Cybersecurity is a day-to-day operation for many businesses, but it’s not a small task to stay on top of what’s been going on over the past year or so.
We’ve compiled this list of the most important stats and trends, split into bite-sized categories.
For more in-depth security insights check out our blog and downloadable resources.
- Critical data breach and hacking statistics
- Cybercrime statistics by attack type
- Cybersecurity compliance and governance statistics
- Security spending and cost stats
- Cybersecurity workforce statistics and predictions
- Cybersecurity statistics by industry
- COVID-19 cybersecurity statistics
- Cybersecurity statistics FAQ
33 critical data breach and hacking statistics
Large-scale, well-publicized breaches are on the rise, suggesting that security breaches are increasing not only in number but also in severity.
Data breaches expose sensitive information that often leaves compromised users at risk for identity theft, ruins company reputations, and makes the company liable for compliance violations.
See the data breach statistics below to help quantify the effects, motivations, and causes of these damaging attacks.
Noteworthy hacking statistics
- The average cost of a data breach was $4.88 million in 2024, the highest average on record. (IBM)
- 88 percent of cybersecurity breaches are caused by human error. (Stanford)
- The average time to identify a breach is 194 days. (IBM)
- The average lifecycle of a breach is 292 days from identification to containment. (IBM)
- The likelihood that a cybercrime entity is detected and prosecuted in the U.S. is estimated at around 0.05 percent. (World Economic Forum)
- 68 percent of breaches involved a human element in 2024. (Verizon)
- In 2022, the Federal Trade Commission received more than 1.1 million reports of identity theft. (US News)
- In 2023, security breaches saw a 72 percent increase from 2021, which held the previous all-time record. (Forbes)
- Cyber fatigue, or apathy to proactively defending against cyberattacks, affects as much as 42 percent of companies. (Cisco)
- 64 percent of Americans have never checked to see if they were affected by a data breach. (Varonis)
- The U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country. (Microsoft)
- 56 percent of Americans don’t know what steps to take in the event of a data breach. (Varonis)
- 97 percent of organizations have seen an increase in cyber threats since the start of the Russia-Ukraine war in 2022. (Accenture)
Historic data breaches
- Over 560 million Ticketmaster customers had their information stolen in a 2024 breach. (BBC)
- A 2021 LinkedIn data breach exposed the personal information of 700 million users, or about 93 percent of all LinkedIn members. (RestorePrivacy)
- An attack on Microsoft in March 2021 affected more than 30,000 organizations in the U.S., including businesses and government agencies. (Microsoft)
- In April 2021, a two-year-old vulnerability was discovered that exposed the personal information of more than 533 million users. (Auth0)
- Using a single password, hackers infiltrated the Colonial Pipeline Company in 2021 with a ransomware attack that caused fuel shortages across the U.S. (Bloomberg)
- Meat processing company JBS was the victim of a ransomware attack that shut down beef and poultry processing plants on four different continents. (Wall Street Journal)
- In 2023, T-Mobile disclosed its second data breach of the year, involving the theft of 836 customers' personal data; the first data breach affected approximately 37 million customers. (IT Governance)
- In September 2021, Neiman Marcus found an 18-month-old data breach that exposed payment data and other information for 4.6 million shoppers. (Neiman Marcus)
- Personal data belonging to more than 100 million Android users was exposed in a 2021 data leak due to misconfigured cloud services. (Check Point)
- Trading app Robinhood fell victim to a social engineering attack that compromised the personal data of 5 million users. (Robinhood)
- A 2020 Twitter breach targeted 130 accounts including those of past U.S. presidents and Tesla CEO Elon Musk, resulting in attackers swindling $121,000 in Bitcoin through nearly 300 transactions. (CNBC)
- In 2023, X (formerly Twitter) was targeted by a criminal hacker who leaked more than 220 million users' email addresses. (IT Governance)
- 500 million consumers, dating back to 2014, had their information compromised in the Marriott-Starwood data breach made public in 2018. (CSO Online)
- The 2019 MGM data breach resulted in hackers leaking records of 142 million hotel guests. (CPO Magazine)
- In 2018, Under Armour reported that its “My Fitness Pal” app was hacked, affecting 150 million users. (Under Armour)
- 100,000 groups and more than 400,000 servers in at least 150 countries were infected by the WannaCry virus in 2017, at a total cost of around $4 billion. (Technology Inquirer)
- Uber tried to pay off hackers to delete the stolen data of 57 million users and keep the breach quiet. (Bloomberg)
- In one of the biggest breaches of all time, three billion Yahoo accounts were hacked in 2013. (New York Times)
- In 2020, cybercriminals cloned the voice of a U.A.E. company director to initiate a $35 million bank transfer. (Forbes)
- In 2023, an AT&T breach exposed approximately 9 million customers' personal details. (IT Governance)
29 cybercrime statistics by attack type
Cybersecurity issues are diverse and always evolving, and new malware and viruses are discovered every day. It’s crucial to have a grasp of the most common types of attacks and where they come from in order to guard against future infiltrations.
Some of the most common attacks include phishing, whaling, malware, social engineering, ransomware, and distributed denial of service (DDoS) attacks. Read more below to get a sense of the most common cyberattacks.
Ransomware and malware attack statistics
- The average ransomware payout has increased dramatically from $812,380 in 2022 to $1,542,333 in 2023. (SC Magazine)
- The number of ransomware victims in March 2023 was nearly double the number from the previous year. (Forbes)
- More than 300,000 Android users have downloaded banking trojan apps via the Google Play Store. (Threat Fabric)
- An average of around 24,000 malicious mobile apps are blocked daily on the internet. (Tech Jury)
- Nearly half (47.4 percent) of all internet traffic came from bots in 2022, which is a 5.1% increase over 2021. (Imperva)
- From November 2021 to October 2022, Microsoft Office applications were the most commonly exploited applications worldwide at 70 percent (Statista).
- 94 percent of malware is delivered by email. (Verizon)
- The average cost of a ransomware recovery in 2024 is $2.73 million. (Sophos)
- Only eight percent of businesses that pay ransom to hackers receive all of their data in return. (Sophos)
- In the first half of 2022, researchers flagged almost 79 million domains as malicious, based on a newly observed domain dataset. (Akamai)
- 75 percent of orgs suffered at least one ransomware attack last year. (Infosecurity Mag)
- Approximately 20% of all newly observed domains (NODs) that were successfully resolved were flagged as malicious in the first half of 2022. (Akamai)
Phishing attack statistics
- 57 percent of organizations see weekly or daily phishing attempts. (GreatHorn)
- Phishing was the leading infection vector, identified in 41% of incidents, making it the most common initial attack vector. (IBM)
- 26 percent of phishing attacks exploited public-facing applications. (IBM)
- Phishing attacks account for more than 80 percent of reported security incidents. (CSO Online)
- $17,700 is lost every minute due to a phishing attack. (CSO Online)
Stats on IoT, DDoS, and other attacks
- Use of stolen cards is the most common type of threat, followed by ransomware and phishing. (Verizon)
- DDoS attacks have dominated incidents, with 6,248 DDoS Attacks in 2022. (Verizon)
- Application-layer DDoS attacks increased by 15 percent in the second quarter of 2023. (Cloudflare)
- Incidents aimed at cryptocurrency firms surged by a staggering 600% in the first quarter of 2023, coinciding with a notable 15% upswing in HTTP DDoS attacks. (Cloudflare)
- 19 percent of data breaches involve internal actors. (Verizon)
- The number of IoT attacks in the world reached over 10.54 million in December 2022. (Statista)
- Nearly 58% of IoT attacks occurred with the intent of mining cryptocurrency. (Purplesec)
- The average smart home could be at risk of more than 12,000 hacker attacks in one week. (Purplesec)
- 30 percent of known zero-day vulnerabilities targeted mobile devices in 2021. (Purplesec)
- 43 percent of all breaches are insider threats, either intentional or unintentional. (Check Point)
- Over 24 billion passwords were exposed by hackers in 2022, and 64 percent of passwords only contain eight to 11 characters. (Norton)
21 cybersecurity compliance and governance statistics
The risks of not securing files are more prevalent and dangerous than ever, especially for companies with a remote workforce. More severe consequences are being enforced as stricter legislation passes in regions across the world defending data privacy. Some stand-outs from recent years include the European Union’s 2018 General Data Protection Regulation (GDPR) and California’s 2020 California Consumer Privacy Act (CCPA).
Companies should take note of takeaways from the GDPR as more regions around the world are expected to emulate the legislation. It’s crucial to properly set file permissions and remove stale data in order to stay secure. Keeping data classification and governance up to par is instrumental to maintaining compliance with data privacy legislation like HIPAA, SOX, ISO 27001, and more.
- 66 percent of companies say that compliance mandates are driving spending. (CSO Online)
- 78 percent of companies expect annual increases in regulatory compliance requirements. (Thomson Reuters)
- For large firms, the cost of compliance can approach $10,000 per employee. (Forbes)
- The total amount of HIPAA violation fines and settlements in 2023 was $4,176,500. (Compliancy Group)
- So far, data breaches exposed 7 billion records in the first half of 2024. (IT Governance)
- On average, every employee has access to 11 million files. (Varonis)
- 15 percent of companies found 1,000,000+ files open to every employee. (Varonis)
- 17 percent of all sensitive files are accessible to all employees. (Varonis)
- About 60 percent of companies have more than 500 accounts with non-expiring passwords. (Varonis)
- More than 77 percent of organizations do not have an incident response plan. (Cybint)
GDPR cybersecurity statistics
- Spain issued 212 GDPR fines in 2021 and has issued 3x more fines than any other country. (Lexology)
- GDPR fines totaled 2.1 billion euros in 2023. (Statista)
- Adtech giant Criteo was fined over $42 million for GDPR-related violations. (Tech Crunch)
- 88 percent of companies spent more than $1 million preparing for the GDPR. (IT Governance)
- In the GDPR’s first year, there were 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. (EDPB)
- Many US news sites have suffered long-term losses after blocking EU users in response to GDPR. (Oxford University)
- GDPR fines totalled $63 million in the first year. (GDPR.eu)
- Meta was fined $1.3 billion for GDPR violations in 2023. (NYTimes)
- In 2023 TikTok was fined for breaching a number of GDPR rules, including failure to keep children's data safe. (Tech Crunch)
- Spotify was fined over $5 million for breaching GDPR regulations in 2023. (Medium)
- 94% of US companies are not prepared to comply with GDPR requirements. (Spice Works)
23 security spending and cost stats
Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity a significant part of their budget. Cybersecurity budgeting has been increasing steadily as more executives and decision-makers realize the value and importance of cybersecurity investments.
Take a look at these spending statistics and projections for an idea of where cybersecurity costs stand in 2024.
- The global average cost of a data breach in 2024 is $4.88 million, a 10 percent increase over last year. (IBM)
- The average per-capita cost of a data breach is $165, one dollar higher than 2022. (IBM)
- The average total cost of a ransomware breach is $5.13 million, 13 percent higher than in 2022. (IBM)
- US cyber insurance premiums surged 50 percent in 2022, reaching $7.2 billion in premiums collected from policies written by insurers. (Insurance Journal)
- When remote work is a factor in causing a data breach, the average cost per breach is $173,074 higher. (IBM)
- The global security market value is forecast to reach $424.97 billion in 2030. (Fortune Business Insights)
- Companies with extensive use of AI and automation security tools see 2.2 percent lower breach costs. (IBM)
- Organizations with a zero-trust approach saw average breach costs $1.76 million less than organizations without. (IBM)
- A data breach can cost a company an average of $1.3 million in lost business. (IBM)
- Since 2020, healthcare data breach costs have increased 53.3%. (IBM)
- Annually, hospitals spend 64 percent more on advertising in the two years following a breach (American Journal of Managed Care).
- Phishing is the most expensive initial attack vector, costing $4.9 million in 2023 (IBM).
- Large enterprises spend approximately $2,700 per full-time employee per year on cybersecurity. (SecureAge Technology)
- The most expensive component of a cyberattack is information loss, which represents 43% of total costs. (IBM)
- The average total cost of a data breach in smaller companies (500 employees or less) increased from $2.92 million in 2022 to $3.31 million in 2022. (IBM)
- The average total cost of a breach in very large companies (more than 25,000 employees) decreased from $5.69 million in 2022 to $5.42 million in 2022. (IBM)
- Data breaches led to an increase in the pricing of business offerings for 57% of companies. (IBM)
- The average total cost of a data breach in Canada decreased by 9 percent from $5.64 million to $5.13 million. (IBM)
- In 2024, the United States is the country with the highest average total cost of a data breach at $9.36 million. The Middle East is a close second with $8.75 million (IBM).
- In 2024, spending in the cybersecurity industry is expected to be around $87 billion USD, an 8 percent increase from 2023. (Statista)
- In 2023 a data breach investigation report stated that 97 percent of threat actors were financially motivated. (Verizon)
Cybersecurity cost predictions
- Worldwide cybercrime costs are estimated to hit $10.5 trillion annually by 2025. (Cybersecurity Ventures)
- Global spending on cybersecurity products and services is predicted to reach $1.75 trillion cumulatively for the five-year period from 2021 to 2025. (Cybersecurity Ventures)
21 cybersecurity workforce statistics and predictions
As cyberattacks increase in frequency, so too does the demand for cybersecurity professionals. With these increases, many companies’ cybersecurity budgets continue to rise as well. However, the imbalance in skilled cybersecurity workers along with the high demand to fill these positions results in a crippling cybersecurity skills shortage.
Interested in entering the cybersecurity field? Now is the time — job openings and average salaries are only projected to grow throughout the decade.
Looking for cybersecurity talent? It may be necessary to come up with creative cybersecurity skills shortage solutions including outsourcing tasks, starting apprenticeships, and partnering with educational and military institutions to find fresh talent.
- There are 1,239,018 employees working in cybersecurity in the U.S. as of September 2024. (Cyber Seek)
- The global cybersecurity workforce grew to 4.7 million professionals in 2022, representing an 11.1 percent increase over the previous year. (ISC2)
- As of September 2024 there are nearly 470,000 job openings in the cybersecurity industry. (Cyber Seek)
- There are 74 percent more job openings in the cybersecurity field in 2023 than there were in 2010. (Cyber Seek)
- Washington, D.C. has the highest concentration of cybersecurity professionals at more than 8x the national average. (Cyber Seek)
- 70 percent of cybersecurity professionals reported that their organizations are understaffed, which has hampered multiple functional and operational elements of cybersecurity. (ISC2)
- 54 percent of companies say their IT departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
- Companies with 500-1,499 employees ignore or don’t investigate 27% of all alerts. (Forbes)
- The cybersecurity workforce is becoming more diverse, with women representing 24 percent of the workforce in 2022, up from 20 percent in 2021. (ISC2)
- Cybersecurity engineers are some of the highest-paid positions in the industry, starting at $130K annually on average. (Cybint)
- Minorities represented just 19 percent of cybersecurity workers over the age of 50, and 37 percent of those under the age of 30. (ISACA)
- Cybersecurity employment for positions like information security analysts is predicted to grow 35 percent by 2031. (ISACA)
- In 2023, the cybersecurity unemployment rate for the most experienced positions is at zero percent. (Cybersecurity Ventures)
- There are 3.5 million unfilled cybersecurity jobs globally in 2023, enough to fill 50 NFL stadiums. (Cybersecurity Ventures)
Cybersecurity workforce predictions
- The cybersecurity unemployment rate is near zero percent and is projected to remain there for the foreseeable future. (Cybersecurity Ventures)
- By 2025, there will be 3.5 million unfilled cybersecurity jobs globally. (Cybersecurity Ventures)
- Information security analyst job positions in the U.S. are expected to grow 32 percent between 2022 and 2032. (Bureau of Labor Statistics)
- Computer network architect job positions in the U.S. are expected to grow by 4 percent between 2022 and 2032. (Bureau of Labor Statistics)
- Computer programmer job positions in the U.S. are expected to decline 11 percent between 2022 and 2032. (Bureau of Labor Statistics)
18 cybersecurity statistics by industry
When it comes to cybersecurity, not all industries are created equal. Industries that store valuable information such as healthcare and finance are usually bigger targets for hackers who want to steal social security numbers, medical records, and other personal data.
This doesn’t mean lower-risk industries aren’t victims, too. They’re often targeted due to the likelihood that they’ll have fewer security measures in place and their information will be more easily accessible.
Healthcare cybersecurity stats
- There were over 630 ransomware incidents impacting healthcare worldwide in 2023. (HHS)
- The WannaCry ransomware attack cost the U.K.’s National Health Service (NHS) more than $100 million. (Datto)
- The cost of downtime to medical organizations due to attacks is estimated to be $15.5 million in 2023. (Comparitech)
- 32 percent of all recorded data breaches between 2015 and 2022 were in the healthcare industry. (HIPAA Journal)
Finance and crypto cybersecurity stats
- Cryptocurrency payments to ransomware attackers hit $449.1 million in the first half of 2023. (Reuters)
- Financial services have 449,855 exposed sensitive files, 36,004 of which are open to everyone in the organization. This is the highest when comparing industries. (Varonis)
- On average, 70 percent of sensitive files in the financial services industry are stale. (Varonis)
- On average, a financial services employee has access to nearly 11 million files the day they walk in the door. For large organizations, employees have access to 20 million files. (Varonis)
- Financial services businesses take an average of 233 days to detect and contain a data breach. (Varonis)
- The average cost of a financial services data breach is $4.45 million. (IBM)
- Financial breaches account for 10 percent of all attacks. (Verizon)
- 74 percent of financial and insurance attacks compromised personal details. (Verizon)
- In April 2022, decentralised finance platform Beanstalk Farms lost $180 million in a cryptocurrency heist. (CEIP)
Government cybersecurity stats
- Manufacturing accounted for 65% of industrial ransomware incidents in 2022. (NAM)
- 58 percent of nation-state cyberattacks originate from Russia. (Microsoft)
- 79 percent of nation-state attackers target government agencies, non-government organizations (NGOs), and think tanks. (Microsoft)
Enterprise cybersecurity stats
- Smaller organizations (one to 250 employees) have the highest targeted malicious email rate at one in 323. (Comparitech)
- In Europe, U.K. companies are the most likely to be targeted by phishing attacks, followed by Spain. (Slash Next)
10 COVID-19 cybersecurity statistics
COVID-19 made an impact on every industry across the globe, and cyberspace is no exception. The global pandemic paved new avenues for cybercriminals to target victims via healthcare, unemployment, remote work, and more.
Below are a few of the most impactful cybersecurity statistics related to the pandemic.
- 27 percent of COVID-19 cyberattacks target banks or healthcare organizations and COVID-19 was credited for a 238 percent rise in cyberattacks on banks in 2020. (Carbon Black)
- Confirmed data breaches in the healthcare industry increased by 58 percent during the pandemic. (Verizon)
- 33,000 unemployment applicants were exposed to a data security breach from the Pandemic Unemployment Assistance program in May. (NBC)
- Americans lost more than $97.39 million to COVID-19 and stimulus check scams. (Atlas VPN)
- In the first month of the pandemic, Google blocked 18 million daily malware and phishing emails related to the coronavirus. (Google)
- 52 percent of legal and compliance leaders are concerned about third-party cyber risks due to remote work since COVID-19. (Gartner)
- 47 percent of employees cited distraction as the reason for falling for a phishing scam while working from home. (Tessian)
- Half a million Zoom user accounts were compromised and sold on a dark web forum during the first month of the pandemic. (CPO Magazine)
- Remote workers have caused a security breach in 20 percent of organizations during the pandemic. (Malwarebytes)
Cybersecurity statistics FAQs
Below are some of the most frequently asked questions about cybersecurity, with answers supported by cybersecurity statistics and facts.
Q: Why should I care about cybersecurity?
A: Our world runs on data, and the integrity of our systems relies on strong cybersecurity measures to protect them. Weak cybersecurity measures can have a massive impact, but strong cybersecurity tactics can keep your data safe.
Q: What are the types of cyberattacks?
A: The most common cyberattack methods include phishing and spear-phishing, rootkits, SQL injection attacks, DDoS attacks, and malware such as Trojan horses, adware, and spyware.
Q: How many cybersecurity attacks are there per day?
A: On average, hackers attack 26,000 times a day. (Forbes)
Q: How frequent are cyberattacks?
A: Hackers attack every three seconds. (Forbes)
Q: Where can I find more cybersecurity reports?
A: Below are some helpful cybersecurity studies, articles, and resources to deepen your knowledge about the cybersecurity landscape.
- IBM’s 2024 Cost of Data Breach Report
- Accenture’s 2023 State of Cyber Resilience Report
- Cisco’s Cybersecurity Reports
- Cybersecurity Ventures’ Job Study
- IAPP-EY Annual Governance Report
- McAfee Labs Threats Report
- Symantec Internet Security Threat Report
- RiskBased Data Breach Report
- Varonis’ Data Risk Report
- Verizon’s 2024 Data Breach Investigations Report
Cybercrime is a real threat that should be taken seriously. By assessing your business’s cybersecurity risk, making companywide changes, and improving data protection, it’s possible to guard your business against most data breaches. Don’t become a statistic — the time to change the culture toward improved cybersecurity is now.