34 cybersecurity statistics to lose sleep over in 2023
Here are 34 eye-opening cybersecurity stats from dozens of security experts -- on crime, jobs and trends -- to chew on while developing your 2023 security plan.
Hackers and data miners continue to become more sophisticated, malicious and just plain greedy. Even the general public has become aware of security threats and incidents that splash across news headlines.
In other words, you don't have to be an enterprise IT pro to understand the latest security risks. That's the easy part.
The hard part is understanding who is at risk, why and when you might fall prey to an attack, how pervasive attacks are and what types of threats are most likely to occur. Also important is understanding the costs and consequences associated with attacks, technologies that prevent a cybersecurity attack, and the fallout once an attack or data breach has occurred. The following cybersecurity statistics should help you to understand the risks, ensure network security and -- just in case -- create an incident response plan.
Cybercrime and cybersecurity statistics
Before diving into the specific types of cyber attacks, you need to understand how much data is involved. By 2025, humanity's collective data will reach 175 zettabytes -- the number 175 followed by 21 zeros. This data includes everything from streaming video and dating apps to healthcare databases. Securing all this data is vital.
The main goal for cybercriminals is to acquire information -- name, passwords and financial records, for example -- that is then sold on the dark web. As explained below, attacks can happen at any time and both individuals and organizations are victims:
- Perhaps no cybersecurity trend has been bigger in the last several years than the scourge of attacks related to the supply chain. Cyber incidents, such as the breach at software management vendor SolarWinds and Log4j in the open source world, put organizations around the globe at risk. Analyst firm Gartner predicted that by 2025, 45% of global organizations will be impacted in some way by a supply chain attack.
- The volume of reported vulnerabilities continues to rise. The HackerOne 2022 "Hacker-Powered Security Report" found that ethical hackers were able to discover over 65,000 vulnerabilities in 2022 alone, up by 21% over 2021.
- Cybersecurity measures in place by businesses, governments and individuals are increasingly being rendered obsolete by the growing sophistication of cybercriminals, according to "The Global Risks Report 2022" from the World Economic Forum.
- The cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025, according to Cybersecurity Ventures' "2022 Official Cybercrime Report," sponsored by eSentire.
- While businesses try to protect their own sensitive files from attack, customer information is stored in vulnerable databases all over the world. Identity fraud losses tallied a total of $52 billion and affected 42 million U.S. adults, according to "2022 Identity Fraud Study: The Virtual Battleground" from Javelin Strategy & Research.
- It takes an average of 277 days for security teams to identify and contain a data breach, according to "Cost of a Data Breach 2022," a report released by IBM and Ponemon Institute.
- Cryptojacking is incredibly prevalent, growing by 230% in 2022, according to Kaspersky Lab.
- The same study noted that most hackers earn variable amounts from cryptojacking, with an average of approximately $1,600 per month.
- According to the IBM "Cost of a Data Breach 2022" report, data breaches involving lost or stolen credentials take longer to identify and cost $150,000 more than the average data breach.
- The FBI's Internet Crime Complaint Center reported the volume of complaints in 2021 as 847,376, an all-time high. Total losses from those complaints totaled over $6.9 billion.
Cybersecurity issues and threats
There are many types of security threats. Unlike a breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. The biggest types of security threats are malware, ransomware, social engineering, phishing, credential theft and distributed denial-of service (DDoS) attacks:
- The human element is the most common threat vector; it was the root cause of 82% of data breaches, according to Verizon's "2022 Data Breach Investigations Report." The human element especially plays a role in phishing attacks and stolen credentials. Phishing is often delivered via email; these attacks trick a user into clicking a link or providing information that can lead to exploitation.
- One bright note is malware: Mobile malware infections declined in the third quarter of 2022, to 5.6 million, according to a report from Kaspersky Lab.
- Ransomware attacks are a constant threat affecting all sectors, and it's only getting worse. Kaspersky Lab reported that the percentage of users impacted by targeted ransomware doubled in the first 10 months of 2022.
- Phishing attacks increased by 61% in 2022, according to the "2022 State of Phishing" report from SlashNext. The Anti-Phishing Working Group (APWG) reported that in the third quarter of 2022, it observed a total of 3 million phishing attacks, representing the worst quarter ever observed by the group.
- Among the most pernicious types of email attacks in 2022 was the reemergence of advance fee fraud scams, which rose by over 1,000% in the third quarter of 2022 according to the APWG. In an advance fee fraud scam, an unsuspecting user is promised a windfall if they are able to pay an advance fee upfront.
- The maximum attack bandwidth for DDoS attacks grew by 57% to 957.9 Gbps in the first half of 2022 compared with the second half of 2021, according to Netscout's 2022 "DDoS Threat Intelligence Report," with a total of just over 6 million attacks globally. Across the world, attacks actually decreased by 9% in the Asia-Pacific region. Comparatively, DDoS attack frequency in North America increased by 2%.
- One of the largest DDoS attacks in 2022 was a 2.5 Tbps attack reported by Cloudflare in the third quarter of the year. Cloudflare also reported a rising trend of ransom DDoS attacks, which were up 67% year over year in 2022. In a ransom DDoS attack, the attackers claim they will only stop an attack if they are paid a ransom.
For more on incident response, read the following articles:
How to build an incident response plan, with examples, template
How to create an incident response playbook
13 incident response best practices for your organization
Building an incident response framework for your enterprise
Incident response: How to implement a communication plan
The cost of cybercrime
Cybercrime can affect a business for years after the initial attack occurs. The costs associated with cyber attacks -- lawsuits, insurance rate hikes, criminal investigations and bad press -- can put a company out of business quickly:
- Part of maintaining a high level of security is ensuring non-security employees know how security affects their day-to-day activities. Building a security awareness training program is a necessary part of any company's security strategy. Employees ranging from associates to CEOs are constantly inundated with phishing emails. When you have mobile and IoT devices in your environment, creating a mobile incident response plan is a must. The cost of data breaches will rise from $3 trillion each year to more than $5 trillion in 2024, according to the "State of Cybersecurity Resilience 2021" report from Accenture.
- A single attack -- be it a data breach, malware, ransomware or DDoS attack -- cost companies in the U.S. a median of $18,000 in 2022, up from $10,000 in 2021, with 47% of all U.S. business suffering a cyber attack in some way, according to the "Hiscox Cyber Readiness Report 2022."
- The average total cost of data breaches in 2022 was $4.35 million, according to the IBM/Ponemon Institute report mentioned above. Breaches in the healthcare industry were the costliest at $10.10 million on average. Breaches in the U.S. were the most expensive at $9.44 million.
- Though 43% of attacks are aimed at SMBs, only 14% of these businesses are prepared to defend themselves, according to Accenture.
- Excluding the Department of Defense, the U.S. government has budgeted $10.89 billion on cybersecurity spending for 2023. The Department of Homeland Security is set to receive roughly $2.6 billion in 2023.
- More than 33 billion records will be stolen by cybercriminals by 2023, an increase of 175% from 2018.
- By 2027, global spending on cybersecurity training will reach $10 billion, according to Cybersecurity Ventures. As the number of online users increases, insider threats are as equally significant as threats from outside the enterprise. Training employees to recognize security threats and report them can bolster your cyberdefense strategy.
Headlines from the cybersecurity industry
Plenty of security news broke in 2022. Hackers and cybercriminals ruthlessly attacked businesses and individuals alike. But cybercrimes aren't the only news security experts should consider from 2022. Here's a look at some of the major industry trends related to incident response, attacks and testing:
- According to VMware's 2022 "Global Incident Response Threat Report," 66% of organizations have seen a deepfake The report also found that 65% of organizations reported an increase in cyberattacks after the Russian invasion of Ukraine.
- The FBI's Cyber's Most Wanted list features over 100 individuals and groups that conspired to commit the most damaging crimes against the U.S. These crimes include computer intrusions, wire fraud, identity theft, espionage, trade secret theft and many other offenses.
- China has quietly cornered the virtual private network (VPN) market, said security research firm VPNpro, which didn't want this news kept private. Six Chinese companies own 30% of VPN providers, and 97 of the top VPNs are run by 23 parent companies, many of which are based in countries with lax privacy laws. That's not a great way to keep the private in virtual private network.
- Organizations are conducting more application security testing scans than ever before, according to the Veracode "State of Software Security, Volume 12" report. In 2021, most firms were scanning applications approximately three times a week -- up from three times a year in 2010.
- Managing mobile device security is another challenge. Devices that have been rooted or jailbroken, along with devices that likely had malware installed, are one form of risk. Another mobile risk comes from the growing volume of SMS-based business email compromise According to the Federal Communications Commission, the volume of unsolicited text messages was three times more in 2022 than it was in 2019.
The skills shortage
The cybersecurity industry has an employee and skills shortage. But don't lose heart, faithful security pros: Joseph Blankenship, a research director for security and risk at Forrester Research, suggested organizations look inward for current employees who might be well suited for security careers, and then recruit and train them for those new roles. There might be plenty of individuals out there -- such as networking admins, developers, systems engineers and even security analysts -- with the chops needed for the job.
The U.S. government is also working to improve the recruitment process. The Cybersecurity and Infrastructure Security Agency (CISA) is among the most active government agencies that is recruiting for IT talent. In 2022, the agency had over 150 open cybersecurity positions.
Additional security employment statistics include the following:
- At the end of 2022, there was a security workforce gap of 436,080 jobs in the U.S. and 3.4 million globally, according to the 2022 "(ISC)2 Cybersecurity Workforce Study."
- The "State of Cybersecurity 2022" report from ISACA stated that 62% of organizations feel they are understaffed in terms of cybersecurity professionals. Adding further insult to injury, that study found that 60% of organizations have trouble holding onto qualified cybersecurity staff.
- That same survey reported the primary reason cybersecurity staff leave is that they are recruited by other companies. Other top reasons employees leave, the survey said, are high work stress levels and lack of management support.
- According to Symantec, two-thirds of cybersecurity decision-makers feel like quitting. The skills gap is partly due to the fact that security experts are leaving their jobs at an alarming rate. Symantec also found that four in five security professionals said they are burned out. Survey respondents said they feel set up for failure in a profession where the everyday role is reaching a state of chronic overload.
- Cybersecurity is a high-salary field to work in, particularly in North America. The (ISC)2 study listed the average salary for a cybersecurity professional in North America as $134,800. That figure drops to $93,535 in Europe, Middle East and Africa and falls even lower in Latin America to $22,185.
If the previous statistics have you lying awake in the middle of the night, here's a statistic to help you sleep: According to the "2023 Technology Spending Intentions Survey" by TechTarget's Enterprise Strategy Group, 52% of organizations said they plan on increasing IT spending in 2023, with cybersecurity being a top priority.
"With an expected increase in criminal activity, organizations will need to invest strategically in areas like vulnerability management and security hygiene -- both internally and throughout their supply chain," stated Dave Gruber, cybersecurity principal analyst at Enterprise Strategy Group.
How to fix the top 5 cybersecurity vulnerabilities
Top incident response service providers, vendors and software
5 cybersecurity myths and how to address them