The world of cybersecurity is one of the fastest-moving industries in the world–and, with remote work continually on the rise, it’s never been more important to keep your finger on the pulse of current cybersecurity statistics.
In today’s blog, we cover 239 cybersecurity stats you need to know divided by year, industry, and overall significance.
Let’s jump right in:
There are an estimated 800,000 cyberattacks per year in 2023–with that number predicted to continue to rise annually
97% of security breaches are exploiting WordPress plugins
Every 39 seconds, a threat actor targets a business’s cybersecurity infrastructure
An estimated 300,000 new malware are created daily
92% of malware is being delivered via email
In 2023, it’s taking organizations an average of 49 days to identify a cyberattack
Over 4.1 million websites on the Internet have malware
66% of interviewed CIOs plan to continue to increase their investment in cybersecurity
How does this stack up against 2022’s cyber landscape?
Key highlights from this year included:
An estimated 2,200 cyberattacks per day
255 million phishing attacks occurring in a six-month span, with over 853,987 domain names reported for attempted phishing
2.8 billion malware attacks launched in the first half of 2022 alone
60% more malicious DDoS attacks occurring in the first six months of 2022 than the entirety of 2021
1.51 billion IoT breaches were reported in the first six months of 2022
More than 500,000 users were negatively impacted by malicious mining software
Healthcare remained the #1 target for phishing and ransomware cyberattacks
92% of malware was successfully delivered via email
71% of organizations worldwide became victims of ransomware at least once
Starting in 2021, cybercrime saw a 600% increase–largely attributable to the rise of remote work in the wake of the COVID-19 pandemic
In the same vein, remote work increased the cost of the average cybercrime to $137,000
Over half a million of Zoom user accounts were compromised in 2021 alone (with the bulk of these compromised accounts being sold on the dark web)
More than 77% of organizations did not have a cybersecurity incident response plan in place
89% of healthcare organizations experienced a data breach between the start of 2020 and the end of 2021
Only 16% of polled executives stated that they felt well-prepared to handle cybersecurity risks
Ransomware impacted over 70% of Canadian organizations in 2020
Over 25,000 malicious applications were detected on a daily basis
Hackers successfully targeted over 30,000 websites in 2020
Email was responsible for 95% of all malware attacks
43% of all cyberattacks were focused on small businesses
Businesses were out a total of $20 billion in 2020 due to ransomware
More than half of all global data breaches this year were financially motivated
Healthcare organizations reported three times more data breaches than in 2010
In 2020, over 20% of global organizations experienced at least one IoT device breach
63% of all data breaches were the result of compromised passwords or other user credentials
The average time to detect and begin to fix a breach in 2020 was seven months
There were a reported 23,000 denial of service (DoS or DDoS) attacks every 24 hours in 2020
The frequency of security breaches rose by 11%
Global cybercrime cost three million dollars per minute in 2019
Around 88% of organizations globally were targeted by spear-phishing attacks
Enterprise ransomware incidents increased by 19%, alongside a 56% increase in web attacks
In 2023:
Ferrari has stated that their IT systems have suffered a breach this year, with customer emails, addresses, and phone numbers being exploited
Luxury brand BMW had contracts, financial information, and client documentations leaked on the dark web
The TV station Skylink was forced offline by a sophisticated DDoS attack
One of Spain’s largest pharmaceutical chains was the target of a two-week supply chain cyberattack
Public schools across Minneapolis had their employee and student data leak in a ransomware attack that involved payroll info, personal health information, union grievances, misconduct complaints, and much more
Canada’s retail giant, Indigo, suffered financial losses after being slow to recoup after a ransomware attack that shut down their website for close to a week
In 2022:
Twitter was accused of concealing data breaches that impacted millions of users’ data
More than 1.2 million credit card numbers were leaked on the hacking forum BidenCash
11 million people were impacted by the Optus personal and medical cyberattack
Threat actors attempted to sell the data of 500 million WhatsApp users on the dark web
Both Uber and Rockstar had their internal servers compromised
A student loan breach released 2.5 million social insurance numbers
Fintech start-up Revolut had the data of 50,150 user compromised (including names, home and email address, and credit card information)
Globally-popular clothing brand SHEIN were fined a staggering $1.9 million over a data breach that affected 39 million customers
9.7 million peoples’ medical information was stolen in the infamous Medibank data leak
In 2021:
The Florida Water System was breached when a threat actor attempted to poison the water supply using remote access software
Microsoft’s on-premise Microsoft Exchange Servers were threatened by zero-day vulnerabilities, negatively impacting nine government agencies and over 60,000 global private companies
Computer manufacturer Acer in Taiwan were the victims of a $50-million dollar ransomware attack, of which they have publicly admitted to paying $10 million of
Bombardier, a Canadian airplane producer, had the confidential data of their suppliers, customers, and employees exposed
In 2020:
The Marriott International suffered a data breach that impacted the personal information of 5.2 million guests
Australian broadcaster Channel Nine was the target of the country’s largest-ever attack on a media company
A supply chain hack (dubbed the “Solar Winds hack”) compromised a multitude of governments and private company systems across the globe
Smartwatch manufacturer Garmin was forced to shut down several services in the wake of a ransomware attack
Software AG had employee passport scans, emails, financial documents, and internal directories leaked in a successful cyberattack
EasyJet was the target of a ransomware attack that exposed the personal details of over 9 million customers
In 2019:
Las Vegas’s MGM Grand resort had at least 142 million guest records compromised by cyberattacks
Two Texas towns were hit with a sophisticated, coordinated ransomware attack that targeted local governments
Facebook admitted to storing private user data in plain text, making it easily readable and exploitable by Facebook employees
WhatsApp reported a cybersecurity flaw that permitted threat actors to spy on users with government-grade surveillance
Contractor-related breaches impacted the United States Customs and Border Protection, as one of its contractors leaked a database of border traveler photos without permission
One of America’s largest title insurance companies, First American Title Insurance Co., mistakenly made over 885 million mortgage records available online
Between the end of 2023 and the start of 2025, modern data privacy laws will cover the personal info of around 75% of the globe’s population
Organizations that adopt a strong cybersecurity network architecture by 2023 will reduce the financial costs of data breaches by an average of 90%
30% of enterprises will begin to utilize cloud-based Secure Web Gateway (SWG), CLoud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS)
By 2025, 80% of enterprises will unify web, cloud services, and private application access from a single SSE platform
Hybrid and remote work will continue to rise in frequency across all sectors
70% of CEOs will mandate a culture of cybersecurity-focused awareness and resilience
Ahead of the end of 2026, around 50% of C-level executives will build performance requirements related to cybersecurity risk into their employment contracts
Knowing the top cybersecurity stats for your industry is essential to determine where to place your proactive cybersecurity efforts.
We break them down for you below:
38 million medical records were exposed in 2020 via a Microsoft PowerApps portal breach
67% of polled individuals feel that hospital staff should be mandated to be trained on up-to-date cybersecurity measures
In over 39% of healthcare organizations, awareness of a breach only occurred months after the initial incident
Doctors are ranked as high-risk when it comes to phishing scams, with 50% deemed likely to click on suspicious emails
Unauthorized access in hospitals is up 162% since 2019
47% of healthcare breaches originate from third-party insiders
Malicious data breaches are the #1 case of healthcare cyber insurance claims
90% of healthcare-related organizations have suffered at least one security breach in the past three years, with 30% of said breaches happening in large hospitals
During the COVID-19 pandemic, both the US’s Centre for Disease and the UN’s World Health Organization were impersonated by threat actors
67% of healthcare organizations reported being attacked by lookalike domains
The National Health Service was the victim of $100 million dollars in financial losses in the wake of a WannaCry ransomware breach
34% of healthcare-related breaches were due to unauthorized access
Pharmaceutical company Pfizer had a data leak that impacted U.S.’s prescription drug users, which was the result of unsecured cloud storage
The average cost of a data breach is over $10 million dollars in the healthcare industry
95% of general identify theft is made up of stolen hospital records
Healthcare data breaches have had the highest security breach costs for over twelve consecutive years
88% of polled healthcare employees have opened phishing emails
An HIMSS survey reported that 36% of non-acute care employees have said that their companies do not undergo phishing tests
Almost 24% of healthcare employees across the United States have not received Cybersecurity Awareness Training
Healthcare security breaches cost, on average, $408 per record
Every week, the education sector is the target of nearly 2,000 cyberattacks
82% of university representatives say that more funding is required to bolster their cybersecurity
Phishing is the most common type of cyberattack targeting educational organizations
In the July of 2022 alone, Latin America’s school systems saw a 62% increase in cybercrime
64% of polled representatives stated that they do not believe their existing cybersecurity framework is enough to ward off threats
In March 2018, more than 300 universities and colleges globally were exploited by a collective cyberattack that leaked more than 31 terabytes of confidential information
Cyberattacks on the education industry are up 77% since 2021
Schools have a 53% likelihood of paying ransom in the wake of a ransomware attack
40% of universities and colleges took over a month to recover from a data breach
With more and more educational institutions supporting multiple devices for students and staff alike, Cybersecurity Awareness Training has never been more vital
One-third of school districts do not utilize cloud security
50% of polled schools do not have a cybersecurity plan in place
Educational records can go for as high as $254 each on the dark web
87% of educational bodies have experienced at least one cyberattack that was successful
Almost 80% of universities have experienced reputational damage as the result of a cyberattack
41% of higher education security incidents were triggered by successful social engineering attacks
Out of all 17 major industries, education ranked last in terms of preparedness for identifying and remediating cybersecurity threats
79% of financial CISOs have reported that threat actors are utilizing more sophisticated cyberattacks annually
Web attacks have made up almost 50% of the attacks launched on fintech organizations
67% of baking institutions have said that they have faced an increase in cyberattacks since 2019
Credit card compromises have risen a staggering 212% year-over-year
32% of fintech organizations have been the target of “island hopping” attacks
Credential leaks have seen a 129% increase over the past five years
Almost 50% of financial institutions have reported a sharp increase in wire transfer-based attacks and fraud
Threat actors using malicious apps to hijack fintech infrastructures has risen by 102%
70% of polled financial institutions have announced that they are concerned about financially-motivated cyberattacks
Only 32% of CISOs state that they hunt cyberthreats on a monthly basis
31% of finance-related institutions have reported an uptick in home equity loan fraud, with counter incident responses rising to 32%
Nearly 70% of CISOs say that they plan to increase their cybersecurity spending by a minimum of 10%
Cybersecurity breaches in smaller firms (under 50 employees) have doubled since 2019
31% of attorneys state that their clients have left following a data breach due to confidentiality concerns
The average data breach cost in small-to-medium sized law firms is $36,000
In 2020, celebrity law firm Grubman Shire Meiselas & Sacks paid out $365,000 due to a ransomware attack
Around 82% of cyber breaches in the law industry stemmed from phishing emails targeting employees
25% of respondents in 2021 alone reported that their firm had suffered at least one successful cyberattack
The consequences of data breaches for law firms include, but aren’t limited to, the loss of billable hours (reported by 36% of interviewees), cybersecurity consulting fees (31%), and the replacement of hardware and software (18%)
Globally, 72% of both state and local governments attacked by ransomware had had their data encrypted
After Australia’s Victoria state government invested $100,000 to train women in cybersecurity, the Australian federal government followed suite to launch their $9.9 billion REDSPICE initiative (Resilience, Effects, Defence, Space, Intelligence, Cyber Enablers) to bolster their national cyber infrastructure
In 2022, the UK government announced new cybersecurity measures to protect their nuclear weapons systems
Vanatu’s official government sites and online services were compromised by a sophisticated cyberattack in 2022
The United States government is ranked as the #1 most-targeted government for cyberattacks, with a likelihood of 38%
Although we’ve provided a deep-dive of cybersecurity statistics for small-to-midsize businesses already, we’d be remiss if we didn’t recount some of the most important ones here:
4 out of 5 SMBs state that their antivirus software has not stopped malware
Only 16% report feeling secure in their security posture
Nearly 70% of SMBs do not enforce password for multi-factor authentication policies
68% of SMBs store confidential data like email addresses, whereas over half store phone numbers and store billing addresses
Web-based attacks make up most of cyberattacks against SMBs at 49%
Over half of small-to-midsize businesses go out of business within six months of being hit by a successful cyberattack
58% of malware victims are SMBs
70% of SMB owners report not feeling ready for a cyberattack if one hits
43% of the world’s total cyberattacks are targeted at small-to-midsize businesses
Companies are experiencing 31% more cyberattacks, with that percentage growing by the year
Only 4% of enterprises that pay demanded ransoms retrieve their stolen data
Many cybercrime victims are not reporting their cases, lowering the estimated cybercrime enforcement rate down to just 0.05%
40% of polled CEOs reported that hybrid work IT infrastructures were the most difficult aspects of cybersecurity to implement
66% of organizations are expecting to grow their cyber budget, with a third projecting a double-digit cybersecurity spending increase
Over 143 million consumers had their data stolen when Equifax was attacked in 2017, which costed the organization $4 billion in direct financial losses; part of which was, when they were found liable for the breach, being fined $425 million by the Federal Trade Commission
State-sponsored cyberattacks pose an increasing threat to large organizations
Did you know that cybersecurity statistics range drastically from country to country?
Let's examine:
Over 6 in 10 Canadian businesses have at least one designated employee to oversee cyberthreats
38% of organizations partnered with a contractor or consultant to manage cyber-related risks
Only 29% of Canadian businesses frequently patched or updated their operating systems
39% of Canadian businesses in 2021 alone were impacted by a cyberattack where there was no clear motive
Canadian businesses are spending almost three billion dollars more on cybersecurity than ever before
Organizations in Canada that were previously targeted by hackers spent an average of $113,000 more to prevent cyberthreats than their counterparts, with small businesses that were impacted spending 120% than they’re non-impacted equivalents
Businesses that had previously heavily invested in cybersecurity where in markedly better positions to detect and report them vs. businesses that had no prior investment
More than 1 in 10 Canadian businesses have been impacted by ransomware as of 2023
As a country, Canada’s cybersecurity score places it 13th (out of 75)
More than 85% of Canadian businesses are affected by at least one successful cyberattack annually
65% of Canadian employees anticipate being hit by a ransomware attack on their work email or device
On average, Canadian companies are paying $2 million dollars in remediation per cyberattack
In Canada it takes, on average, 168 days for organizations to identify a data breach
Over half of Canadians have been the victim of cybercrime
The UK has the highest number of cybercrime victims per million Internet users
Cybercrime in the UK is up 40% since 2020
Over 80% of organizations in the UK suffered a successful cyberattack between 2021 and 2022
The average cost of a ransomware attack in the United Kingdom is just over one million dollars
77% of UK organizations have cyber insurance
Out of 75 countries, the UK ranks eighth for cybersecurity
The average time for UK organizations to identify a data breach is 181 days
There were over 400,000 reports of cybercrime in 2021 alone
82% of senior UK management see cybersecurity as a high priority
Only 19% of UK organizations issued Employee Awareness Training after a cyberattack
Less than a fifth of UK businesses have a formal incident response plan in place
Between March 2020 and March 2022, there was a 57% increase in consumer fraud
The United States has the highest security breach costs in the world at $8.64 million on average
Washington has 8x the national average of cybersecurity professionals
1 in 10 US organizations don’t have cyber insurance
The US was the victim of 46% of cyberattacks in 2020, which is more than double any other country
In 2020, malware attacks skyrocketed by 359% compared to the year prior
1 in 2 American employees had their Internet accounts breached in 2021
Losses due to cybercrime totalled more than $10.2 billion in 2022
Worldwide, spending within the cybersecurity industry reached $40.8 billion in 2019
2021 saw, on average, $787,671 in direct financial losses every hour due to security breaches
Between May 2020 and May 2021, cybercrime in the Asia-Pacific rose by 168%
Japan experienced a 40% increase in cyberattacks in 2021 compared to 2020
In Q3 2022, there was a 70% uptick in breached accounts compared to Q2 of the same year
Supply chain attacks are becoming a global trend in 2023
54% of companies claim that their IT departments will not be able to handle cyberattacks
“Cybersecurity fatigue” impacts 42% of organizations
43% of security breaches are insider threats
Nearly 40% of all security breaches in 2021 involved phishing
Out of all the email attachment types, the most malicious ones are .doc and .dot, at 37%
(Concerned about the threats listed below? Download a copy of the Ransomware Prevention and Response Checklist here, or view our services list for other in-depth checklists.)
A wide variety of potential cyberthreats should be on your organization's radar.
Out of the most common, here are the numbers you should know:
The average ransomware payment is increasing by 82% year-over-year
81% of cybersecurity experts believe that sophisticated ransomware attacks are on the rise
New variants of ransomware grew by 46% in 2019 alone
Businesses fall victim to a ransomware attack every 14 seconds
Ransomware has become one of the most popular forms of cyberattacks, growing 350% since 2018
The average cost of a ransomware attack in 2023 is $1.85 million
By 2031, a ransomware attack is predicted to happen every two seconds
Ransomware accounts for 10% of all security breaches worldwide
On average, ransomware-related breaches took 49 days longer than other types of breaches to identify and contain
In the first half of 2022 alone, organizations worldwide saw 236.7 million ransomware cyberattacks
82% of organizations report that managing cloud costs are their biggest cloud security challenge
69% of organizations worldwide admitted to experiencing security breaches due to multi-cloud security configurations
More than 80% of all cloud security breaches are because of human elements such as social engineering attacks
89% of businesses negatively impacted by cloud security incidents are startups
81% of organizations in 2023 are using at least one private or public cloud
Over 70% of businesses that use cloud security lack confidence in their security posture
Nearly half of all data breaches in 2023 take place in the cloud
Only 36% of organizations report having vetted new and existing suppliers in the last year
59% of organizations that were the target of a supply chain attack did not have an incident response plan in place
58% of all supply chain attacks are focused on accessing confidential data
50% of supply chain attacks have been attributed to notorious APT groups
In over 50% of supply chain attacks, malware was the chosen attack technique
66% of threat actors focused on the suppliers’ code to compromise customers
Close to 100% of mobile malware targets Android devices
MacOS malware has increased by 165% since 2021
Trojans make up over 51% of all malware
More than 18 million websites are infected malware at a given time every week
34% of organizations impacted by malware took over a week to regain access to key data
Over 90% of financial organizations were targeted by malware in 2018 alone
There are 75x more phishing sites as malware sites in 2023
In 2020, phishing was the #1 complaint for both individuals and businesses
72% of IT professionals reported experiencing smishing attacks in 2021, with that number only growing
The price of the average successful social engineering attack reached $4.1 million in 2022
Social engineering attacks are taking, on average, 270 days to identify and contain
82% of data breaches contain a human element
90% of social engineering attacks target employees vs. technology
CEOs are targeted 57 times per year on average by social engineering threats
Here at Packetlabs, our PTaaS services are 95% manual: this is a testament to our commitment to both quality and security. We strive to ensure that the best test results are delivered to our clients. Our in-depth testing ensures that no stone is left unturned, and even the most minute of weaknesses can be found and eliminated.
Our team comprises highly experienced professionals with some of the industry’s most sought-after certifications, such as CREST, OSCP, CEH, and CISSP.
Contact us today or join our newsletter for cybersecurity education and implementation that goes beyond the checkbox.
October 24 - Blog
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
September 26 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.
© 2024 Packetlabs. All rights reserved.