Cybersecurity professionals are painfully aware that cybersecurity risks are a plague on businesses of all sizes, as well as the average online consumer.
Hackers and data miners continue to become more sophisticated, malicious and just plain greedy. Even the general public has become aware of security threats and incidents that splash across news headlines.
In other words, you don't have to be an enterprise IT pro to understand the latest security risks. That's the easy part.
The hard part is understanding who is at risk, why and when you may fall prey to an attack, how pervasive attacks are and what types of threats are most likely to occur. Also important is understanding the costs and consequences associated with attacks, technologies that prevent a cybersecurity attack, and the fallout once an attack or data breach has occurred. The following statistics should help you to understand the risks, ensure network security and -- just in case -- create an incident response plan.
Cybersecurity and cybercrime statistics
Before diving into the specific types of cyber attacks, you need to understand how much data is involved. By 2025, humanity's collective data will reach 175 zettabytes -- the number 175 followed by 21 zeros. This data includes everything from streaming video and dating apps to health care databases. Securing all this data is vital.
The main goal for cybercriminals is to acquire information -- name, passwords and financial records, for example -- that is then sold on the dark web. As explained below, attacks can happen at any time and both individuals and organizations are victims.
- Perhaps no cybersecurity trend was bigger in 2021 than the scourge of supply chain ransomware attacks. Among the biggest attacks was the Colonial Pipeline ransomware attack, which affected the East Coast of the U.S. in May 2021. There were also ongoing issues related to supply chain security stemming from a breach at software management vendor SolarWinds.
- Security attacks increased 31% from 2020 to 2021, according to Accenture's "State of Cybersecurity Resilience 2021" report. The number of attacks per company increased from 206 to 270 year over year.
- Cybersecurity measures in place by businesses, governments and individuals are increasingly being rendered obsolete by the growing sophistication of cybercriminals, according to the 2021 World Economic Forum report on global risks.
- The cost of cybercrime is predicted to hit $10.5 trillion by 2025, according to the latest version of the Cisco/Cybersecurity Ventures "2022 Cybersecurity Almanac."
- Identity fraud losses tallied a total of $56 billion, according to the "2021 Identity Fraud Study" from Javelin Strategy & Research. While businesses try to protect their own sensitive files from attack, customer information is stored in vulnerable databases all over the world.
- It takes an average of 287 days for security teams to identify and contain a data breach, according to the "Cost of a Data Breach 2021" report released by IBM and Ponemon Institute.
- Cryptojacking is incredibly prevalent. CrowdStrike reported that the volume of cryptojacking quadrupled from 2020 to 2021. The Institute for Application Security in Germany found that one out of every 500 Alexa-ranked sites hosts a mining script.
- The same study noted that most cryptojackers don't earn very much. The average cryptojacker earns less than $6 per day. But high earners can make more than $166,000 on a single hack.
- According to the IBM "Cost of a Data Breach 2021" report, 20% of data breaches were caused at least initially by compromised credentials.
- The FBI's Internet Crime Complaint Center (IC3) reported an all-time high volume of complaints in 2020 at 791,790. Total losses from those complaints were more than $4.1 billion.
Cybersecurity issues and threats
There are many types of security threats. Unlike a breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. Here are statistics about the four biggest types of security threats: malware, ransomware, social engineering and distributed denial-of-service (DDoS) attacks.
- Phishing, the most common threat vector, is involved in 36% of data breaches, according to Verizon's "2021 Data Breach Investigations" report. Phishing is often delivered via email, where a user is somehow tricked into clicking a link or providing information that can lead to exploitation.
- Mobile malware infections saw a small decline in 2021, according to a report from Kaspersky Lab. In the third quarter of 2021, mobile attacks dropped to 9.6 million -- their lowest level in nearly two years.
- Ransomware attacks are a constant threat affecting all sectors. According to Emsisoft's "The State of Ransomware in the US" report, an estimated 2,323 local governments, schools and healthcare providers were directly affected as victims of a ransomware attack in 2021.
- More than 90% of cyber attacks begin as spear phishing emails, according to Trend Micro researchers. Spear phishing is a type of social engineering in which attackers target a specific individual -- or individuals -- within a company through their social media presence and then create a phishing email campaign tailored specifically to that person. It's a major issue that security professionals should be wary of in 2022. "Most firms still do not know where all of the sensitive information is nor what the criticality is, and we continue to see breaches because of it," said Adrian Lane, CTO and security analyst at Securosis.
- The frequency of DDoS attacks grew 11% in the first half of 2021 compared with the first half of 2020, reaching 5.4 million attacks, according to Netscout's "2021 Threat Intelligence Report." Across the world, attacks increased by 479% in Latin America. Comparatively, DDoS attack frequency in the U.S. increased by 7%.
- Among the largest DDoS attacks was a 1.5 TBps (terabytes per second) incident in June 2021, representing a 169% increase in attack bandwidth over the largest attack in the first half of 2020.
- A growing DDoS trend in 2021 was the rise of ransom or extortion DDoS attacks, according to Cloudflare. In a ransom DDoS attack, the attackers claim they will only stop an attack if they are paid a ransom. In the fourth quarter of 2021, Cloudflare reported a 175% increase in the volume of ransom DDoS attacks compared with the third quarter.
The cost of cybercrime
Cybercrime can affect a business for years after the initial attack occurs. The costs associated with cyber attacks -- lawsuits, insurance rate hikes, criminal investigations and bad press -- can put a company out of business quickly.
- Part of maintaining a high level of security is ensuring nonsecurity employees know how security affects their day-to-day activities. Building a security awareness training program is a necessary part of any company's security program. Employees ranging from associates to CEOs are constantly inundated with phishing emails. When you have mobile and internet of things (IoT) devices in your environment, creating a mobile incident response plan is a must. The cost of data breaches will rise from $3 trillion each year to more than $5 trillion in 2024, according to the "State of Cybersecurity Resilience 2021" report.
- A single attack -- be it a data breach, malware, ransomware or DDoS attack -- costs companies of all sizes an average of $200,000, and many affected companies go out of business within six months of the attack, according to insurance company Hiscox.
- The average total cost of data breaches in 2021 was $4.24 million, according to the IBM/Ponemon Institute report. Breaches in the healthcare industry were the costliest -- $9.23 million on average. Breaches in the U.S. were the most expensive at $9.05 million, while the Middle East came in second at $6.93 million.
- Forty-three percent of attacks are aimed at SMBs, but only 14% are prepared to defend themselves, according to Accenture.
- The U.S. government spent $15 billion on cybersecurity in 2019. The Department of Defense received the most funding with nearly $8.5 billion in the budget. Homeland Security received roughly $1.7 billion.
- More than 33 billion records will be stolen by cybercriminals by 2023, an increase of 175% from 2018.
- By 2027, global spending on cybersecurity training will reach $10 billion, according to Cybersecurity Ventures. As the number of online users increases, insider threats are as significant as threats from outside the enterprise. Training employees to recognize security threats and report them can bolster your cyberdefense strategy.
Headlines from the cybersecurity industry
Plenty of security news broke in 2021. Hackers and cybercriminals ruthlessly attacked businesses and individuals alike. But cybercrimes weren't the only news security experts should consider from 2021. Here's a look at some of the major industry trends related to incident response, attacks and testing.
- According to VMware's "The State of Incident Response 2021" report, 82% of surveyed organizations are concerned their company is vulnerable to a cyber attack. The report also found that 49% of organizations lack the expertise and tools for adequate incident response.
- The FBI's Cyber's Most Wanted list features more than 70 individuals and groups that have conspired to commit the most damaging crimes against the U.S. These crimes include computer intrusions, wire fraud, identity theft, espionage, theft of trade secrets and many other offenses.
- China has quietly cornered the virtual private network market, said security research firm VPNpro, which didn't want this news kept private. Six Chinese companies own 30% of VPNs, and 97 of the top VPNs are run by 23 parent companies, many of which are based in countries with lax privacy laws. That's not a great way to keep the "private" in virtual private network.
- Organizations are conducting more application security testing scans than ever before, according to the Veracode "State of Software Security v12" report. In 2021, most firms were scanning applications approximately three times a week -- up from three times a year in 2010.
- Managing mobile device security is another challenge. One in 36 devices used in organizations was classified as high risk, according to Symantec. This included devices that were rooted or jailbroken, along with devices that likely had malware installed.
The skills shortage
The cybersecurity industry has an employee and skills shortage. But don't lose heart, faithful security pros! Joseph Blankenship, a senior analyst for security and risk at Forrester Research, suggested organizations look inward for current employees who might be well suited for security careers and then recruit and train them for those new roles. There may be plenty of individuals out there -- such as networking admins, developers, systems engineers and even security analysts -- with the chops needed for the job.
The U.S. government is also working to improve the recruitment process. The CIA is working with the industry to recruit more security pros by promoting diversity through the hiring of more women and minorities. Additional security employment statistics include the following:
- At the end of 2021, there was a security workforce gap of 377,000 jobs in the U.S. and 2.7 million globally, according to the "(ISC)2 Cybersecurity Workforce Study, 2021."
- The "ISACA State of Cybersecurity 2021 Part 1" survey states that 61% of organizations feel they are understaffed in terms of cybersecurity professionals. Fifty percent of respondents said applicants were not sufficiently qualified for security positions.
- According to that same survey, a key challenge with filling cybersecurity positions is that only 31% of human resources staff understand their organization's cybersecurity needs. Adding further insult to injury, the study also found that only 27% of recent graduates in cybersecurity education programs are properly prepared for the workforce.
- According to Symantec, two-thirds of cybersecurity decision-makers feel like quitting. Part of the reason for a skills gap is that security experts leave their jobs at an alarming rate. Symantec also found that four in five security professionals said they are burned out. Survey respondents said they feel set up for failure in a profession where the everyday role is reaching a state of chronic overload.
- Cybersecurity is a high-salary field to work in, particularly in North America. The "(ISC)2 Cybersecurity Workforce 2021" study stated that the average salary for a cybersecurity professional in North America was $119,898. That figure drops to $78,618 in Europe and falls even further in Latin America to $32,637.
Now for a little good news. If the previous statistics have you lying awake in the middle of the night, here are a few final stats to help you sleep. Organizations are making security a priority -- 69% are increasing their cybersecurity budgets in 2022, according to the Enterprise Strategy Group's "2022 Technology Spending Intentions Survey." In addition, 85% of surveyed IT decision-makers expect their cybersecurity budgets to increase by up to 50% in 2022, according to a 2022 Kaspersky report on cybersecurity budgets. The top areas of investment for cybersecurity budget in 2022 include cyber insurance, digital forensics, incident response and training.