Global cyber attacks reached an all-time high in the fourth quarter of 2022, jumping to 1,168 a week per organization. That's a 38% increase from 2021.

Understanding the evolving threat landscape can help you protect your organization. 

We’ve compiled a list of more than 70 cybersecurity statistics that underscore the importance of a strong risk management program and security posture, particularly for small businesses and the health industry. Read to learn about cybercrime trends, recent attacks, and evolving threats.

Cybercrime statistics 

Individuals and organizations are increasingly exposed to cybercrime. Take a look at these statistics to get a better sense of the global impact of cybercrime. 

1. 39% of consumers globally were victims of a cybercrime in 2022. (Norton)

2. An estimated 463 million adults in 8 countries experienced a cybercrime in the past 12 months. (Norton)

3. Global consumers who experienced cybercrime in 2022 spent over 3.5 billion hours resolving issues caused by cybercrime. (Norton)

4. 54% of cybercrime victims in 2022 experienced financial loss as a result of cybercrime. (Norton)

5. Phishing schemes were the number one crime type reported to the FBI's Internet Crime Complaint Center in 2022, with 300,497 complaints. (FBI)

6. More than 2,500 advertisements for access brokers —  threat actors who acquire access to organizations and provide or sell this access to other actors— were identified in 2022, a 112% increase from 2021. (Crowdstrike)

Cyber risk statistics

As threat actors become more sophisticated and organizations’ attack surfaces continue to increase, managing cyber risk poses a growing challenge for organizations. Read on to find out how organizations are thinking about cyber risk. 

8. 41% of organizations have experienced three or more critical risk events in the last 12 months. (Forrester)

9. 58% of organizations consider their exposure to cyber attack high or very high. (Hiscox)

10. More than half of organizations that suffered a cyber attack in the past year (55%) see cyber as an area of high risk. Among non-victims the figure is just 36%. (Hiscox)

11. 41% of organizations attacked in the past year say their risk exposure has increased. (Hiscox)

12. More than three out of five organizations (62%) agree that their business is more vulnerable to attack with more employees working from home. (Hiscox)

13. Business continuity (67%) and reputational damage (65%) concern organization leaders more than any other cyber risk. (World Economic Forum)

14. Organization leaders said that artificial intelligence (AI) and machine learning (20%), greater adoption of cloud technology (19%) and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years. (World Economic Forum)

15. 73% of organization leaders agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2023. This is a noticeable increase from 39% who agreed with the same statement in 2022. (World Economic Forum)

Cybersecurity insider threat statistics 

The largest cybersecurity risk for most businesses is people, not technology. Learn about the cost and impact of insider threat and how organizations are responding. 

16. A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. (Gartner)

17. 74% of employees say they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. (Gartner)

18. Over 90% of employees who admitted undertaking a range of unsecure actions during work activities knew that their actions would increase risk to the organization but did so anyway. (Gartner)

19. Half of medium to large enterprises are expected to adopt formal programs to manage insider risk by 2025, up from 10% today. (Gartner)

20. 56% of insider-related incidents experienced by organizations in a 12-month study conducted by Ponemon Institute were due to negligence, and the average annual cost to remediate the incident was $6.6 million. (Proofpoint and Ponemon Institute)

21. On average, organizations are spending a total of $15.38 million on activities to resolve insider threats over a 12-month period. (Proofpoint and Ponemon Institute)

22. The time to contain an insider threat incident increased from 77 days in 2016 to 85 days in 2022, leading organizations to spend the most on containment. (Proofpoint and Ponemon Institute)

23. In 2022, 67% of companies reported experiencing between 21 and more than 40 insider security incidents per year. This is an increase from 60% in 2020. (Proofpoint and Ponemon Institute)

Cybersecurity attacks statistics 

Cyber attacks continue to dominate headlines. Learn what types of attacks your organization should expect and prepare for. 

24. The FBI's Internet Crime Complaint Center reported 800,944 cybersecurity complaints in 2022, with potential losses exceeding $10.3 billion. This represents a 5% year-over-year decrease in the total number of complaints, but a 49% YoY increase in dollar losses. (FBI)

25. The median cost of an attack rose 29% in 2022, to just under $17,000. (Hiscox)

26. 91 % of business and cyber leaders say they believe a far-reaching and catastrophic cyber event is “at least somewhat likely in the next two years” due to global geopolitical instability. (World Economic Forum)

27. 10% of business leaders and 13% of cyber leaders feel that they are missing critical people and skills needed to respond to and recover from a cyberattack. (World Economic Forum)

28. Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents. (Gartner)

29. Organizations experiencing 30 or more attacks in the past year had average cyber security budgets of $10 million or more. (Hiscox)

30. US firms reporting a cyber attack jumped sharply (+7%) in 2022, while attacks costing $25,000 or more have also increased, from 34% to 40%. (Hiscox)

31. Denial of Service (DoS) attacks represented 46% of total incidents in an analysis of 23,896 incidents in 2022 by Verizon. (Verizon)

32. Ransomware attacks hit an all-time high in March 2023, with 459 recorded attacks.This represents a 91% month-over-month increase and a 62% year-over-year increase. (NCC Group)

33. In a 12-month study by Microsoft, 76% of organizations which suffered ransomware attacks lacked an effective response plan, preventing proper organizational crisis readiness and negatively impacting time to respond and recover. (Microsoft Digital Defense Report)

34. In a 2022 study by CrowdStrike, there was a 20% increase in the number of adversaries conducting data theft and extortion campaigns without deploying ransomware. (Crowdstrike)

Cybersecurity breaches statistics 

As cyber attacks rise, so do the number of attacks resulting in data being lost or compromised. Find out what the leading causes of data breaches are. 

35. In an analysis of approximately 24,000 security incidents, more than 5,000 of which were confirmed data breaches, nearly three out of four breaches (73%) were attributed to external sources. (Verizon)

36. ​​External actors are consistently more likely to cause data breaches than internal actors, with 80% of breaches being caused by external actors in an analysis by Verizon. (Verizon)

37. In 2022, 82% of breaches involved the human element. Causes included the use of stolen credentials, phishing, misuse, and human error. (Verizon)

38. Over 30% of data breaches in 2022 involved some type of malware. Ransomware was present in almost 70% of those malware breaches. (Verizon)

39. ​​Ransomware accounted for 25% of data breaches in 2022, an almost 13% increase from 2021. (Verizon)

40. 54% of organizations reported experiencing a data breach caused by one of their third parties in the last 12 months. (RiskRecon and Ponemon Institute)

Cybersecurity healthcare statistics 

Healthcare is one of the most targeted industries by threat actors. Take a look at some of the most prevalent threats against this sector below. 

41. In 2022, 89% of the healthcare organizations experienced an average of 43 attacks in the past 12 months, which equates to almost one attack per week. (Proofpoint and Ponemon Institute)

42. Of the four most common types of attacks against healthcare organizations, ransomware is the most likely to have a negative impact on patient care. In 2022, it led to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them. (Proofpoint and Ponemon Institute)

43. 72% of healthcare IT and security practitioners believe their organizations are vulnerable to a ransomware attack, and 60% say this is the type of attack that concerns them the most. (Proofpoint and Ponemon Institute)

44. In 2022, 56% of healthcare organizations reported experiencing one or more cyberattacks in the past 24 months involving IoMT/IoT devices. Among those, 58% averaged 9 or more cyberattacks during that time. (Cynerio and Ponemon Institute)

45. 64% of healthcare organizations are concerned about medical device security, but only 51% include them in their cybersecurity strategy. (Proofpoint and Ponemon Institute)

46. 45% of healthcare organizations that experienced at least one cyberattack in 2022 reported adverse impacts on patient care, and 53% percent of those reported adverse impacts resulting in increased mortality rates. (Cynerio and Ponemon Institute)

47. 53% of healthcare IT and security practitioners said a lack of in-house expertise is a challenge and 46% said they lack sufficient staffing, both of which negatively affect their cybersecurity posture. (Proofpoint and Ponemon Institute)

48. When responding to a cyberattack, lost productivity is the highest cost incurred by health care organizations, averaging $1.1 million. (Proofpoint and Ponemon Institute)

Small business cybersecurity statistics

Small businesses are also a common target for threat actors. Find out about common cybersecurity trends, attitudes, and behaviors for this type of business below. 

49. Small businesses are three times more likely to be targeted by cybercriminals than larger companies. (Barracuda)

50. The cost of cybercrimes to small businesses reached $2.4 billion in 2021. (FBI)

51. 90% of small and medium-sized enterprises (SMEs) that experienced a serious incident said the cyberattack cost them more than they thought it would. (Cowbell)

52. 81% of the SMEs that experienced a cyber incident say they saw a widespread drop in customer trust. (Cowbell)

53.  Businesses with 10 to 49 employees saw a nearly fourfold rise in the average number of cyber attacks in 2022. (Hiscox)

54. Businesses with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1 million to $9 million annually. (Hiscox)

55. Businesses with 10 to 49 employees decreased their cyber security budgets in 2022 by almost half, from $411,000 to $225,000. (Hiscox)

56. Only 55% of SME leaders feel highly confident they’re prepared for a cyberattack. (Cowbell)

57. SMEs with a cybersecurity strategy were nearly 2x more likely to recover quickly from a cyberattack compared to those without a cybersecurity strategy. (Cowbell)

58. Smaller organizations with fewer than 1,000 employees were less likely to report incidents where they were negatively affected by a cyber incident originating from their suppliers, service providers or business partners (25%) than larger organizations with more than 1,000 employees (39%). (World Economic Forum)

Cyber resilience statistics 

Cyber resilience refers to an organization’s ability to anticipate, withstand, recover from, and adapt to attacks and adverse conditions that impact their cyber resources. Read how business leaders are thinking about and building cyber resilience. 

59. 95% of business executives and 93% of cyber executives agree that cyber resilience is integrated into their organization’s enterprise risk-management strategies. (World Economic Forum)

60.  76% of business leaders and 70% of cyber leaders agree that having more effective enforcement of regulatory requirements across their sector would increase their organization’s cyber resilience. (World Economic Forum)

61. 56% of organization leaders are confident that their organization is cyber resilient. (World Economic Forum)

62. 44% of leaders report that their organizations either are not cyber resilient or that they are concerned about their organization’s ability to be cyber resilient. (World Economic Forum)

63. 54 % of business and 61% of cyber leaders believe their third-party organizations are slightly or far less resilient than their own organizations. (World Economic Forum)

64. Small to medium-sized enterprises were more likely to consider their third parties to be equal in their cyber-resilience capabilities (38%) than larger organizations (23%). (World Economic Forum)

Cybersecurity awareness statistics 

Knowing what risks you and your organization face and acting responsibly to avoid them can help improve cyber resilience. Take a look at the cybersecurity awareness statistics below to see how individuals and organizations are thinking about cybersecurity and taking action. 

66. More than 39% of organization leaders agree that “cybersecurity is a key business enabler.” (World Economic Forum)

67. More than half (56%) of cyber leaders meet with business leaders monthly, or more frequently, to discuss cyber-focused topics. (World Economic Forum)

68. 69% of organizations say the top executives have a clear view of how cyber security is being managed. (Hiscox)

69. 65% percent of IT professionals said that their cybersecurity awareness training programs need expansion. (ThriveDX)

70. When asked how they had responded to cyber attacks, 39% of experts said they stepped-up employee training (39%). (Hiscox)

71. In 2022, 97% of organizations reported implementing some type of cybersecurity awareness training measures this past year. (ThriveDX)

72. As a result of employee awareness efforts, 19% of organizations reported better awareness and 14% greater vigilance. (ThriveDX)

How to protect against cyber attacks

Below are best practices that can help you protect your organization against cyber attacks. 

1. Meet security and compliance standards and regulations

Adhering to regulatory guidelines and industry standards like SOC 2 and HIPAA can not only help you avoid fines and penalties — it can also help you establish strong internal security controls and sustainable security processes that reduce the likelihood of cyber attacks.

Compliance activities, like risk assessments and security awareness training for example, help keep organizations aware of critical business risks, identify redundancies in their software and procedures, and ensure their staff is properly trained to protect sensitive information. 

2. Identify and prioritize risks

There are many methods for identifying and prioritizing risks. One of the most popular is developing key risk indicators (KRIs).

KRIs are a way to proactively track the most important types of risks that could put your business’s primary objectives and priorities in jeopardy. By establishing KRIs and setting tolerance values to track against each risk, KRIs can serve as early warning signs of upcoming crises and provide your organization enough time to mitigate that risk’s potential impact or prevent it from occurring. 

Another popular method is using a risk matrix. To create a risk matrix, you have to compare the likelihood of a potential risk against the impact that your business would face if that risk occurs. For example, a high-priority risk would be an incoming hurricane that’s expected to cause power outages and disrupt business operations.

No matter what method you choose, prioritizing the risks that pose the greatest threat to your organization can enable you to focus your team’s time and resources to minimize their impact.

3. Create a risk management plan 

Once you’ve identified the biggest risks facing your business, you can create a plan for how to manage them. 

A risk management plan should document your organization’s process for regularly identifying, analyzing, and mitigating risks. It should also list clear roles and responsibilities for team members to track potential risks and address them if they were to happen.  

4. Educate employees

People continue to be one of the greatest threats against an organization. Effectively training your workforce on security and privacy best practices can help reduce the likelihood of security incidents caused by human error.

Ideally, your workforce training program will include interactive training methods such as quizzes, demonstrations, and staging physical security situations. It should also include training for all new employees during onboarding and continuous on-the-job training. 

5. Use continuous monitoring

Continuous monitoring is a cybersecurity practice that involves ongoing surveillance and analysis of an organization's IT infrastructure, systems, and applications to detect potential security threats and vulnerabilities.

This can help you detect threats in real-time, respond to both vulnerabilities and security incidents faster and more efficiently, and maintain compliance with regulatory requirements.

How Secureframe can help your organization’s cybersecurity efforts

Defending your organization from cyber attacks while navigating an increasingly complex threat and compliance landscape is difficult. So don’t do it alone. 

Secureframe can simplify and streamline your cybersecurity efforts. We can help you create risk assessments and plans, manage vendor risk, consolidate audit and risk data and information, and conduct continuous monitoring to look for gaps in controls so you can maintain continuous compliance. We can also make training your workforce on the latest security and privacy best practices easy and automatic. 

Plus, our in-house compliance team can give personalized advice based on your company’s unique risks and industry requirements. 

To learn more about how Secureframe can play an integral part in developing a robust cybersecurity program, request a demo today.