190 Cybersecurity Statistics to Inspire Action This Year [October 2024 Update]

October 23, 2024

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Emily Bonnie, Content Marketing

Global cyber attacks continue to rise in 2024, with the average number of cyber attacks per organization per week reaching 1,636 in the second quarter of 2024. This is a 30% year-over-year increase.

As the number of attacks rises, the costs of these attacks rise as well. Cybercrime losses rose to a record high of $12.5 billion in 2023 and are expected to surge to $13.82 trillion by 2028.

Understanding the evolving threat landscape can help you protect your organization from costly attacks and recovery. 

We’ve compiled a list of almost 200 cybersecurity statistics that underscore the importance of a strong risk management program and security posture, particularly for small businesses and the health industry. Read on to learn about cybercrime trends, recent attacks, and evolving threats.

Cybercrime statistics 

Individuals and organizations are increasingly exposed to cybercrime. Take a look at these statistics to get a better sense of the global impact of cybercrime. 

1. An international team of researchers compiled the first ever ‘World Cybercrime Index’ in 2024, which ranks the most significant sources of cybercrime at a national level. Russia tops the list, followed by Ukraine, China, the USA, Nigeria, and Romania. (University of Oxford)

2. In 2023, the United States Internet Crime Complaint Center (IC3) received 880,418 complaints, a record number of complaints from the American public and a nearly 10% increase in complaints received compared to 2022. (FBI)

3. The complaints registered with the IC3 in 2023 had potential losses exceeding $12.5 billion. This represents a 22% increase in losses suffered compared to 2022. (FBI)

4. Investment fraud made up roughly 37% of all money lost in reported complaints in 2023, amounting to $4.57 billion. (Statista)

5. Personal data breaches were another fraud vector associated with significant losses in 2023, amounting to $744 million. (Statista)

6. The most common type of cyber crime reported to IC3 in 2023 was phishing and spoofing, affecting approximately 298 thousand individuals. (Statista)

7. Individuals over the age of 60 accounted for the highest number of recorded cyber crime victims in the United States in 2023, with more than 104,068 complaints. The second-most targeted were individuals between 30 and 39 years, with over 88 thousand complaints. (Statista)

8. Global cybercrime is predicted to cost the world over $10 trillion annually by 2025. (Cybersecurity Ventures)

9. If cybercrime were measured as a country, it would be the world’s third-largest economy. (Cybersecurity Ventures)

10. The estimated cost of cybercrime worldwide has increased for eleven consecutive years and is estimated to reach 15.63 trillion U.S. dollars, a new peak, in 2029. (Statista)

11. Cybercrime and other acts of sabotage have cost German companies around 267 billion euros ($298 billion) in the past year, up 29% on the year before. (Reuters)

12. Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of attacks. (Reuters)

Cyber risk statistics

As threat actors become more sophisticated and organizations’ attack surfaces continue to increase, managing cyber risk poses a growing challenge for organizations. Read on to find out how organizations are thinking about cyber risk. 

13. 75% of C-suite executives consider cybersecurity a moderate or serious risk, making it the biggest overall concern among potential business risks. (PwC)

14. Although executives acknowledge the importance of measuring cyber risk, fewer than half do so effectively, with only 15% measuring the financial impact of cyber risks to a significant extent. (PwC)

15. As the complexity of IT environments continues to rise, organizations are integrating a greater number of cybersecurity solutions to manage risk. On average, enterprises already have 53 security solutions in use across their organization. 21% report more than 76 solutions in their cyber stack. (Pentera)

16. Organizations are most concerned with the following cyber threats over the next 12 months:

  • Cloud-related threats (42%)
  • Hack-and-leak operations (38%)
  • Third-party breach (35%)
  • Attacks on connected products (33%)

17. These are also the top cyber threats they feel least prepared to address:

  • Cloud-related threats (34%)
  • Hack-and-leak operations (25%)
  • Third-party breach (28%)
  • Attacks on connected products (31%)

18. 37% of US businesses state that managing third party vendor risk is the biggest data security challenge they currently face. (ISMS.online)

19. Two-thirds (64%) of respondents admit supply chain information security risks are becoming more common. (ISMS.online)

20. The vast majority (79%) of information security professionals we spoke to admit that theoretical risk has translated into at least one material supply chain security incident over the past 12 months. (ISMS.online)

21. Compliance with regulations and industry standards was the second top information security challenge cited by respondents (33%). (ISMS.online)

22. Business continuity (67%) and reputational damage (65%) concern organization leaders more than any other cyber risk. (World Economic Forum)

23. 43% of CISOs who reported a breach reported unplanned downtime as a result, making business continuity the biggest risk of a cyber attack. (Pentera)

24. Partner data (41%) is cited by more of our respondents than any other as being compromised in the past 12 months – highlighting the persistent risks posed by suppliers. (ISMS.online)

25. 73% of organization leaders agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2023. This is a noticeable increase from 39% who agreed with the same statement in 2022. (World Economic Forum)

AI cybersecurity statistics

Artificial intelligence is set to play an increasingly pivotal role in cybersecurity, with the potential to enable cybercriminals to launch increasingly sophisticated attacks and to empower IT and infosec professionals to defend against them. See how AI is already impacting the industry.

26. Roughly half (51%) of security leaders see AI-powered attacks as the most serious threat they are facing, with 35% adding that they are least prepared to tackle these attacks, compared to other threats. (Keeper Security)

27. Organization leaders said that artificial intelligence (AI) and machine learning (20%), greater adoption of cloud technology (19%) and advances in user identity and access management (15%) will have the greatest influence on their cyber risk strategies over the next two years. (World Economic Forum)

28. Just 26% of overall respondents say they adopted new technologies such as AI, machine learning (ML), and blockchain for security over the past year. (ISMS.online)

29. Three-quarters (76%) of security professionals we asked in the US, UK and Australia believe AI and ML technology is improving information security. (ISMS.online)

30. An overwhelming majority of these security professionals (64%) are increasing their budgets to invest in AI and ML security applications over the coming year. (ISMS.online)

31. 25% of security professionals cite that managing and securing emerging technology like AI and ML is a challenge, which may explain the slow adoption rate. (ISMS.online)

32. 13% of respondents are using information security and compliance to boost secure adoption of these new technologies, but this figure is expected to rise as both technology use and regulatory action become more widespread. (ISMS.online)

33. 84% of CIOs and senior IT leaders have started to integrate AI into their tech stack. (Help Net Security)

34. 40% cite that their biggest concern with AI is keeping data secure. (Help Net Security)

35. In a survey of CIOs and senior IT leaders across a variety of vertical markets, one of their top three IT priorities for the second half of 2024 was evaluating and deploying AI across their organization. (Help Net Security)

36. Four in five (81%) implemented AI usage policies for employees, and confidence in these policies is relatively high, with 77% of leaders stating they are either extremely or very familiar with best practices for AI security. (Keeper Security)


Cybersecurity insider threat statistics 

The largest cybersecurity risk for most businesses is people, not technology. Learn about the cost and impact of insider threat and how organizations are responding. 

37. 74% of organizations say they are moderately to extremely vulnerable to insider threats. (Cybersecurity Insiders)

38. 83% of organizations reported insider attacks in 2024, an increase from 60% in 2023. (Gurucul)

39. 74% of organizations say insider attacks have become more frequent. (Cybersecurity Insiders)

40. The number of organizations experiencing six to 10 insider attacks in the year doubled from 13% in 2023 to 25% in 2024. (Gurucul)

41. More than half of organizations have experienced an insider threat in the last year. 8% of organizations have experienced more than 20 in the last year. (Cybersecurity Insiders)

42. 76% of organizations attribute growing business and IT complexity as the main drivers for increased insider risk. (Gurucul)

43. While 76% of organizations have detected increased insider threat activity over the past five years, less than 30% believe they are equipped with the right tools to handle them. (Securonix)

44. 52% of organizations reveal they do not have the tools to confidently handle insider threats today. (Gurucul)

45. 70% of organizations attribute either technical challenges or cost as the primary obstacles preventing them from implementing effective insider threat management. (Gurucul)

46. When cybersecurity professionals were asked to prioritize the most critical effects of insider attacks, the top three answers were:

47. 22% of cybersecurity professionals said non-compliance with regulations was one of the most critical effects of insider threat at their organization. (Cybersecurity Insiders)

48. 68% of cybersecurity professionals are concerned or very concerned about insider risk as their organizations return to the office or transition to hybrid work. (Cybersecurity Insiders)

49. 90% of cybersecurity professionals said it is equally or more challenging to detect and prevent insider attacks compared to external cyber attacks. (Securonix)

50. When asked what type of insider threat they’re most concerned about, 71% of cybersecurity professionals said compromised accounts/machines, followed by inadvertent data breaches/leaks (66%) and negligent data breaches (64%). (Cybersecurity Insiders)

51. 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. (Gartner)

52. 74% of employees say they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective. (Gartner)

53. Over 90% of employees who admitted undertaking a range of unsecure actions during work activities knew that their actions would increase risk to the organization but did so anyway. (Gartner)

54. While 66% of organizations feel vulnerable to insider attacks, 41% of organizations have only partially implemented insider threat programs, pointing to a lack of comprehensive activity monitoring and advanced threat management. (Securonix)

55. Half of medium to large enterprises are expected to adopt formal programs to manage insider risk by 2025, up from 10% today. (Gartner)

56. 39% of organizations already have an insider threat program established. (Cybersecurity Insiders)

57. 46% of organizations are planning on establishing an insider threat program, but the time period ranges. 13% said within the next six months or year, respectively. 15% said within two years and 5% said in more than two years. (Cybersecurity Insiders)

58. 56% of insider-related incidents experienced by organizations in a 12-month study conducted by Ponemon Institute were due to negligence, and the average annual cost to remediate the incident was $6.6 million. (Proofpoint and Ponemon Institute)

59. On average, organizations are spending a total of $15.38 million on activities to resolve insider threats over a 12-month period. (Proofpoint and Ponemon Institute)

60. 53% of cybersecurity professionals say detecting insider attacks has become somewhat to significantly harder in the cloud. (Cybersecurity Insiders)


Cybersecurity attacks statistics 

Cyber attacks continue to dominate headlines. Learn what types of attacks your organization should expect and prepare for. 

61. 91% of business and cyber leaders say they believe a far-reaching and catastrophic cyber event is “at least somewhat likely in the next two years” due to global geopolitical instability. (World Economic Forum)

62. For the fourth year in a row, cyber attacks were reported as the number one cause of outages across organizations. (Veeam)

63. Cyberattacks continue to rise, with 38% of surveyed organizations experiencing an increase compared to the previous year. (ISACA)

64. Half of UK businesses have reported a cyber incident or data breach in the past 12 months. (UK Government)

65. Around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This was even higher for high-income charities with £500,000 or more in annual income (66%). (UK Government)

66. The UK government's annual report, which surveyed 2000 UK businesses and 1004 charities, found that large businesses were most likely to be hit (74%), followed by medium-sized (70%) and small businesses (58%). (UK Government)

67. Over nine in 10 UK businesses (92%) that experienced an attack or breach said they were able to restore their operations within 24 hours of the incident. (UK Government)

68. On average, it's estimated that the single most disruptive breach from the last 12 months cost each UK business, of any size, approximately £1,205. For medium and large businesses, this was approximately £10,830. (UK Government)

69. The risk of extreme losses from cyber incidents is increasing, with the size of these extreme losses more than quadrupling since 2017 to $2.5 billion. Indirect losses like reputational damage or security upgrades are also substantially higher. (International Monetary Fund)

70. The financial sector has suffered more than 20,000 cyber attacks, causing $12 billion in losses, over the past twenty years. (International Monetary Fund)

71. 75% of software supply chains have experienced cyberattacks in the last 12 months. (Blackberry)

72. Almost three-quarters (74 percent) of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach. (Blackberry)

73. The consequences of supply chain attacks are significant, affecting businesses in multiple ways, including:

  • Financial loss (64%)
  • Data loss (59%)
  • Reputational damage (58%)
  • Operational impact (55%). (Blackberry)

74. Slightly more than half of organizations (51 percent) were able to recover from a software supply chain attack within a week. However, nearly 40 percent of companies took a month to recover. (Blackberry)

75. 10% of business leaders and 13% of cyber leaders feel that they are missing critical people and skills needed to respond to and recover from a cyberattack. (World Economic Forum)

76. Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents. (Gartner)

77. 53% of enterprises report decreasing or stagnating IT security budgets for 2024. This is a major departure from the 2023 outlook in which 92% of enterprises projected an increase in their IT security budgets. (Pentera)

78. When asked about how much they spend on their security in 2023, respondents reported an average budget of $1.27M for IT security. (Pentera)

79. More than a third (39%) said financial allocations for securing supply chain and third-party vendor connections are set to increase by up to 25% in the coming year. (ISMS.online)

80. Ransomware attacks hit an all-time high in March 2023, with 459 recorded attacks. This represents a 91% month-over-month increase and a 62% year-over-year increase. (NCC Group)

81. In a 12-month study by Microsoft, 76% of organizations which suffered ransomware attacks lacked an effective response plan, preventing proper organizational crisis readiness and negatively impacting time to respond and recover. (Microsoft Digital Defense Report)

82. In 2023, ransomware incidents continued to be impactful and costly. After a brief downturn in 2022, ransomware incidents were again on the rise with over 2,825 complaints. This represents an increase of 18% from 2022. (FBI)

83. Reported losses from ransomware incidents rose 74%, from $34.3 million to $59.6 million. (FBI)

84. In Q1 2024, the manufacturing sector was most impacted globally by ransomware attacks, accounting for 29% of published attacks and having almost double the amount of reported attacks YoY. (Check Point Research)

85. There were twice the number of ransomware victims in 2023 compared to 2022. (Delinea)

86. 35% of US businesses have experienced a deepfake security incident in the last 12 months, ranking the second most common cybersecurity incident in the country. (ISMS.online)

87. Phishing messages were the cause of most cyber-attacks against UK businesses at 84%. (UK Government)

88. Phishing remains the primary method used by attackers to gain initial access to networks, with over 2.6 billion interactions detected by Comcast Business. (Comcast)

Cybersecurity breaches statistics 

As cyber attacks rise, so does the number of attacks resulting in data being lost or compromised. Find out what the leading causes of data breaches are.

89. In Pentera’s State Of Pentesting 2024 Survey Report, 51% of enterprises reported a breach in the past 24 months. (Pentera)

90. 93% of CISOs who reported a breach cited an impact on the confidentiality, integrity, and/or availability of their IT environment, while only 7% reported no significant impact as a result of the breach. (Pentera)

91. 70% of UK businesses have received fines for data breaches in excess of £100,00 in the last 12 months. (ISMS.online)

92. The proportion of businesses that have experienced a data breach of more than USD $1M has increased significantly, from 27% in 2023 to 36% in 2024. (PwC)

93. As company size increases, so does the average cost of their most damaging breach. Companies with more than $10 billion report breaches of $7.2 million while those companies with less than $1 billion report $1.9 million in damages. (PwC)

94. For US organizations, data breaches are now at an all-time high. The number of reported data breaches rose to a record 3,205 in 2023, up 78% from 2022 and 72% from the previous high-water mark in 2021. (Identity Theft Resource Center)

95. As of 2024, the average cost of a data breach in the United States amounted to 9.36 million U.S. dollars. (Statista)

96. The global average cost per data breach was 4.88 million U.S. dollars in 2024, an increase from 4.45 million U.S. dollars in the previous year. (Statista)

97. In an analysis of approximately 24,000 security incidents, more than 5,000 of which were confirmed data breaches, nearly three out of four breaches (73%) were attributed to external sources. (Verizon)

98. External actors are consistently more likely to cause data breaches than internal actors, with 80% of breaches being caused by external actors in an analysis by Verizon. (Verizon)

99. 54% of organizations reported experiencing a data breach caused by one of their third parties in the last 12 months. (RiskRecon and Ponemon Institute)

Cybersecurity healthcare statistics 

Healthcare is one of the most targeted industries by threat actors. Take a look at some of the most prevalent threats against this sector below. 

100. 92% of US healthcare organizations surveyed experienced at least one cyber attack in the past 12 months, with almost 70% reporting disruption to patient care due to cyber attacks. (Proofpoint and Ponemon Institute)

101. 68% of respondents said their organizations had an attack against their supply chains in the past two years and 82% said it disrupted patient care, an increase from 77% in 2023. (Proofpoint and Ponemon Institute)

102. The global average cost of a damaging cyber-attack was reported to be $4.4 million, while in the healthcare sector that cost was 25% higher at $5.3 million. (PwC)

103. Nearly half (47%) of all healthcare organization respondents reported a data breach of $1M or greater. (PwC)

104. 54% of healthcare IT and security practitioners believe their organizations are vulnerable or highly vulnerable to a ransomware attack. (Proofpoint and Ponemon Institute)

105. 92% of organizations suffered a data loss incident at least twice in the past two years. Around half impacted patient care, and of those, 50% experienced increased mortality rates and 37% saw poorer outcomes due to delays to procedures or tests. (Proofpoint and Ponemon Institute)

106. On average, surveyed organizations experienced 20 data loss and exfiltration incidents in the past two years with employees as the root cause. The top three reasons were:

  • Not following security policies (31%)
  • Accidental data loss (26%)
  • Staff sending sensitive information to unintended recipients (21%). (Proofpoint and Ponemon Institute)

107. Email compromise (37%) and ransomware (34%) were the two most common incident types targeting the healthcare industry in 2023 according to Kroll researchers. (Kroll)

108. 64% of healthcare organizations are concerned about medical device security, but only 51% include them in their cybersecurity strategy. (Proofpoint and Ponemon Institute)

109. 53% of healthcare IT and security practitioners said a lack of in-house expertise is a challenge and 46% said they lack sufficient staffing, both of which negatively affect their cybersecurity posture. (Proofpoint and Ponemon Institute)

110. Healthcare is the most likely industry to self-report as having very mature security. Only 3% of healthcare respondents said that they do not trust their organization’s ability to defend against most cyberattacks. (Kroll)

111. 49% of healthcare respondents rated their overall cybersecurity as very mature, more than any other sector and 16 percentage points higher than the survey average. (Kroll)

112. Despite having above-average confidence, 26% of healthcare businesses rank as having low cyber maturity, and healthcare performs badly in comparison to other sectors that scored highly for self-reported security. This reflects a worrying disconnect between how mature organizations believe they are and how mature they really are. (Kroll)

113. When responding to a cyberattack, lost productivity is the highest cost incurred by health care organizations, averaging $1.1 million. (Proofpoint and Ponemon Institute)

114. When asked about top cybersecurity investment priorities over the next 12 months, 42% of business leaders said ongoing improvements in risk posture based on cyber roadmap. (PwC)

Small business cybersecurity statistics

Small businesses are also a common target for threat actors. Find out about common cybersecurity trends, attitudes, and behaviors for this type of business below. 

115. 60% of small businesses say they are concerned about cybersecurity threats. (U.S. Chamber of Commerce)

116. 27% of small businesses say they are one disaster or threat away from shutting down their business. (U.S. Chamber of Commerce)

117. Roughly 7 in 10 small businesses (69%) are worried about a potential cyberattack on their business – a 16-point increase from 2022 and 31-point jump from June 2020. (Nationwide)

118. Small business owners vastly underestimate the cost of recovery following an attack. While 81% believe an attack on their business would cost less than $5K in damages and recovery costs, the average cyber claim for a small business costs $18,000-21,000. (Nationwide)

119. 90% of small and medium-sized enterprises (SMEs) that experienced a serious incident said the cyberattack cost them more than they thought it would. (Cowbell)

120. Cyber attacks cost US small businesses over $8,000 annually. (Hiscox)

121. While the median cost of cyber attacks for one business in a year has dropped from $10,000 in 2022 to $8,300 in 2023, the median number of attacks has risen from 3 to 4. (Hiscox)

122. US small businesses paid over $16,000 in ransoms over the past 12 months. For businesses who paid ransoms, only half (50%) recovered all their data and half (50%) were forced to rebuild systems. Over a quarter of businesses (27%) who paid ransoms were attacked again and 27% went on to be asked for more money by the attacker. (Hiscox)

123. Small business owners also underestimate the duration of recovery following an attack. 22% believe they’d be back up and running in a month or less, but the time for recovery can be as long as 75 days. (Nationwide)

124. 81% of the SMEs that experienced a cyber incident say they saw a widespread drop in customer trust. (Cowbell)

125. Nearly a quarter (23%) of small business owners report their business has been a victim of a cyberattack and the vast majority say it jeopardized their company finances and had a moderate or major impact on their customers’ trust. (Nationwide)

126. Businesses with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1 million to $9 million annually. (Hiscox)

127. Only 55% of SME leaders feel highly confident they’re prepared for a cyberattack. (Cowbell)

128. Two-thirds of small business owners (66%) are confident in their business’s ability to recover from an attack. (Nationwide)

129. SMEs with a cybersecurity strategy were nearly 2x more likely to recover quickly from a cyberattack compared to those without a cybersecurity strategy. (Cowbell)

130. Small business owners are getting smarter, but so are cybercriminals. Although 63% of small businesses in the US are cyber intermediates and 4% are cyber experts when it comes to defending against and avoiding cyber incidents, almost half (41%) have experienced a cyber attack during the past year. (Hiscox)

131. Smaller organizations with fewer than 1,000 employees were less likely to report incidents where they were negatively affected by a cyber incident originating from their suppliers, service providers or business partners (25%) than larger organizations with more than 1,000 employees (39%). (World Economic Forum)

132. 41% of small businesses surveyed do not use data backup recovery and restoration systems. (Hiscox)

133. Half of the smallest organizations by revenue say they either do not have or are unsure as to whether they have the skills they need to meet their cyber objectives. (World Economic Forum)

Cybersecurity job statistics

The industry is currently facing a global talent shortage, which is adding stress to cybersecurity professionals and preventing them from being effective and reducing the risk of a cyberattack. Read how the cybersecurity workforce is being impacted.

134. 66% of cybersecurity professionals indicate that their roles are significantly or slightly more stressful than five years ago. (ISACA)

135. 81% of cybersecurity professionals attribute the higher stress to an increasingly complex threat environment. (ISACA)

136. By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors. (Gartner)

137. 57% of organizations report being understaffed, further exacerbating the burden on existing personnel. (ISACA)

138. Though the majority of organizations say their cybersecurity teams are understaffed, hiring has slightly slowed, with 38% of organizations having no open positions, compared to 35% last year. (ISACA)

139. 46% of organizations have non-entry level cybersecurity positions open and 18% have entry-level positions open, compared to 50% and 21% respectively last year. (ISACA)

140. Cybersecurity manager positions drop to 51%, their lowest level ever reported for the State of Cybersecurity Survey. (ISACA)

141. The aging workforce is also a growing issue. For the first time in the 10 years of this annual survey, the largest percentage of respondents are between the ages of 45 and 54 (34%), overtaking respondents between the ages of 35 and 44 (30%). (ISACA)

142. Unfilled cyber positions remain high, with 64% of organizations reporting vacancies at various levels. (ISACA)

143. Filling cyber positions takes considerable time, with 37% of organizations needing 3-6 months to fill entry-level roles and 38% taking the same amount of time for non-entry-level positions. (ISACA)

144. The most significant skills gaps are "soft skills" and "cloud computing," cited by 51% and 42% of respondents, respectively. (ISACA)

145. For the more than half of survey respondents (55%) that reported having difficulties retaining qualified cyber candidates, the main reasons for leaving included:

  • being recruited by other companies (50%)
  • poor financial incentives (50%)
  • limited promotion and development opportunities (46%)
  • high work stress levels (46%). (ISACA)

Cyber resilience statistics 

Cyber resilience refers to an organization’s ability to anticipate, withstand, recover from, and adapt to attacks and adverse conditions that impact their cyber resources. Read how business leaders are thinking about and building cyber resilience. 

146. The number of organizations that maintain minimum viable cyber resilience is down 30% in 2024. (World Economic Forum)

147. Cyber resilience has risen to the top agenda item for most cyber risk owners (49%), shooting up from 36% last year. (e2e-assure)

148. More than twice as many SMEs as the largest organizations say they lack the cyber resilience to meet their critical operational requirements. (World Economic Forum)

149. 52% of public organizations state that a lack of resources and skills is their biggest challenge when designing for cyber resilience. (World Economic Forum)

150. 32% of business and tech executives said regulatory requirements for operational resilience will have the greatest impact on their organizations’ future revenue growth. (PwC)

151. 95% of business executives and 93% of cyber executives agree that cyber resilience is integrated into their organization’s enterprise risk-management strategies. (World Economic Forum)

152. More than one-third of companies haven’t instituted risk management efforts, and only one-in-four have made cyber-resilience improvements in 2024. (PwC)

153. 76% of business leaders and 70% of cyber leaders agree that having more effective enforcement of regulatory requirements across their sector would increase their organization’s cyber resilience. (World Economic Forum)

154. Nearly half (42%) of the businesses that fell victim to cyber attacks in 2023 implemented additional cybersecurity and audit requirements because of the attacks they faced. (Hiscox)

155. 56% of organization leaders are confident that their organization is cyber resilient. (World Economic Forum)

156. Almost 4 in 5 (78%) IT and security decision-makers said they have confidence in their company’s cyber resilience strategy and its ability to address today’s escalating cyber challenges and threats. (Cohesity)

157. Organizations are likely overestimating their cyber resilience capabilities and maturity, leading to significant business continuity disruptions. When asked what their organization’s ‘targeted optimum recovery time objectives (RTO) to minimize business impact in the event of a cyberattack or incident of compromise’ was, 98% of respondents said their target was within one day, despite only 2% saying they could recover data and restore business processes within this same period. (Cohesity)

158. 44% of leaders report that their organizations either are not cyber resilient or that they are concerned about their organization’s ability to be cyber resilient. (World Economic Forum)

159. 54% of business and 61% of cyber leaders believe their third-party organizations are slightly or far less resilient than their own organizations. (World Economic Forum)

160. Small to medium-sized enterprises were more likely to consider their third parties to be equal in their cyber-resilience capabilities (38%) than larger organizations (23%). (World Economic Forum)

161. 71% of manufacturing and 69% of transportation respondents report cyber resilience as the primary responsibility of cybersecurity teams, not an enterprise-wide priority. (LevelBlue)

162. Digital transformation proves to be an ongoing barrier to cybersecurity resilience for manufacturing (73%) and transportation (70%) organizations, with both industries struggling to find the external guidance they need. (LevelBlue)

163. 67% of manufacturing and transportation respondents indicate that cybersecurity resilience initiatives are not sufficiently factored into the organization’s budget. In fact, 78% of manufacturing organizations and 73% of transportation organizations report budgets are reactive rather than proactive. (LevelBlue)

164. A third of all cyber leaders still ranked gaining leadership support as the most challenging aspect of managing cyber resilience. (World Economic Forum)

165. Leading organizations more strongly agree that greater digital resilience leads to more innovation (41%), less business disruption (39%), and avoiding compliance penalties (39%). (Splunk)

Cybersecurity awareness statistics 

Knowing what risks you and your organization face and acting responsibly to avoid them can help improve cyber resilience. Take a look at the cybersecurity awareness statistics below to see how individuals and organizations are thinking about cybersecurity and taking action. 

167. Security awareness is often perceived by organizations as a part-time task, with 70% of security awareness practitioners disclosing that they dedicated half or less of their working time to it in 2023. (SANS Institute)

168. Only 14% of security awareness practitioners said that they dedicate 90% or more of their working time to security awareness. (SANS Institute)

169. 75% of respondents said they did have a security awareness budget. However, only 25% knew what their budget was. (SANS Institute)

170. More than 39% of organization leaders agree that “cybersecurity is a key business enabler.” (World Economic Forum)

171. More than half (56%) of cyber leaders meet with business leaders monthly, or more frequently, to discuss cyber-focused topics. (World Economic Forum)

172. 69% of organizations say the top executives have a clear view of how cyber security is being managed. (Hiscox)

173. 66% of manufacturing and transportation respondents believe cybersecurity is an afterthought in their organizations, with another 65% of manufacturing and 56% of transportation respondents confirming efforts are often siloed.

174. Only 48% of manufacturing and 53% of transportation executives say cybersecurity is included in broader corporate strategy discussions. (LevelBlue)

175. 59% of small businesses surveyed don’t use security awareness training. (Hiscox)

176. 65% of IT professionals said that their cybersecurity awareness training programs need expansion. (ThriveDX)

178. When asked how they had responded to cyber attacks, 39% of experts said they stepped up employee training. (Hiscox)

179. When employees were questioned about the potential consequences of falling victim to a cyber attack, over half (59%) indicated that they would either receive training and face disciplinary action if they caused another breach (32%) or be required to attend mandatory training (27%). (e2e-assure)

180. Less than a quarter (24%) of employees described themselves as ‘very engaged’ in the training process. (e2e-assure)

181. 76% of workers said concerns about their personal online safety would likely engage them with training, as would training that was more clearly communicated (75%) or that involved real-life scenarios workers could apply (also 75%). (e2e-assure)

182. Training that takes place online at a pre-arranged time that is suitable for the worker is also popular (72%). (e2e-assure)

183. Workers would also be more likely to engage if training was short but regular (53%) over long but less regular (23%). (e2e-assure)

184. 40% of ‘resilient’ respondents (surveyed CISOs and cyber security decision makers who described themselves as resilient) have invested in training, versus 22% ‘not resilient.’ (e2e-assure)

185. 38% of ‘resilient’ respondents provide clear communication and policies, versus 22% ‘not resilient.’ (e2e-assure)

186. The majority (73%) of cyber risk owners agree that most cyber attacks come from a lack of employee diligence. (e2e-assure)

187. As a result of employee awareness efforts, 19% of organizations reported better awareness and 14% greater vigilance. (ThriveDX)

188. 45% of organizations are focusing on enhancing their training programs to better prepare employees for the evolving threat landscape. (Keeper Security)

189. The most mature security awareness programs on average have at least 4.18 Full Time Employees (FTEs) dedicated to or helping manage the program. (SANS Institute)

190. 89% of respondents highlight social engineering attacks as their primary, human-related concern. (SANS Institute)

How to protect against cyber attacks

Below are best practices that can help you protect your organization against cyber attacks. 

1. Meet security and compliance standards and regulations

Adhering to regulatory guidelines and industry standards like SOC 2 and HIPAA can not only help you avoid fines and penalties — it can also help you establish strong internal security controls and sustainable security processes that reduce the likelihood of cyber attacks.

Compliance activities, such as risk assessments and security awareness training, help keep organizations aware of critical business risks, identify redundancies in their software and procedures, and ensure their staff is properly trained to protect sensitive information.

2. Identify and prioritize risks

There are many methods for identifying and prioritizing risks. One of the most popular is developing key risk indicators (KRIs).

KRIs are a way to proactively track the most important types of risks that could put your business’s primary objectives and priorities in jeopardy. By establishing KRIs and setting tolerance values to track against each risk, KRIs can serve as early warning signs of upcoming crises and provide your organization enough time to mitigate that risk’s potential impact or prevent it from occurring. You can use our free template to get started.

Another popular method is using a risk matrix. To create a risk matrix, you have to compare the likelihood of a potential risk against the impact that your business would face if that risk occurs. For example, a high-priority risk would be an incoming hurricane that’s expected to cause power outages and disrupt business operations.

No matter what method you choose, prioritizing the risks that pose the greatest threat to your organization can enable you to focus your team’s time and resources to minimize their impact.

3. Create a risk management plan 

Once you’ve identified the biggest risks facing your business, you can create a plan for how to manage them. 

A risk management plan should document your organization’s process for regularly identifying, analyzing, and mitigating risks. It should also list clear roles and responsibilities for team members to track potential risks and address them if they were to happen.  

4. Educate employees

People continue to be one of the greatest threats against an organization. Effectively training your workforce on security and privacy best practices can help reduce the likelihood of security incidents caused by human error.

Ideally, your workforce training program will include interactive training methods such as quizzes, demonstrations, and staging physical security situations. It should also include training for all new employees during onboarding and continuous on-the-job training. 

5. Develop and maintain an information security policy

Policies can also help ensure employees understand and follow security and privacy best practices to protect your organization. Your organization will likely have dozens, including an access control policy, vendor management policy, and more. One of the most important is an information security policy.

An information security policy is a set of rules and guidelines that define how an organization manages and protects its information assets, including its data, systems, and networks. It outlines the objectives, goals, and responsibilities for safeguarding information against unauthorized access, use, disclosure, disruption, modification, or destruction.

It should be distributed to employees for review and updated at least annually to keep up with your organization’s business environment, technologies, and regulatory requirements as they change. 

6. Develop and maintain an incident response and disaster recovery plan

Incident response and disaster recovery plans are other important policies that can help enhance your organization’s information security capabilities and promote a culture of security. An incident response plan can help you respond to security incidents faster and minimize their impact and costs, while a disaster recovery plan can help you recover and restore critical systems, operations, and data to ensure your organization returns to full functionality after an incident.

Like an information security policy, these should be distributed to employees for review and updated at least annually.

7. Use continuous monitoring

Continuous monitoring is a cybersecurity practice that involves ongoing surveillance and analysis of an organization's IT infrastructure, systems, and applications to detect potential security threats and vulnerabilities.

This can help you detect threats in real time, respond to both vulnerabilities and security incidents faster and more efficiently, and maintain compliance with regulatory requirements.

How Secureframe can help your organization’s cybersecurity efforts

Defending your organization from cyber attacks while navigating an increasingly complex threat and compliance landscape is difficult — so don’t do it alone. 

Secureframe can simplify and streamline your cybersecurity efforts. We can help you automate risk assessments, reduce your third-party risk, simplify policy management, speed up cloud remediation, and conduct continuous monitoring to look for gaps in controls so you can maintain continuous compliance. We can also make training your workforce on the latest security and privacy best practices easy and automatic. 

Plus, our in-house compliance team can give personalized advice based on your company’s unique risks and industry requirements to keep you secure and compliant, even as you scale.

When asked how Secureframe helped them improve, 81% of UserEvidence survey respondents say they reduced the risk of data breaches, with 39% saying they cut that risk by at least half.

To learn more about how Secureframe can help you develop a robust cybersecurity program and reduce the risk of cyber attacks, request a demo today.

About the UserEvidence Survey

The data about Secureframe users was obtained through an online survey conducted by UserEvidence in February 2024. The survey included responses from 44 Secureframe users (the majority of whom were manager-level or above) across the information technology, consumer discretionary, industrials, financial, and healthcare industries.

FAQs

What are the statistics for cyber security in 2023?

The average cost of a data breach reached an all-time high in 2023 of USD 4.45 million, which represents a 2.3% increase from 2022. In 2023, 52% of all breaches involved some form of customer personally identifiable information (PII), such as names and Social Security numbers, making customer PII the most commonly breached record type for the third year in a row. These are just a few statistics that represent the cybersecurity landscape in 2023. You can find more here.

What is 90% of cyber incidents?

According to a few studies, approximately 90% of cyber incidents are due to human error. For example, CybSafe analysis of data from the UK’s Information Commissioner’s Office (ICO) found that 90% of data breaches were caused by user error in 2019. The World Economic Forum's 2022 Global Risks Report stated that 95% of cybersecurity incidents occur due to human error.

What do 80% of cyber attacks involve?

According to a few studies, approximately 80% of cyber attacks involve weak or stolen passwords. For example, according to the 2021 Password Security Report by LastPass, more than 80% of breaches were caused by weak, reused, or stolen passwords.