I have a new goal for 2022 and beyond, no more stats!
I promise to stop using statistics, statistics are the cyber security industries fear mongering tactic, you must do something about x because 78% of your industry peers are worried about the risk of x; this is most often not relevant, disingenuous and “over hyping” the reality that organisations face in 2022.
The headlines in the media are filled with that latest stats. Stats sell. The stats are often quoted from the latest reports. People then parrot them around like they’re fact when most of them are complete bullsh*t. People throw them around at cocktail parties. Often when they do I throw out my favourite statistic: 73.6% of all statistics are made up. I say it deadpanned. Often I’ll get some people look at me like, “really?” “It’s true. Nielsen just released the number last month.”I have an idea, an idea so different that it will change the way that cyber security uptake happens with organisations across the globe! And it is so easy and cheap that I must share it immediately .
My experience: In 2016 1,178,133 cars were sold in Australia, Toyota sold a massive 209,610 of those vehicles for an whopping 17.8% market share, impressive for sure. I purchased a Nissan Navara in 2016 (Toyotas are too expensive for my budget), so the Toyota statistic was completely meaningless to me even in my purchasing mode. I am happy though for the Toyota new buyers in that year, but I made a choice to buy what I wanted/needed, no car statistics before or after for me. I knew what I wanted to do, I wanted to buy a ute and I did my research on whether my decisions would be a good one from an engineering and reliability point of view.
In 2007, toothpaste company Colgate ran an ad stating that 80% of dentists recommend their product. Based on the promotion, many shoppers assumed Colgate was the best choice for their dental health But this wasn’t necessarily true. In reality, this is a famous example of misleading statistics. The ad suggested that dentists preferred Colgate over other toothpaste brands. But the survey asked them to list several brands of toothpaste they would recommend. The data only showed that Colgate was one of a number of different brands that dentists liked. Not quite the same claim, was it? .
Another statistic in different industry, here the results were skewed and provided a storyline that made it appear as if something that was “not really accurate” was in fact true, 80% of dentists did not recommend Colgate!
In the cyber security business we are overflowing with astounding statistics for every conceivable problem or niche! Who would know that what they read is possibly not “FACTUAL” nor is it necessarily useful in their situation as a possible client of a cyber security product or solution. These statistics most often do not provide enough information to disseminate fully and make any conclusion.
When I read cyber security statistics the first algorithm I must “apply” is my human “who is the publisher” AI ML (simulated biological) routine, determining who the originator of the survey will provide me the correct “rose tinted” glasses to review and change the survey information to something possibly meaningful but still most likely missing too much information to be useful (thereby committing the results to my mental recycle bin).
Secondly; I must review the statistics for relevance in my particular pursuit, for example do I care that:
- 64% of small businesses do not think they won’t be a target of a cyber breach?
- 80% of small businesses are unaware of what to do if they are breached?
These are made up by the way, but as I have published them they seem believable right? If not I can increase the results by 5 points each. It is my survey!
Possibly I do have a vested interest in knowing this statistic but equally likely I do not care in the slightest, it is highly probable I am one of the 64% (at least more statistically likely than unlikely).
Why is this:
- Most people will not complete a survey, the most interesting people are doing interesting things!
- The people who do complete a survey are: the vendors employees, people who the vendor has asked to complete a survey, people who do care about the topic at hand, people who have had either a very good or very bad experience regarding the topic.
In cyber security all I see are statistics, the noise from statistics is drowning out what needs to be done to improve cyber resilience, instead of relying on what makes products or solutions the best to resolve a vulnerability we are “smacked” in the face with a statistic about what is going wrong!
Statistics are not useful unless the entirety of the source analysis is made completely public and open for all to see.
My Plan to change this
For 2022 as a vendor representative I promise to change the way I present information to my clients.
I promise to no longer use statistics unless those statistics can provide enough context by themselves to be relevant.
Instead I will use example, as an industry professional (still an amateur) I have a wealth of information from current and past connections of real world examples and situations. To help my clients make the right decisions around their cyber resilience strategies I will only provide information that makes sense for their situation.
By doing this it does not stop me asking questions and helping teach awareness in situations where clients may not be aware of what they should be doing, but the warning to me should be:
If the client is not aware of the problem that I am trying to fix, then it is not a problem for them, yet!
Meaning, if a client does not understand what I am explaining to them, then I am not doing a very good job, or they could not implement what I am discussing anyway and a lot of further education needs to occur before revisiting.
So do these things first, even before you have any cyber security awareness and ignore the statistics.
- Have a strong End Point Protection strategy, use a good product. For 80% of the market this can be free or Microsoft Defender.
- Make sure you are regularly patching your Operating systems, automatically is best
- Ensure that you are patching all your apps including server side apps
- If you use iOS devices then do not use AV on them, regardless of whether Apple OS is secure enough or not, an AV solution can not get past Apples security either. If you are using Android then absolutely have an Anti Malware solution running on them.
- Have Email security, whether this is the built in Microsoft or Gmail security or not, make sure you have an email security solution in place.
- Web Security, an upto date CASB solution with good threat intelligence will secure most traffic trying to connect to a Command and control server on the internet, thereby limiting attackers
- Train your users, again and again – most important, do not make it dry education (like weetbix, it is hard to even eat one if its dry!).
- Gamify the process of finding and eliminating phishing emails etc. Gamification and rewards for correctly identifying attempts to Phish etc will help your users actually care about whether they are looking at a phishing dialog or a real one, it will create questions between colleagues too.
Finally embrace a cyber security framework and start building cyber resilience as a strong part of your go forward business strategy.
If 90% of all organisations globally undertake my guidance above, then 99% of all breaches will be eliminated by 2023 – that is my statistic for 2022!