Stop Spreading “Hacklore”: What Small Businesses Should Really Do to Stay Secure


There is no shortage of cybersecurity advice for small and medium-sized businesses. Much of it is practical and easy to understand, even without a technical background. But some long-standing recommendations have not kept pace with modern technology, and a few are simply wrong. When outdated guidance continues to circulate, it distracts business owners from the actions that truly reduce risk.

At the Cyber Readiness Institute (CRI), our mission is to provide behavior-focused, practical resources that help SMBs strengthen their cyber readiness. As technology evolves, so must the advice. That’s why we update our Cyber Readiness Program regularly and publish new resources, including our latest Generative AI Guide. It’s also why we support the work of Hacklore.org, a group of security leaders committed to correcting persistent myths about digital risk. (CRI is a founding supporter.)

Below is a summary of common (but outdated) advice identified by Hacklore.org.

The Outdated Advice

  1. Avoid public Wi-Fi.
    Large-scale compromises via public Wi-Fi are exceedingly rare today. Modern websites and apps encrypt traffic with HTTPS (TLS), so someone else on the same open network can see which sites you connect to but not the content you exchange with them, and operating systems warn users about unsafe connections.
  2. Never scan QR codes.
    There is no evidence of widespread crime originating from QR-code scanning itself. The real risk is the same social engineering that arrives by email or text: being tricked into visiting a malicious site or sharing sensitive information after the scan.
  3. Never charge devices at public USB ports.
    There are no verified cases of so-called “juice jacking” affecting everyday users. Modern devices default to restricted charging modes and require user approval before enabling data transfer.
  4. Turn off Bluetooth and NFC.
    Wireless exploits typically require specialized equipment, close proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing.
  5. Regularly clear cookies.
    Deleting cookies does little to improve security or prevent modern tracking, which increasingly relies on techniques beyond cookies, such as browser fingerprinting.
  6. Frequently change passwords.
    Research, and current NIST guidance (SP 800-63B), shows that routine password changes do not meaningfully reduce risk. In fact, they often lead to weaker passwords and reuse across accounts, both of which increase vulnerability. Change a password when there is reason to believe it has been exposed, not on a calendar.

This advice focuses attention on unlikely threats while diverting energy from actions that meaningfully reduce real-world risk.

What Does Work

For most small businesses, the fundamentals remain the foundation of strong cybersecurity.

  1. Keep devices and applications updated.
    Enable automatic updates on the systems you use to access email, financial accounts, cloud storage, and identity-related apps. Security patches fix known vulnerabilities.
  2. Enable multi-factor authentication (MFA).
    Protect high-value accounts (email, financial systems, file storage, and social media) with MFA. Where available, use passkeys: they are based on public-key cryptography (FIDO2/WebAuthn) and are bound to the legitimate site's domain, so a lookalike phishing page cannot use them. Authenticator-app codes are a good fallback. SMS codes are better than nothing but should be a last resort, since text messages can be intercepted or redirected through SIM swapping.
  3. Use strong passphrases.
    A strong passphrase is long (at least 16 characters), unique to each account, and randomly generated. Reusing passwords dramatically increases risk because a breach on one site can compromise others. Four or five unrelated words chosen at random (not a phrase you made up, which is far more predictable) are easier to remember than a jumble of characters and are comfortably over the 16-character mark.
  4. Use a password manager.
    Password managers generate strong passwords, store them securely, and automatically fill them in only on the site each credential was saved for. That last behavior is real phishing protection: a lookalike page on a different domain gets nothing, no matter how convincing it looks. Protect your password manager with a strong master passphrase and MFA, since it safeguards all your credentials.
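
The phishing resistance described for passkeys (item 2) and password-manager autofill (item 4) comes from the same mechanism: the credential is tied to the legitimate site's host name, and software compares that string exactly, where a person compares how the page looks. The following added example (not CRI's or Hacklore.org's code) implements both checks in simplified form against constructed sample URLs. The hypothetical `manager_should_fill` rule matches the exact host; the hypothetical `passkey_usable` rule follows the WebAuthn relying-party-ID idea that the page host must equal the registered domain or be a subdomain of it.

```python
"""Added example (not from the original article): why password-manager
autofill and passkeys do not hand credentials to lookalike sites.
All URLs below are constructed sample inputs."""
from typing import Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Lower-cased host of an https URL, or None if the URL is not https.

    Refusing cleartext pages is deliberate: a credential saved for an
    https site should never be offered to an http page of the same name.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    return parts.hostname  # urlsplit already lower-cases the host


def manager_should_fill(saved_site: str, current_url: str) -> bool:
    """Password-manager rule (simplified to exact-host matching; real
    managers usually match on the registrable domain instead).

    'www.paypal.com.login-secure.example' and 'www.paypa1.com' are
    different strings from 'www.paypal.com', so nothing is filled,
    even though a human may read them as the same brand.
    """
    saved = host_of(saved_site)
    current = host_of(current_url)
    return saved is not None and current is not None and saved == current


def passkey_usable(rp_id: str, current_url: str) -> bool:
    """Simplified WebAuthn rule: a passkey registered for relying-party ID
    `rp_id` may be used when the page host equals rp_id or is a subdomain
    of it. The leading dot in the suffix test is what stops
    'paypal.com.evil.example' and 'notpaypal.com' from qualifying.
    """
    host = host_of(current_url)
    if host is None:
        return False
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    # Constructed phishing-style candidates next to the real site.
    saved = "https://www.paypal.com"
    candidates = [
        "https://www.paypal.com/signin?locale=en",
        "https://www.PAYPAL.com/",                  # case differs only
        "https://www.paypal.com.login-secure.example/",
        "https://www.paypa1.com/",                  # digit 1 for letter l
        "https://www.p\u0430ypal.com/",             # Cyrillic 'a' homoglyph
        "http://www.paypal.com/",                   # cleartext downgrade
    ]
    for url in candidates:
        print(f"fill={manager_should_fill(saved, url)!s:5}  "
              f"passkey={passkey_usable('paypal.com', url)!s:5}  {url}")
```

Run it and note that the two lookalike hosts and the cleartext URL are rejected by both rules, while the case-only difference is accepted: host names are case-insensitive, and the comparison is done after normalization rather than on what the user sees.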

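Item 3 says a passphrase should be long and randomly generated. The added example below (not CRI's or Hacklore.org's code) shows what "randomly generated" buys you by measuring strength in bits of entropy rather than characters, and why a word list must be large. The 32-word list is a constructed sample so the script runs offline; the 7,776-word figure used for comparison is the size of a typical diceware-style list, and the function names are this example's own.

```python
"""Added example (not from the original article): generating passphrases
with a cryptographic random source and measuring their strength in bits.
SAMPLE_WORDS is a constructed list, far too small for real use."""
import math
import secrets

# Constructed sample list: 32 words = 5 bits per word. A real generator
# uses thousands of words (a 7,776-word list gives about 12.9 bits each).
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "acorn", "bramble", "cobalt", "dagger", "eagle", "fjord",
]

ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent, uniformly
    random picks out of `choices_per_symbol` options: n * log2(choices).

    This formula only holds when every pick is genuinely random. A phrase
    a person makes up ("my dog likes walks") has far less entropy than
    its word count suggests, which is why the advice says *generated*.
    """
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words, count: int = 5, sep: str = "-") -> str:
    """Pick `count` words with the `secrets` CSPRNG. Do not use the
    `random` module for secrets: it is a predictable, non-cryptographic
    generator."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Random character password from `alphabet`, same CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_length_rule(secret: str, minimum: int = 16) -> bool:
    """The article's floor: at least 16 characters."""
    return len(secret) >= minimum


def compare_strength(wordlist_size: int = 7776, words: int = 5,
                     password_len: int = 16) -> dict:
    """Bits of entropy for a word-list passphrase versus a random
    alphanumeric password of the article's minimum length."""
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, words), 1),
        "password_bits": round(entropy_bits(len(ALNUM), password_len), 1),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("passphrase:", phrase, "| long enough:", meets_length_rule(phrase))
    print("bits from the 32-word sample list:",
          entropy_bits(len(SAMPLE_WORDS), 5))          # only 25 bits
    print("bits with a 7,776-word list vs 16-char password:",
          compare_strength())
    print("password:", generate_password())
```

The numbers are the point: five words from a 7,776-word list give about 64.6 bits, comparable to a long random password and far more than the 25 bits the toy list provides, even though both passphrases look equally long on screen. Length is easy to check; randomness and list size are what make the length mean something.
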
Conclusion

We urge business leaders, communicators, and policymakers to stop amplifying “hacklore” (catchy but inaccurate cybersecurity advice) and instead promote guidance that is accurate, proportional, and actionable. By focusing on the fundamentals that truly matter, organizations can reduce real risk without unnecessary fear or friction.

CRI joins Hacklore.org in standing ready to help employers, public agencies, and media outlets share cybersecurity advice grounded in today’s realities.