
Some of the biggest myths about hacking have been challenged in a new open letter from leading cyber experts.
The letter, signed by a group of current and former Chief Information Security Officers (CISOs), security leaders, and practitioners, aims to correct common misconceptions about the everyday digital risks facing people and small businesses. It also highlights the practical steps that actually make a difference to device security.
As the national body for cyber clusters, the UKC3 is working with regional ecosystems, government and industry to turn evidence-based advice into accessible guidance, workshops and support for SMEs across the UK.
The open letter is led by Bob Lord, former security chief for Yahoo, Twitter and the Democratic National Committee, who says he has long been frustrated by what he terms ‘hacklore’ – scary-sounding security tips that persist through repetition, even when evidence does not back them up.
He has launched hacklore.org to challenge this kind of cybersecurity folklore, arguing that it distracts people from the simple, proven steps that genuinely cut everyday cyber risk.
Top of the myth list is the idea that you should always avoid public wifi. While a recent report from Google warned that public networks are easily exploited, the experts point out that large-scale attacks via public wifi are now very rare.
Modern apps and services typically use strong encryption, and today’s operating systems and browsers warn users when connections are unsafe.
The letter makes similar points about QR codes, Bluetooth and contactless functions, noting there is no evidence of widespread crime caused by QR-code scanning itself, and that real-world wireless exploits are extremely rare and usually require specialist equipment, physical proximity, and unpatched devices.
The experts also push back on some long-standing ‘best practice’ tips. Frequently changing passwords, for example, can encourage people to choose weaker options and reuse them across accounts – both of which increase risk rather than reduce it.
Other familiar warnings, such as never using public USB charging points, always turning off Bluetooth and NFC, or constantly clearing cookies, are also labelled as distractions from higher-impact protections.
Instead, the experts recommend focusing on a small set of proven measures: keeping devices and apps up to date, turning on multi-factor authentication for sensitive accounts, and moving towards passkeys – a newer sign-in method designed to replace passwords.
They also stress the value of using a reputable password manager to generate strong, unique passwords where needed and to store passkeys securely.
UKC3 co-chair Dr Ismini Vasileiou said: “It’s easy to be overwhelmed by alarming headlines and mixed messages, but most people don’t need to be afraid of everyday tools like public wifi or QR codes.
“What really counts is getting the basics right – keeping devices up to date, switching on multi-factor authentication, and using strong, unique login details. If more individuals and small businesses focused on those simple actions, we’d see a much bigger increase in real-world cyber resilience.
“Alongside this, the programmes and events delivered by our clusters are specifically designed to help organisations of all sizes reduce risk and build resilience. By taking part, leaders can access practical support, ask questions in a safe space, and leave with clear, realistic next steps to strengthen their defences.”
