Betting on 16%

A quick quiz. What’s higher? 1) The percentage of Americans that correctly understand that the Earth revolves around the Sun, or 2) the percentage of organizations that admitted a phishing attack had penetrated their defenses in 2015. The winner? #2, by a comfortable margin.

In 2012, the National Science Foundation surveyed 2,200 Americans and asked them: “Does the Earth go around the Sun, or does the Sun go around the Earth?” 74% got it right.[1] {Insert your own American educational system joke here.}

In the spring of 2016, a Cloudmark-sponsored study surveyed 300 companies, all with more than 1,000 employees, and 84% admitted that a spear phishing attack had penetrated their security defenses in the last year.[2]

In the world of statistics, 84% is overwhelming. If the weather report says there’s an 84% chance it’s going to rain, how many people take their chances with the 16% and leave the umbrella at home? Candidates need a minimum of 15% in several polls to qualify for Presidential debates this year; if you get 16%, you’re considered barely relevant. If the Vegas odds-makers felt your team had a 16% chance to win on Sunday, you’d earn 7 times your bet if they pulled an upset; no one would take an even bet with a 16% chance to win.

And let’s face it, that 16% is probably lower. Of the 48 companies (16%) surveyed that claimed not to have been successfully spear-phished, how many actually prevented the penetration, and how many simply weren’t targeted in the last 12 months.

Remarkably, however, users of today’s vendor threat monitoring tools are betting on the 16% chance that today’s sophisticated attackers can be prevented from penetrating external network defenses. Vendor threat monitoring technology is currently fixated on the scanning and scoring of a vendor’s external network defenses, IP hygiene, dark web or social media chatter, patching, or SSL/TLS certificate maintenance: information that has very little – or no – relevance to an organization’s ability to prevent a successful phishing attack. It’s difficult to accept, but a firewall is the modern equivalent of the Maginot line.

Mobile phones have replaced landlines. Yahoo news has replaced newspapers. Google maps has replaced the AAA TripTik[3]. Game of Thrones has replaced the Sopranos. And detection has replaced prevention. Whether vendors are prepared to protect a 1^st party’s sensitive data has about 95% to do with what they’re doing behind the firewall and about 5% to do with what they’re doing in front of it.

Or maybe it’s 84% to 16%…but you get the idea.

[1] http://www.npr.org/sections/thetwo-way/2014/02/14/277058739/1-in-4-americans-think-the-sun-goes-around-the-earth-survey-says

[2] https://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/

[3] Yes. The author of this blog is old.