Cybersecurity Kit to prepare for evolving cyber threats in 2026

Today, an organization experiences about 1,900 cyber attacks per week, according to the latest data from Check Point Research—continuing the upward year-over-year trend seen over the past several years.

The consequences of these attacks are also becoming more severe, with rising cybercrime costs, data loss, and operational disruptions worsening due to increasing supply chain connectedness, geopolitical tensions, and AI use, among other factors.  

Understanding this rapidly evolving landscape is critical to defending against costly attacks and recovering quickly. 

Drawing from the latest research from the Pew Research Center, FBI, Ponemon Institute, Verizon, IBM, and others, this post compiles over 200 of the most current and trusted cybersecurity statistics to help organizations—from small businesses to health care organizations and more—gain a complete picture of today’s threat environment and its implications for their security strategy in 2026. 

Key findings

• Cybercrime losses are projected to hit $15.63 trillion by 2029, up from $10.5 trillion in 2025.
• 71% of chief risk officers expect severe operational disruption in the year ahead due to cyber risks.
• The United States was the most targeted country in 2025, accounting for 24.8% of cyber attacks analyzed by Microsoft.
• Nearly all (98%) security professionals say they have adopted new technologies like AI in the past 12 months or are planning to do so in the next 12.
• Third-party involvement in breaches doubled to 30%, underscoring growing supply chain risk.
• Exploitation of vulnerabilities surged 34%, with zero-days hammering perimeter devices and VPNs.
• Ransomware appeared in 44% of breaches (up 37% year over year), even as median ransom payments fell.
• Data exfiltration was observed in 80% of attacks, confirming data theft as the primary objective for cyber attacks.
• 100% of companies now have AI-generated code, yet 81% of security teams lack visibility into how AI is used across the software development cycle, indicating a looming shadow AI crisis.
• The average annual cost of insider incidents reached $17.4M per organization, with non-malicious insiders driving most events.

With ransomware, supply chain, and insider attacks on the rise and cybercrime losses projected to hit $15.6 trillion by 2029, awareness isn’t optional—it’s your first line of defense. Download our Cybersecurity Awareness Kit to train your team, reduce human error, and strengthen your organization’s resilience before attackers strike.

Cybercrime statistics 

Individuals and organizations are increasingly exposed to cybercrime. Take a look at these statistics to get a better sense of the global impact of cybercrime. 

1. Cybercrime is predicted to cost the world $10.5 trillion USD in 2025, according to the 2025 Official Cybercrime Report. (Cybersecurity Ventures, 2025)

2. If cybercrime were measured as a country, it would be the world’s third-largest economy after the United States and China. (Cybersecurity Ventures, 2025)

3. Cybersecurity Ventures anticipates cybercrime’s explosive growth will begin to level off to 2.5% annually through 2031, when global losses are projected to reach $12.2 trillion per year. (Cybersecurity Ventures, 2025)

4. Because the cost of global cybercrime has risen for 11 consecutive years, Statista projects losses could climb even higher—reaching $15.63 trillion by 2029, surpassing estimates from Cybersecurity Ventures. (Statista, 2025)

5. The first ever “World Cybercrime Index,” compiled by an international team of researchers, ranks Russia, Ukraine, China, the USA, and Nigeria as the top 5 sources of cybercrime at a national level. (University of Oxford, 2024)

6. Russian-speaking cybercriminals dominate the global ransomware industry, with an estimated 75% of ransomware revenue going to actors linked to the Russian-language underground. (Global Initiative, 2025)

7. Roughly three-quarters of US adults have been a victim of an online scam or attack. (Pew Research Center, 2025)

8. According to the latest annual report released in April 2025, the United States Internet Crime Complaint Center (IC3) received 859,532 complaints of suspected internet crime with reported losses exceeding $16 billion. (FBI, 2024)

9. Online scams and other cyber crimes are skyrocketing, with a record $16.6 billion—a 33% year-over-year—in losses reported to the FBI. (FBI, 2024)

10. The top three cyber crimes in the US, by number of complaints reported by victims to IC3, were:

• phishing/spoofing
• extortion
• and personal data breaches. (FBI, 2024)

11. Phishing/spoofing was the top cyber crime reported to the IC3, making up 193,407 complaints. This was 23% of all complaints. (FBI, 2024)

12. Victims of investment fraud, specifically those involving cryptocurrency, reported the most losses to IC3—totaling over $6.5 billion. (FBI, 2024)

13. As a group, people over the age of 60 suffered the most losses at nearly $5 billion and submitted the greatest number of complaints to IC3 at 147,127 complaints. This is a 43% increase in losses and 46% increase in the number of complaints year-over-year. (FBI, 2024)

14. UK businesses who were victims of cyber crime experienced an average of 30 cyber crimes of any kind in the last 12 months (UK Government, 2025)

15. In the UK Government's study, the larger the business, the more likely they were to experience cyber crime, with the following reporting they experienced a cyber crime in the last year:

• 18% of micro businesses
• 25% of small businesses
• 43% of medium businesses
• 52% of large businesses. (UK Government, 2025)

16. More than nine-in-ten Americans say online scams and attacks are a problem in the country, with 79% describing them as a major problem. (Pew Research Center, 2025)

17. Americans most commonly report that online hackers made fraudulent charges on their credit or debit card—with about half of U.S. adults (48%) reporting this has happened to them.  (Pew Research Center, 2025)

18. Bitkom’s annual Economic Protection Study shows that the number of attacks on the German economy has continued to rise, with 87% of companies affected by data theft, espionage or sabotage in the past twelve months, compared to 81% in the previous year.

19. Cybercrime and other acts of sabotage have cost German companies 289 billion euros (approximately $354.99 billion) in the past year, up 8% from the year before. (Bitkom, 2025)

20. Nine in 10 Americans fear AI cybercrime, but have weak security habits. Over 90% of respondents employ only a handful of recommended identity protection practices. (Intelligent CISO, 2025)

Cyber risk statistics

As threat actors become more sophisticated and organizations’ attack surfaces continue to increase, managing cyber risk poses a growing challenge for organizations. Read on to find out how organizations are thinking about cyber risk. 

21. 71% of chief risk officers expect severe organizational disruptions in the year ahead due to cyber risks and criminal activity. (World Economic Forum, 2025) 

22. 60% of business and tech leaders rank cyber risk investment in their top three strategic priorities in response to ongoing geopolitical uncertainty. (PwC, 2026)

23. Given the current geopolitical landscape, roughly half say their organisation is at best only ‘somewhat capable’ of withstanding cyber attacks targeting specific vulnerabilities. Only 6% feel confident across all vulnerabilities surveyed. (PwC, 2026)

24. One in three CEOs cite cyber espionage and loss of sensitive information/intellectual property (IP) theft as the top cyber risk. (World Economic Forum, 2025) 

25. For CISOs, disruption of operations is the top cyber risk they’re concerned about—reported by 45%. (World Economic Forum, 2025) 

26. 72% of leaders report an increase in organizational cyber risks, with ransomware remaining a top concern. (World Economic Forum, 2025) 

27. Cyber-enabled fraud ranks as the second-highest organizational cyber risk for 2025, viewed by CEOs as a significant threat alongside ransomware and supply chain disruptions. (World Economic Forum, 2025) 

28. 41% of leaders state that managing third party vendor risk is one of the biggest information security challenges they currently face—up 4% from last year. (ISMS.online, 2025)

29. Over a fifth (23%) of respondents see supply chain risk as their biggest concern for the year ahead. (ISMS.online, 2025)

30. 60% claim supply chain risks have already become “innumerable and unmanageable.”  (ISMS.online, 2025)

31. 61% of information security professionals said their business has been impacted by a security incident caused by a third-party vendor in the past year. (ISMS.online, 2025)

32. In 2025, 37% of organizations identified compliance with regulations and industry standards as an information security challenge, ranking eighth overall—compared to 2024, when it was cited by 33% of respondents and ranked second overall. (ISMS.online, 2025)

33. Business continuity (67%) and reputational damage (65%) concern organization leaders more than any other cyber risk.  (World Economic Forum, 2025) 

34. 78% of organization leaders agree that cyber and privacy regulations are effective in reducing their organizations’ cyber risks in 2025, up from 74% in 2023. (World Economic Forum, 2025) 

35. The United States remained the most targeted country for cyber threats in 2025, accounting for nearly one in four (24.8%) Microsoft customer impacts worldwide—far surpassing the second most affected country, the United Kingdom (5.6%). (Microsoft, 2025)

36. 97% of organizations plan to unify their application security stack in the next year to combat tool sprawl and manage AI-driven risk. (Cycode, 2026)

Cybersecurity insider threat statistics 

The largest cybersecurity risk for most businesses is people, not technology. Learn about the cost and impact of insider threat and how organizations are responding. 

49. 60% of organizations are highly concerned about employees misusing AI tools, intentionally or unintentionally, to enable or amplify insider threats. (Cogility and Cybersecurity Insiders, 2025)

50. Organizations are most concerned about the these five AI-facilitated insider risks:

• AI-driven phishing and social engineering (69%)
• Automated data exfiltration (61%)
• AI-augmented credential abuse (53%)
• AI-generated malware (46%)
• AI-driven policy & access bypass (40%). (Cogility and Cybersecurity Insiders, 2025)

51. 77% of organizations experienced insider-driven data loss in the past 18 months. (Fortinet, 2025)

52. 21% reported more than 20 insider threat incidents in the past 18 months. (Fortinet, 2025)

53. 41% of respondents reported that their most serious insider incident cost between $1 million and $10 million, while another 9% reported losses even higher. (Fortinet, 2025)

54. There were 7,868 insider incidents in 2025, an increase of 7% year-over-year. (Ponemon Institute, 2025)

55. In 2025, organizations experienced an average of 13 insider events that cost an average of $676,000 per incident. (Ponemon Institute, 2025)

56. Non-malicious insiders were responsible for the overwhelming majority (75%) of insider incidents in 2025, including negligent or mistaken employees (55%) and individuals exploited by external actors (20%). (Ponemon Institute, 2025)

57. Most insider incidents are unintentional: in 2025, 62% were caused by negligent or compromised users and only 16% involved confirmed malicious intent. (Fortinet, 2025)

58. Customer records (53%) and personally identifiable information (47%) were the most common data types involved in significant insider incidents in 2025.  (Fortinet, 2025)

59. 73% of security professionals are most concerned about careless, negligent, or uninformed employees as the leading insider threat risk. (Fortinet, 2025)

60. The top 3 insider threat concerns identified by security professionals in 2025 are:

• Careless, negligent, or uninformed employees (73%)
• Employees handling sensitive data such as PII, PHI, or PCI (62%)
• Departing employees posing data exfiltration risks (55%). (Fortinet, 2025)

61. Remote and hybrid workforces were cited by 75% of security leaders as the top emerging risk expected to amplify insider threats over the next 3–5 years. (Cogility and Cybersecurity Insiders, 2025)

62. AI and automation (69%) and cloud-based collaboration (66%) ranked second and third, respectively, as major drivers increasing insider threat risk. (Cogility and Cybersecurity Insiders, 2025)

63. More than half of respondents (53%) expect advanced social engineering techniques—including phishing and pretexting—to further escalate insider-driven incidents. (Cogility and Cybersecurity Insiders, 2025)

64. The most common business drivers for building insider risk programs include regulatory compliance (53%), the remote and hybrid workforce (46%), and board or customer requirements (42% and 40%). (Ponemon Institute, 2025)

65. Nearly all security leaders (93%) say insider threats are as difficult or harder to detect than external cyberattacks. (Cogility and Cybersecurity Insiders, 2025)

66. Only 23% express strong confidence in stopping insider threats before serious damage occurs. (Cogility and Cybersecurity Insiders, 2025)

67. A significant majority (77%) of organizations lack confidence in their ability to detect and mitigate insider threats, reporting they’re only somewhat, not very, or not confident at all. (Cogility and Cybersecurity Insiders, 2025)

68. Only 27% of organizations have a detailed insider threat response plan. (Cogility and Cybersecurity Insiders, 2025)

69. 69% rely on informal approaches or have no plan at all, leaving most organizations unprepared for insider threats. (Cogility and Cybersecurity Insiders, 2025)

70. Nearly three-quarters (72%) of security leaders admit they lack full visibility into how insiders interact with sensitive data across endpoints, SaaS applications, and GenAI tools—indicating a lack of maturity in insider risk programs. (Fortinet, 2025)

71. 56% are very concerned about sensitive data being shared with tools like ChatGPT, but only 12% feel fully prepared to respond to it. (Fortinet, 2025)

72. 81% of organizations now have or plan to implement an insider risk management program, reflecting growing recognition of insider threats as a critical component of cybersecurity strategy. (Ponemon Institute, 2025)

73. Insider risk programs are maturing, but confidence in tools is low, according to new research from Fortinet. While 64% of organizations claim to have a formal data protection program, 51% report fragmented tool integration. (Fortinet, 2025)

74. 76% of organizations attribute growing business and IT complexity as the main drivers for increased insider risk. (Gurucul and Cybersecurity Insiders, 2024)

75. The #1 barrier preventing organizations from advancing their insider threat management programs is a lack of adequate tools and technologies, cited by 71% of respondents. (Cogility and Cybersecurity Insiders, 2025)

76. Insufficient budgets (69%) and privacy concerns (58%) are cited as the other top barriers preventing organizations from improving their insider threat management programs. (Cogility and Cybersecurity Insiders, 2025)

77. 72% of organizations say their budgets for insider risk or data protection are increasing, and 27% report significant growth over the past year. (Fortinet, 2025)

78. Organizations using AI to detect and prevent insider risks (54%) reported faster investigations, with 70% citing reduced response times as a key benefit. (Ponemon Institute, 2025)

Cybersecurity attacks statistics 

Cyber attacks continue to dominate headlines. Learn what types of attacks your organization should expect and prepare for. 

79. For the fourth year in a row, cyber incidents, including data breaches, ransomware attacks, and IT outages, have been ranked as the top business risk. (Allianz, 2025)

80. Business interruption—often a direct result of cyber attacks and other major disruptions—retained its second-place ranking, with 31% of respondents identifying it as a critical challenge. (Allianz, 2025)

81. Data exfiltration was observed in 80% of attacks in the past year, confirming that accessing and stealing organizational data has become the primary objective for most adversaries, regardless of motivation. (Microsoft, 2025)

82. More than half of cyberattacks with known motives had financial objectives such as extortion or ransom, while only 4% were motivated solely by espionage. (Microsoft, 2025)

83. 7 in 10 organizations were hit by a ransomware attack in the past year. (Veeam, 2025)

84. Of the organizations that suffered a ransomware attack in the past year, only 10% were able to recover more than 90% of their data. (Veeam, 2025)

85. Adversaries have dramatically improved their speed and efficiency, with an average “breakout time”—the time before attackers begin moving laterally within a network—of just 48 minutes. The fastest breakout time was only 51 seconds. (Crowdstrike, 2025)

86. Voice phishing (vishing) skyrocketed by 442% between the first and second halves of 2024. (Crowdstrike, 2025)

87. Around a third of surveyed company employees (32.3%) stated that their credentials were compromised through a phishing attack, making it the leading consequence of cybersecurity incidents worldwide. (Statista, 2025)

88. Government agencies (17%) and information technology (17%) were the most impacted sectors by cyber attacks this year. (Microsoft, 2025)

89. Most cyber attacks in 2025 were concentrated in particular countries, including:

• The United States (24.8%)
• The United Kingdom (5.6%)
• Israel (3.5%)
• Germany (3.3%)
• Ukraine (2.8%). (Microsoft, 2025)

90. 43% of UK businesses reported a cyber incident or data breach in 2025, compared to 50% in 2024. (UK Government, 2025)

91. Around a third of charities (30%) report having experienced some form of cyber security breach or attack in the last 12 months. (UK Government, 2025)

92. The UK government's annual report found that large businesses were most likely to be hit (74%), followed by medium-sized (67%) small businesses (42%), and micro businesses (35%).  (UK Government, 2025)

93. Over nine in 10 UK businesses (92%) that experienced an attack or breach said they were able to restore their operations within 24 hours of the incident. (UK Government, 2025)

94. On average, it's estimated that the single most disruptive breach from the last 12 months cost each UK business, of any size, approximately £1,600, up from £1,205 in last year's report. For medium and large businesses, this was more than double, at approximately £3,350.  (UK Government, 2025)

95. The risk of extreme losses from cyber incidents is increasing, with the size of these extreme losses more than quadrupling since 2017 to $2.5 billion. Indirect losses like reputational damage or security upgrades are also substantially higher. (International Monetary Fund, 2024)

96. The financial sector has suffered more than 20,000 cyber attacks, causing $12 billion in losses, over the past twenty years. (International Monetary Fund, 2024)

97. Nearly one-third of cyber attacks exploit basic weaknesses in an organization’s external perimeter, targeting web-facing assets (18%), remote services (12%), and even supply chain connections (3%) as entry points. (Microsoft, 2025)

98. 75% of software supply chains have experienced cyberattacks in the last 12 months. (Blackberry, 2024)

99. Almost three-quarters (74 percent) of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach. (Blackberry, 2024)

100. The consequences of supply chain attacks are significant, affecting businesses in multiple ways, including:

• Financial loss (64%)
• Data loss (59%)
• Reputational damage (58%)
• Operational impact (55%). (Blackberry, 2024)

101. Slightly more than half of organizations (51 percent) were able to recover from a software supply chain attack within a week. However, nearly 40 percent of companies took a month to recover. (Blackberry, 2024)

102. Phishing messages were the cause of most cyber-attacks against UK businesses at 85%. (UK Government, 2025)

103. In the first half of 2025, identity-based attacks rose by 32%. (Microsoft, 2025)

104. More than 97% of identity attacks are password spray or brute force attacks. (Microsoft, 2025)

105. Threat actors are operating faster than ever—nearly 39% of attacks lasted seven days or less, while another 17% extended only slightly longer, between seven and fourteen days.  (Microsoft, 2025)

Cybersecurity breaches statistics 

As cyber attacks rise, so do the number of attacks resulting in data being lost or compromised. Find out what the leading causes of data breaches are. 

106. The average cost of a data breach reached an all-time high of $4.88 million in 2025, a 10% increase from 2023. (IBM, 2025)

107. For managed service providers (MSPs), the most common consequence of cybersecurity incidents is the exposure of sensitive employee data, cited by 45% of respondents. The second most common consequence is the exposure of sensitive customer data, reported by 39% of MSPs. (Statista, 2025)

108. Third-party involvement in breaches doubled to 30% this year, underscoring growing supply chain and partner ecosystem risks. (Verizon, 2025)

109. Exploitation of vulnerabilities surged by 34% year-over-year, with attackers increasingly targeting perimeter devices and VPNs through zero-day exploits. (Verizon, 2025)

110. Credential abuse (22%) and vulnerability exploitation (20%) remain the top initial attack vectors in confirmed breaches. (Verizon, 2025)

111. Ransomware was present in 44% of breaches, a 37% increase from last year. (Verizon, 2025)

112. 36% of businesses have experienced a data breach of more than USD $1M—up from 27% last year. (PwC, 2024)

113. As company size increases, so does the average cost of their most damaging breach. Companies with more than $10 billion report breaches of $7.2 million while those companies with less than $1 billion report $1.9 million in damages.  (PwC, 2024)

114. 60% breaches involved a human element—a percentage that remained roughly the same as last year. (Verizon, 2025)

Healthcare cybersecurity statistics 

Healthcare is one of the most targeted industries by threat actors. Take a look at some of the most prevalent cybersecurity threats against this sector below. 

115. 65% of the 100 largest US hospitals and health systems have had a recent data breach.  (Cybernews, 2025)

116. Healthcare data breaches reached an all-time high in 2024, with 276,775,457 records compromised – a 64.1% increase from the previous year’s record and equivalent to 81.38% of the United States population. (Cybernews, 2025)

117. 79% of the 100 largest US hospitals and health systems scored D or worse for their cybersecurity efforts, according to the data presented by Cybernews Business Digital Index. (Cybernews, 2025)

118. 30% of the 100 largest US hospitals and health systems have critical vulnerabilities. (Cybernews, 2025)

119. 93% of US healthcare organizations surveyed experienced an average of 43 cyber attacks in the past 12 months. (Proofpoint and Ponemon Institute, 2025)

120. Nearly 3 in 4 (72%) healthcare organizations report patient care disruption due to cyberattacks—a 3% increase year-over-year. (Proofpoint and Ponemon Institute, 2025)

121. The global average cost of a damaging cyber-attack was reported to be $4.4 million, while in the healthcare sector that cost was 25% higher at $5.3 million. (PwC, 2024)

122. Nearly half (47%) of all healthcare organization’s respondents reported a data breach of $1M or greater. (PwC, 2024)

123. The average total cost for the most expensive cyberattack experienced by healthcare organizations was $3.9 million in 2025, down from $4.7 million in 2024. (Proofpoint and Ponemon Institute, 2025)

124. 96% of organizations experienced at least two data loss or exfiltration incidents involving sensitive healthcare data over the past two years. (Proofpoint and Ponemon Institute, 2025)

125. On average, surveyed organizations experienced 18 data loss and exfiltration incidents in the past two years and 55% say it impacted patient care. (Proofpoint and Ponemon Institute, 2025)

126. The top three causes of data loss or exfiltration incidents were:

• Employees not following security policies (35%)
• Privilege access abuse (25%)
• Staff sending sensitive information to unintended recipients (25%). (Proofpoint and Ponemon Institute, 2025)

127. 43% of healthcare IT and security practitioners said a lack of in-house expertise is a challenge and 40% said they lack clear leadership, both of which negatively affect their cybersecurity posture. (Proofpoint and Ponemon Institute, 2025)

128. Healthcare is the most likely industry to self-report as having very mature security. Only 3% of healthcare respondents said that they do not trust their organization’s ability to defend against most cyberattacks. (Kroll, 2024)

129. 49% of healthcare respondents rated their overall cybersecurity as very mature, more than any other sector and 16 percentage points higher than the survey average. (Kroll, 2024)

130. Despite having above-average confidence, 26% of healthcare businesses rank as having low cyber maturity, and healthcare performs badly in comparison to other sectors that scored highly for self-reported security. This reflects a worrying disconnect between how mature organizations believe they are and how mature they really are. (Kroll, 2024)

131. Operational disruptions from system availability issues remain the most expensive consequence of a cyberattack, averaging $1.2 million. (Proofpoint and Ponemon Institute, 2025)

132. When responding to a cyberattack, lost productivity is the second highest cost incurred by health care organizations, averaging $859,000. (Proofpoint and Ponemon Institute, 2025)

133. 44% of health care organizations experienced an attack against its supply chains, a significant decline from 68% in 2024. (Proofpoint and Ponemon Institute, 2025)

134. Of these organizations, on average they experienced four supply chain attacks in the past two years. (Proofpoint and Ponemon Institute, 2025)

135. Despite this decline, 57% still say their organizations are very or highly vulnerable to supply chain attacks. (Proofpoint and Ponemon Institute, 2025)

Small business cybersecurity statistics

Small businesses are also a common target for threat actors. Find out about common cybersecurity trends, attitudes, and behaviors for this type of business below. 

136. Over 46% of small and medium-sized businesses have experienced a cyber attack. (Mastercard, 2025)

137. A landmark 2024 Small Business Impact Survey had a higher estimate, reporting that over 80% of US small businesses have suffered a data or security breach. (Identity Theft Resource Center, 2024)

138. Nearly one in five SMBs that suffered an attack then filed for bankruptcy or closed their business. (Mastercard, 2025)

139. Following an attack, 80% of SMBs said they had to spend time rebuilding trust with clients and partners. (Mastercard, 2025)

140. 86% of SMBs have conducted an active cybersecurity risk assessment and developed a cyberattack prevention plan.  (Mastercard, 2025)

141. Despite this progress, only 23% of SMBs are very satisfied with their cybersecurity plan.  (Mastercard, 2025)

142. Less than one quarter (23%) of SMBs are very confident in their ability to identify potential threats. (Mastercard, 2025)

143. 73% of small business owners say getting employees to take cybersecurity seriously remains a major challenge.  (Mastercard, 2025)

144. Only 25% of SMB leaders feel very confident in their ability to educate employees on cybersecurity best practices.  (Mastercard, 2025)

145. The average financial losses of organizations with fewer than 500 employees that suffered a data or security breach more than doubled  annually to $500,000. (Identity Theft Resource Center, 2024)

146. 27% of small businesses say they are one disaster or threat away from shutting down their business.  (U.S. Chamber of Commerce, 2024)

147. Small and medium-sized businesses (SMBs) were disproportionately affected by ransomware this year, with ransomware present in 88% of their breaches. (Verizon, 2025)

148. 71% of cyber leaders say small organizations have already reached a critical tipping point where they can no longer effectively secure themselves against the escalating complexity of cyber risks. (World Economic Forum, 2025)

149. Small business owners vastly underestimate the cost of recovery following an attack. While 81% believe an attack on their business would cost less than $5K in damages and recovery costs, the average cyber claim for a small business costs $18,000-21,000. (Nationwide, 2024)

150. Small business owners also underestimate the duration of recovery following an attack. 22% believe they’d be back up and running in a month or less, but the time for recovery can be as long as 75 days. (Nationwide, 2024)

151. 80% of small businesses are taking steps to prevent future breaches, including:

• providing staff training (88%)
• investing in security tools (65%)
• and increasing their security budget (67%). (Identity Theft Resource Center, 2024)

151. Small businesses (73%) are less likely to have adopted new technologies such as artificial intelligence, machine learning or blockchain for security already than their larger peers (81%), but more likely to be planning adoption (21% vs 17%). (ISMS.online, 2025)

152. Nearly half (47%) of SMBs updated their cybersecurity solutions to further protect their business. (Verizon, 2025)

153. More than half of SMBs (52%) acknowledge that business growth likely increases the threat of cyberattacks on their business. 

154. Nearly half of the respondents (47%) invested in technologies to improve cybersecurity in the last year, but a quarter of SMBs don’t believe their business is investing enough.

155. Among small businesses investing in technology and software, 36% said they are prioritizing AI and 27% said cybersecurity software. (U.S. Chamber of Commerce, Q3 2025)

Cyber resilience statistics 

Cyber resilience refers to an organization’s ability to anticipate, withstand, recover from, and adapt to attacks and adverse conditions that impact their cyber resources. Read how business leaders are thinking about and building cyber resilience. 

169. 63% of organizations cited a complex and evolving threat landscape as their greatest challenge to achieving cyber resilience. (World Economic Forum, 2025)

170. 54% of large organizations identified supply chain challenges as their top barrier to strengthening resilience. (World Economic Forum, 2025)

171. For small organizations, the leading obstacles to cyber resilience are: a complex and evolving threat landscape, a shortage of skilled cybersecurity professionals, and a lack of incident response preparedness. (World Economic Forum, 2025)

172. Only 7% of large organizations consider their cyber resilience inadequate, down from 13% in 2022, showing steady improvement among enterprise-level entities.  (World Economic Forum, 2025)

173. Cyber resilience has risen to the top agenda item for most cyber risk owners (49%), shooting up from 36% last year. (e2e-assure, 2025)

174. In contrast, 35% of small organizations view their cyber resilience as inadequate—a sevenfold increase since 2022, when only 5% reported the same. (World Economic Forum, 2025)

175. The public sector remains disproportionately affected, with 38% of respondents reporting insufficient resilience, compared with just 10% of medium-to-large private-sector organizations.  (World Economic Forum, 2025)

176. Confidence in national cyber response capabilities varies widely: only 15% of respondents in Europe and North America expressed concern about their country’s ability to handle major cyber incidents, compared to 36% in Africa and 42% in Latin America.  (World Economic Forum, 2025)

177. Regulation is a key driver of cyber resilience, with 78% of CISOs and 87% of CEOs saying their primary motivation for implementing new cyber regulations is to strengthen security posture and mitigate risk.  (World Economic Forum, 2025)

178. In 62% of high-resilience organizations, board members receive regular updates on cyber incidents, threat trends, vulnerabilities, and risk forecasts—compared to just 29% in low-resilience organizations. (World Economic Forum, 2025)

179. High-resilience organizations encourage incident reporting through multiple measures: 76% provide cyber training and awareness, 62% offer support teams to assist with reporting, and 48% maintain anonymous reporting channels. (World Economic Forum, 2025)

180. 62% of manufacturing executives report their organization’s competence in cyber resilience as very high or high. (LevelBlue, 2025)

181. Despite this estimation of high competency, 37% of manufacturing executives say they have experienced a significantly higher volume of cyber attacks than 12 months ago, and 28% have experienced a breach in the past 12 months. (LevelBlue, 2025)

182. 45% of organizations said that implementing new technologies, processes, or procedures will be their top priority over the next 12 months to strengthen cyber resilience. (LevelBlue, 2025)

183. More than one-third (36%) say they are increasing boardroom engagement in cyber-resilience discussions, making it the second-highest priority for improving cyber resilience in the next 12 months. (LevelBlue, 2025)

184. Fewer executives cited the perception of cyber resilience as solely a cybersecurity issue rather than an organization-wide priority as a barrier this year (31%)—down from 43% the year before. (LevelBlue, 2025)

185. Leading organizations more strongly agree that greater digital resilience leads to more innovation (41%), less business disruption (39%), and avoiding compliance penalties (39%). (Splunk, 2024)

186. While an increasing number of CISOs report feeling a significant impact from AI threats, more than 60% now say that they are adequately prepared to defend against these threats—an increase of nearly 15 percent year-over-year, showing that cyber resilience is growing. (Darktrace, 2025)

187. 83% of SMBs reported improvement in cyber resilience in the past 12 months. (Hiscox, 2025)

188. Almost all SMBs (94%) are expecting to increase cyber security and data protection investments in the next 12 months, updating employee cyber training (70%) and hiring additional staff to increase cyber resilience (60%). (Hiscox, 2025)

Cybersecurity awareness statistics 

Knowing what risks you and your organization face and acting responsibly to avoid them can help improve cyber resilience. Take a look at the cybersecurity awareness statistics below to see how individuals and organizations are thinking about cybersecurity and taking action. 

189. Nearly all SMBs who have experienced an attack (96%) believe better awarenessor understanding of cyber attacks and procedures is key to better response times for future breaches. (Hiscox, 2025)

190. 57% of respondents who experienced a cyberattack said that being more aware of potential threats before they occur would help improve response times. (Hiscox, 2025)

191. 56% believe that having a better understanding of what to look for during an attack would also accelerate their ability to respond effectively. (Hiscox, 2025)

192. Nearly half (49%) said that knowing who to report an attack to would improve incident response speed. (Hiscox, 2025)

193. Another 49% said response times could be improved if leadership acted more decisively during an attack. (Hiscox, 2025)

194. During the past 12 months, cyber security remained a high priority for around seven in ten businesses (72%) and charities (68%), in line with the previous two years. (UK Government, 2025)

195. Awareness of UK government initiatives around cybersecurity has seen a steady decline in recent years and remains fairly limited, particularly among micro businesses. Here's how it broke down by campaign:

• Cyber Aware campaign: 24% businesses and 26% charities
• 10 Steps guidance: 12% businesses and 15% charities
• Cyber Essentials: 12% businesses and 15% charities (UK Government, 2025)

196. Security awareness is often perceived by organizations as a part-time task, with 70% of security awareness practitioners disclosing that they dedicated half or less of their working time to it in 2023. (SANS Institute, 2025)

197. Only 14% of security awareness practitioners said that they dedicate 90% or more of their working time to security awareness. (SANS Institute, 2025)

198. 75% of respondents said they did have a security awareness budget. However, only 25% knew what their budget was. (SANS Institute, 2025)

199. 81% of organizations rate cybersecurity as a high priority, keeping it at the top of the list among all technology initiatives. (CompTIA, 2025)

200. 68% also rate their organization as highly capable in cybersecurity, reflecting improved confidence compared to prior years. (CompTIA, 2025)

201. 81% of surveyed organizations consider cybersecurity a high priority. (CompTIA, 2025)

202. To address skills shortages, companies are pursuing multiple strategies, including new hiring (56%), training existing staff (54%), certification programs (48%), and expanded partnerships with third-party providers (46%). (CompTIA, 2025)

203. Lack of time and staffing remain the two biggest challenges limiting industry professionals from building and managing an effective cybersecurity program.(SANS Institute, 2025)

204. When employees were questioned about the potential consequences of falling victim to a cyber attack, over half (59%) indicated that they would either receive training and face disciplinary action if they caused another breach (32%) or be required to attend mandatory training (27%). (e2e-assure, 2025)

205. Less than a quarter (24%) of employees described themselves as ‘very engaged’ in the training process. (e2e-assure, 2025)

206. 76% of workers said concerns to personal online safety would likely engage them with training, as well as if it was more clearly communicated (75%) or involved real life scenarios that workers could apply (also 75%). (e2e-assure, 2025)

207. Training that takes place online at a pre-arranged time that is suitable for the worker, is also popular (72%). (e2e-assure, 2025)

208. Workers would also be more likely to engage if training was short but regular (53%) over long but less regular (23%). (e2e-assure, 2025)

209. 40% of ‘resilient’ respondents (surveyed CISOs and cyber security decision makers who described themselves as resilient) have invested in training, versus 22% ‘not resilient.' (e2e-assure, 2025)

210. 38% of ‘resilient’ respondents provide clear communication and policies, versus 22% ‘not resilient.’ (e2e-assure, 2025)

211. The majority (73%) of cyber risk owners agree that most cyber attacks come from a lack of employee diligence. (e2e-assure, 2025)

212. In 2025, the average global annual salary for individuals working in security awareness is $116,091. (SANS Institute, 2025)

213. The most mature security awareness programs on average have at least 4.18 Full Time Employees (FTEs) dedicated to or helping manage the program. (SANS Institute, 2025)

How to protect against cyber attacks

Below are best practices that can help you protect your organization against cyber attacks. 

1. Meet security and compliance standards and regulations

Adhering to regulatory guidelines and industry standards like SOC 2, NIS2, HIPAA, and CIS Controls can not only help you avoid noncompliance fines and sanctions — it can also help you establish strong internal security controls and sustainable security processes that reduce the likelihood of cyber attacks.

Compliance activities, like risk assessments and security awareness training for example, help keep organizations aware of critical business risks, identify redundancies in their software and procedures, and ensure their staff is properly trained to protect sensitive information. 

2. Identify and prioritize risks

There are many methods for identifying and prioritizing risks. One of the most popular is developing key risk indicators (KRIs).

KRIs are a way to proactively track the most important types of risks that could put your business’s primary objectives and priorities in jeopardy. By establishing KRIs and setting tolerance values to track against each risk, KRIs can serve as early warning signs of upcoming crises and provide your organization enough time to mitigate that risk’s potential impact or prevent it from occurring. You can use our free template to get started.

Another popular method is using a risk matrix. To create a risk matrix, you have to compare the likelihood of a potential risk against the impact that your business would face if that risk occurs. For example, a high-priority risk would be an incoming hurricane that’s expected to cause power outages and disrupt business operations.

No matter what method you choose, prioritizing the risks that pose the greatest threat to your organization can enable you to focus your team’s time and resources to minimize their impact.

3. Create a risk management plan 

Once you’ve identified the biggest risks facing your business, you can create a plan for how to manage them. 

A risk management plan should document your organization’s process for regularly identifying, analyzing, and mitigating risks. It should also list clear roles and responsibilities for team members to track potential risks and address them if they were to happen.  

Download our free risk management resources kit to get the essential tools you’ll need to identify, prioritize, and mitigate risk, including policy templates, worksheets, and more.

Cyber attacks are accelerating—and most organizations aren’t prepared.

The Cybersecurity Awareness Kit gives you the tools to build awareness, identify vulnerabilities, and reduce risk across your organization.

What’s inside:

• 2026 Cybersecurity Checklist — assess your security maturity and close critical gaps
• Cybersecurity risk assessment template — identify and prioritize key risks
• Incident response plan template — improve response times and minimize impact
• Vendor risk management checklist — strengthen your third-party security posture
• Cybersecurity tabletop exercise scenarios — test your team’s readiness for real-world attacks

How Secureframe can help your organization’s cybersecurity efforts

Defending your organization from cyber attacks while navigating an increasingly complex threat and compliance landscape is difficult — so don’t do it alone. 

Secureframe can simplify and streamline your cybersecurity efforts. We can help you automate risk assessments, reduce your third-party risk, simplify policy management, speed up cloud remediation, and conduct continuous monitoring to look for gaps in controls so you can maintain continuous compliance. We can also make training your workforce on the latest security and privacy best practices easy and automatic. 

Plus, our in-house compliance team can give personalized advice based on your company’s unique risks and industry requirements to keep you secure and compliant, even as you scale.

When asked how Secureframe helped them improve, 81% of UserEvidence survey respondents say they reduced the risk of data breaches, with 39% saying they cut that risk by at least half.

To learn more about how Secureframe can help you develop a robust cybersecurity program and reduce the risk of cyber attacks, request a demo today.

This post was originally published in May 2023 and has been updated for comprehensiveness.

About the UserEvidence Survey

The data about Secureframe users was obtained through an online survey conducted by UserEvidence in February 2024. The survey included responses from 44 Secureframe users (the majority of whom were manager-level or above) across the information technology, consumer discretionary, industrials, financial, and healthcare industries.