Some research I recently did for an article turned up a statistic that would have made a nice centerpiece: 60% of small businesses that experience cyberattacks go out of business within six months! If I were a hack writer, I could just have run with it; it’s “confirmed” on plenty of websites. But it smelled phony.
First, what exactly is it counting? It doesn’t even say “successful” cyberattacks. Let’s assume it means that, though. Almost every business falls victim to some malware. The consequences can be small or huge. It might contact a server that no longer exists and do nothing. It might attempt to encrypt files for ransomware but fail. It might mine for cryptocurrency, send spam, or try to enlarge a botnet. Those are all bad but won’t usually destroy the business.
Second, how much of the correlation is causation? Small businesses have high mortality rates in general. It just isn’t plausible that cyberattacks are wiping out huge numbers of small companies.
One site that cites that statistic claims in the next breath that half of all small businesses have suffered a breach in the past year. A breach is worse than an attack; it means that data has actually been lost. But even if we don’t count any additional attacks, simple arithmetic tells us that at least 30% of all small businesses shut down in the past year because of cyberattacks. Someone should have told us this is happening!
Chasing down fake statistics
I decided against using the stat and kept searching for information. Eventually I came across an article looking more carefully at the number. It has several problems:
- Its source is unknown. It’s often attributed to the National Cyber Security Alliance but doesn’t come from there.
- There hasn’t been a massive surge in business failures with the rise of Internet attacks.
- The claims are inconsistent. Rep. Lamar Smith said 60% of the businesses attacked “go bankrupt,” which doesn’t always mean going out of business. The exact claim is always a little different.
Reading about this dubious statistic got me wondering about statistics on lies and damned lies. There’s a popular statistic that the average person lies 100 or 200 times a day. I did a search on “statistics lies per day.” The search results included an article repeating this claim without a source, followed by one saying Donald Trump lies 15 times a day. I guess Donald Trump is a lot more honest than the average American!
Chasing down the “200 lies a day” claim led to one source: a professor named Jerald Gellison. None of the citations say what kind of study he did, whether it was peer-reviewed, or whether anyone else has confirmed the finding. It’s just an assertion. But it’s a claim people love to cite as if it were an established fact. One lie down, 199 to go for the day.
Checking statistical claims
When you find a statistic for an article, think about whether it’s plausible. Is it logically possible? What should you be seeing around you if it’s true? The results may be mostly invisible, but you should think harder if the stat doesn’t line up with other things you know.
Look at the wording. Does it use clearly defined terms, or is it about something vague and hard to quantify?
If there’s a link, follow it. If the linked article relies on another link, keep following the chain till you get to a reliable source. The claim may change from one article to another as writers try to sensationalize their claims. It’s the old game of “telephone.”
If you’re a researcher and not a hack, always treat your sources skeptically. You’ll produce more trustworthy material that way.
I saw it at 64.27% of statistics are fabricated; the precision may make it seem more authoritative, but it means there must be over 8,000,000 samples.