
Don’t fall for these 4 cybersecurity myths

Hacking doesn’t work the way it does in the movies, with heroes typing simultaneously to keep out attackers. There are all kinds of misunderstandings about what is, and what isn’t, important when it comes to computer security. 

We’ve talked about ways to be more secure online, and have been tackling all kinds of myths and misunderstandings about everything from coffee to batteries. With that in mind, here are a few cybersecurity myths and what research and authoritative sources have to say about them.

Myth: Most hacking is the work of super genius computer nerds

On TV shows, hacking involves a super genius computer person breaking into networks using nothing but their own skills. That can, and does, happen, but it’s generally a lot easier to trick people. 

According to the Verizon 2025 Data Breach Investigations Report, a widely respected bit of cybersecurity research that compiled over 22,000 security incidents, real-world threats mostly don’t work that way. The report states that “breaches involving humans were responsible for the majority of the cases we reviewed.” 

What does that mean? That 60 percent of major breaches start with some kind of human involvement, as opposed to “fully automated exploit chains or hacking activity leading to a breach.” In other words, most breaches start not with a hacker super genius typing code to gain access but with some sort of trickery.

The most common form of this, according to the report, is using leaked usernames and passwords. Then there’s social engineering, where someone might call, text, or email a person in an attempt to get access. Another persistent problem is human error.

I’m simplifying here, but the core point is that most security breaches exploit humans instead of tech. The best way to defend yourself, then, is to educate yourself. 

Myth: Two-Factor Authentication Is a Waste of Time

Everyone hates adding yet another thing to keep track of, so it’s no wonder a lot of people don’t bother setting up two-factor authentication. With two-factor authentication, a username and password isn’t enough to log in—you need something else. This could be an app on your phone confirming your identity or it could involve a physical USB key. The problem: It’s kind of annoying, which might be why some people are motivated to believe it isn’t actually helpful. 

But two-factor authentication is helpful. We talked above about how leaked usernames and passwords are one of the most common ways that breaches happen. Two-factor security means leaked credentials aren’t enough for an outsider to get access. According to the US Cybersecurity and Infrastructure Security Agency (CISA), an account with two-factor authentication is 99 percent less likely to be hacked.

Now, it is true that not all two-factor authentication is created equal: some forms, such as SMS authentication, are proven to be less secure than app-based or physical authentication. But CISA states that even SMS-based security is better than nothing, so you might as well set it up if it’s the only option. Yes, logging in will be a little more annoying, but not nearly as annoying as a data breach.

Myth: VPNs Are Totally Private

If you want to be private and secure you need a VPN…right? It’s not so simple. These services have their uses but some people seem to think they’re a magic button for security. That’s just not true, according to the Electronic Frontier Foundation. 

“VPN providers often overpromise security benefits in advertisements that assert that a VPN is the only tool you need to stop cyber criminals, malware, government surveillance, and online tracking,” the nonprofit research and advocacy organization writes. “But these advertisements vastly oversell the benefits of VPNs. The reality is that VPNs are best suited for one thing: routing your network connection through a different network.” 

Now, this isn’t to say that VPNs are useless. They really can protect your internet browsing from your internet service provider (ISP), but they do this by sharing all of your browsing with the VPN provider. That might not matter if you trust the VPN provider, which is why it’s important to do your research. 

Myth: Updates Aren’t That Important

Speaking of things that people don’t like doing: installing updates. If you’re like most people, you’ve put off installing an update on your phone or computer because you don’t want to restart it right now, and that’s understandable. But putting off updates for too long isn’t a great idea.

Earlier this year I wrote about why updates are actually important, and the basics aren’t that hard to understand. Every update patches specific security vulnerabilities, which is good, but that also announces to the world ways in which the older version of the software was vulnerable. 

A metaphor to keep in mind: Imagine learning that thieves in your town had access to a skeleton key that could open all locks made before 2021, and that thieves had started copying the key and sharing it with each other. Would you replace the lock? Security updates work the same way.

 


 

Justin Pot writes tutorials and essays that solve problems for readers so they can focus on what actually matters. 


