A coalition of chief security officers and former officials from the Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative to combat misleading cybersecurity advice, commonly referred to as “hacklore.” This effort aims to dispel myths that distract individuals from real cybersecurity threats, emphasizing practical measures such as installing software patches, using strong passwords, and enabling multi-factor authentication. Notable figures in this initiative include former CISA director Jen Easterly and ex-CISA advisor Bob Lord, who highlighted the urgency of this campaign, particularly as outdated advice tends to resurface during high-traffic shopping seasons. The group also encourages organizations to adopt phishing-resistant multi-factor authentication and develop resilient systems that can withstand user errors, urging software manufacturers to prioritize security in their designs and to maintain comprehensive records of software vulnerabilities.
Why do we care?
What I love about this initiative is that it finally calls out the stuff we all roll our eyes at but somehow still see in client onboarding packets and vendor slide decks. Hacklore has been around forever, and it survives because it sounds like security. “Don’t use public WiFi.” “Clear your cookies.” “Turn off Bluetooth.” None of that moves the needle. It wastes time. And time is the one thing customers and IT providers never have enough of.
So here’s the twist: this coalition isn’t just saying the myths are wrong — they’re showing their homework. Juice jacking doesn’t happen. Public WiFi attacks basically don’t happen because everything is encrypted. Bluetooth attacks are edge-case research. And constant password changes actually make things worse. This is a huge reset of what good advice looks like.
Their replacement guidance is what MSPs have been begging people to pay attention to for years. Patch the important stuff. Use phishing-resistant MFA or passkeys. Use strong, unique passphrases. Use a password manager. And design systems that don’t fall over when someone makes a mistake.
And that last part is the real message: stop blaming users. Build systems that survive reality.
For MSPs, this matters because clients trust you for clarity. If you’re still repeating old myths, you’re eroding that trust. This is your chance to align with evidence-based, national-level guidance and refresh your training materials, onboarding documents, and policy templates. It positions you not as a scold, but as a guide — and that’s the future of security services.