How the cybersecurity sector could shake off its reputation for fearmongering

A significant proportion of vendors use unsubstantiated research claims in their marketing campaigns, quite deliberately scaring up custom. Might the whole industry benefit from a regulatory clampdown on this practice?

The global cybersecurity sector will grow by more than 12% this year, according to forecasts by the International Data Corporation, so it’s little wonder that the market is getting crowded with new players seeking some of the £172bn it’s set to turn over in 2023. 

In the UK alone, nearly 2,000 companies are offering cybersecurity products and services. That’s one of the findings of a sectoral analysis published by the Department for Science, Innovation and Technology in April, which also reveals that 55% of that total are micro firms (those with fewer than 10 employees). 

This market is a hotbed of startups, all desperate to distinguish their offerings from the competition and show potential clients that they can keep their systems safe from harm. But are some of these companies exaggerating the threats in their effort to grab attention and win business?

How reliable are vendor-based cybersecurity reports?

Playing on people’s fears and uncertainties is indeed a well-known marketing ploy in the cybersecurity sector. It’s been associated more with smaller entrants seeking a foothold in the market than the established big players. 

Buck Rogers is a cybersecurity expert who has worked in senior roles at the Bank of England, HSBC and BAE Systems. He is now director of the Rohkeus Cyber consultancy and professor of cybersecurity and digital innovation at the University of Gloucestershire.

Rogers believes that “many vendor-based research reports are helpful and give good context, particularly the annual ones produced in partnership with various public bodies. But the rest are just sales dressing masked as fact. They confuse the picture, making it harder for people to work out how to do the right thing or buy the right solution.” 

He adds: “There can be a push to sell the latest thing – I get approached a lot. The greater the perception of budget or prestige, the harder the push. This practice is not helpful and it gets tiring.” 

Such aggressive marketing was rife in 2020-21, a time when working from home became the norm in the UK. Ransomware attacks were perceived to be on the increase and employers scrambled to shield their remote workers. Corporate information security chiefs were suddenly bombarded with buzzwords used by vendors to describe the latest vulnerability they had just uncovered and were best placed to address. They were routinely told how exposed their networks were to ransomware and urged to deal with the threat proactively, because such attacks were complex and costly to end.

Despite this, ransomware was reported by only 7% of the British businesses that identified an attack or breach over that period, according to the Cyber Security Breaches Survey 2021 published by the Department for Digital, Culture, Media and Sport. Phishing and the online impersonation of organisations were by far the most common attack methods.

Exaggerated claims create a less secure cyber environment

The use of fear as a marketing tool in this sector is not new by any means. Back in 2017, Dr Ian Levy, then technical director at the UK’s National Cyber Security Centre, addressed the issue at a security conference convened by Wired.

“The context in which you judge something also determines how you interpret it,” he told delegates. “If you’re told that cybersecurity attacks are perpetrated by winged ninja cyber monkeys that can compromise your machine just by thinking about it, you’re going to have a fear response.”

He added that vendors were “incentivised to make it sound as scary as possible because they want you to buy their magic amulets”. This can persuade organisations to panic-buy inappropriate solutions, only to learn later that the threat being hyped is no more of a danger to their organisation than any other. 

Roger Grimes, a cybersecurity consultant who worked as a senior security architect at Microsoft for more than a decade, notes that this can instil a “cry-wolf mentality” among the affected firms. 

“It can mean that they spend too much time focusing on the wrong details and eventually become numb – until the day they miss a real threat,” he explains. “I worry that we’ll have a massive legacy of security systems that operate in isolation, rather than as a part of a wider security strategy, and cannot adapt to changes in the threat environment.”

The case for vendor reporting standards

Two decades ago, several firms in the US financial services sector were found to have commissioned studies that served purely to market their products. The research reports they were publishing were not clear about their information sources. When the practice was exposed, industry regulators cracked down on it, imposing rules that mandated clear disclosure statements on publications and marketing materials.

Could similar measures help to clean up murky marketing practices in the cybersecurity industry? 

Rogers says: “I’m keen for the boards I advise to move away from the cyber Whac-A-Mole approach – and disclosure rules would certainly help with this. You should be able to pass The Times test, whereby a senior member of staff can read a cyber-based headline in The Times and know enough to see that in context for their organisation. The same thing should apply to any industry-generated threat research reports. Full disclosure would certainly provide this.” 

He believes that the industry could follow the lead of the medical sector, where the funding of any research, “and the impact that has had on the report’s structure, are articulated clearly at the beginning. Where possible, the facts and figures quoted should go through some form of independent challenge.”

Without such checks and balances in place, it seems that any kind of fear-based marketing material could cloud the judgement of security chiefs and actually increase the attack surface. That’s the view of Tony Pepper, co-founder and CEO of Egress, a specialist in email security. 

Writing an article highlighting the key findings of an Egress report entitled Cybersecurity Hype in October 2022, Pepper argued that his industry was “frequently guilty of selling snake oil”, with outcomes often differing from expectations. 

This sharp practice erodes trust in the entire sector, which is particularly unfair on those firms that don’t indulge in it. But, if the appropriate rules were enacted and enforced, startups and established players alike would have a clear framework of standards to work to and be held accountable for doing so. That should in turn lead to a future free from fear and doubt – in vendors’ research materials, at least.