All these topics could be an extended conversation in and of themselves, but I wanted to at least provide this abbreviated cheat-sheet of my general guidelines. This isn't meant to be an exhaustive instruction on all the details and nuances of each step. I'd be happy to arrange a consulation if you're interested in discussing any of these points further:

1. Use strong passwords. This means a length of 8+ with a mixture of letters, capitalization, numbers, symbols, etc. Nothing that can come right out of a dictionary. Don't re-use passwords across multiple sites/services in case one gets hacked (many do every year), and password-managers can be particularly useful if you have trouble coming up with your own system to keep track. I use and can recommend Dashlane, which does cost $40/year but I consider it cheap insurance for the importance of the service it provides and the potential ramifciations of a data breach.
2. Use 2-factor (or "multi-factor") authentication whenever it's available. This added layer of security incorporates your cell phone to ensure that you are you and that if your password gets out there, someone can't just get into your accounts. Google, Facebook, and many banks now offer this.
3. Use good anti-virus software. There's still a place for quality anti-virus/malware software even as the common threats evolve into other forms. You needn't continue to pay the excessive yearly extortion fees asked by the software that got pre-installed on your computer (which was chosen due to deals made on a golf course, not based on merit or value). There are plenty of really good (and probably superior) options out there and several even have free versions. I can recommend Avira or Bitdefender, both have free options available.
4. Use an ad-blocker in your web browser. It's not nice to deprive legit sites of advertising revenue, but the unfortunate reality is that the third-party ad networks do horrible vetting of who advertises on them and result in a huge number of the infections that I see. Not to mention how the advertisements often go obnoxiously overboard, taking over a majority of what's on the screen and making reading the actual site content difficult. An ad blocker helps protect you from malicious/deceptive ads as well as speeds up your web experience.
5. Be wise against phishing. There's no technology silver-bullet here: you need to familiarize yourself with what "phishing" is, how to recognize it and protect yourself from being fooled by it. Many steps such as not following links in emails and instead typing in the website yourself explicity, hovering your mouse over links to identify where it's really going to, and having a careful, keep eye to watch out for deceptive typos in the links.
6. Secure your cell phone account. This goes hand-in-hand with 2-factor authentication. Contact your cell phone carrier and ensure that no changes (such as porting your number) can be made without a secret code or (better yet) you showing up in a store in-person with valid ID.
7. Be wary of public, unsecured wifi. Remember that if you connect to unsecured wifi, your traffic might be able to be snooped on. Many sites themselves use SSL ("https://" vs. "http://") but not all. And note that wifi that has you type in a password into a web browser before you can visit other sites is only protecting the business from unauthorized access... it is not encrypted and not protecting you. And another popular scam is for people to set up rogue, fake open wifi access points named like a legit nearby business to get you to connect to them and then snoop on your traffic. This is particularly a problem in airports and dense urban areas around commercial businesses.
8. Backup, backup, backup. Nothing can take the place of making good backups, on top of everything else. Have a backup method that works for you and finds the right balance for your data needs and risk concerns. You should also have at least one backup method that is "off site" and stores your data somewhere else far from where your computer normally is, in the case of theft or fire. And test your backups to ensure they are happening (if you set them up to be automatic).
9. Use credit cards vs. debit cards. Many people incorrectly believe that debit cards with a "VISA" or "Mastercard" logo provide the same protections and benefits as a real credit card. No matter what your bank or someone else may say, the law is quite clear on this. When dealing with with real credit cards, you're spending the bank's money and they are quite keep about protecting it and getting it back in the case of fraud. The wheels move a lot slower when there's fraud via a debit card and legally the protections you have are much, much less. Use a credit card for all your online purchasing (ideally, all your purchasing, as fraud can happen with physical access too), and make sure you have notifications set up to email/text you whenever a purchase is made. If you absolutely must use a debit card, set up a special, separate account and use your banking app to just move what cash you need at that purchase/day into the account. This will protect you against unexpected purchases as the funds won't even be there.
10. Watch your credit report. It's your responsibility to track your credit report and ensure there isn't incorrect information on there or fraud taking place. Luckily you can do this for free once a year at: https://www.annualcreditreport.com/