparison between its contents and encrypting each word in the dictionary using the same algorithm. To do so, you already need admin access on the box, so this would typically only be useful to try to discover passwords of others who have logged on - especially the domain administrator. Also, modern PCs probably don’t need 90 days to do a decent level of encryption testing. And - the other point is with the text-a-code process, decoding the password is relatively useless if the hacker doesn’t also have the one-time-good-for-a-minute code texted to the phone.

Unfortunately the 90-day change and don’t-recycle-10-passwords policy typically leads to predictable passwords - “GetMeIn01”, “GetMeIn02”, “GetMeIn03”, …

I dropped mandatory password changes this summer, but we rolled multi factor authentication out a couple of years ago after my partner had his email compromised.

I am now at the point that if a customer does not want to enable MFA I’ll get them to sign a release form to cover my own ass.

No, it wouldn’t – wouldn’t even have been necessary – the good guys could just have looked at the code written on a Post-it note under the keyboard.

I once had to do computer maintenance which was frequently done when the employee wasn’t at their desk – over lunchtime or meetings. Often we would arrive to do this, and find that the employee had password locked their system. I was soon clued-in by an old-timer that there were 4 places* to look to find their password, and this worked for about 80% of employee workstations.

  • The 4 places are:
  1. a Post-it note under the keyboard
  2. Written on the last page of their desk calendar
  3. a note taped on the slide-out desk shelf
  4. a paper note in the pencil tray of their desk

Good point. Little known fact, if you zoom in on the Emperor’s hand, you can see he has the Death Star’s root password written there.

Another thing you can do is set your router to not allow any new devices to connect to it until you give it the okay. That’s how my work (and home) networks are set up and the PCI-DSS people are happy with it. If you try to connect any new (wired or wireless) device to my network, I have to go in to the router, find the device and specifically allow it, otherwise it remains blocked.
It is a PITA when you forget that you have that turned on. I’ve spent more time than I care to admit troubleshooting new devices that seem connected but aren’t behaving like they are, until I remember to tell the router to allow them on the network.

It seems to me that wouldn’t always work. The only way it would work is if the new password is changed to one that the attacker has already attempted (and won’t try again). It seems just as likely that you could change it to one that the attacker still hasn’t guessed yet.
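An added example, not from any poster, that models three things said in this thread: the offline dictionary-plus-suffix attack against a dumped credential store, the “GetMeIn01 → GetMeIn02” rotation pattern, and the reply above that a mid-attack password change only wastes the attacker’s work if the new password falls inside the candidates they have already passed. The store holds hashes rather than reversible ciphertext; a real SAM holds NT hashes (MD4 over UTF-16LE), and SHA-256 is substituted here only because it is available everywhere. The wordlist, the usernames, the passwords and the guess order are constructed assumptions.

```python
import hashlib
import itertools
import string


def hash_pw(pw):
    # Stand-in for the store's hash function (assumption: unsalted, fast).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample store: username -> password hash.
SAMPLE_STORE = {
    "alice": hash_pw("Welcome1"),
    "bob": hash_pw("getmein07"),
    "admin": hash_pw("Tr0ub4dor&3"),  # outside the dictionary space below
}

WORDLIST = ["password", "welcome", "letmein", "getmein", "summer", "dragon"]


def candidates(wordlist, max_digits=2):
    """The attacker's guess order: bare words (three case variants), then each
    word with 1..max_digits digits appended. Cheapest mangling first."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
    for n in range(1, max_digits + 1):
        for word in wordlist:
            for base in (word, word.capitalize()):
                for digits in itertools.product(string.digits, repeat=n):
                    yield base + "".join(digits)


def crack(store, wordlist, max_digits=2):
    """Offline dictionary attack on a dumped store: hash each candidate once and
    look it up against every stored hash (unsalted hashes let one guess test all
    accounts). Returns (recovered passwords by user, number of guesses hashed)."""
    targets = {hv: user for user, hv in store.items()}
    found, guesses = {}, 0
    for cand in candidates(wordlist, max_digits):
        guesses += 1
        user = targets.get(hash_pw(cand))
        if user is not None:
            found[user] = cand
            if len(found) == len(store):
                break
    return found, guesses


def guesses_to_hit(password, wordlist, max_digits=2):
    """1-based position of `password` in the attacker's guess order, or None if
    the attack never generates it."""
    for i, cand in enumerate(candidates(wordlist, max_digits), start=1):
        if cand == password:
            return i
    return None


def rotation_defeats_attack(new_pw, guesses_done, wordlist, max_digits=2):
    """Model of the rotation argument. The attacker had hashed `guesses_done`
    candidates when the user switched to `new_pw`, re-dumped the store and
    carried on from where they left off (assumption: they do not restart).
    The change only wastes their work if new_pw lies in the span they already
    passed, or outside the space they will ever search."""
    pos = guesses_to_hit(new_pw, wordlist, max_digits)
    return pos is None or pos <= guesses_done


def next_in_sequence(cracked_old):
    """The predictable-rotation pattern: once one password with a trailing
    counter is known, the next one is a single guess. Returns None if the old
    password has no digit suffix."""
    stem = cracked_old.rstrip(string.digits)
    digits = cracked_old[len(stem):]
    if not digits:
        return None
    return stem + str(int(digits) + 1).zfill(len(digits))


if __name__ == "__main__":
    found, n = crack(SAMPLE_STORE, WORDLIST)
    print(found, "after", n, "guesses")
    print("Welcome1 hit at guess", guesses_to_hit("Welcome1", WORDLIST))
    print("change to Welcome2 after 60 guesses helps:",
          rotation_defeats_attack("Welcome2", 60, WORDLIST))
    print("change to Welcome2 after 40 guesses helps:",
          rotation_defeats_attack("Welcome2", 40, WORDLIST))
    print("after GetMeIn01 try:", next_in_sequence("GetMeIn01"))
```

With this toy wordlist the whole two-digit-suffix space is 1338 hashes, which any machine finishes in well under a second; the 90-day window only ever mattered when the search space was large relative to the hardware, and `rotation_defeats_attack` shows the window helps only when the new password happens to land behind the attacker’s cursor.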