200+ Alarming Cybersecurity Stats & Insights from Security Experts


According to the experts, if your business isn’t preparing for a cybersecurity attack, you may already be in trouble. No, seriously.

Cybercrime has a global reach and comes in multiple forms, such as phishing, ransomware, and nation-state attacks. These digital threats don’t have borders, nor do they have limits.

According to IBM, 17% of organizations said they experienced their first data breach in 2022, and 83% have had more than one breach.

Companies that collect personal information are held criminally and financially accountable for data breaches under laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Below, we compiled a list of 200+ cybersecurity statistics and talked to six cybersecurity professionals about their most shocking cybersecurity statistic and their best tip for businesses.

Who we spoke with:


Richard Bejtlich


Ana Ferreira


Adam Levin

  • Strategist, Author
  • Corelight, Inc.
  • Information Security & Health Senior Researcher

Steve Morgan


Bob Carver


Chuck Brooks

  • Founder @ Cybersecurity Ventures
  • Principal, Threat Intel and Analytics @ Verizon
  • President, Brooks Consulting International
  • Professor, Georgetown University
  • Named “Top Tech Person to Follow” by LinkedIn
Table of Contents
  1. Most Shocking Cybersecurity Stats According To Experts
  2. Cybersecurity Stats Showing a Growing Awareness & Market
  3. Stats on Why & How Cyberattacks Happen
  4. Stats Showing the True Cost of Cybercrime
  5. Stats On the Detection & Recovery From Cyberattacks
  6. Method-Specific Cyberattack Stats (Phishing, Ransomware, etc)
  7. Industry-Specific Cyberattack Stats
  8. Location-Based Cyberattack Statistics
  9. Stats Regarding Business Leaders & Executives
  10. Stats Regarding Cybersecurity Staff & Infrastructure
  11. Small Business Cybersecurity Stats
  12. Cyberattack Stats From the Internet Crime Complaint Center (IC3)
  13. Cyber Insurance Statistics
  14. Cybersecurity Tips From the Experts
  15. Summary

* All figures below are in USD unless otherwise specified

Most Shocking Cybersecurity Stats According To Experts

We asked six top cybersecurity experts and thought leaders worldwide two vital questions to help businesses and consumers prepare themselves for our increasingly digital world.

We’ll cover the second question later in this article, but let’s see how they answered the first:

We asked the experts:

What is the most shocking cybersecurity statistic you know off the top of your head?

Ana-FerreiraAna Ferreira, PhD, CISSP, HCISPP

The statistic that is always on my mind is that only 25% of women integrate the cybersecurity workforce, globally.

Moreover, in Portugal, that statistic is not yet available, but the one that is, is that only 6% of people that finished a high degree in cybersecurity last year (2022) are women, a third less than the previous year.

Richard-BejtlichRichard Bejtlich

This is my all-time favorite security statistic: In 2013, Federal agents notified more than 3,000 U.S. companies that their computer systems had been hacked.

I’m also a big fan of Mandiant’s M-Trends, especially the “dwell time” statistic.

Adam-LevinAdam Levin

More than 50% of us reuse passwords — and that’s just the figure for folks who fess up. With the average internet user having 150 online accounts, a single compromised password can do a lot of damage.

Bottom line: Bad password habits make life easy for hackers and impossible for cybersecurity professionals. If your CFO is using the same password to protect your financial data that they use for their golf score app, your business is going to get hacked.

Steve-MorganSteve Morgan

Global cybercrime damage costs are predicted to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015, according to Cybersecurity Ventures.

BobCarver-Hi-ResBob Carver – CISM, CISSP, MS

It is currently predicted that the cybercrime market will be worth $10.5 Trillion per year by 2025.

Chuck-Brooks-3Chuck Brooks

The most shocking statistic I know is that 43% of all data breaches involve small and medium-sized businesses.

Despite this reality, most small and medium businesses still remain ignorant of what they need to do to better protect themselves from cyber-attacks. In fact, most lack any understanding of basic cyber hygiene. They often do not have cyber-expertise on hand in their companies, and lack multifactor authentication, firewalls, data backups, and any protocols for incident response.

Before we get to our experts’ advice for businesses, let’s look at a bunch more alarming cybersecurity statistics broken down by category.

Cybersecurity Stats Showing a Growing Awareness & Market

Over the past few years, consumers, business owners, and leaders have become increasingly aware of cybersecurity risks and the potential consequences they face if they get hit.

According to the data:

  • 81% of business leaders believe that staying ahead of cybersecurity risks is a constant battle. (Accenture)
  • 74% of individuals believe that remote working has made it easier for cyber criminals to operate. (Norton)
  • 44% of adults feel more at risk of cybercrimes than before the COVID-19 pandemic. (Norton)

The awareness is, in large part, a result of the influx of cyberattacks that have occurred due to criminals, hackers, and other bad actors using cyberspace as a weapon.

These attacks have encouraged more people to implement defensive and preventative measures to protect themselves, their businesses, their livelihood, personal information, and their reputations.

But, according to the statistics, the majority of adults still don’t feel adequately prepared.

  • 58% of adults are more worried about becoming the victim of cybercrime than before. (Norton)
  • 53% of adults admit they do not know how to protect themselves against cybercrime. (Norton)

Cybersecurity Statistics Showing a Growing Market

As awareness increases, the cybersecurity market is also expected to expand substantially. Over the next decade, cybersecurity job openings will be created to fill foreseen and unforeseen needs.

  • In 2021, Microsoft launched a campaign to train and recruit 250,000 people into the cybersecurity workforce by 2025. (Microsoft)

Here are some additional statistics regarding the projected status of the cybersecurity market:

  • The cybersecurity market will be worth $261.3 billion by the end of 2023 and is forecasted to grow at a compound annual growth rate (CAGR) of 8.7% during 2023-2026 to reach $334.6 billion. (GlobalData)
  • In the US, the Bureau of Labor Statistics reports that information security analysts should expect a growth rate of 35%, and it’s the eighth fastest-growing job in the country. (BLS.gov)
  • There will be an estimated 3.5 million cybersecurity job openings in 2025. (Cybersecurity Ventures)
  • In December 2022, there were 755,743 cybersecurity job openings in both the public and private sectors. (Cyberseek)

Stats on Why & How Cyberattacks Happen

So why and how exactly are cybercriminals successfully attacking so many consumers and businesses?

We’ve rounded up a few potential answers for you:

  • Cybercriminals generally have three motivations — criminal, political, or personal. But the primary motivation for 96% of cyberattacks is financial or personal gain. (Verizon)
  • Studies show that human error is the root of 95% of cybersecurity breaches. (WeForum)
  • 21% of consumers were victims of a scam in the past 12 months. (Norton)
  • The third quarter of 2022 saw an increase of 28% in global attacks compared to the same period in 2021. (Checkpoint)
  • The top three cyberattacks organizations are concerned about are ransomware, social engineering, and malicious insider activity. (WeForum)
  • As of 2021, ransomware is 57 times more destructive than in 2015. (Cybersecurity Ventures)
  • 43% of internet users reported that they made an error at work, which caused security repercussions. (Tessian)
  • Third-party cyberattacks have increased from 44% to 61%. (WeForum)
  • Between 75-90% of targeted cyberattacks start with an email. (Roundrobintech)
  • About 20% of data breaches start with stolen login details, and 82% of internet users reuse passwords for multiple accounts. (Explodingtopics)
  • Stolen or compromised credentials were the primary cause of 19% of breaches in 2022. (IBM)

According to data gathered and reported by IBM — of all the breaches that occurred in 2022:

  • 24% were the result of IT failure
  • 21% were the result of human error
  • 19% were supply chain attacks
  • 17% were destructive attacks
  • 11% were ransomware attacks
  • 8% were caused by other malicious attacks

The study goes on to state that the 2022 critical infrastructure breaches were caused by the following attacks or infrastructure failures (IBM):

  • Ransomware attacks – 12%
  • Destructive Attacks – 16%
  • Supply Chain Attacks – 17%
  • Human Error – 22%
  • IT Failures – 25%
  • Other Malicious Attacks – 8%

What makes these numbers even scarier is the time it takes to clean up after a breach occurs:

  • A supply chain breach takes 26 days longer to identify and contain than the average breach. (IBM)
  • 28% of organizations experienced a destructive or ransomware attack. (IBM)

Stats Showing the True Cost of Cybercrime

Crime isn’t cheap, especially when it happens in the digital space; just take a look at the data:

  • The cost of cybercrime worldwide is estimated to be $8 trillion annually in 2023 (Cybersecurity Ventures)
  • According to IBM, breaches caused by stolen or compromised credentials cost, on average, $4.5 million and happen at a frequency of 19% — that’s just the tip of the iceberg.

Cybercriminals go to extreme efforts to perpetrate their crimes, and the resulting breaches can set a company back in its operations and reputation.

One single isolated attack can obliterate a company’s bottom line and force it to close operations forever.

  • The average cost of a data breach in 2022 was $4.35 million. (IBM)

The costs to the company’s personnel can be even greater, including permanent effects on their livelihood.

Cyber criminals run tech-savvy, clever operations and schemes. They take advantage of many individuals, companies, and even governments lacking robust cybersecurity measures.

Below, see a table highlighting the most common causes of breaches and their associated costs, as reported by IBM.

Cause of Breach % of Breaches Cost
Compromised Credentials 19% $4.5 million
Phishing 16% $4.91 million
Cloud Misconfiguration 15% $4.14 million
Vulnerability in Third-Party Software 13% $4.55 million
Malicious Insider 11% $4.18 million
Physical Security Compromise 9% $3.96 million
System Error 7% $3.82 million
Business Email Compromise 6% $4.89 million
Social Engineering 4% $4.1 million
Accidental data loss or loss of device 5% $3.94 million

Additionally, see the table below that compares two of the largest cost categories associated with security breaches from 2022 and 2021 (IBM):

Category of Cost 2022 2021 Examples
Lost Business Costs $1.42 million $1.59 million
  • System downtime
  • Cost of lost customers and cost of attracting new ones
  • Reputation loss
  • Loss in goodwill
Detection and Escalation Costs $1.44 million $1.24 million
  • Forensic and investigative activities
  • Assessments
  • Audit services
  • Crisis management
  • Communications with businesses executives and boards

Another possible threat business owners must consider is a mega breach, which refers to any violation with more than one million compromised records.

If you collect a massive amount of personal information, you’re at risk of becoming a victim of this large-level cybercrime, making the following pieces of data extremely relevant:

  • The average cost of a mega breach of 50 to 60 million records compromised is $387 million. (IBM)
  • Organizations with fully deployed security AI and automation save $3.05 million when breached than organizations without security AI and automation systems. (IBM)

The industry you work in matters to a degree, but a breach in any sector will still be expensive, and those costs will likely continue to grow.

Below, see a table that breaks down the cost of breaches by industry, comparing 2022 to 2021 (IBM).

Sector 2022 2021
Healthcare Industry $10.10 million $9.23 million
Pharmaceutical Industry $5.97 million $5.72 million
Technology Industry $4.97 million $4.88 million
Energy Industry $4.72 million $4.65 million
Services Industry $4.70 million $4.65 million
Industrial Sector $4.47 million $4.24 million
Research Industry $3.88 million $3.60 million
Consumer Sector $3.86 million $3.7 million
Education Industry $3.86 million $3.79 million
Entertainment Industry $3.83 million $3.80 million
Communications Industry $3.62 million $3.62 million
Transportation Industry $3.59 million $3.75 million
Retail Sector $3.28 million $3.27 million
Media Industry $3.15 million $3.17 million
Hospitality Industry $2.94 million $3.03 million
Public Sector $2.07 million $1.93 million

These digital crimes impact more than just your business; they also leech money from the pockets of your consumers. Take a look at what the data suggests:

  • Public cloud breaches cost $4.8 million on average, while hybrid cloud-based model breaches cost a minimum of $3.61 million. (IBM)
  • 60% of breaches in organizations led to an increase in prices passed on to customers. (IBM)
  • Breaches with remote working as a factor cost $1 million more than breaches without remote working as a factor. (IBM)

Increasing Cybersecurity Budgets

Professionals around the globe are adding to their annual budgets to prevent themselves from becoming victims of these digital crimes.

According to research conducted by PWC, technology and security executives expect their cyber budgets to grow in 2022 by the following amounts:

  • 12% expect it will increase by 15% or more 
  • 14% expect it will increase by 11-15%
  • 25% expect it will increase by 6-10%
  • 18% expect it will increase by 5% or less
  • 12% expect no change
  • 15% expect it will decrease

Stats On the Detection & Recovery From Cyberattacks

Believe it or not, data breaches have life cycles which are defined as the time between when the breach is first detected to when it’s contained.

It can take months to years for organizations to fully recover from a cyberattack. Some never bounce back.

Here are some statistics highlighting how long it takes the average business to detect and recover from this digital crime:

  • Victims of cybercrimes lose $318 billion per year, $4,476 per victim per cybercrime. (Comparitech)
  • 71.1 million people are victims of cybercrimes each year worldwide. (Comparitech)
  • Breaches caused by stolen or compromised credentials take 243 days longer to identify and an additional 84 days to contain. (IBM)
  • A shorter data breach life cycle is correlated with lower data breach costs. (IBM)

Based on research conducted by IBM, the lifecycle of data breaches has remained somewhere around 270 days since 2016, as shown in the table below.

Year Avg # of Days to Identify Data Breach Avg # of Days to Contain Data Breach Avg Data Breach Lifecycle
2022 207 70 277 days
2021 212 75 287 days
2020 207 73 280 days
2019 206 73 279 days
2018 197 69 266 days
2017 191 66 257 days
2016 201 70 271 days

When broken down into categories of cyberattack type, stolen credentials and compromised business emails take the longest to recover from, both averaging over 300 days.

Below, compare the average time it takes to identify and contain a breach by the type of initial attack (IBM).

Type of Attack Avg # of Days to Identify Breach Avg # of Days to Contain Breach Avg Breach Lifecycle
Stolen or compromised credentials  243 84 327 days
Business email compromise  234 74 308 days
Phishing  219 76 295 days
Vulnerability in third-party software  214 70 284 days
Malicious insider  216 68 284 days
Physical security compromise 217 63 280 days
Special engineering  201 69 270 days
Accidental data loss or lost device  189 69 258 days
Cloud misconfiguration  183 61 244 days
Other technical misconfiguration  149 67 216 days

Despite the average lifecycle of data breaches remaining somewhat steady over the past several years, the financial impact has only increased.

Even breaches with shorter-than-average life cycles cost businesses millions of dollars each year.

The table below compares the average cost of data breaches based on a life cycle length. (IBM)

Year  Life Cycle > 200 Days Life Cycle < 200 days
2022 $4.86 million $3.74 million
2021 $4.87 million $3.61 million
2020 $4.33 million $3.21 million
2019 $4.56 million $3.34 million
2018 $4.15 million $3.21 million
2017 $3.75 million $2.79 million
2016 $3.61 million $2.54 million

Method-Specific Cyberattack Stats (Phishing, Ransomware, etc)

Cybercrime is a term used to describe many different types of internet crimes. In this section, we’ll focus on the specific types of attack methods criminals use to gain uninvited access to a victim’s personal data and files.

For example, what appears to be a harmless email sent to a mass of users could contain a malicious link. Those unfortunate enough to click on said link would suffer the repercussions of that cyberattack.

On the other end of the spectrum, cyber crimes can also involve acts such as blackmail, extortion, or even identity theft.

This section will describe common types of cyberattacks and give statistics specific to them.

Phishing Attacks

The first common cybercrime we’re covering is phishing, a deceptive crime that impacts many individuals and businesses annually.

In a phishing scam, victims are contacted via email, text message, or phone call by someone intending to trick them into providing personal or sensitive information, like:

  • Bank account details
  • Social security numbers
  • Passwords
  • Financial information

Cybercriminals then take this personal or sensitive information and gain access to the victim’s finances or accounts.

While phishing technically refers to scams through email, variations on this crime include:

  • Vishing: Voice phishing, like when the criminal contacts the victim through a phone call.
  • Smishing: SMS or text messaging scams, like when the criminal contacts the individual via text message.

Here are some shocking phishing statistics highlighting the impacts, consequences, and losses associated with falling victim to this sneaky attack:

  • Over 90% of successful hacking scams begin with a phishing attack. (Infosecinstitute)
  • There were 1,025,968 total phishing attacks in the first quarter of 2022. (APWG)
  • The average cost of a data breach is $4.35 million. (Expertinsights)
  • 94% of malware is sent via email.  (Egress)
  • 85% of phishing attacks target login information. (Exploding Topics)
  • 47% of employees regard distraction as the main reason for falling victim to a phishing scam. (Tessian)
  • 23.2% of all phishing attacks in the third quarter of 2022 were against financial institutions – compared to 23.6% in the first quarter (APWG)
  • The third quarter of 2022 was the worst quarter for phishing attacks APWG ever observed, with 1,270,883 total attacks occurring, a new record. (APWG)

According to APWG, the following list represents the most targeted industries for phishing in the third quarter of 2022:

  • Financial: 23.3% (23.6% in Q1)
  • SAAS/Webmail: 17% (20.5% in Q1)
  • Ecommerce/Retail: 4.1% (14.6% in Q1)
  • Social Media: 11% (12.5% in Q1)
  • Crypto: 2% (6.6% in Q1)
  • Payment: 4% (5% in Q1)
  • Logistics/shipping: 6% (3.8% in Q1)
  • Other: 30% (13.4% in Q1)

While education is important, especially when it comes to fighting cybercrime, phishing takes advantage of individuals who are distracted, making it a risk even to IT and tech-industry workers:

  • Phishing attacks affected online stores the most. (Statista)
  • Taking advantage of the psychological factors caused by COVID, the beginning of April 2020 saw more than 18 million malware and phishing emails. (The Verge)
  • 47% of tech industry workers admit they clicked on a phishing email at work. (Tessian)

The data doesn’t lie. Be vigilant before you click on any links, and train your employees to do the same.

Ransomware Attacks

Another common cybercrime impacting businesses and consumers is ransomware. A cybercriminal using ransomware encrypts someone’s files, denying them access to their information. The criminal then demands a ransom payment in order to give the key to decrypt the data. (Checkpoint)

  • Ransomware is growing to be the most common cybercrime, and the average cost of an attack in 2022 was $4.54 million. (IBM)
  • Ransomware crimes cost businesses and individuals millions of dollars yearly, with as much as 11% of victims paying over $1 million. (Sophos)

Like with other cybercrimes, this attack happens in virtually every industry. Take a look at the percentage of ransom pay-out statistics by sector as reported by Sophos:

  • Total percent of organizations that pay the ransom to restore their data: 46%
  • Lower education (K12/primary/secondary): 53%
  • State/local government: 49%
  • Healthcare: 47%
  • Financial services: 32%
  • Manufacturing and production: 30%

This crime preys upon public sentiment and fear and exploits people’s pocketbooks. Whether the victim is protecting their job, reputation, goodwill, livelihood, or family, it does not matter to the cyber attackers.

The True Cost of a Ransomware Attack

The table below shows the percentage of ransomware victims by industry in the third quarter of 2022 compared to the first quarter (APWG).

Industry Q3 2022 Q1 2022
Manufacturing 17% 25%
Business services 14% 12.2%
Finance 7% 10.2%
Retail and wholesale 10% 8.3%
Construction 9% 6.8%
Healthcare 7% 4.9%
Education 5% 4.9%
Government 4% 4.5%
Legal services 5% 3.2%
Real estate 20% 3.2%
Transportation 4% 3.2%
Other 14% 13.6%

According to the data, the potential cost of this style of cybercrime is only going up:

  • Last year, the average ransomware payment was $812,360. (Sophos)
  • By 2031, ransomware attacks are projected to cost $265 billion globally. (Cybersecurity Ventures)
  • In 2022, IC3 received 2,385 complaints about ransomware, adding up to over $34.3 million in losses. (IC3)
  • Also, in 2022, 66% of organizations were hit by a ransomware attack, a significant increase from 37% in 2020. (Sophos)
  • By 2031, ransomware attacks are expected to occur every 2 seconds. (Cybersecurity Ventures)

Criminals are also willing to go after businesses of any size. Below, see a breakdown of the percent of corporate victims of ransomware by financial earnings from the first quarter of 2022, as recorded by APWG:

  • Less than $10 million – 28.4%
  • $10 million – $50 million – 26.5%
  • $50 million – $100 million – 12.3%
  • $100 million – $250 million – 11.2%
  • $250 million – $500 million – 5.4%
  • $500 million – $1 billion – 5.2%
  • $1 billion – 10.8%

After an attack, most businesses get some data back, but usually, companies with cyber insurance end up faring slightly better than those who don’t invest:

  • 99% of organizations attacked by ransomware get some data back. (Sophos)
  • 83% (4 of 5) of mid-sized organizations’ cyber insurance covers ransomware. (Sophos)
  • 89% of ransomware victims had cyber insurance, but only 70% of organizations that avoided a ransomware attack had cyber insurance. (Sophos)

The data surrounding ransomware is clear: now is the time to implement data backups, secure encryption practices, and proper employee training.

Nation-State Attacks

A nation-state attack is a cyberattack led by a state entity. According to Trellix, nation-states use cyberattacks to “steal information, influence populations, and damage industry, including physical and digital critical infrastructure.”

Their targets? High-profile companies or other government agencies. They attack to steal military or government secrets, enact disinformation or propaganda campaigns, or interrupt their target’s operations.

It may sound like a spy movie, but these crimes are now part of our everyday reality. Here’s a breakdown of the most common targets of nation-state attacks by industry, as recorded by Microsoft:

  • Government: 48%
  • Non-governmental organizations and think tanks: 31%
  • Other: 10%
  • Education: 3%
  • Inter-governmental organizations: 3%
  • IT: 2%
  • Media: 1%
  • Health: 1%
  • Energy: 1%

The interesting thing about nation-state attacks is figuring out how to identify if you were a victim of one. Because these crimes are similar to traditional cyberattacks, it may take time to recognize this specific type of crime.

Below, see how confident organizations feel when it comes to differentiating between a nation-state cyberattack and other cyberattacks (Trellix):

  • 27% of organizations have complete confidence they can tell the difference
  • 36% of organizations have a high level of confidence they can tell the difference
  • 23% have a moderate level of confidence they can tell the difference
  • 12% have a low level of confidence they can tell the difference
  • 2% have no confidence they can tell the difference

The following list represents the percentage of the types of organizations that believe they were the subject of nation-state attacks, according to Trellix:

  • Oil and gas and utilities: 48%
  • Healthcare: 38%
  • Distribution and transport: 36%
  • Government, defense, and armed forces: 51%
  • Banking, financial services, and insurance: 35%
  • Non-critical infrastructure sector: 34%
  • Other critical infrastructure sectors: 32%
  • Media and telecoms: 18%
  • Manufacturing: 17%

Combatting Nation-State Cyberattacks: Is It Possible?

One thing is certain — the leaders of the organizations who survive nation-state attacks want more help from higher authorities:

  • 91% of organizations believe the government should do more to support them against nation-state attacks. (Trellix)
  • 90% of organizations believe the government should do more to protect against nation-state attacks. (Trellix)

But currently, it’s up to the individual business to implement changes and adopt best practices to prevent this high-level crime from occurring again.

According to Trellix, after suffering from a successful nation-state cyberattack:

  • 40% of organizations invested in new cybersecurity tools and technology
  • 40% updated their existing cybersecurity tools and technology
  • 37% reviewed and updated their internal processes
  • 36% set forth additional training for existing cybersecurity staff
  • 34% set forth additional training for existing non-cybersecurity staff
  • 33% recruited new cybersecurity staff
  • 25% fired or suspended staff that was at fault

Making efforts to prevent another attack is vital because 98% of organizations that suffered nation-state-backed cyberattacks found leave-behinds, which attackers leave so they can access the network again later. (Trellix)

To determine the difference between a nation-state cyberattack and other types of cybercrime, organizations implement the following types of tools (Trellix):

  • Cybersecurity partner notification: 49%
  • Cybersecurity tools: 48%
  • In-house assessment by cybersecurity team: 42%
  • Similar nation-state cyberattacks elsewhere: 37%
  • Government agency notification: 37%
  • Press announcement or notification: 30%

Nation-State Attacks: What Data Is Vulnerable

The most vulnerable types of data targeted during nation-state cyberattacks, according to Trellix, include:

  • Cybersecurity data (defense mechanisms and tools): 42%
  • Process and operations data: 41%
  • Personal data (customers, users, citizens): 39%
  • Intellectual data: 38%
  • Business strategy data: 34%
  • Personal data (employees): 31%
  • Financial data: 30%
  • Not sure: 0%

Below see a table outlining the major reasons for nation-state attacks by industry, as reported by Trellix.

Industry Reason for Nation-State Attack
IT/Computer Services Customer personal information
Banking, financial services and insurance Customer and employee personal information
Manufacturing Customer personal information
Oil and gas and utilities The sector itself
Distribution and transport Intellectual property
Media and telecoms Customer personal information
Healthcare Customer personal information
Non-critical infrastructure sector Customer personal information

The general population is seemingly only made partially aware of when this type of cybercrime occurs.

  • Only 61% of organizations inform their stakeholders and publicly announce a nation-state cyberattack within two days of discovering the incident, whereas customer notification was 33%. (Trellix)

The types of information about nation-state cyberattacks that don’t get disclosed to external stakeholders include (Trellix):

  • Weakness in cybersecurity infrastructure: 42%
  • Data affected: 39%
  • Financial cost caused by the attack: 34%
  • Mistakes cybersecurity staff made: 33%
  • Nation suspected to be involved: 29%
  • How long the exposure lasted: 28%
  • Methods used by the actors: 27%
  • The nation that is known to be involved: 24%

Nation-State Attacks: A Global Breakdown

Nation-state cyberattacks happen worldwide and are seemingly perpetrated by criminals in several different nations.

The International Institute for Strategic Studies (IISS) released a report studying the cyber power and capabilities of 15 countries. It released a tiered structure ranking their power, with one being the best.

The IIS Report ranked countries in the following order:

  • Tier 1 — United States
  • Tier 2 — Australia, Canada, China, France, Israel, Russia, and the United Kingdom
  • Tier 3 — India, Indonesia, Iran, Japan, Malaysia, North Korea, and Vietnam

The victimized organizations believe the following nation-states were responsible for the attacks that targeted them based on the information that was exposed or hacked (Trellix):

  • 42% Attackers acted on the behalf of an unknown nation-state
  • 39% Russia
  • 35% China
  • 28% North Korea
  • 22% Western governments
  • 20% Iran
  • 6% Do not know

Other Specific Cyberattacks

A few other types of cybercrimes commonly take place and victimize businesses and individuals, which we briefly cover in the next sections.

Identity Theft

Many of us are familiar with the concept of identity theft, another common form of cybercrime.

Identity theft occurs when a victim’s information gets stolen in order to impersonate them.

  • In February 2021, it was reported that 55 million consumers were victims of identity fraud in the previous 12 months. (Norton)

To combat identity theft, individuals should safeguard their social security numbers, be vigilant about phishing and spoofing schemes, and use unique, complex, and effective passwords.

Business-email Companies (BEC) Cyberattacks:

A BEC attack occurs when a scammer impersonates an employee or other trusted person to trick another employee or individual into sending money. This is usually done through an email sent from a fake or compromised email account. (APWG)

Typically, the criminal aims to trick victims into giving them money or sending personal information.

Below, see a breakdown of the percentage of BEC attacks that affected free webmail providers in the third quarter of 2022 (APWG):

  • Google: 66%
  • Microsoft: 21%
  • Verizon Media: 6%
  • Other: 7%

Tech Support Fraud

Tech support fraud is a form of cybercrime that is rapidly growing year after year. This type of attack happens when scammers trick victims into believing they need tech support to correct fictitious problems that don’t exist.

The scammers are sometimes looking for “payment” for their “tech support service” or for your personal information. (Microsoft)

Below, compare the growth in losses victims have experienced over the past five years for tech support fraud (IC3):

  • 2022 — $806.5 million (IC3 2022 Report)
  • 2021 — $347.6 million
  • 2020 — $146.47 million
  • 2019 — $54 million
  • 2018 — $38.69 million
  • 2017 — $14.8 million

Tech support crimes impact older populations marginally more than younger, more tech-savvy generations.

  • In 2021, for example, 60% of tech support fraud victims were over 60 years old and accounted for 68% of the losses. (IC3)

Social Media Attacks

Cyber attackers can also use social media to carry out phishing attacks and other common cyber crimes by pretending to be trusted people or brands. (Proofpoint)

Social media attacks are growing, with the average company being targeted almost three times a day online, according to APWG.

Below, see what the most common social media threat types were for the first quarter of 2022 (APWG):

  • Impersonation: 47%
  • Fraud: 29%
  • Cyber threat: 24%
  • Data leak: 1%

Social media is a tech industry that has exploded in recent years, and the younger generation operating online is eager to utilize social media for every aspect of their lives.

The more intertwined an individual is to their social media account, the easier it is for a cyber threat to use platforms such as Twitter, Facebook, and Instagram as the conduits to commit crime.

With the advancements in AI technology, criminals can now easily disguise their true identities online and facilitate crimes where individuals think they’re dealing with their boss or a celebrity when, instead, they’re interacting with a sophisticated cyber criminal from the other side of the globe.

Industry-Specific Cyberattack Stats

As we previously mentioned, it doesn’t matter what industry you’re in; as long as you operate in a digital space, you’re vulnerable to cybercrime.

In the next few sections, we compare cybersecurity data for all of the following industries:

  • Education
  • Healthcare
  • Pharmaceutical
  • Government and military

Cyberattacks in Education

For those working in the field of education, cybercrime should be at the forefront of your mind.

  • In the third quarter of 2022, the education and research sector saw an 18% increase in attacks compared to the third quarter in 2021, with an average every week of 2,148 attacks per organization. (Checkpoint)

The education industry was ranked as the sixth-most targeted industry for cyberattacks after the finance, healthcare, information, manufacturing, professional, and public sectors.

  • According to the research, schools are the second-highest target for ransomware attacks. (Impactmybiz)

Take a look at some of the alarming pieces of data indicating that education is a hotbed for cyberattacks, especially if the school’s security infrastructure is vulnerable:

  • Education was the most targeted industry for cyberattacks in the first half of 2022. (Sentinelone)
  • Education ranks as the least secure industry out of 17 sectors. (Impactmybiz)
  • In July 2022, the education industry experienced twice the amount of weekly cyberattacks compared to other industry averages. (Sentinelone)
  • A separate study also reported that in August 2022, the education sector suffered more than twice the weekly attacks of other industries. (Checkpoint)
  • 87% of educational institutions have reported at least one successful cyberattack. (Impactmybiz)
  • 30% of users in the education sector have fallen victim to a phishing scheme. (Impactmybiz)

The solution appears clear, especially to university leaders:

  • 85% of universities agree that more funding needs to be allocated to IT departments to protect critical research. (Impactmybiz)

Investing time, money, and resources into training the IT department at educational institutions to combat, prevent, and limit these cybercrimes is a must. If the industry doesn’t catch up, schools will remain one of the most targeted organizations year after year.

Cyberattacks in Healthcare

Healthcare is another popular and lucrative industry that regularly falls victim to cybercrimes.

  • In 2022, the healthcare sector saw an average of 1,426 attacks per week, a 60% increase from the previous year (Checkpoint).
  • More than 40 million patient records were compromised in data breaches in 2021. (Healthcare IT News)
  • Breaches in the healthcare industry have seen the highest increases for the past 12 years, including a 41.6% increase since 2020. (IBM)
  • This is despite 16% of healthcare providers reporting that they have a “fully functional” security program in place (Chimecentral).
  • The healthcare industry is forecasted to spend $125 billion on cybersecurity for the five-year period of 2020-2025. (Cybersecurity Ventures)
  • 82% of healthcare organizations report that security is a major concern. (Purplesec)

Cyberattacks on Pharmaceutical Companies

Like healthcare, the pharmaceutical industry has also been hit hard by cybercrime over the past few years, with no signs of the attacks slowing down anytime soon.

  • Studies suggest that 53% of data breaches in pharmaceutical companies were caused by malicious activities (Biopharma).

Take a look at the percentage of lost data and how it affected everyone, from the people working in the industry to patients attempting to access their online portals:

  • 28% of pharmaceutical companies lost vital data or intellectual property. (Fortinet)
  • 40% of pharmaceutical companies experienced outages that affected their productivity, safety, compliance, revenue, and/or brand image. (Fortinet)

Reportedly, the intrusions on the pharmaceutical companies happened in the following ways (Fortinet):

  • 40% mobile security breaches
  • 37% phasing
  • 36% hacked removable storage device/media
  • 35% of hackers included SQL, zero-day, man-in-the-middle

Pharmaceutical companies handle and store massive amounts of highly sensitive, confidential information and its billion-dollar industry — a treasure trove for cybercriminals.

More time must be spent training employees, setting up security best practices, and increasing overall cybersecurity awareness, or else the industry will continue to fall victim to digital crimes.

Cyberattacks on Financial Institutions

Financial institutions must also start upping their cybersecurity game, or this industry will continue to be hit by online threats and attacks.

  • Financial companies saw an increase of 238% in cyberattacks in the first half of 2020. (Upguard)
  • Plus, according to HubSecurity, the cost of cyberattacks on these companies is over $18.3 million per year.

Below, see a few more intense statistics highlighting how cybercrime heavily impacts financial institutions:

  • 90% of all financial institutions experienced a ransomware attack in 2020. (HubSecurity)
  • Financial gain is the cause of 86% of data breaches, according to a Verizon study. (CNN)
  • 30% of financial institutions regard nation-state attacks as a top concern. (Purplesec)

Cyberattacks on Government and Military

It’s important to reiterate that cybercrime has no boundaries or limits, and attackers even target government entities and military agencies.

  • In 2022, the government and military sector faced 1,564 attacks per week, up by 20% from 2021. (Checkpoint)

This increasing rate suggests that businesses, individuals, and leaders must take cybersecurity, prevention, training, and best practices far more seriously. The time to prepare yourself, regardless of your industry, is now.

Location-Based Cyberattack Statistics

After looking at all this data, you might wonder where on earth all of these cyberattacks are taking place. The answer? Nearly everywhere.

In the next sections, we look at statistics from the United States and then break down rates by country from the rest of the world.

United States Cybercrime Statistics

The U.S. experiences high numbers of cybercrime each year, impacting both business owners and consumers.

Here’s a brief overview of how many cyberattacks hit the US on average:

  • 30,819 cyberattacks were reported by U.S. federal agencies. (Statista)
  • The leading barrier to an effective cybersecurity program in the United States is a lack of a robust cybersecurity budget from Congress. (Statista)
  • 26.3% of cyber warfare strikes are directed toward the US. (Statista)

In terms of states, some places experience far more attacks than others, with criminals primarily targeting areas with very large metropolitan areas and populations, like California and Texas.

Below, see the top 10 states by the average amount of cybercrime victims (IC3):

  1. California — 80,766
  2. Florida — 42,792
  3. Texas — 38,666
  4. New York — 25,112
  5. Illinois — 14,786
  6. Pennsylvania — 14,741
  7. Ohio — 13,659
  8. Michigan — 13,566
  9. Arizona — 12,112
  10. Virginia — 11,882

Nearly all these states also made the list for the top 10 US states with the highest average victim loss amounts, besides Virginia and Michigan, which fall off the list and are replaced by Alabama and Georgia.

See the full list below (IC3):

  1. California — $2,012.8 million
  2. Florida — $844.9 million
  3. New York — $777 million
  4. Texas — $763.1 million
  5. Georgia — $322.6 million
  6. New Jersey — $284.6 million
  7. Illinois — $266.7 million
  8. Pennsylvania — $250.9 million
  9. Alabama — $247.9 million
  10. Arizona — $241.1 million

Global Cybercrime Statistics

Next, we’re looking at the average number of victims and the accrued losses based on different countries worldwide.

The country with the highest percentage of citizens concerned about falling victim to cybercrime is the U.S., as shown in the data below (Norton).

  1. United States — 88%
  2. Australia — 87%
  3. United Kingdom — 83%
  4. New Zealand — 79%
  5. France — 78%
  6. Japan — 77%
  7. India — 75%
  8. Italy — 73%
  9. Netherlands — 73%
  10. Germany — 70%

This worry makes sense as the U.S. is also where the most expensive losses occur when compared to other countries.

Just take a look at the table below, which shows the countries with the highest average cost for data breaches in 2022 and 2021, according to IBM.

Country 2022 2021
United States $9.44 million $9.05 million
Middle East $7.46 million $6.93 million
Canada $5.64million $5.4 million
United Kingdom $5.05 million $4.67 million
Germany $4.85 million $4.89 million
Japan $4.57 million $4.69 million
France $4.34 million $4.57 million
Italy $3.74 million $3.61 million
South Korea $3.57 million $3.68 million
South Africa $3.36 million $3.21 million
Australia $2.92 million $2.82 million
ASEAN $2.87 million $2.71 million
Latin America $2.8 million $2.56 million
India $2.32 million $2.21 million
Scandinavia $2.08 million $2.67 million
Brazil $1.38 million $1.09 million
Turkey $2.32 million $1.61 million

See a complete breakdown of the average number of hours spent resolving cybercrime by country below (Norton):

  1. India — 10.8 hours
  2. Germany — 9.1 hours
  3. Italy — 8.7 hours
  4. Australia — 8.2 hours
  5. United States — 6.7 hours
  6. Japan — 5.9 hours
  7. France — 5.5 hours
  8. United Kingdom — 4.4 hours
  9. Netherlands — 3.9 hours
  10. New Zealand — 3.7 hours

But the country with the highest percentage of adults who believe they don’t know how to protect themselves from cybercrime is actually Japan, with Italy and France trailing behind. Compare the top 10 countries that land on this list below, as reported by Norton:

  • Australia — 47%
  • France — 63%
  • Germany — 49%
  • India — 52%
  • Italy — 64%
  • Japan — 77%
  • Netherlands — 44%
  • New Zealand — 47%
  • United Kingdom — 46%
  • United States — 40%

Ultimately, it doesn’t matter where in the world you live. Cybercrime truly has no borders and happens on nearly every continent.

Start preparing to protect yourself or your business today, and prevent yourself from becoming a part of the data that appears on lists like these.

Stats Regarding Business Leaders & Executives

CEOs and non-CEO executives are slightly disconnected from how prepared and supported their company and investors feel.

  • 41% of business executives consider cyber resilience an established business property, while only 13% of security-focused executives consider cyber resilience an established priority. (Weforum)
  • 92% of business executives believe cyber resilience is integrated into their enterprise risk management strategies, while 55% of security-focused executives believe it.  (Weforum)
  • 11% of business executives believe regulations have the largest influence on their approach to cybersecurity, while 20% of security-focused executives believe this. (Weforum)

To further highlight this gap between CEOs and non-CEO executives, check out the table below, which compares more of their cyber support views (PWC).

Cybersecurity Belief CEOs who agree non-CEO executives who agree
Believe they ensure adequate resources, funding, and sufficient priority. 37% 30%
Believe they connect with confidence with customers and business partners. 36% 30%
Believe they embed cyber and privacy in key operations and decisions of the organizations. 34% 30%
Believe they reduce uncertainty around rising cyber risks for investors. 34% 29%
Believe they inspire the security team and increase their professional satisfaction. 33% 28%
Believe they clarify roles and responsibilities for cross-functional teaming on cyber. 32% 28%
Believe they create a cyber-proficient culture throughout the organization. 31% 30%
Believe they clarify positions when there are tensions and conflicts among competing values. 30% 28%

The good news?

  • According to PWC, 46% of organizations report an increased engagement of CEOs in cybersecurity matters.

On top of that, more employee training with a cybersecurity focus appears to be taking place across the board, just take a look at the statistics:

  • 43% of organizations report increased employee report rates on phishing tests. (PWC)
  • 43% of organizations report an increased number of cyber and privacy assessments before they implement a project. (PWC)
  • 43% of organizations report improved management of security policy exceptions. (PWC)
  • 43% of organizations report an increased amount of time spent on cybersecurity discussions at board meetings. (PWC)
  • 42% of organizations report an increased assessment of their board’s understanding of cyber matters. (PWC)
  • 42% of organizations report an increased alignment of cyber strategy and business strategy. (PWC)
  • 41% of organizations report an increased percentage of overall risk remediating being completed by allotted deadlines from their security teams. (PWC)

Stats Regarding Cybersecurity Staff & Infrastructure

Cybercrime also takes a heavy toll on business’s staff and infrastructure.

  • Based on research conducted by Weforum, 47% of cyber leaders report having training and skill gaps.

Below, see a list of the top personal cybersecurity concerns of cyber leaders (Weforum):

  • 42% infrastructure breakdown as a result of a cyberattack
  • 24% identity theft
  • 20% ransomware attack
  • 10% loss of personal assets as a result of a cyberattack
  • 4% other

AI, automation, and machine learning are expected to have the largest influence in transforming cybersecurity in the next two years at 48%, while remote/hybrid work environments are expected to have a 28% influence on cybersecurity transformation. (Weforum)

  • Currently, it takes companies with full security AI and automation 74 days less on average to identify and contain a data breach. (IBM)

Some other seemingly successful approaches to upping cybersecurity in the workplace include simplifying various processes and procedures. Take a look at the data reported by PWC:

  • 35% of organizations defined a new mixture of remote/virtual and onsite work
  • 33% of organizations reorganized functions and ways of working
  • 32% of organizations consolidated technology vendors
  • 32% of organizations created an integrated data governance framework
  • 31% of organizations automated standard, repetitive processes
  • 31% of organizations created an integrated dashboard for key metrics
  • 30% of organizations defined or re-aligned the mix of in-house resources and managed services
  • 30% of organizations rationalized technologies, including decommissioning legacy technologies
  • 27% of organizations removed redundancies in processes

Here are a few more statistics showcasing the need for different approaches to cybersecurity and a few infrastructure changes that business report helped them fortify their business efforts:

  • 57% of remote workers report they feel more distracted when working at home than at the office. (Tessian)
  • 76% of cyber leaders report that they employ cyber-resilience practices. (Weforum)
  • 25% of cybersecurity job candidates actually lack the technical skills needed. (Dizzion)
  • 27% of employers report they cannot fill their cybersecurity positions. (Dizzion)
  • 41% of organizations have a zero-trust security model. The 59% who do not have a zero-trust model suffer more than $1 million in beach costs when compared to those who do. (IBM)
  • 79% of critical infrastructure organizations do not employ a zero trust security model and experience an increased cost of $5.4 million in data breaches. (IBM)
  • Almost 75% of organizations had an incident response plan, and 63% say they test that plan on a regular basis. (IBM)
  • Businesses with an incident response plan that was tested on a regular basis saved more than $2.66 million in breach costs compared to those without a plan. (IBM)
  • 38% of organizations reported that their security teams were sufficiently staffed, while 62% said their teams were understaffed. (IBM)

Small Business Cybersecurity Stats

Many small businesses falsely assume they’re too small to fall victim to a cybersecurity attack, but this actually makes them easier targets for hackers and other cybercriminals who know they likely don’t have robust security systems in place.

Below, see some data highlighting exactly how many smaller companies suffer from a breach or cyberattack compared to their expectations.

  • 59% of small businesses do not have measures to repel cybersecurity attacks because they believe their business to be “too small” to be a target. (Digital.com)
  • But 43% of all cyberattacks involve small businesses. (SmallBizTrends)

Cybercriminals often go after newly incorporated businesses that are focusing on attracting capital, managing operations, and developing the necessary funding for expansion and advertising — in other words, small businesses that don’t have cyber insurance and are too busy to pay attention to trending threats in their industry.

Here are some statistics showing how insecurities in the cybersecurity practices of small businesses contribute to digital attacks:

  • 51% of small businesses do not have operations in place against cybersecurity attacks. (Digital.com)
  • 69% of small businesses do not practice strict enforcement of their password policies. (Purplesec)

Organizational Approaches to Cybersecurity

The experts all agree it’s more than time for companies to invest in better cybersecurity protocols and practices. According to the data, some organizations plan to or have already implemented cyber investments that help curb the risk of experiencing an attack.

Below, compare the percentage of organizations that reportedly plan to implement the following types of cyber plans in the future (PWC):

  • Cloud security — 45%
  • Security awareness training and cross-training security operations — 46%
  • Endpoint security — 46%
  • Managed security services — 46%
  • Real-time threat intelligence capabilities — 49%
  • Business continuity/disaster recovery planning — 47%
  • Enterprise identity and access management — 48%
  • Consumer identity and access management — 48% 
  • Enterprise-wide information governance framework — 50%
  • Software-defined access — 48%
  • Third-party risk management processes — 51%
  • Zero trust — 52%

Compare these numbers to the percent of organizations listed below that have already executed the same procedures at full scale (PWC):

  • Cloud security — 35%
  • Security awareness training and cross-training security operations — 36%
  • Endpoint security — 35%
  • Managed security services — 33%
  • Real-time threat intelligence capabilities — 33%
  • Business continuity/disaster recovery planning — 34%
  • Enterprise identity and access management  — 32%
  • Consumer identity and access management — 33%
  • Enterprise-wide information governance framework — 32%
  • Software-defined access — 33%
  • Third-party risk management processes — 32%
  • Zero trust — 28%

But this still begs the question of if these procedures actually work to keep businesses safer while operating online.

Below, see the percentage of organizations who say there have been benefits for their cyber investments based on the same procedures listed above (PWC):

  • Cloud security — 16%
  • Security awareness training and cross-training security operations — 16%
  • Endpoint security — 16%
  • Managed security services — 15%
  • Real-time threat intelligence capabilities — 15%
  • Business continuity/disaster recovery planning — 15%
  • Enterprise identity and access management — 14%
  • Consumer identity and access management — 14% 
  • Enterprise-wide information governance framework — 14%
  • Software-defined access — 14%
  • Third-party risk management processes — 12%
  • Zero trust — 11%

With the growing threat of becoming the victim of new and sophisticated cyberattacks, businesses need to assess their defensive security measures and determine whether and how to improve them. Similarly, those without security measures need to consider implementing them.

The more awareness grows, and people understand the intricacies of such threats, the better poised they become to develop preventive procedures.

Cyberattack Stats From the Internet Crime Complaint Center (IC3)

The Federal Bureau of Investigation (FBI) started the Internet Crime Complaint Center (IC3) in 2000.

Since its onset, IC3 has received complaints involving cybercrimes in numerous fields, such as online fraud, hacking, intellectual property rights issues, theft of trade secrets, online extortion, international money laundering, identity theft, and more (IC3).

The good news?

This has quickly flourished into an easy and safe way for individuals and businesses to lodge complaints and seek possible remediation. IC3 also helps alert the FBI of the possibility of an elaborate cybercrime in the making.

This section will highlight some cybercrime statistics the IC3 has collected in its 2022 and 2021 Annual Reports.

The table below breaks down the number of complaints IC3 has received over the last six years and includes the total costs associated with each corresponding year (IC3):

Year Complaints Cost
2022 800,944 $10.3 billion
2021 847,376 $6.9 billion
2020 791,790 $4.2 billion
2019 467,361 $3.5 billion
2018 351,937 $2.7 billion
2017 301,580 $1.4 billion
  • Notably, in 2022, the number of reported complaints decreased by 5%, but dollar losses increased by 49% (IC3), a massive amount suggesting that victims of such digital crimes will continue to experience greater losses each year.

Remember, not all cyberattacks involve leaked data. For many individuals, the crime feels far more personal.

Just take a look at the types of online crimes individuals reported to IC3 throughout 2021 and 2022:

  • The IC3 received reports of 19,021 victims of confidence fraud and romance scams worth over $735 million in losses. (IC3)
  • Over 18,000 sextortion complaints were filed with the IC3 in 2021, adding up to $13.6 million. (IC3)
  • Cryptocurrency investment fraud increased by 183% between 2021 and 2022, and losses rose from $907 million to $2.57 billion (IC3)
  • In 2021, 34,202 complaints were filed with the IC3 involving cryptocurrency (like Bitcoin, Ethereum, Litecoin, or Ripple), adding up to $1.6 billion in losses. (IC3)
  • In 2022, 32,538 complaints were filed with the IC3 with respect to tech support fraud claims, resulting in losses of over $806 million. This is a significant increase from the 23,903 complaints costing $347 million in losses the year prior. Victims are located in 70 different countries. (IC3)

Contrary to popular belief, anyone from any walk of life can fall victim to this type of criminal activity.

The table below compares the victims of internet crimes by age and shows the average losses in US dollars from 2022 and 2021, as recorded by IC3.

Age Complaints (2022) Losses (2022) Complaints (2021) Losses (2021)
Under 20 years old 15,782 $210.5 million 14,919 $101.4 million
20-29 years old 57,978 $383.1 million 69,390 $431.1 million
30-39 years old 94,506 $1.3 billion 88,448 $937.3 million
40-49 years old 87,526 $1.6 billion 89,184 $1.19 billion
50-59 years old 64,551 $1.8 billion 74,460 $1.26 billion
60+ years old 88,262 $3.1 billion 92,371 $1.68 billion

We’ve also compiled a list of the types of cybercrimes people fall for each year, according to (IC3), which you can see in the table below.

Type of Cybercrime Victims (2022) Victims (2021)
Phishing/Vishing/Smishing/Pharming 300,497 323,972
Non-Payment/Non-Delivery 51,679 82,478
Personal Data Breach 58,859 51,829
Identity Theft 27,922 51,629
Extortion 39,416 39,360
Confidence Fraud/Romance 19,021 24,299
Tech Support 32,538 23,903
Investment 30,529 20,561
BEC/EAC 21,832 19,954
Spoofing 20,649 18,522
Credit Card Fraud 22,985 16,750
Employment 14,946 15,253
Other 9,966 12,346
Terrorism/Threats of Violence 2,224 12,346
Real Estate/Rental 11,727 11,578
Government Impersonation 11,554 11,335
Advanced Fee 11,264 11,034
Overpayment 6,183 6,108
Lottery/Sweepstakes/Inheritance 5,650 5,991
IPR/Copyright and Counterfeit 2,183 4,270
Ransomware 2,385 3,729
Crimes Against Children 2,587 2,167
Malware/Scareware/Virus 762 810

The largest increases in fraud types include spoofing, tech support, and credit card fraud, all of which target individuals more than companies.

For most businesses, the best way to avoid these sneaky and targeted attacks is to build more awareness, educate your employees, and implement proper security practices and procedures.

Cyber Insurance Statistics

The increase in cybercrime has led many companies to buy and implement cyber insurance.

  • The worldwide market for cyber insurance is forecasted to reach $20.43 billion by 2027. (Networkassured)
  • 60% of businesses would reconsider entering an agreement with another organization if that organization did not have cyber insurance. (Blackberry)
  • 68% of IT-decision makers would re-evaluate an agreement due to cybersecurity practices. (Blackberry)

Like auto insurance protects drivers from the financial pitfalls of an accident or medical malpractice insurance protects doctors from a botched surgery, cyber insurance protects individuals and businesses from the economic devastation following a cyberattack.

  • 98% of cybersecurity insurance claims came from small and medium enterprises whose annual revenue is under $2 billion. (RSMUS)
  • 55% of organizations have cyber insurance, and less than 20% have coverage exceeding $600,000. (Blackberry)

However, cyber insurance comes with its own pitfalls. From being too costly, to not finding a broad enough policy, here are some interesting business statistics related to cyber insurance coverage for your consideration:

  • 94% of those with cyber insurance report that the process of applying for coverage has changed (Sophos)
  • 34% say cyber insurance is more expensive (Sophos)
  • 47% say the cyber insurance policies are more complicated (Sophos)
  • 40% say that there are few companies that offer cyber insurance (Sophos)
  • 37% say the process of applying for cyber insurance takes longer than it used to (Sophos)
  • 54% say they need to qualify for higher levels of cybersecurity (Sophos)

Cybersecurity Tips From the Experts

You might wonder, especially after seeing these data points, if it’s possible to protect yourself as a consumer or business from cyberattacks. The good news is that you can learn how to keep yourself and your information safer online by building cyber resilience.

We asked the experts:

What is one tip you’d give businesses to increase their cybersecurity?

Ana-FerreiraAna Ferreira, PhD, CISSP, HCISPP

Empower your employees with cybersecurity knowledge but make them also conscious of the responsibility and impact they have in the pro-active protection not only of the business but also of themselves and their privacy, which can also, in the end, impact their physical and mental integrity.

Richard-BejtlichRichard Bejtlich

The one tip I would give businesses to improve their security is to “monitor as if you’re already compromised because you probably are.” In other words, don’t just prepare for intrusions, but look for the intruders already exploiting your assets.

Adam-LevinAdam Levin

You need to invest in your cybersecurity if you want to improve it. This means employee training, especially for anyone with access to sensitive data. It means sacrificing convenience and requiring strong, unique passwords and multi-factor authentication. It means paying for password management apps and authenticators, work-specific devices, iLoks, regular security audits, and maintaining a zero-trust environment. None of this is free or easy as poor password hygiene – but it is much more affordable than getting hacked.

Steve-MorganSteve Morgan

Every business of every type and size globally should act as if they’ll be hit by a cyberattack tomorrow. Far too many companies still believe it won’t happen to them. When it does, it’s too late.

BobCarver-Hi-ResBob Carver – CISM, CISSP, MS

Regardless of this statistic, developing a Cybersecurity Risk Management Program for companies is like making a custom-made suit or highly tailored dress. One size does not fit all. Many factors need to be addressed according to the specific needs, risk tolerance, and budget availability of the business. There is also no “one and done” in risk management. It is a continual process of re-evaluating and updating your program accordingly.

Chuck-Brooks-3Chuck Brooks

In today’s sophisticated threat environment, cybersecurity can no longer be viewed as an afterthought if businesses are going to survive and thrive. There are a variety of established paths to follow in cyber risk management to fill gaps and bolster defenses. Complacency in the face of growing threats is not one of them.

Developing an understanding and creating an effective cybersecurity operational strategy really depends on a yin-and-yang formula – you need the technical people who understand the street-view challenges of the industry from an engineering perspective, and you need the executives who run P & L to facilitate the operations and go-to-market efforts, to sign off on a clearly defined plan. The themes of the framework should include protecting data, corporate IP, and establishing governance.

In C-Suite terms, what is the price tag for staying in business? In IT terms, this may include operational components of encryption, biometrics, smarter analytics, automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for the enterprise network, payload, and endpoint security. Also, access and identity management of connected devices need to be strengthened and enforced through new protocols and processes.


You’ve seen the data and heard from the experts — if you’re not already investing in cybersecurity best practices for your business, you’re at risk of an attack.

The cost of these digital crimes keeps increasing yearly, and there’s no sign of things slowing down anytime soon.

With more and more people operating online, consumers and businesses need to focus on educating themselves, implementing security measures, and protecting their passwords, login credentials, and personal information in the digital sphere.

Take advantage of the cybersecurity market growth and invest in security tools and models to account for the increased sophistication of cybercrime. The payoff of not being attacked or shortening the life cycle of a breach is worth it.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources