Most places use passwords as the main method for authenticating yourself. Make sure your password has at least 12 characters, isn't easily guessable, and use different passwords on every site. You can write those passwords down on a sheet of paper and store it in a safe, or save them in a password vault, but don't use a post-it note in a public place or an Excel sheet on your desktop.
Two-factor authentication simply means that you use 2 different ways to authenticate yourself, usually your password and a PIN code. Many sites now offer this option and it's well worth using, since it means no one will be able to impersonate you even if they guess or steal your password. All you need to do is install the Google Authenticator on your mobile phone and use it on any web site that offers it. They usually offer recovery codes for in case you lose your phone.
One method many sites offer is to send you a PIN over SMS as a second factor. If that's the only method they offer, it's better than nothing. But if you can use an authenticator app instead, that is much more secure. Mobile operators are notoriously insecure and could give out your number to anyone with only basic information about you, which means they could receive that PIN to their phone. For services that offer both, such as Gmail, you may need to go in and manually deactivate the SMS option so that it requires the app. Just make sure you save your recovery codes in a secure location.
Most services offer email based account recovery. This means that anyone who controls your email account could reset your password on a multitude of other sites, including perhaps, your bank account. Consider using one email account for public communications, and one secret email account just for signing into important sites.
This should be an obvious one by now, but even if the email looks like it's from a service you use, never click links in emails. If the email says you should go log into your bank account, then open your bank's website yourself and login from there, as opposed to clicking the link. Similarly, if someone calls you and says they are from your bank and starts asking details, hang up and call your bank's number yourself. It's the same principle, going to a known good location rather than taking someone else's word that they are who they say they are.
Software updates can be a pain, especially on desktops, but they include important security patches. Most viruses rely on outdated software to find a way in, and once you're infected, it's very hard to get rid of. Sometimes you don't even need to do anything at all to get infected, like clicking links or running software, if your system is out of date. Basic OS features like file sharing can have bugs which allow viruses in if left unpatched.
These days most software packages are signed. This is especially true on Windows, where double-clicking an installer will show you a popup with information about who created this software. Pay attention to the digital signature. If you downloaded a well known package and it says there is no digital signature, or it's been created by some unknown person, this should raise a red flag. A Microsoft package should say it's been signed by Microsoft, Adobe Photoshop by Adobe, etc. On mobile, you trust Apple or Google to approve software for you, so be careful if you install apps from somewhere other than the App Store or Google Play Store.
Should the worse happen, make sure you backup your files in at least 2 separate locations, one offline and one remote. This can be as simple as copying your important files to a second hard disk and a USB key, then sending the key to a friend, but consider using professional backup software so it's done automatically and you don't forget. Also, remember to routinely test your backups, since if you can't restore your files, your backup is worthless.
Whether you post something on social media, use a cloud service, or a simple web mail service, you need to know who has access to your data and what they will do with it. Be aware that social networking sites make their money by scanning and sharing your information, that cloud services have employees that have some types of access to your files, and email is literally the digital equivalent of a postcard. If you have sensitive information that you want to store online, place it in an encrypted container first, such as an AES encrypted 7-Zip file. That way regardless of who gains access to your data, unless they can break your encryption key they will not be able to see your stuff.
Treading lightly and being aware of what you do is key to being secure online, but that's doubly true when traveling. Custom officers can and do ask people to let them access your tech devices. They will look through your messages, cloud services, social media, and anything else that happens to be installed on your phone or laptop. Consider cleaning up your devices before traveling, disable the fingerprint scanner so only the PIN will unlock your phone, and if you have very sensitive information, keep it off any device you travel with.