At Rigid Bits we believe calculating risks and addressing those risks categorically is the best approach to cybersecurity. However, we see a lot of fear, uncertainty, and doubt (FUD) techniques used to drive cybersecurity discussions. In reality, using cybersecurity FUD to make cybersecurity decisions would be the inverse of a risk-based approach. Quite frankly, FUD techniques hold a lot of sway. Sometimes those techniques are very much worth paying attention to because they often reflect the reality of some situations. However, when FUD is wrong and misleading, it's often detrimental to actually improving cybersecurity across industries.
Correcting the Record
You may have seen this statistic posted: “60% of small and medium sized businesses will go out of business after a major cyber attack within 6 months”. This statement has gone viral, but it’s virally wrong. In reality, this statement was mistakenly made during congressional testimony that was eventually placed into the public record. The research company cited has indicated they have no record of making that statement.
“The 2011 statistic that ‘60 percent of businesses close within 6 months of a cyberattack’ is not from NCSA and its original source cannot be confirmed.” Michael Kaiser, the Alliance
So, we decided to break down some FUD and combine that with some actual statistics. A Ponemon Institute research article stated that 67% of small and medium sized businesses have experienced a cyber attack. We think this number is modest and reasonable given our experience in the industry. If we take the FUD and combine it with reality, we can quickly see the downright wrong FUD statement break down.
If 67% of businesses have experienced a cyber attack and 60% of those businesses go out of business, what does that actually look like? According to the Small Business Administration, there are 30.2 million small and medium sized businesses in the United States. Let’s take a closer look at the numbers:
- Number of Small and Medium sized businesses in the US: 30.2 Million
- 67% of those businesses have experienced a cyber attack: 20.234 Million
- *60% of those businesses will go out of business in 6 months: 12.14 Million out of business
- *40% of all small and medium sized businesses have gone out of business in 6 months.
- * Indicates incorrect FUD
Taking it further, SMBs make up 44% of the overall GDP for the United States. If 40% of all small businesses go out of business in 6 months after a cyber attack, then this means there would be a significant reduction in GDP. Overall, there would be a 17.6% reduction in GDP at a single point in time if the above statistics and FUD were true. That just can’t be right.
Avoid FUD. Calculate Risk.
We can quickly see these numbers would have catastrophic consequences for our economy and country as a whole. So, what can we learn from all of this, and does it really matter? Here are some takeaways that might be a better way to approach cybersecurity:
- Don’t make decisions about cybersecurity based on fear, uncertainty, or doubt.
- Calculate risk and address high risk items first.
- Small reductions in risk over time add up; find areas in your cyber program you can improve quickly.
- Be careful and question statistics. FUD sells well even when it’s wrong.
Solutions, not FUD, are available
Are you one of the 67% of small and medium sized businesses who have been attacked? You can start your cybersecurity program today with the Cybersecurity Starter Pack. Or, perform a Risk Assessment to determine where you truly stand. Avoid making decisions based on FUD and wrong statistics. Calculate your risks and decide how to act accordingly.