Did you know 60 percent of small businesses that suffer a cyberattack go out of business within six months? That figure belongs right at the top of any article or report about the importance of cybersecurity – it’s a stark reminder that cyberattacks can be ruinous for victims, especially when they don’t have significant IT budgets or large enough cash reserves to help them absorb the huge financial blows that can be inflicted by a data breach or another type of hack.
There’s just one problem: we have no reason to believe this “fact” is true. I saw it floating around online a couple years ago, always attributed to the National Cyber Security Alliance (NCSA) – a nonprofit that facilitates private-public partnerships on cybersecurity issues. The NCSA is an organization that journalists and bloggers feel comfortable citing – it works with government agencies like the Department of Homeland Security, it’s cited in major media outlets, and its board includes leaders from top companies: the senior director of cyber protection solutions at Raytheon, the head of governance and engagement at AIG, etc.
So when I saw the figure, I was curious about the NCSA’s methodology and any other findings its research may have produced. But I didn’t just fail to find the original study – I also found a statement from the NCSA which read: “The National Cyber Security Alliance (NCSA) has noticed an increase in the sharing and usage of this third-party 2011 statistic: ‘60 percent of businesses close within 6 months of a cyber attack.’ This statistic was not generated from NCSA research, and we cannot verify its original source.” The statement continued:
“NCSA has not actively referenced this statistic for several years, but we discovered that it was included in an outdated infographic on our website. We have removed all of these references and do not recommend its ongoing usage. Members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.”
Despite this disclaimer and the fact that none of the outlets which cited the statistic provided a link to the original source, article after article still blares: “60 percent of small businesses close within 6 months of a cyberattack.” The figure can be found in CNBC, TechRepublic, Inc. Magazine, and dozens of other outlets, and it has even been cited by members of Congress.
The ubiquity of this fake statistic is a reminder that journalists, lawmakers, and activists should always find original sources for the information they cite. In this case, an effort to uncover where the statistic originated would have led them to the NCSA’s website and an explicit warning against its use. But it’s clear that many journalists think citing other outlets is sufficient – in many cases, their articles just linked to other articles that had published the statistic and didn’t even cite the NCSA.
This is a disturbing reminder of how easily false information can be perpetuated, even when organizations like the NCSA are actively working to prevent it from spreading. As former NCSA executive director Michael Kaiser explained, “Our team is working to proactively limit this stat’s further sharing and usage,” but it didn’t make any difference – the stat can still be found all over the Internet in legitimate media outlets, which ensures that it will continue to spread.
According to a 2018 study published by researchers from MIT, falsehoods were 70 percent more likely to be retweeted than accurate information, while false news reached 1,500 people six times faster than the truth. The data in the report support what’s known as the “novelty hypothesis” – the idea that people are more likely to share novel information, which false news often purports to contain. The idea that 60 percent of small businesses go under just six months after a cyberattack is certainly novel – while it’s clear that small businesses are uniquely vulnerable to cyberattacks, those numbers make it sound like any attack is automatically a threat to survival of a company. It’s no wonder that journalists – particularly those who want to inform the public about the dangers of cyberattacks – are eager to cite such a jarring statistic.
Our conversation about fake news often focuses on false information that’s shared maliciously, but content creators, journalists, and researchers also need to be on their guard against falsehoods that are published carelessly. The incentives that drive the production of online content – the relentless campaign for clicks, views, and time-on-page – tempt editors and writers to publish sensational content that will capture and hold the audience’s attention.
This is why it’s even more important to verify what you’re publishing when it’s a powerful piece of evidence that happens to support your narrative.
Credits: Matt Johnson, writer; Pixabay, image