Released on Nov-24-2025
For the public, employers, journalists and policy makers:
We are a group of current and former chief information security officers (CISOs), security leaders, and practitioners who have seen how compromises happen in the real world in industry, academia, and government. We write to correct a set of persistent myths about digital risk for everyday people and small businesses (as opposed to high-risk individuals) that continue to circulate widely online and in public advice columns.
Old advice
Specifically, we aim to retire the following outdated advice:
- Avoid public WiFi: Large-scale compromises via public WiFi are extremely rare today. Modern devices and services use encryption to protect your traffic even on open networks, and operating systems and browsers now warn users about untrusted connections. Consumer VPN services provide little additional security or privacy benefit for most people and do not prevent the most common attacks.
- Never scan QR codes: There is no evidence that QR-code scanning is causing widespread harm. The real risk is social engineering scams, which are mitigated by existing browser and OS security and by being cautious about the information you give to any website.
- Never charge your device from a public USB port: There are no verified cases of “juice jacking” affecting everyday users in the wild. Modern devices prompt before enabling data transfer, default to charge-only modes, and authenticate connected accessories.
- Turn off Bluetooth and NFC: Wireless exploits in the wild are exceptionally rare and usually require specialized hardware, physical proximity, and unpatched devices. Modern phones and laptops isolate these components and require user consent for pairing.
- Regularly “clear cookies”: Clearing (or deleting) cookies does not meaningfully improve security or stop modern tracking, which now relies on identifiers and fingerprinting in addition to cookies.
- Change passwords regularly: Frequent password changes were once common advice, but there is no evidence that they reduce harm, and they often lead to weaker passwords and reuse across accounts.
This type of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that actually reduce the likelihood and impact of real compromises.
Sound security guidance must be precise, proportionate and actionable. With that standard in mind, we recommend replacing the above advice with clear, fact-based guidance that helps people and organizations manage real risk while enabling modern, connected use of technology.
Recommendations for the public
While the news is often filled with foreign attacks against high-value individuals and organizations, the truth is that for most people the basics are still the basics, and they should be the foundation of any security advice for the everyday individual or small business.
- Keep important devices and apps updated: Focus on the devices and apps you use to access essential services such as email, financial accounts, cloud storage, and identity-related apps. Enable automatic updates wherever possible so that these core devices receive the latest security fixes. When a device or app no longer receives security updates, it is worth considering an upgrade.
- Enable multi-factor authentication (“MFA”, sometimes called 2FA): Prioritize protecting sensitive accounts that have real value to malicious actors, such as email, file storage, social media, and financial systems. When possible, use “passkeys,” a newer sign-in technology built into everyday devices that replaces passwords with cryptography that resists phishing, so that even if attackers steal a password they still cannot log in. Use SMS one-time codes only as a last resort when other methods are not available.
- Use strong passphrases (not just passwords): The passwords for your important accounts must be strong: long (16+ characters), unique (never reused under any circumstances), and randomly generated (which humans are very bad at doing). Uniqueness matters: using the same password in more than one place increases your risk dramatically, because a breach at one site can immediately compromise the others. A passphrase, such as a short sentence of 4-5 words (spaces are fine), is an easy way to achieve sufficient length. Of course, this is difficult to do for many accounts, which leads us to…
- Use a password manager: A password manager solves this by creating strong passwords, storing them in an encrypted vault, and filling them in for you when you need them. A password manager will only fill your passwords on legitimate sites, giving you additional protection against phishing. Password managers can store passkeys as well as passwords. Protect the password manager itself with a strong passphrase, since it guards all the others, and enable MFA on it.
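As an added illustration of the passphrase criteria above (not part of the original letter), the following Python generates a random passphrase with the standard `secrets` module and checks a candidate against the length, word-count and uniqueness rules; the wordlist is a small constructed sample, and `check_passphrase` uses word count as a proxy for the "4-5 words" guidance since randomness cannot be judged from the string alone.

```python
import math
import secrets

# Constructed sample wordlist for this demo; a real generator would use a list of
# several thousand words so that each word contributes more entropy.
SAMPLE_WORDLIST = [
    "orbit", "velvet", "canyon", "pickle", "lantern", "saddle", "meadow", "comet",
    "glacier", "walnut", "harbor", "thistle", "falcon", "mosaic", "ember", "quartz",
]

MIN_LENGTH = 16   # "16+ characters"
MIN_WORDS = 4     # "a short sentence of 4-5 words"


def generate_passphrase(words=SAMPLE_WORDLIST, count=5, rng=secrets):
    """Draw `count` words uniformly at random and join them with spaces.

    `secrets` (a CSPRNG) is used rather than `random`; a human choosing
    "memorable" words does not produce uniform randomness, which is why the
    letter says to let software generate the passphrase."""
    if count < 1 or not words:
        raise ValueError("need a non-empty wordlist and count >= 1")
    return " ".join(rng.choice(words) for _ in range(count))


def entropy_bits(wordlist_size, count):
    """Entropy of a uniformly generated passphrase: count * log2(wordlist_size)."""
    return count * math.log2(wordlist_size)


def check_passphrase(passphrase, existing):
    """Return the list of criteria from the letter that `passphrase` fails.

    `existing` holds passwords already used on other accounts, to catch reuse."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("too short: needs %d+ characters" % MIN_LENGTH)
    if len(passphrase.split()) < MIN_WORDS:
        problems.append("too few words: use at least %d" % MIN_WORDS)
    if passphrase in existing:
        problems.append("reused: must be unique to this account")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, "->", check_passphrase(phrase, set()) or "ok")
    print("bits with a 7776-word list, 5 words: %.1f" % entropy_bits(7776, 5))
```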
Recommendations for organizations
Organizations must build systems that do not fail catastrophically when people make mistakes, especially when they are victimized by malicious actors. Create clear, simple ways for employees to report and escalate suspicious activity, and promptly acknowledge those reports so people feel supported, not blamed. If an employee’s mistake causes significant damage to the organization, the system design was brittle, not resilient as designed. Require phishing-resistant MFA for system administrators and commit to a plan to eliminate reliance on passwords throughout the organization.
Recommendations for software developers
Finally, to be clear, no software or system is completely secure. New vulnerabilities are discovered every day in modern devices, operating systems, and applications. But how those reports are handled determines the real outcome. The responsibility for preventing harm should not rest on the public or on enterprises; it is up to software makers to fix their faulty code, not up to their billion-plus users to change their behavior.
We call on software makers to take responsibility for building software that is secure by design and secure by default, that is, designed to be secure before it reaches users, and to publish a clear roadmap of how they will achieve that goal. They should ensure that all network traffic is protected with modern encryption protocols and should incentivize independent security researchers through formal, accountable reward programs that include clear safe-harbor protections. Manufacturers must also commit to publishing CVE records (public lists of known software vulnerabilities) that are complete, accurate and timely for all issues that could put users at risk, including internally discovered issues.
Conclusion
We urge communicators and decision makers to stop promoting “hacklore” – attractive but inaccurate advice – and instead share guidance that meaningfully reduces harm. We are ready to help public agencies, employers and media organizations reframe cyber security advice so that it is practical, proportionate and based on current realities.
Sincerely,
Ben Adida, VotingWorks
Heather Adkins, VP, Cybersecurity Resilience Officer, Google
JJ Agha, CISO, FanDuel
Ian Amit, former CSO Cimpress, Rapid7. Founder and CEO Gomboc.ai
Matt Aromatario, Head of Security, Hebbia
Scott Bachand, CISO, RO
Tod Beardsley, Vice President of Security Research, runZero
Andrew Becherer, CISO, Sublime Security
Geoff Belknap, Deputy CISO, Microsoft
Betsy Bevilacqua, CISO
David Bradbury, CSO, Okta
Bill Burns, former CISO and Trust Officer Informatica, former Netflix
Eli Bergten
Jack Cable, CEO and Co-Founder, Corridor
Michael Calderin, CISO
Amy Cardwell, former CISO UnitedHealthgroup
Shaun Cassidy, CISO, Asana
Jason Chan, Retired – Former CISO Netflix and VMware
Michael Coates, former CISO Twitter
Bill Corey, CISO Sardine.ai
Neil Daswani, CISO-in-Residence at Firebolt Ventures, former CISO of multiple billion-dollar public companies
Jacob DePriest, CISO/CIO 1Password
Michael Tran Duff, CISDPO, Harvard University
Curt Dukes, former NSA IA director and cybersecurity executive
Jen Easterly, former director of CISA
Andy Ellis, former CSO, Akamai
Casey John Ellis, Founder Bugcrowd and the Disclose.io Project
Gary Allison, former VP of Trust, Roku
Chris Eng, former Chief Research Officer @ Veracode
Melanie Ensign, CEO, Discernible
Josh Feinblum, former CSO DigitalOcean, Rapid7
Trey Ford, Chief Strategy & Trust Officer, Bugcrowd
Eva Galperin
Yael Grauer, Program Manager, Cybersecurity Research at Consumer Reports
Eric Grosse, former head of security, Google
Esteban Gutierrez, CISO
Damian Hasse, CISO, Moveworks
Gary Heaslip, CISO in Residence, Halcyon.ai
Tyler Healy, CISO, DigitalOcean
Marcus Hutchins, Principal Threat Researcher, Expel
Mike Johnson, CISO
Chuck Kessler, CISO, Pendo
Aaron Kimele, CISO, Perforce
Lea Kissner, CISO, VP Engineering, LinkedIn
David Kleidermacher, VP, Android and Made-by-Google Security & Privacy, Google
Sasha Coff, Managing Director of the Cyber Readiness Institute
Tyson Kopczynski, former 2xCISO
Sarah Lazarus, Founder and CISO, Faded Jeans Technology LLC
Katie LeDoux, CISO, Attentive
Nate Lee, Founder, Trustmind, 2x former CISO
Eugene Liderman, Senior Director of Android Security and Privacy Products
Bob Lord, former CISO Yahoo, DNC
Ciaran Martin, University of Oxford and former head of the UK National Cyber Security Centre
Keith McCartney, SVP Security & IT, DNAnexus
Elle McKenna, Security Leader
Jack Moody, CISO, Kyocera AVX
James Nettesham, CISO, The Block
TC Niedzialkowski, Head of Security and IT Opendoor
Roopa Parameswaran
Helen Patton, Cyber Security Executive Advisor
Brian Payne
Lisa Plaggemier, Executive Director, National Cyber Security Alliance
Hannah Poteat, Asst. General Counsel, Privacy and Cyber Security Law
Nils Puhlmann, former CISO at Zynga and Twilio, co-founder Cloud Security Alliance
Alex Rice, Founder and CTO, HackerOne
Jason Richards, CISO
Felix Ritcher, CISO, vice president of security and infrastructure, Complementary Health Care
Chris Rosenraad, CSO DNC
Craig Rosen, former CISO at Cisco AppDynamics and FireEye/Mandiant
Guillaume Ross, former Head of Security @ JupiterOne, Fleet
Marcy Rosen, Senior Legal Director, ZwillGen PLLC
Larkin Ryder, former CSO at Slack, former Head of Compliance at Anthropic
Tony Sager, former NSA executive
Runa Sandvik, Founder, Granitt
Bala Sathiyamurthy, CISO
Corey Scott, former CISO LinkedIn, Confluent, Google Devices & Services
Andrew Shikiar, Executive Director and CEO FIDO Alliance
Alex Smolen, former director of security at LaunchDarkly
Matthew Southworth, CSO, Priceline.com
Alex Stamos, CSO, Corridor, former CSO of Facebook, Yahoo and SentinelOne
Andy Steingruebl, CSO, Pinterest
Joe Sullivan, CEO of Ukraine Friends and Joe Sullivan Security LLC
Parisa Tabriz, VP/GM Google Chrome
Matt Thomlinson, CTO Electronic Arts
Per Thorsheim, first 2xCISO, founder of PasswordsCon
George Totev
Steve Tran, CISO, IUNO
Shawn Valle, CEO Cybersecurity Growth, former CSO/CISO Rapid7, Tricentis
Alexis Wales, GitHub CISO
Jonathan Werrett, Head of Security, Semgrep
Andrew Whaley, Chrome Security
Tarah Wheeler, Chief Security Officer TPO Group
Dave Wong, Director, Mandiant
Josh Yavor, former CISO, Cisco Secure
Sounil Yu, former chief security scientist at Bank of America, chief AI officer at Knostic
Sean Zadig, CISO, Yahoo
Stefano Zanero, Politecnico di Milano