Hacklore and Advice to Non-Technical People

@boblord
2 min read · Feb 19, 2024


I frequently speak out against what I call hacklore, those scary urban legends about cybersecurity that we can’t seem to shake. You know, the things that “everyone knows” you should do to avoid getting hacked, even if there have been no credible cases of people getting compromised that way for the past 5–10 years.

People get hacked every second. Just not that way.

Further, I argue that if I’m wrong about any particular piece of advice, the industry’s approach should be to pressure the few responsible software makers to fix their defective products rather than to issue endless PSAs to hundreds of millions of people. We’ve tried that for decades with no luck! If there are chronic software defects, let’s articulate the technical issues and demand the software manufacturers address them. <ASMR_voice>Secure by Design…</ASMR_voice>

Eventually people resort to the argument that it’s better to be safe than sorry so they want to continue to promote the hacklore. They ask, “What’s the harm‽”

My answer: Promoting hacklore is actively harmful.

Why? It’s been my experience that no matter what people tell you, they are unwilling to spend a few hours per month to keep their devices and online accounts secure. They are also unwilling to spend a few hours per year to stay safe. No matter what they tell you, most people are only willing to spend a few minutes per year to stay safe. No. Matter. What. They. Tell. You.

Every piece of advice you give them that takes away from the most impactful advice is harmful. When you give them advice on how to avoid attacks that are significantly more rare than lightning strikes (or that never happen in the wild), you are stealing mental bandwidth from advice that is directly responsive to the way the hacks actually work.

Ask yourself: If you had 20 minutes per year to work with someone to keep their digital lives safe, what would you teach them? To avoid cafe wi-fi, QR codes, and airport charging stations? Or to use MFA, update their operating systems and apps, and to use a password manager?

Let’s get better as an industry and leave the scary ghost stories for the campfire.

More thoughts here:



@boblord

Former security executive for places like @TheDemocrats, Yahoo, Twitter