The 9 best ways not to improve your IT security

5 September 2025

In the past six months, I have received all of the following advice from the official cybersecurity office of my academic institution.

  1. Check the sender of emails.
  2. Don't click on links you don't trust. “In a real attack, even a mere click can be enough to trigger (a) downloading and execution of malware, (b) opening of a communication channel with the outside, (c) silent deployment of ransomware.”
  3. Remove unused apps and disable unused features.
  4. Shut down your devices when separated from them for an extended period.
  5. Close wireless interfaces (e.g., Wifi, Bluetooth) when not using them.
  6. Avoid connecting to untrusted Wifi networks. Especially while travelling, avoid Wifi in airports, train stations, cafes, restaurants, hotels, etc.
  7. Before any travel, change all your passwords.
  8. After returning from travel, ask the IT service to verify your devices. Also, change all your passwords again.
  9. “You will soon receive an email containing an invitation to a cybersecurity training. This email is legitimate; it goes through a secure delivery, validated by the IT service and the cybersecurity office. You can safely click on the invitation link.”

Much of this comes from government-level security guidance. To illustrate how ridiculous⁰ this is, let me propose the ultimate checklist for your physical security as the government could write it by imitating the one for cybersecurity:

  1. Check the sender of paper letters before opening them.
  2. Avoid looking at someone you don't trust. “In a real attack, even a quick glance at a stranger can be enough to make them feel unmasked in case they are a terrorist and trigger a violent reaction.”
  3. Remove unused objects from your home.
  4. If you leave your passport on your desk, turn it on the side where your photo is not visible.
  5. Turn off electrical switches in your electrical board when you don't use the sockets they control.
  6. Avoid mentally spelling your debit card code in airports, train stations, cafes, restaurants, hotels, etc. Nasty people might read it in your mind.
  7. Before any travel, change the keys of your house.
  8. After returning from travel, ask the police to check your house. Also, change the keys again.
  9. “You will soon receive a call from your bank advisor. This call is legitimate, you don't need to verify their identity.”

End of sarcasm.

These harebrained “security best practices” have apparently penetrated the general public well enough that my family found me reckless when I recently connected to an airport's Wifi in a foreign country.

Meanwhile, I did not find any of the following sensible and actually important advice given even once:

  1. To check if a website is safe (before or after opening the link, but before doing any action like entering a password), check the domain name. (For my non-tech-savvy readers, this means the part of the Web address until .com, .org or such.)
  2. Don't trust an email's sender address. It can be forged. Don't trust the part of a Web address after the domain name. Don't trust logos. Trust ONLY THE DOMAIN NAME.
  3. Seriously, do check the domain name. Look for misspellings and variations, e.g., wikippedia.org instead of wikipedia.org, git-hub.com instead of github.com, hsbc.org instead of hsbc.com, dwp.uk instead of dwp.gov.uk, etc.
  4. I can't stress this enough. Check the domain name and don't rely on anything else. If you're unsure, do a quick search (e.g., type “github” into Google and check that the first result is github.com, or visit the Wikipedia page if the website has one).
  5. For sensitive websites, check that the connection is HTTPS and not HTTP. Look for a padlock icon on the address bar of your browser. Especially remember this on public networks. Never send a password or any private information to a website in HTTP, and never consult private information either. Don't visit such a site if you are already signed into it either, since your browser will send some cookie to the website as a login token, which could be used to impersonate you. (This is treacherous, since your browser won't remind you that it saved a cookie on your last visit before transmitting it!)
  6. In fact, it's a good idea to turn on “HTTPS-only mode” in your browser settings (this should exist on reasonably recent versions of mainstream browsers). This will make your browser show a warning that you cannot miss before visiting any website in HTTP. You can safely ignore the warning and continue only if you are fine with anybody intercepting all of your communication with the website, e.g., if you are reading the XKCD comic of the day.¹
  7. On a public network, your communication with HTTPS websites is safe. The only thing that might not be is the domain name of the website you are visiting. So, e.g., if you don't want anyone to know your sympathy for a political party XYZ, don't visit https://xyz-party.org. On the other hand, visiting its Wikipedia page https://en.wikipedia.org/wiki/XYZ_party is fine since all an attacker could see is en.wikipedia.org. (Note that on your home network, your Internet Service Provider still can record which websites you are visiting. If you're Chinese and party XYZ is an opponent to Xi Jinping, better use a VPN to browse https://xyz-party.org.)
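The list above boils down to two things a reader can actually check: the scheme and the registrable domain. The following added example (mine, not the post's) makes both checks explicit and, going a little beyond the post, flags the kinds of near-miss it lists: a one-character misspelling of a known domain, or the same name under a different suffix. The `KNOWN_DOMAINS` list, the tiny suffix table and every URL are constructed for the example; a real tool would use the user's own bookmarks and the Public Suffix List.

```python
"""Added example (not from the post): judge a URL by scheme and registrable
domain only, and flag lookalikes of domains the user knows.
KNOWN_DOMAINS, TWO_LABEL_SUFFIXES and all URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed: the domains this user actually means to visit.
KNOWN_DOMAINS = ["dwp.gov.uk", "github.com", "hsbc.com", "wikipedia.org"]
# Constructed, tiny subset of the Public Suffix List: suffixes that take
# two labels, so that www.dwp.gov.uk reduces to dwp.gov.uk, not gov.uk.
TWO_LABEL_SUFFIXES = {"gov.uk", "co.uk", "ac.uk", "org.uk"}


def registrable_domain(host: str) -> str:
    """Strip subdomains: en.wikipedia.org -> wikipedia.org."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart is the classic misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # drop ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return what the post tells readers to look at: the registrable
    domain, whether the scheme is HTTPS, and whether the domain is known,
    a lookalike of a known one, or simply unknown."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # .hostname drops "user@" tricks and ports
    domain = registrable_domain(host)
    label, _, _suffix = domain.partition(".")
    verdict, lookalike_of = "unknown", None
    if domain in KNOWN_DOMAINS:
        verdict = "known"
    else:
        for known in KNOWN_DOMAINS:
            k_label = known.partition(".")[0]
            # same name under another suffix (hsbc.org, dwp.uk) or one
            # character off (wikippedia, git-hub)
            if edit_distance(label, k_label) <= 1:
                verdict, lookalike_of = "lookalike", known
                break
    return {
        "host": host,
        "domain": domain,
        "https": parts.scheme == "https",
        "verdict": verdict,
        "lookalike_of": lookalike_of,
        # homoglyph domains show up as non-ASCII or punycode labels
        "non_ascii_host": any(ord(c) > 127 for c in host)
        or any(l.startswith("xn--") for l in host.split(".")),
    }


if __name__ == "__main__":
    for u in ("https://en.wikipedia.org/wiki/XYZ_party",
              "http://wikippedia.org/login",
              "https://github.com@evil.example/login"):
        print(u, "->", check_url(u))
```

Running the block prints the verdict for three constructed URLs; the third shows why the post says to ignore everything except the domain: the part before `@` is not the host at all.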

Coming back to the “security best practices” I got in my inbox:

(0) “Check the sender of emails” will inevitably make people think that an email can be trusted to originate from the sender address it appears to be sent from, which it cannot. Most people don't know that you can send an email from any email server you own and pretend it comes from a totally arbitrary email address that you don't have any control over. Yes, phishers don't always bother to do this, but sometimes they do. (They could also make it look like they sent you an email from your own email address, to let you believe they hacked your email account. This actually happened to me as a young teen and I believed it.) Yes, SPF, DKIM and DMARC exist and go a long way, but not all email providers check them in all cases, and they might not refuse the bad emails but just route them to the spam folder. (For example, Gmail has been requiring these since February 2024, but only for servers which send more than 5000 emails to Gmail addresses daily.)
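The mechanics behind that last caveat are visible in a domain's own DNS records. Here is an added example (mine, not the post's) that reads a domain's SPF and DMARC TXT records and says what a receiver that does enforce them would probably do with a message forged to appear as coming from that domain; whether a given receiver enforces anything is, as the post says, up to the receiver. All records and domain names are constructed; a real check would fetch the TXT records over DNS for the domain and for `_dmarc.<domain>`.

```python
"""Added example (not from the post): read SPF and DMARC records and
report the likely fate of a forged 'From:' at an enforcing receiver.
All records below are constructed for this example."""
import re

# Constructed DNS TXT records for three hypothetical domains.
TXT_RECORDS = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=quarantine; pct=50"],
    "open.example": ["v=spf1 ip4:198.51.100.7 ?all"],
    # open.example publishes no _dmarc record at all
}

SPF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(records):
    """Report how the SPF record treats senders it does not list: the
    qualifier on the trailing 'all' mechanism (RFC 7208)."""
    for rec in records:
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            m = re.fullmatch(r"([+~?-]?)all", term, re.I)
            if m:
                return {"present": True, "all": SPF_QUALIFIER[m.group(1) or "+"]}
        return {"present": True, "all": "neutral"}  # no 'all' term: RFC 7208 default
    return {"present": False, "all": None}


def parse_dmarc(records):
    """Extract the policy (p=) and sampling rate (pct=) from a
    'v=DMARC1; ...' record (RFC 7489)."""
    for rec in records:
        if not rec.strip().upper().startswith("V=DMARC1"):
            continue
        tags = {}
        for kv in rec.split(";"):
            if "=" in kv:
                k, v = kv.strip().split("=", 1)
                tags[k.strip().lower()] = v.strip()
        return {"present": True,
                "policy": tags.get("p", "none").lower(),
                "pct": int(tags.get("pct", "100"))}
    return {"present": False, "policy": "none", "pct": 100}


def forged_mail_outcome(domain, txt=TXT_RECORDS):
    """Likely fate of a message forged as coming from `domain`, at a
    receiver that checks SPF and DMARC. A receiver that checks neither
    (or only for bulk senders) simply delivers it."""
    spf = parse_spf(txt.get(domain, []))
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    policy, pct = dmarc["policy"], dmarc["pct"]
    if policy == "reject":
        outcome = "rejected"
    elif policy == "quarantine":
        outcome = "spam folder"
    elif spf["all"] == "fail":
        outcome = "receiver's choice (SPF fail, but no DMARC policy asks for rejection)"
    elif spf["all"] == "softfail":
        outcome = "probably spam folder (SPF softfail)"
    else:
        outcome = "delivered"
    if policy in ("reject", "quarantine") and pct < 100:
        # RFC 7489: messages outside the sample get the next weaker policy
        rest = "spam folder" if policy == "reject" else "delivered"
        outcome += f" for {pct}% of messages ({rest} for the rest)"
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "likely_outcome": outcome}


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "open.example"):
        print(d, "->", forged_mail_outcome(d)["likely_outcome"])
```

The three constructed domains cover the spectrum: only `strict.example` asks receivers to refuse forgeries outright; `soft.example` asks for the spam folder, and only half the time; `open.example` leaves the decision entirely to the receiver, which is the situation the post describes.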

(1) “Don't click on links you don't trust” is pure paranoia. I actually complained about this one, and was pointed to some years-old CVEs. Browser vulnerabilities exist, and they are a serious problem insofar as a single vulnerability can affect some number in the billions of users for popular browsers, but for an individual user, the likelihood of getting hacked through a browser vulnerability is incredibly tiny (especially on an up-to-date browser), many orders of magnitude smaller than the likelihood of getting hacked by an utterly unsophisticated phishing scam. It is rare enough to be newsworthy when a browser CVE is found that has even a single confirmed exploit — while the awareness campaigns performed at my institution have seen about 15% of people enter their institutional login and password in a phishing resistance test. I find it pointless to worry about these vulnerabilities unless you expect to be targeted by military espionage level attacks.

Many of the other points are cast in the same mould. The chief effect of such advice will be to divert users' attention from actually important security measures. If you give a checklist of ten points of which only one really matters, chances are most users will only remember two or three, or feel that these are already enough, and you've lost.

Worse, this sort of FUD is one of the ways (competing with frequent forced password changes) in which “security fatigue” is created. It gives the feeling that if you try to follow all the security guidelines, it's going to be impossible to do anything on the Internet, so you have no choice but to mostly ignore them anyway.

To top it all, point (8) “the email you will soon receive is legitimate” somehow manages to again avoid mentioning the only definitive source of trust in a link, the DOMAIN NAME, and entrenches the idea that you can trust an email if someone told you, without even seeing it, that you could. Facepalm.

It is already amazingly hard to get people not to fall for the most basic phishing attacks (especially while trying not to exclude the elderly and the less educated from technology even more by making them afraid of every tiny action they might take on a computer). This Sisyphean enterprise really doesn't need to be made extra hard by this kind of nonsense in official IT security communications.


0.

I'm sorry for the employees of those institutional and governmental services, who are certainly well-meaning and doing their job as best they can, but it really feels ridiculous to me. In their defense, I've seen this kind of bad advice elsewhere; it seems all too common.

1.

Making HTTPS-only mode practical is the main reason why I think as many websites as possible should switch to HTTPS, for all its technical flaws and for all the racket played by registrars to make it convenient for website owners only if they pay extra fees. It is already hard enough to make non-geeks follow extremely basic and essential security practices like thinking for one second before typing their password on a fake version of their bank website. You just cannot make my elderly grandfather, who's struggling with the difference between the “Save” and “Save as” buttons, pay any amount of attention to a small padlock icon in a browser or understand what it means. The only solution to avoid sensitive information being shared over plain HTTP is to make visiting an HTTP website impossible to ignore, by showing a big red fat warning and asking the user to confirm while making sure they read the bold sentence that tells them not to enter their bank password on this site. I really hope major browsers will enable HTTPS-only mode by default as soon as possible.
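This footnote and point 5 of the sensible list describe the same leak from the user's side: a plain-HTTP visit to a site you are logged into sends the stored login cookie. The site-side counterpart is the cookie's `Secure` attribute, which tells the browser never to send that cookie over HTTP. The following added example (mine, not the post's) uses Python's standard cookie jar, which applies the same rule browsers do, to show a session token with and without the attribute; host names and cookie values are constructed.

```python
"""Added example (not from the post): what a browser-style cookie jar does
with a login cookie when the same site is later reached over plain HTTP.
Host names and cookie values are constructed."""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs
    .info() to return an object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookies_sent_to(login_url, set_cookie_headers, later_url):
    """Store the cookies a login response set, then return the Cookie
    header a later request to later_url would carry (None if none)."""
    jar = http.cookiejar.CookieJar()
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse(set_cookie_headers), login_req)
    later_req = urllib.request.Request(later_url)
    jar.add_cookie_header(later_req)   # applies the Secure rule
    return later_req.get_header("Cookie")


# Constructed login responses: the same session token, with and without
# the Secure attribute, plus a harmless preference cookie.
GOOD_LOGIN = ["session=tok-abc123; Secure; HttpOnly", "prefs=dark"]
BAD_LOGIN = ["session=tok-abc123; HttpOnly", "prefs=dark"]

if __name__ == "__main__":
    login = "https://bank.example/login"
    for name, headers in (("Secure", GOOD_LOGIN), ("no Secure", BAD_LOGIN)):
        for url in ("https://bank.example/account", "http://bank.example/account"):
            print(f"{name:10} {url} -> {cookies_sent_to(login, headers, url)}")
```

With the `Secure` attribute the token stays home on the HTTP visit and only `prefs=dark` goes out; without it the token is sent in the clear, which is exactly the impersonation risk point 5 describes. The browser gives the user no hint either way, so the fix belongs to the site and to HTTPS-only mode, not to the user's attention.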


Comments

Comment by Selim (5 September 2025 at 13:30)

I agree with you on security fatigue and your list of sensible advice.

I understand that not connecting to public wireless networks seems too much for some people.

However, the list of exploited vulnerabilities is longer than the trans-Siberian and the Great Wall of China combined! These are everywhere, from user devices to routers or USB firmware.

This means that a bad actor connected to the same wireless network as 1000s of people in an airport can compromise the router and access the connected devices and target the vulnerable ones for code injection for example. And no, this is not science fiction.

Cheers, Selim
