Too bad to be true…
At Rhodian we believe calculating risks and addressing those risks categorically – also known as risk-based cybersecurity – is the best approach to cybersecurity. However, we see a lot of fear, uncertainty, and doubt (FUD) techniques used to drive cybersecurity discussions. It’s especially popular to use statistics in marketing to catch the viewer’s attention and try to get them to “Act Now!” with big, scary numbers. Since humans are naturally risk-averse, cautious creatures, there’s a lot of sway in using FUD techniques. And FUD messaging isn’t totally without merit, since it often reflects the reality of some situations.
However, when FUD is wrong and misleading, it’s often detrimental to actually improving cybersecurity across industries.
Correcting the Record
You may have seen this statistic floating around: “60% of small and medium-sized businesses will go out of business after a major cyber-attack within 6 months”. This statement has gone viral, to the point that we still see it in use today; but it’s virally wrong. In reality, this statement was mistakenly made during congressional testimony that was eventually placed into the public record. The research company cited has indicated they have no record of making that statement.
“The 2011 statistic that ‘60 percent of businesses close within 6 months of a cyberattack’ is not from NCSA [the National Cyber Security Alliance] and its original source cannot be confirmed.”
Michael Kaiser, Exec. Director of the NCSA
So, we decided to break down some FUD and combine that with some actual statistics. A Ponemon Institute research article stated that around 67% of small and medium-sized businesses (SMBs) have experienced a cyber-attack in the last year. We feel this number is modest and reasonable given our experience in the industry, and there have been similar findings in other published research articles. If we take the FUD and combine it with reality, we can quickly see a breakdown in the FUD statement and how it’s downright wrong.
Statistical Reality
If 67% of businesses have experienced a cyber-attack and 60% of those businesses go out of business, what does that actually look like? According to the Small Business Administration, there are around 34.8 million SMBs in the United States. Let’s take a look at the numbers a bit closer:
- Number of SMBs in the US: 34.8 Million
- 67% of those businesses have experienced a cyber-attack: 23.316 Million
- If 60% of those businesses will go out of business in 6 months: 14 Million out of business
- Therefore, about 40% of all SMBs would have gone out of business in 6 months
- Logically, there’s no way this statement can be true.
Taking it further, SMBs make up 44% of the overall GDP for the United States. If 40% of all SMBs go out of business in 6 months after a cyber-attack, then this means there would be a significant reduction in GDP. Overall, there would be a 17.6% reduction in GDP – an economic disaster – if the above statistics and FUD are true. That just can’t be right.
Avoid FUD. Calculate Risk.
We can quickly see these numbers would have catastrophic consequences for our economy and country as a whole.
So, what can we learn from all of this, and does it really matter? Here are some takeaways that might be a better way to approach cybersecurity:
- Don’t make decisions about cybersecurity based on fear, uncertainty, or doubt.
- Calculate risk and address high-risk items first.
- Small reductions in risk over time add up; find areas in your cyber program you can improve quickly.
- Be careful and question statistics. FUD sells well, even when it’s wrong.
Solutions, not FUD, are available
Time will tell if you become one of the 67% of SMBs that will experience a cyber-attack in the next year, but you don’t need to leave your preparation to chance. You can conduct annual Risk Assessments to better understand your risk inventory and where you stand. You can also work with a trusted cybersecurity partner to improve (or start) your Cybersecurity Program. Avoid making decisions based on FUD and wrong statistics. Calculate your risks and decide how to act accordingly.
And, of course, you can reach out to us with questions or concerns about your cybersecurity strategy. Rhodian Group is here to help!
This blog article is part of Summer of Cyber 2025, hosted by Rhodian Group and Angela Adams Consulting. Follow along on their social media pages for insightful and informative cybersecurity content throughout the summer!


