Cybersecurity Statistics and Insights 2026
Here is a look at the state of cybersecurity, including key data and insights. Find the details you need to know.

Global Cybercrime Costs and Projections
| Year | Global Cost | Source |
|---|---|---|
| 2023 | $8 trillion | USAID |
| 2024 | $9.5 trillion | Cybercrime Magazine |
| 2025 | $10.5 trillion | Cybersecurity Ventures |
| 2027 | $24 trillion | Statista |
Key Insight: Cybercrime costs are projected to triple from $8 trillion in 2023 to $24 trillion by 2027, which represents an unprecedented escalation.
Cyberattack Frequency and Impact
| Metric | Statistic | Source |
|---|---|---|
| Cyberattack frequency | Every 39 seconds | Clark School study |
| Daily cyberattacks | 2,244 attacks | Clark School study |
| Websites compromised daily | 30,000 | Forbes |
| Attacks against small businesses (2020) | 700,000+ attacks | Various |
| Total damages from SMB attacks (2020) | $2.8 billion | Various |
Key Insight: A cyberattack occurs every 39 seconds globally, with over 30,000 websites compromised daily.
Password and Authentication Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Users reusing passwords across accounts | 65% | LastPass |
| Hacking incidents involving compromised credentials | 80% | Verizon 2020 |
| Breaches involving weak or stolen credentials | 81% | Verizon DBIR |
| Breaches involving compromised credentials as initial vector | 20% | IBM |
| Average cost per breach with compromised credentials | $4.37 million | IBM |
| Companies with 500+ passwords that never expire | 60% | Varonis |
| Financial services with 1,000+ sensitive files accessible to all | 60%+ | Varonis |
| Organizations broadly using multi-factor authentication | 57% | Microsoft |
| Small businesses implementing multi-factor authentication | 20% | Survey |
Key Insight: Despite 80% of hacking incidents involving compromised credentials and breaches costing $4.37 million on average, 65% of users still reuse passwords and only 57% of organizations broadly implement multi-factor authentication.
Data Breach Costs by Region and Industry
| Category | Average Cost | Source |
|---|---|---|
| Global average data breach | $4.44-4.45 million | IBM/Forbes Advisor |
| United States (all-time high) | $10.22 million | IBM |
| Healthcare industry | $7.42-10.1 million | IBM/CompTIA |
| Healthcare (2022-2024 average) | $9.77 million | IBM |
| Financial sector | $6.08 million | Statista |
| Government sector | $2.55 million | Statista |
| Middle East | $6.52 million | IBM |
Key Insight: Healthcare consistently bears the highest data breach costs at nearly $10 million per incident, while the United States leads globally with breach costs exceeding $10.22 million.
Ransomware Attack Statistics
| Metric | Statistic | Source |
|---|---|---|
| Ransomware damages by 2031 | $265 billion annually | Sprinto |
| Ransomware damages in 2024 | $42 billion | Sprinto |
| Recovery cost from ransomware | $2.73 million average | Sophos |
| Ransomware attacks on companies <1,000 employees | 82% | Various |
| Ransomware attacks on companies <100 employees | 37% | Various |
| Organizations affected by ransomware | 37% | Sophos |
| Ransomware attack frequency by 2031 | Every 2 seconds | Cybercrime Magazine |
Key Insight: Ransomware damages are projected to surge from $42 billion in 2024 to $265 billion by 2031, with attacks expected to strike every 2 seconds, making it one of the fastest-growing cyber threats.
Small Business Vulnerability Statistics
| Metric | Percentage | Source |
|---|---|---|
| Cyber breaches impacting businesses <1,000 employees | 46% | Verizon DBIR |
| SMBs targeted by cyberattacks (2021) | 61% | Various |
| Small businesses with customer data at risk | 87% | Various |
| Small businesses collecting credit card info without security | 27% | Various |
| SMBs with no cybersecurity measures | 51% | Digital.com |
| Small businesses with no cybersecurity budget (<50 employees) | 47% | Various |
| SMBs “not at all concerned” about cyberattacks | 36% | Digital.com |
Key Insight: Despite 61% of SMBs being targeted by cyberattacks, 51% have no cybersecurity measures in place, and 36% remain unconcerned. This shows a dangerous disconnect between threat reality and preparedness.
Attack Vector Distribution
| Attack Type | Percentage | Source |
|---|---|---|
| Malware attacks on small businesses | 18% | March 2022 survey |
| Phishing attacks | 17% | March 2022 survey |
| Data breaches | 16% | March 2022 survey |
| Website hacking | 15% | March 2022 survey |
| DDoS attacks | 12% | March 2022 survey |
| Ransomware | 10% | March 2022 survey |
| Breaches involving compromised credentials | 20% | IBM/Verizon |
| Breaches involving human element | 68% | Verizon 2024 |
| Phishing in reported threats | 80%+ | Various |
Key Insight: Malware and phishing dominate attack vectors at 18% and 17% respectively, while 68% of all breaches involve human factors. This highlights the critical role of user behavior in cybersecurity.
Email and Phishing Attack Statistics
| Metric | Statistic | Source |
|---|---|---|
| Malware delivered via email | 92% | Parachute |
| Phishing emails sent daily | 3.4 billion | Various |
| Credential phishing reports (2023) | 940,000+ | Statista |
| Organizations experiencing phishing attempts (2019) | 88% | Various |
| Cost per phishing attack | $4.9 million | IBM |
| Average phishing email cost per employee | $1,500 annually | Proofpoint |
| Employees opening phishing emails | 30% | PhishLabs |
| Phishing as percentage of cyberattacks | Over 80% | Various |
Key Insight: With 3.4 billion phishing emails sent daily and 92% of malware delivered via email, phishing remains the most prevalent and costly attack vector at $4.9 million per incident.
Human Error in Cybersecurity
| Metric | Percentage | Source |
|---|---|---|
| Breaches caused by human factors (2024) | 68% | Verizon |
| Breaches caused by human factors (2023) | 74% | Verizon |
| Cybersecurity issues with human element | 95% | Survey |
| Breaches from insider threats | 43% | Survey |
| Cloud breaches from misconfiguration/human error (2024) | 31% | Study |
| Cloud breaches from misconfiguration/human error (2023) | 55% | Study |
| Organizations with breaches from security protocol disregard | 74% | 2021 survey |
| Organizations with breaches from phishing | 73% | 2021 survey |
| Breaches prevented without human mistakes | 95% | 2015 study |
Key Insight: Human error remains the dominant vulnerability in cybersecurity, accounting for 68-95% of breaches, with most incidents preventable through proper training and protocols.
Remote Work and Cybersecurity Risks
| Metric | Percentage | Source |
|---|---|---|
| IT leaders believing remote work increases breach risk | 56% | Survey |
| Employees believing remote work reduces or doesn’t increase risk | 61% | Survey |
| IT leaders finding remote work complicates breach prevention | 54% | Survey |
| IT leaders fearing phishing will be harder to stop | 50% | Survey |
| IT leaders concerned about rule-breaking in remote settings | 49% | Survey |
| Security leaders saying remote work increased threat exposure | 67% | Tenable |
Key Insight: While 67% of security leaders acknowledge remote work has increased organizational risk, only 56% of IT leaders view it as problematic.
Vulnerability and Patch Management
| Metric | Statistic | Source |
|---|---|---|
| CVE disclosures per day (2025) | 131/day | Deepstrike |
| CVE database total vulnerabilities | 305,000+ | CVE |
| Global vulnerability disclosures expected (2026) | 31,000-34,000 | Comparecheapssl |
| High-severity vulnerabilities projected (2026) | 13,500-15,000 | Comparecheapssl |
| Critical vulnerabilities exploited within 24 hours | 33% | Comparecheapssl |
| Critical vulnerabilities exploited within first week | 54% | Comparecheapssl |
| Weaponized CVEs in 2024 | 0.91% (204 of 22,254) | SC Magazine |
| Critical/high vulnerabilities unpatched >180 days | 33% | Indusface |
| Enterprises failing to patch critical vulnerabilities within 30 days | 52% | Comparecheapssl |
| Average time to discover a breach | 204 days | IBM |
| Average containment time after discovery | 73 days | IBM |
Key Insight: Despite 54% of critical vulnerabilities being exploited within the first week of disclosure, 52% of enterprises fail to patch within 30 days, and 33% remain unpatched for over 180 days.
Industry-Specific Attack Statistics (2024)
| Industry/Sector | Attack Statistic | Source |
|---|---|---|
| Manufacturing (ransomware targets) | 25% | SecurityIntelligence |
| Manufacturing (vulnerability attack increase) | 459% | Indusface |
| Retail (vulnerability attack increase) | 127% | Indusface |
| Banking/Financial Services (API DDoS increase) | 518% | Indusface |
| Banking/Financial Services (website DDoS increase) | 110% | Indusface |
| Banking/Financial Services (attacks during Operation Sindoor) | 172% spike | Indusface |
| Power and energy (attacks vs average) | 4x more attacks | Indusface |
| Healthcare ransomware vulnerability belief | 54% | Proofpoint |
| Healthcare breach cost (2022-2024) | $9.77 million | IBM |
Key Insight: Banking and financial services experienced a staggering 518% increase in API DDoS attacks, while manufacturing saw a 459% surge in vulnerability exploitation.
DDoS Attack Statistics
| Metric | Statistic | Source |
|---|---|---|
| Global DDoS attacks blocked (H1 2025) | 1.52 billion+ | Indusface |
| Websites experiencing at least one DDoS attack | 70% | Indusface |
| API hosts vs websites (DDoS attacks, 2024) | 388% more attacks | Indusface |
| API vs website DDoS traffic volume (2024) | 1403% more | Indusface |
| DDoS attacks (first half 2023) | 7.9 million | Netscout |
| Average DDoS attacks per day (2024) | 44,000 | Netscout |
| Cost per minute of DDoS downtime | $22,000 | Ponemon |
| Small business losses per hour | $8,000-$74,000 | G2 |
| Average DDoS attack duration (2024) | 68 minutes | G2 |
| Largest DDoS attack recorded (2023) | 3.47 Tbps | Akamai |
Key Insight: DDoS attacks are surging, with over 1.52 billion blocked in H1 2025 alone and downtime costing businesses up to $22,000 per minute. APIs receive 1403% more DDoS traffic volume than traditional websites.
API Security Statistics (2024-2025)
| Metric | Statistic | Source |
|---|---|---|
| Global API attack growth (YoY) | 104% | Indusface |
| India API attack growth (YoY) | 126% | Indusface |
| API vulnerability exploitation spike | 13x (1304% increase) | Indusface |
| APIs receiving more attacks than websites | 43% more | Indusface |
| Small/medium business API attack increase | 43% | Indusface |
| SMB API hosts vs enterprise websites | 741% more attacks | Indusface |
| Companies with API security incidents | 41% | VentureBeat |
| Companies delaying API releases due to security | 50%+ | Okoone |
| Data exfiltration as top API security concern | 58% | ai |
| Organizations using penetration testing for APIs | 46% | ai |
Key Insight: API attacks have exploded with a 104% global increase and a 13x spike in vulnerability exploitation, while SMB API hosts face 741% more attacks than enterprise websites. This shows that APIs are the new primary attack surface.
Bot and Automated Attack Statistics
| Metric | Statistic | Source |
|---|---|---|
| Applications targeted by automated bot activity | 90% | Indusface |
| Bot requests blocked | 64 million | Indusface |
| Bot-generated internet traffic (2023) | 47.4% | Imperva |
| Malicious bot traffic | 32% | Imperva |
| SaaS bot attacks vs other sectors | 10x more | Indusface |
| Cyberattacks from Gorilla botnet | 300,000+ | Various |
| Cost to rent botnet for DDoS | $5 per hour | G2 |
Key Insight: Bots now generate 47.4% of all internet traffic, with 90% of applications targeted, and SaaS experiencing 10x more attacks, while botnet rentals cost as little as $5 per hour.
AI and Machine Learning in Cybersecurity
| Metric | Statistic | Source |
|---|---|---|
| Organizations expecting AI to impact cybersecurity (2026) | 66% | GCO survey |
| Organizations with AI security assessment processes | 37% | GCO survey |
| Small organizations lacking AI safeguards | 69% | GCO survey |
| Adversarial advances via GenAI as top concern | 47% | GCO survey |
| Successful social engineering attacks | 42% | GCO survey |
| Breaches involving AI use by attackers | 16% | IBM |
| AI-driven breach cost | $4.49 million | IBM |
| Organizations without AI governance policy | 63% | IBM |
| AI-generated phishing click-through rate | 54% | arxiv study |
| AI phishing effectiveness vs control | 350% more effective | arxiv study |
Key Insight: While 66% of organizations expect AI to significantly impact cybersecurity, only 37% have assessment processes in place, and 63% lack any AI governance policy.
Zero-Day and Emerging Threat Statistics
| Metric | Statistic | Source |
|---|---|---|
| Zero-day vulnerabilities (Jan-Oct 2025) | 5,755 detected | Indusface |
| Zero-day vulnerabilities (2024) | 3,508 identified | Indusface |
| Zero-day vulnerabilities (2023) | 3,324 discovered | Indusface |
| Exploited vulnerabilities as zero-day/“1-day” (H1 2025) | 32% | Vulncheck |
| Zero-days exploited (2023) | 87 | Mandiant |
| Average time to patch zero-day exploit | 197 days | IBM Security |
| Websites blocked with attacks (H1 2025) | 7+ billion | Indusface |
| Website vulnerability attacks growth | 26% increase | Indusface |
Key Insight: Zero-day discoveries are accelerating dramatically from 3,324 in 2023 to 5,755 in the first 10 months of 2025, with 32% of exploited vulnerabilities being zero-day or “1-day” attacks. This leaves organizations virtually defenseless.
Cloud Security Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Breaches involving cloud-based data (2024 projection) | 82% | IBM |
| SaaS applications under attack | 38% | SentinelOne |
| Organizations observing increased cloud attack frequency | 80% | SentinelOne |
| Businesses with public cloud security incidents (2024) | 27% | SentinelOne |
| Organizations using multiple cloud providers | 79% | SentinelOne |
| Cloud misconfigurations causing security incidents | 23% | SentinelOne |
| Multi-cloud organizations with visibility issues | 72% | IBM |
| Cloud workloads targeted in cyberattacks | 60%+ | Palo Alto Networks |
| Organizations lacking cloud security assessment processes | 63% | GCO survey |
Key Insight: With 82% of breaches involving cloud-based data and 72% of multi-cloud organizations struggling with visibility issues, cloud security has become the critical battleground, yet 63% of organizations still lack proper assessment processes.
Cybersecurity Workforce and Skills Gap
| Metric | Statistic | Source |
|---|---|---|
| Global cybersecurity skills gap | 3.5-4 million professionals | Cybersecurity Ventures/TechTarget |
| Cybersecurity skills gap by 2030 | 10 million professionals | Cybersecurity Ventures |
| Cybersecurity job market growth (2022-2032) | 32% | Forbes Advisor |
| Organizations with moderate-to-critical skills gaps | 66% | GCO survey |
| Organizations confident in current workforce | 14% | GCO survey |
| Skills gap increase (2024-2025) | 8% | GCO survey |
| Public sector lacking necessary talent | 49% | GCO survey |
| Public sector talent shortage increase from 2024 | 33% | GCO survey |
| Cybersecurity professionals experiencing burnout | 55% | ESG |
Key Insight: The cybersecurity workforce crisis is deepening with a current gap of 4 million professionals projected to reach 10 million by 2030, while 55% of existing professionals experience burnout and only 14% of organizations feel adequately staffed.
Cybersecurity Investment and Spending
| Metric | Amount/Percentage | Source |
|---|---|---|
| Global cybersecurity market (2030 projected) | $538.3 billion | MarketsandMarkets |
| Global cybersecurity spending (2025) | $213 billion | Seceon |
| Cyber insurance market (2026 projected) | $26.94 billion | Grand View Research |
| AI security investment increase (2022-2027) | 146% to $13.8 billion | MarketsandMarkets |
| Healthcare cybersecurity spending (2020-2025) | $125 billion | Cybercrime Magazine |
| Healthcare cybersecurity spending (by 2031 projected) | $125 billion | Fortune Business Insights |
| Average cybersecurity budget (global) | $5.47 million | IBM |
| Financial services compliance costs | $30.9 million | IBM |
| Small businesses spending monthly | <$1,500 (nearly half) | Survey |
| SMBs increasing security spending (2021) | 22% | CNBC/Momentive |
| Cybersecurity investment ROI | $2.71 per $1 spent | McKinsey |
Key Insight: Global cybersecurity spending reached $213 billion by 2025 with an ROI of $2.71 per dollar invested, yet nearly half of small businesses spend less than $1,500 monthly.
Supply Chain and Third-Party Risk Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Large organizations citing supply chain as biggest resilience barrier | 54% | GCO survey |
| Breaches involving third-party vendors | 30-55% | Verizon DBIR/IBM |
| Third-party vendors with known breaches | 98% | CyberRisk Alliance |
| Businesses with third-party breach (2023) | 61% | Prevalent |
| Supply chain compromise in AI incidents | 30% | IBM |
| Supply chain breach additional cost | $227,000 | IBM |
| Third-party breach resolution time increase | 12.8% | Prevalent |
| Third-party breach cost increase | 11.8% | Prevalent |
| Third-party breach lifecycle | 307 days | Prevalent |
| Organizations facing software supply chain attacks by 2025 | 45% | Gartner |
| Businesses not properly vetting vendors | 54% | zengrc |
Key Insight: Supply chain vulnerabilities have emerged as the top cybersecurity concern with 54% of large organizations identifying it as their biggest barrier, while 98% maintain relationships with vendors that have experienced breaches and third-party incidents take 307 days to resolve.
Ransomware Payment and Recovery Statistics
| Metric | Statistic | Source |
|---|---|---|
| Small businesses paying ransomware demands | 51% | CNBC/Momentive |
| Small businesses paying out of pocket | 24% | CNBC/Momentive |
| Ransomware payments covered by insurance | 27% | CNBC/Momentive |
| SMBs unable to continue if hit by ransomware | 75% | CyberCatch/Momentive |
| Average ransom payment (2023) | $1.54 million | Various |
| Average ransom payment increase from 2022 | 84% increase | Coveware |
| Average ransom payment amount | $570,000 | Coveware |
| LockBit ransomware payments (2025) | $91 million | G2 |
| Organizations globally victimized by ransomware (2023) | 72% | Sprinto |
| Time to identify ransomware attack | 49 days average | IBM |
Key Insight: Ransomware payments have skyrocketed 84% to an average of $570,000, with 51% of small businesses paying demands and 75% unable to continue operations if hit, while the LockBit group alone collected $91 million in 2025.
Cyber Insurance Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Small businesses with cyber insurance | 17% | Survey |
| Companies purchasing insurance after an attack | 48% | Survey |
| Small businesses unfamiliar with cyber insurance | 64% | Survey |
| Large organizations confident in cyber insurance | 71% | Survey |
| Small organizations confident in cyber insurance | 35% | Survey |
| High-resilience organizations without insurance | 7% | Survey |
| Cyber insurance market growth (to 2026) | $26.94 billion | Grand View Research |
Key Insight: Only 17% of small businesses carry cyber insurance despite its growing importance, with 64% unfamiliar with coverage options and 48% only purchasing after experiencing an attack.
Geopolitical Cyber Threat Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Organizations with cyber strategies influenced by geopolitical tensions | 59-60% | GCO survey |
| Nation-state attacks originating from Russia | 58% | Microsoft/CompTIA |
| Organizations changing trading/operating policies | 18% | GCO survey |
| Organizations halting operations in certain regions | 17% | GCO survey |
| Organizations changing vendors | 16% | GCO survey |
| CEOs concerned about cyber espionage/IP theft | 33% | GCO survey |
| CISOs concerned about operational disruption | 45% | GCO survey |
| Cyberattacks motivated by political reasons | 19% | Verizon DBIR |
Key Insight: Geopolitical tensions now directly influence cybersecurity strategy in 60% of organizations, with 58% of nation-state attacks originating from Russia and one-third of CEOs citing cyber espionage as their top concern.
Incident Response and Recovery Statistics
| Metric | Statistic | Source |
|---|---|---|
| SMBs taking 24+ hours to recover from attack | 50% | Survey |
| Websites down 8-24 hours after attack | 51% | Survey |
| Small businesses losing crucial data | 40% | Survey |
| Savings from containing a breach in <200 days | $1+ million | IBM |
| Organizations with formal incident response plan | 53% | Ponemon Institute |
| Breaches taking >200 days to contain | $5.01 million average cost | IBM |
| Breaches resolved within 200 days | $3.87 million average cost | IBM |
| Overall breach lifecycle | 241 days | IBM |
| AI-powered breach detection/containment time savings | 108 days faster | IBM |
| AI-powered breach cost savings | $1.76 million | IBM |
Key Insight: Half of SMBs take over 24 hours to recover from attacks, while organizations containing breaches in under 200 days save over $1 million compared to longer incidents, with AI-powered detection saving 108 days and $1.76 million.
Security Training and Awareness Statistics
| Metric | Percentage/Statistic | Source |
|---|---|---|
| High-resilience organizations providing cyber training | 76% | Survey |
| Organizations with support teams for reporting | 62% | Survey |
| Organizations with anonymous reporting channels | 48% | Survey |
| Employees completing assigned training | 66% | SANS Institute |
| Organizations that revised their cybersecurity plan post-COVID | 42% | Survey |
| Security awareness training ROI | $5 return per $1 spent | Infosec Institute |
| Organizations leveraging AI for cyber risk (2023) | 47% | PWC |
| Businesses using compliance technology | 69% | safetica |
| Compliance technology cost savings | $1.45 million average | Survey |
| Regular compliance audit savings | $2.86 million average | Survey |
Key Insight: Security awareness training delivers a 5:1 ROI ($5 return per $1 spent), yet only 66% of employees complete assigned modules, while organizations using compliance technology save an average of $1.45 million.
IoT and Connected Device Statistics
| Metric | Statistic | Source |
|---|---|---|
| IoT devices connected to internet by 2030 (projected) | 50 billion+ | CSO Online |
| New IoT devices connected per second | 127 | Tech Jury |
| IoT malware attacks increase (2023) | 37% globally | Various |
| IoT malware attacks (H1 2023) | 77.9 million+ | Various |
| IoT-based cyberattacks (2023) | 112 million+ | Kaspersky |
| Average cost per IoT attack incident | $330,000 | PSA Certified |
| Smart home devices lacking proper encryption | 80% | Symantec |
| Mobile phones infected by malware | 1 in 50 | Security Magazine |
| Mobile malware targeting Android | 98% | Various |
Key Insight: With 50 billion IoT devices expected by 2030 and 127 new devices connecting every second, IoT attacks surged to 112 million in 2023, while 80% of smart home devices lack proper encryption.
Mobile Device and Application Security
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Phishing attacks targeting mobile devices | 80% | Zimperium |
| Android devices vulnerable to known exploits (2022) | 82% | Various |
| Mobile security market by 2028 | $14.82 billion | Various |
| Phishing sites designed for mobile | 75% | Zimperium |
| Mobile app vulnerabilities on release | 76% | Veracode |
| Smartphone users susceptible to SMS phishing vs email | 6-10x more | Zimperium |
| Applications blocked by Google and Apple | 1.2 million | Various |
| Fraudulent transactions blocked by Apple | $2+ million | Various |
| Mobile security breaches attributed to user behavior | 44% | Verizon |
Key Insight: Mobile devices face disproportionate risk, with 80% of phishing targeting phones, 76% of mobile apps containing vulnerabilities at release, and users 6-10 times more susceptible to SMS phishing than email attacks.
Compliance and Regulatory Statistics
| Metric | Amount/Percentage | Source |
|---|---|---|
| GDPR fines issued (as of March 2025) | 2,245 fines totaling €5.65 billion | Study |
| Average GDPR fine | €2.36 million | Study |
| Maximum GDPR fine for serious violations | €20 million or 4% of global revenue | GDPR |
| Largest GDPR fine (Meta, May 2023) | €1.2 billion ($1.3 billion USD) | CNBC |
| GDPR fines (Jan 2021 – Jan 2022) | €1.1 billion | DLA Piper |
| Data processing violations fines (by Sept 2024) | €2.4 billion+ | Statista |
| DPDP Act maximum penalty (India) | ₹250 crore per instance | Study |
| Data breach cost increase with noncompliance | $220,000 | IBM |
| High noncompliance breach cost | $5.05 million | IBM |
| CISOs citing regulation fragmentation as challenge | 76% | WEF Annual Meeting |
Key Insight: Regulatory penalties are severe with GDPR fines totaling €5.65 billion across 2,245 actions and averaging €2.36 million per violation, while noncompliance adds $220,000 to breach costs and 76% of CISOs struggle with regulatory fragmentation.
Business Email Compromise (BEC) Statistics
| Metric | Statistic | Source |
|---|---|---|
| Average BEC incident cost | $4.2 million | FBI IC3 |
| BEC attacks as percentage of incidents | 34% | Arctic Wolf |
| BEC-based phishing increase (H2 2022 to H1 2023) | 1.6 to 2.5 per 1,000 mailboxes | Study |
| Organizations without MFA experiencing BEC | 80% | Arctic Wolf |
| Employees tricked by executive impersonation (2022) | 52% | Study |
| Increase in employees tricked by executive impersonation since 2020 | 11% (from 41%) | Study |
| Employees falling for phishing at work (2022) | 26% | Study |
Key Insight: Business Email Compromise attacks cost an average of $4.2 million per incident, with 52% of employees tricked by executive impersonation and 80% of victimized organizations lacking multi-factor authentication.
Cryptocurrency and Financial Fraud Statistics
| Metric | Amount | Source |
|---|---|---|
| Cryptocurrency stolen (2023) | $2+ billion | therecord |
| Identity fraud victims (2022) | 15.4 million U.S. adults | Javelin Strategy |
| Identity fraud losses (2022) | $20 billion | Javelin Strategy |
| Online payment fraud losses (by 2027) | $343 billion | Juniper Research |
| Digital identity fraud losses (2023) | $58+ billion | Javelin Strategy |
| Emails exposed within a year | Nearly 1 billion | AAG |
| Impact rate | 1 in 5 internet users | AAG |
| Credit card numbers sold on black market | 17.5 million | Various |
Key Insight: Cryptocurrency crime reached $2 billion in 2023 while digital identity fraud cost $58 billion, with 15.4 million U.S. adults victimized and losses projected to hit $343 billion by 2027 for online payment fraud alone.
Malware Statistics
| Metric | Statistic | Source |
|---|---|---|
| New malware pieces created daily | 300,000 | Various |
| Known malware types | 1.2 billion | Stationx |
| Malware attacks detected (2023) | 6.06 billion | Statista |
| Malware attacks per minute (2023) | 11.5 attacks | Parachute |
| Novel malware samples per minute | 1.7 | Parachute |
| Emotet detection increase (H1 2022 vs H1 2021) | 976.7% | Various |
| Encrypted malware in HTTPS traffic | 93% | WatchGuard |
| Organizations with malware breaches | 17% in 2020 | Various |
Key Insight: With 300,000 new malware variants created daily and 6.06 billion attacks detected in 2023, malware remains pervasive, particularly with 93% now hidden in encrypted HTTPS traffic, evading traditional detection.
Data Exposure and Breach Volume Statistics
| Metric | Statistic | Source |
|---|---|---|
| Data breaches (first half 2025) | 1,732 | ITRC |
| Increase from 2024 first half | 11% | ITRC |
| Percentage of 2024 total breaches | 54.9% | ITRC |
| Data breach increase (past 2 years) | 72% | Forbes Advisor |
| Cam4 breach records exposed (2020) | 10+ billion | Statista |
| AT&T data leak customers affected (2024) | 73 million | Various |
| BBC cloud storage breach employees | 25,000+ | Various |
| Dell data breach customers | 49 million | Various |
| National Public Data breach records | 2.9 billion | Various |
| FBCS breach individuals affected | 4+ million | Various |
| McDonald’s chatbot data exposure | 64 million applicants | Various |
Key Insight: Data breaches increased 72% over two years with 1,732 incidents in just the first half of 2025, including massive exposures like the 2.9 billion record National Public Data breach and Dell’s 49 million customer compromise.
Critical Infrastructure and OT Security
| Metric | Statistic | Source |
|---|---|---|
| Cyberattacks targeting critical infrastructure | 40% | Check Point |
| Average DNS attacks per organization annually | 7.5 attacks | IDC Report |
| DNS attacks causing application outages | 82% | G2 |
| DNS attacks resulting in data theft | 29% | G2 |
| Organizations experiencing DNS attacks (2021) | 87% | Heimdal Security |
| Average global DNS attack cost | ~$950,000 | Heimdal Security |
| North American DNS attack cost | ~$1 million | Heimdal Security |
| DNS DDoS attacks (Q1 2024) | 1.5 million | Various |
| Medical devices with known vulnerabilities | 50% | Healthcare IT News |
Key Insight: Critical infrastructure faces unprecedented risk with 40% of attacks targeting utilities and transport, while 87% of organizations experienced DNS attacks averaging $950,000 in costs and 50% of medical devices containing known vulnerabilities.
Cybersecurity Resilience and Preparedness
| Metric | Percentage | Source |
|---|---|---|
| Small organizations reporting insufficient resilience | 35% | GCO survey |
| Large organizations reporting insufficient resilience | 5% | GCO survey |
| Public sector with insufficient resilience | 38% | GCO survey |
| Medium-to-large private sector with insufficient resilience | 10% | GCO survey |
| Organizations with cyber risks increased (past 12 months) | 72% | GCO survey |
| Complex threat landscape as top resilience challenge | 63% | GCO survey |
| Latin America lacking confidence in critical infrastructure response | 42% | GCO survey |
| Africa lacking confidence in critical infrastructure response | 36% | GCO survey |
| Europe/North America lacking confidence | 15% | GCO survey |
Key Insight: Cyber inequity is widening dramatically with 35% of small organizations reporting insufficient resilience versus only 5% of large organizations, while regional disparities show 42% of Latin American organizations lack confidence compared to 15% in Europe/North America.
Deepfake and Synthetic Identity Threats
| Metric | Statistic | Source |
|---|---|---|
| Deepfake incidents detected (2023) | 13,000+ | Sumsub |
| Deepfake tool trade increase (Q1 2023 to Q1 2024) | 223% | Accenture |
| CISOs viewing deepfakes as moderate-to-significant threat | 55% | Annual Meeting 2024 |
| Synthetic identity fraud annual cost to lenders | $6+ billion | Experian |
| Users accessing sensitive data on public Wi-Fi | 43% | Norton |
| Users skipping software updates | 39% | Avast |
Key Insight: Deepfake threats surged with over 13,000 incidents in 2023 and a 223% increase in tool availability, while synthetic identity fraud costs lenders $6 billion annually and 55% of CISOs consider deepfakes a significant threat.
Quantum Computing and Future Threats (2024/2025)
| Metric | Percentage/Statistic | Source |
|---|---|---|
| Organizations conducting quantum risk assessments | 40% | 2024 Annual Meeting |
| Cybersecurity experts concerned about quantum impact on encryption | 71% | Deloitte |
| Organizations implementing Zero Trust architecture | 61% | Gartner |
| Insider threat annual cost | $15.4 million average | Ponemon Institute |
| Credential stuffing attempts annually | 193 billion | Akamai |
| Cybercrime victims reporting to law enforcement | 12% | World Economic Forum |
Key Insight: While 71% of cybersecurity experts express concern about quantum computing’s threat to encryption, only 40% of organizations have begun quantum risk assessments, revealing a dangerous preparedness gap for this emerging threat.
Social Engineering Impact Statistics
| Metric | Statistic | Source |
|---|---|---|
| Social engineering in cyberattacks | Over 90% | KnowBe4 |
| Small business employees receiving more social engineering | 350% more than large enterprises | Various |
| Cyberattacks involving social engineering | 98% | Various |
| Successful social engineering attacks | 42% | GCO survey |
| Organizations identifying credential stuffing as a significant threat | 82% | Netwrix |
| Average organization targeted by social engineering annually | 700+ attacks | Various |
| Security professionals considering social engineering “most dangerous” | 75% | Various |
Key Insight: Social engineering dominates the threat landscape at over 90% of cyberattacks, with small business employees experiencing 350% more attacks than large enterprises and 42% of organizations reporting successful breaches through these tactics.
Cyber Resilience Investment Impact
| Metric | Statistic/Amount | Source |
|---|---|---|
| Savings per breach for organizations using DevSecOps | $227,000 | IBM |
| Zero Trust implementation breach cost reduction | $1 million | IBM |
| Security system complexity additional cost | $207,000 | IBM |
| Organizations with dedicated cybersecurity budget | 64% | ESG |
| Small businesses with no budget (<50 employees) | 47% | Survey |
| Small businesses with no budget (50-249 employees) | 35% | Survey |
| Small businesses with no budget (250+ employees) | 18% | Survey |
Key Insight: Strategic cybersecurity investments deliver measurable returns with Zero Trust reducing breach costs by $1 million and DevSecOps saving $227,000, yet 47% of small businesses still lack any dedicated cybersecurity budget.
Breach Detection and Response Timeline
| Metric | Timeline | Source |
|---|---|---|
| Average time to detect a breach | 204-207 days | IBM |
| Average time to contain after detection | 73 days | IBM |
| Combined breach lifecycle | 241-277 days | IBM |
| Time to identify ransomware | 49 days average | IBM |
| Files exfiltrated within initial access | Under 10 minutes | Digital Shadows |
| Time savings with AI detection/containment | 108 days | IBM |
| Virtual patch effectiveness for web attacks | 62% blocked | Indusface |
| Virtual patch effectiveness for API attacks | 71% blocked | Indusface |
Key Insight: Despite advanced technologies, the average breach lifecycle spans 241-277 days, with 204-207 days to detect and 73 days to contain, while attackers can exfiltrate files in under 10 minutes. AI-powered detection and containment can cut 108 days from that timeline.
Employee Behavior and Email Errors
| Metric | Percentage | Source |
|---|---|---|
| Employees made work mistake risking security (2022) | 36% | Survey |
| Employees made work mistake risking security (2020) | 43% | Survey |
| Employees receiving fraudulent text at work | 56% | Survey |
| Employees complying with text scam request | 32% | Survey |
| Employees tricked by executive phishing (2022) | 52% | Survey |
| Employees tricked by executive phishing (2020) | 41% | Survey |
| Employees falling for phishing (2022) | 26% | Survey |
| Employees falling for phishing (2020) | 25% | Survey |
| Employees emailing wrong external party | 17% | Survey |
| Employees sending wrong attachment externally | 15% | Survey |
Key Insight: While security awareness appears to be improving with employee-reported mistakes declining from 43% to 36%, executive impersonation success rates increased from 41% to 52%, and one-third of employees still comply with fraudulent text message requests.
Consumer Trust and Behavior Post-Breach
| Metric | Percentage/Impact | Source |
|---|---|---|
| U.S. consumers less likely to do business after breach | 55% | Forbes |
| Consumers avoiding brands that mishandle data | 94% | Cisco |
| Organizations losing customers due to email error (2020) | 20% | Survey |
| Organizations losing customers due to email error (2022) | 29% | Survey |
| Employees losing jobs after email error (2020) | 12% | Survey |
| Employees losing jobs after email error (2022) | 21% | Survey |
| Employees not informing IT about email errors (2020) | 16% | Survey |
| Employees not informing IT about email errors (2022) | 21% | Survey |
| Consumers developing “breach fatigue” | 29% | Security.org |
Key Insight: Data breaches severely impact customer loyalty with 55% of consumers avoiding breached companies and 94% shunning brands that mishandle data, while 29% of organizations now lose customers due to email errors (up from 20%).
Age and Department Vulnerability Patterns
| Demographic | Vulnerability Rate | Source |
|---|---|---|
| Employees 18-24 opening phishing emails | 39% | Survey |
| Employees 65+ opening phishing emails | 8% | Survey |
| Phishing susceptibility ratio (young vs old) | 5x more likely | Survey |
| Employees 55+ complying with smishing | 33% | Survey |
| Employees 18-24 complying with smishing | 24% | Survey |
| Marketing department falling for phishing | 41% | Survey |
| Finance department falling for phishing | 21% | Survey |
| Operations department falling for phishing | 12% | Survey |
| Marketing vs operations susceptibility | 4x more likely | Survey |
Key Insight: Younger employees (18-24) are five times more likely to fall for phishing than those over 65, while marketing departments show 4x higher susceptibility than operations.
Reasons for Security Mistakes
| Factor | Percentage | Source |
|---|---|---|
| Making mistakes when tired (2022) | 51% | Survey |
| Making mistakes when tired (2020) | 43% | Survey |
| Making mistakes when distracted (2022) | 50% | Survey |
| Making mistakes when distracted (2020) | 41% | Survey |
| Pressure to send email quickly (2022) | 50% | Survey |
| Pressure to send email quickly (2020) | 34% | Survey |
| Not paying attention | 49% | Survey |
| Fatigue as factor | 42% | Survey |
| Email appearing legitimate (2022) | 54% | Survey |
| Email appearing legitimate (2020) | 43% | Survey |
Key Insight: Security mistakes are increasingly driven by workplace pressure and fatigue, with employees citing pressure to act quickly rising from 34% to 50% and fatigue-related errors increasing from 43% to 51%.
Cybersecurity Tools Adoption by SMBs
| Tool/Solution | Adoption Percentage | Source |
|---|---|---|
| Antivirus software | 58% adopted/planned | Digital.com |
| Firewalls | 49% | Digital.com |
| VPNs | 44% | Digital.com |
| Password management | 39% | Digital.com |
| Secure payment processing | 38% | Digital.com |
| Multi-factor authentication | 20% implemented | Survey |
| Data encryption | 17% | Survey |
| Using free consumer-grade solutions (<50 employees) | 33% | Survey |
| Using no endpoint security (<50 employees) | 20% | Survey |
Key Insight: SMBs are gradually adopting security tools, with 58% using or planning to use antivirus, but critical protections lag far behind: only 20% implement multi-factor authentication and just 17% encrypt data, while one-third rely on free consumer-grade solutions.
Post-Attack Response and Changes
| Response Action | Percentage | Source |
|---|---|---|
| Installed antivirus/antimalware | 44% | Digital.com |
| Started using VPN | 43% | Digital.com |
| Hired cybersecurity firm/IT staff | 29% | Digital.com |
| Made no changes | 8% | Digital.com |
| Notified customers about data loss | 35% | Survey |
| Sent apology email | 44% | Survey |
| Organizations revised plan post-COVID | 42% | Survey |
| Organizations increasing spending (2021) | 22% | CNBC/Momentive |
| Organizations keeping same spending | 67% | CNBC/Momentive |
Key Insight: Following cyberattacks, 44% of organizations install antivirus and 43% adopt VPNs, while 29% hire dedicated security staff, but concerningly 8% make no changes at all despite being breached, and 67% maintain unchanged security budgets.
Cybersecurity Market and Spending Trends
| Category | Amount/Growth | Source |
|---|---|---|
| Global IT spending growth (2024) | 8% to $5.1 trillion | Gartner |
| CIOs planning to increase cybersecurity budgets | 80% | Gartner |
| Average spending per employee (2019) | $2,337 | Deloitte |
| Average spending per employee (2020) | $2,691 | Deloitte |
| Large organizations spending $1M+ annually | 50% | Cisco |
| Large organizations spending $250K-$999K | 43% | Cisco |
| Large organizations spending <$250K | 7% | Cisco |
| SMB spending on IT security | 5-20% of IT budget | Survey |
| Organizations with cyber risk in enterprise risk management | 60%+ | Survey |
Key Insight: Cybersecurity investment is surging with global IT spending growing 8% to $5.1 trillion and 80% of CIOs increasing security budgets, while per-employee spending rose from $2,337 to $2,691, yet SMBs still allocate only 5-20% of IT budgets to security.
Cybersecurity Breach Cost Components
| Cost Component | Amount | Source |
|---|---|---|
| Business lost due to cyberattacks | $1.52 million average | IBM |
| Information loss cost | $5.9 million | Accenture |
| Malware attack cost | $2.6 million | Accenture |
| Downtime cost per hour | $3.8 million | Veeam |
| Compliance violation recovery | $14.8 million per incident | Globalscape/Ponemon |
| Full exploit chain for iOS | $2 million | Purplesec |
| Average security incident on SMBs | $826-$653,587 (95% range) | Verizon |
Key Insight: Beyond direct breach costs averaging $4.45 million, organizations face substantial component costs including $1.52 million in lost business, $5.9 million for information loss, $3.8 million per hour of downtime, and up to $14.8 million for compliance violations.
Sector-Specific Cybersecurity Challenges
| Sector | Specific Challenge | Source |
|---|---|---|
| Education (attacks weekly, 2022) | Nearly 2,000 per organization | Survey |
| Education (compromised credentials) | 36% | Survey |
| Education (exploited vulnerabilities) | 29% | Survey |
| Education (institutions hit in 2023) | 56% | Sophos |
| Retail (cyberattack victims extorted) | 50% | Survey |
| Retail (credentials harvested) | 25% | Survey |
| Manufacturing (vulnerability attacks increase) | 459% | Indusface |
| Manufacturing (ransomware victims) | 56% | Survey |
| BFS (attacks targeting vulnerabilities) | 77% | Indusface |
Key Insight: Sector-specific vulnerabilities are stark: education faces nearly 2,000 weekly attacks with 56% of institutions hit, manufacturing saw a 459% surge in vulnerability attacks, and 77% of banking attacks specifically target application vulnerabilities.
Emerging Technology Risks and Adoption
| Technology/Risk | Percentage/Statistic | Source |
|---|---|---|
| Unsanctioned apps in use (Shadow IT) | 47% | Cisco |
| Average security tools per enterprise | 45 tools | Cisco |
| M&A deals delayed due to security concerns | 53% | Forescout |
| Cloud services misconfiguration causing leaks | 45% | McAfee |
| 5G enterprises concerned about attack surfaces | 62% | Palo Alto Networks |
| Fake software updates causing malware | 11% | HP Wolf Security |
| Biometric authentication growth by 2030 | 400% increase | Statista |
| Organizations interacting with vulnerable vendors | 98% | CyberRisk Alliance |
| Breaches caused by external parties (2023) | 83% | Verizon |
Key Insight: Emerging technology adoption outpaces security with 47% of apps unsanctioned, 45% of cloud leaks from misconfiguration, 62% concerned about 5G risks, and 98% of organizations maintaining relationships with compromised vendors.
References
DataGlobeHub makes use of the best available data sources to support each publication. We prioritize sources of good reputation, like government sources, authoritative sources, expert sources, and well-researched publications. When citing our sources, we provide the report title followed by the publication name. Where not applicable, we provide just the publication name.
- Cyber Crime & Security – Statista
- Global Cybersecurity Outlook – World Economic Forum
- Data Breach Investigations Report – Verizon Business
- Cost of a data breach – IBM
- Global Cybersecurity Spending to Hit $213 Billion – Seceon
- Futurespective 2033: cyber threats in 10 years, according to AI – NordLayer
- Thales Cloud Security Study – Thales
- An overview of cyber challenges facing the nation, and actions needed to address them – U.S. Government Accountability Office
- Cybersecurity Statistics – Astra
- Key Cybersecurity Statistics: Vulnerabilities, Exploits, and Their Impact – Indusface
- Alarming Small Business Cybersecurity Statistics – StrongDM
- Cyber Security Stats You Should Know About – Simplilearn
- Cybersecurity Statistics and Trends – Varonis
- Cyber Threat Index – Imperva
- Human Error Cybersecurity Statistics – IS Partners
- Cybersecurity Statistics: Unveiling Insights Behind the Numbers – ZeroThreat
- Surprising Cybersecurity Facts & Statistics – DigitalDefynd



