Fact check: Trump's "Nobody gets hacked" comment

TL;DR

Trump's recent video shows him claim:

"Nobody gets hacked. To get hacked you need someone with 197 IQ, and he needs about 15% of your password, right."

• Video clip here
• Claim is dangerously inaccurate, and could contribute to less security-savvy users viewing it as an excuse to not think about their own security.
• In our experience a large percentage of both end-users and organisations are hacked (including Trump's own hotel chain). IQ plays no role in it.

Fact Check: Nobody gets hacked

Result: Untrue

The 2020 Verizon DBIR report alone collected data on 108,069 breaches, of which 45% featured hacking. Trump's own hotel chain was hacked twice. We work with organisations of all shapes and sizes on a daily basis that have been the victim of a breach and our free CyberScore app is used by countless individuals who have been hacked.

Unfortunately, Trump's assertion simply isn't remotely true.

Fact Check: Hackers have IQs of 197

Result: Untrue

Firstly, it's important to understand that in this context we're referring to cyber criminals and threat actors, not "hackers" (a term that can be used to describe legitimate security professionals, coders etc who are most certainly not criminals).

Very little data exists on the IQ of cyber criminals, however it could certainly be argued that IQ plays little to no role in a successful compromise. There have been plenty of successful hacks performed by individuals with low IQs.

Speaking as a professional penetration tester who has been successful in (legally) compromising hundreds of organisations through a wide range of techniques - I can categorically say that my IQ is far, far less than 197 and it hasn't slowed me down too much.

It's also important to understand that a large number of hacks are performed automatically by scripts and bots.

Fact Check: Hackers need 15% of your password

Result: Untrue

Having 15% of someone's password could be helpful if an attacker's only vector was an offline bruteforce password attack. Typically such an attack is only useful after an initial compromise has already been achieved though.

There are a huge number of different attack vectors that attackers can use to 'hack' an individual or an organisation that have nothing to do with passwords. Don't believe me? Check out the list over at Mitre.

Fact Check: 'He' needs...

Result: Untrue

Optimistically, this may have just been a poor choice of pronoun, but it's absolutely worth pointing out that not all cyber criminals are male.

Conclusion

Trump is categorically wrong on his assertions here. Individuals and organisations regularly get hacked by cyber criminals, and they don't need an IQ of 197 to be successful.

If you're an individual, use a password manager, turn on two-factor authentication when you can and watch out for phishing attacks. You might also want to grab our free CyberScore app.

If you're an organisation, patch your systems, run continuous vulnerability scans, have regular penetration tests and build a mature security culture programme to help your employees keep you and themselves safe from cyber attacks.