In researching our latest paper on how we can better help our customers defend against Ransomware, I started looking at statistics and how they are used.
IT sales and marketing never miss an opportunity to quote and re-purpose/reuse a statistic or study. I’m no different from anyone else and always on the lookout for an eye-catching number to support why organisations should use our technology.
86% of breaches are financially motivated, according to the 2020 Verizon Data Breach Investigations Report
86% of organizations faced bulk phishing attacks last year, up from 77% the year before – Proofpoint’s 2022 State of the Phish report
86% of business owners believe digital risk will continue to grow – NCSC
Most targeted regions were North America and Europe (86% of total ransomware attacks) – NCC Group Monthly Threat Pulse – January 2022
Programs like the NIST framework or CIS Controls have been proven to substantially reduce the risk of cyber-attacks, in some cases by up to 86% (CIS).
I’m unsure why 86% seems to crop up so often, especially with so many numbers to choose from.
Statistics and numbers can help in persuasive writing: headlines with big numbers or eye-catching percentages strive to attract buyers and decision-makers to read this or that article.
In a complex world, the presentation of information in a simple and impactful way is of great benefit to the reader. “3 steps to improve…” feeds our desire to simplify and understand what is, often, a difficult and nuanced environment.
Statistics, however, can be misleading.
By way of illustration, during the recent Covid-19 pandemic, headlines like “Three vaccine doses give 86% efficacy against Omicron variant” seem reassuringly simple. But what does 86% really mean?
On Friday, 14 January 2022, there were 3,238,025 new Omicron cases and 8,425 deaths globally (a case fatality rate of 0.26%). So where does the 86% apply, and how is it included in the numbers?
Looking at the clinical research aims & objectives of Covid-19 vaccines (yes, I know – a bit geeky), the efficacy outcome measures relate to serious illness. Not deaths. Not infections. Not hospitalisations. So, is the 86% related to the numbers above in any way, and more importantly, is it of any real benefit to me?
The point is that statistics are mainly used to support the position of the author. As the famous German philosopher Friedrich Nietzsche posited circa 1886, “There are no facts, only interpretations.”
Unlike the science community (or perhaps more accurately, some of the science community), many IT studies are observational or the result of a survey. Therefore, the results may be questionable, both in how they were derived and in whether they are achievable in the real world. But numbers do look impressive on first viewing.
This brings me back to Ransomware. Whatever the statistics and chances, as far as Ransomware is concerned, there is broad agreement on the top three things you can do to protect your organisation (without statistics this time):
1. Take regular, off-line data backups
2. Ensure you patch vulnerabilities in a priority and timely manner
3. Use and maintain antivirus software on all PCs and servers
Many organisations struggle to do steps 2 and 3 as, with the complexity of modern IT systems, they are difficult to do consistently and accurately without the right technology in place (feel free to browse around our site to see how Rebasoft can help).
Why do you need to do this all the time rather than monthly or quarterly? Statistics (there they go again) show that a Ransomware attack happens on average every 11 seconds. Hackers can do a lot in 11 seconds. Having a real-time solution and response can save you not only 11 seconds, but also a lot of expense and heartache.
In conclusion, I’m 100% behind statistics. I’m more in favour of simple, effective steps that deliver real value to cybersecurity defences.
‘After all, facts are facts, and although we may quote one to another with a chuckle the words of the Wise Statesman, “Lies – damn lies – and statistics,” still there are some easy figures the simplest must understand, and the astutest cannot wriggle out of.’ Attrib: Courtney or Disraeli or Mark Twain and many others since…