The 38 cybersecurity stats that matter most

Analyst reports, vendor surveys, and research studies offer a wealth of statistics on the current state of cybersecurity within industry and government. They help organizations get a sense of emerging threats and how their security controls and processes compare against industry best practices and trends. But keeping on top of the topics that really matter can be incredibly hard given the sheer volume and diversity of technology reports and market statistics being churned out these days from myriad sources.

To help you focus on the security stats that really matter, we pored through data from multiple analyst reports, vendor surveys, and research studies. In going through the reports, we focused on surveys and research that brought fresh insight to topics that have been covered in the past or offered new visibility on emerging and important issues.

When choosing data from a survey, we considered issues such as sample size and methodology, to make sure that any data was representative and accurate to the best extent possible. We focused on the data that really mattered while disregarding the obvious and the previously known. 

Our goal was to get you up to speed on the topics and discussions that are helping shape the cybersecurity narrative at the enterprise and government levels. We have organized the data into ten categories, including data breaches, malware trends, encryption, and the skills issue.


Here (in no particular order) is a list we have compiled of the 38 cybersecurity stats that matter most.

Data breach stats, by the numbers

223: The total number of publicly reported data breaches in 2015

If the number of breaches that have been disclosed so far in 2016 is added in, the total number of publicly reported breaches since January 2015 increases to 270. That total is actually smaller than the 297 breaches that were publicly reported in 2014 alone, but in terms of scope, 2015’s data breaches were a whole lot bigger.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

159,806,735: The total number of records containing sensitive information that were compromised in 2015

Although the total number of breaches was down, do not let that stat fool you. In terms of scope, 2015's data breaches were bigger and compromised far more records. When the first three months of this year are included in the count, the total number of exposed records increases to 160,089,095. That number is more than double the 67,936,385 records compromised in 2014.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

6,025,821: The total number of records containing sensitive information accidentally compromised

The number is far greater than the 175,004 records that were compromised as the result of accidental disclosure in 2014. But that’s only because a single breach at the Georgia Secretary of State’s Office accounted for 6 million of those records. Accidental data compromises include data being accidentally published on public websites or sent via mail or fax to the wrong recipients.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

14: The number of publicly disclosed data breaches involving insider abuse

The total number of records containing sensitive data from these incidents was 96,472 for the period from January 2015 through March 2016. The numbers suggest that insider abuse is not as big a contributor to data breaches as is generally perceived.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

98: The average number of days it took for financial companies to detect a data breach in 2015

Retailers took an even longer 197 days to detect a breach, showing that organizations have a long way to go in their ability to detect network intrusions and remediate a breach quickly.

Source: 2016 Cybersecurity Trend Report (Ponemon Institute for Hewlett Packard Enterprise)

Data breaches, by the dollar 

$21,155: The average cost of a data breach, per day

The 252 surveyed participants said they took an average of 46 days to resolve a cyberattack, which translates to spending about $973,000 during the attack remediation stage alone.

Source: 2016 Cybersecurity Trend Report (Ponemon Institute for HPE)

$7.7 million: The average annualized cost to detect, respond to, and mitigate a breach globally

The cost of finding and dealing with breaches globally was 1.9 percent higher than in 2014. The annualized average cost for US companies with global operations was about double the average international price tag, at $15 million.

Source: 2016 Cybersecurity Trend Report (Ponemon Institute for HPE)

Malware and attack trends, by percentage

66%: The proportion of a survey of professionals who identified phishing and social engineering as top threats

About two-thirds of people in a survey of 185 business and technology professionals identified phishing/spearphishing and social engineering as the biggest security threat to their organizations. Insider abuse was next, at 48 percent, followed by targeted attacks and advanced persistent threats (APT), at 47 percent.

Source: 2016 Cybersecurity Trend Report (Ponemon Institute for HPE)

20%: The scope of confirmed data breaches involving social engineering at one large telecom company

About one in five data breaches confirmed by Verizon involved a social engineering element such as phishing. Email was the primary means by which attackers carried out their phishing attacks, followed by in-person deception and phone calls.

Source: Verizon Data Breach Digest

153%: The increase in the number of unique Android malware samples

Security researchers counted a total of 4.5 million Android malware samples in 2015, up sharply from the 2.94 million malware samples counted in 2014. Android is now the second most widely targeted platform after Windows.

Source: HPE Cyber Risk Report 2016

70,000: The total number of unique iOS malware samples in 2015

The number is many times smaller than the number of Android malware samples in the same period. But compared with 2014, iOS malware grew by 230 percent, making it one of the fastest-growing malware categories. The trend suggests that enterprises need to start paying closer attention to the use of iOS-based mobile devices in the workplace.

Source: HPE Cyber Risk Report 2016

140 million: The total number of Windows malware samples in 2015

The number of Windows malware samples dwarfed every other platform category. Even so, the growth in Windows malware was slightly lower than expected, most likely as a result of improved corporate security defenses and successful law enforcement takedowns of large cybercrime networks in 2015.

Source: HPE Cyber Risk Report 2016

C-suite and cybersecurity: The view from the top

61%: The percentage of CEOs who worry about security's impact on company growth

In a survey by PricewaterhouseCoopers of 1,400 CEOs from 83 countries, more than half were somewhat or extremely concerned about cybersecurity issues posing a threat to their company’s growth prospects. Cybersecurity concerns ranked eighth overall as the most pressing concern for CEOs, behind issues such as overregulation, geopolitical uncertainty, and exchange rate volatility.

Source: 19th Annual Global CEO Survey (PwC)

54%: The proportion of C-suite execs who have a CISO 

Only about half of C-suite executives in a PricewaterhouseCoopers global survey of over 10,000 CEOs, CIOs, CFOs, and other key executives reported having a CISO in charge of enterprise security. About half said they had a CSO.

Source: The Global State of Information Security Survey 2016

59%: The segment of respondents who use big data analytics to model cybersecurity threats

In addition, 69 percent of the executives said they were taking advantage of cloud-based security services to bolster their own security. Slightly more than 90 percent said they had adopted at least one framework, and often more than one, such as those from the US National Institute of Standards and Technology (NIST) and ISO 27001, to guide their cybersecurity threat detection and mitigation efforts.

Source: The Global State of Information Security Survey 2016

87%: The proportion of CIOs who see encrypted network traffic as a threat

Nearly nine in ten CIOs in a global survey of 500 information chiefs believe their security defenses are less effective because they can’t inspect encrypted network traffic for attacks. Some 90 percent of CIOs have suffered, or expect to experience, a data breach in which encrypted traffic is used in the attack.

Source: 2016 CIO Cybersecurity Report (VansonBourne for Venafi)

86%: The percentage of CIOs who fear theft of encryption keys and digital certificates

Nearly nine out of ten CIOs in the Venafi study fear that stolen encryption keys and digital certificates will be the next big market for hackers.

Source: 2016 CIO Cybersecurity Report (VansonBourne for Venafi)

Government and cybersecurity: For the people...

48%: The percentage of federal government staff who blame IT consolidation and modernization for security problems

Nearly half of respondents in a SolarWinds survey of 200 IT workers and decision makers from the federal government blame IT consolidation and modernization efforts for an increase in security concerns. Many felt that such efforts had resulted in incomplete transitions and a push to use unfamiliar technologies and complex new management platforms.

Source: Federal Cybersecurity Survey (SolarWinds) 

29%: The share of respondents who said budget constraints were the biggest obstacle to improved security

Despite a cybersecurity budget of $12 billion in 2015, federal agencies cited a lack of budget as the biggest barrier to improved security. In addition to budget constraints, other obstacles included technological complexity and a lack of collaboration between internal teams. Notably, about half said foreign governments posed one of the biggest threats to their security.

Source: Federal Cybersecurity Survey (SolarWinds) 

Cybersecurity spend: Follow the money

$75.4 billion: The estimated worldwide spending on cybersecurity in 2015

Government initiatives, mega breaches, and increased legislation were major drivers of growth in security spending, pushing the spend about $4.7 billion higher than in 2014.

Source: Gartner's Forecast Analysis: Information Security, Worldwide, 2Q15 Update 

$19 billion: The proposed federal cybersecurity budget for 2016

The proposed federal spend on cybersecurity for 2016 represents an increase of $5 billion, about a 36 percent boost. The shift reflects heightened concerns over data theft and cyberespionage by nation-state-sponsored threat actors.

Source: White House Cybersecurity National Action Plan

$3.1 billion: The proposed federal budget for modernizing IT, cybersecurity

The Obama administration proposes more than $3 billion in spending in its 2017 budget for modernizing IT and how the government manages cybersecurity.

Source: White House Cybersecurity National Action Plan

Security technology trends

$11.8 billion: The estimated global cloud security market in 2022

Demand for cloud security products and services will grow at a compound annual rate of 12.8 percent between 2015 and 2022. This suggests that enterprises are no longer letting security concerns prevent them from taking advantage of the cloud.

Source: Transparency Market Research

72%: Proportion who have increased spending on network perimeter security in the past five years

In a survey of 1,000 IT professionals conducted by Vanson Bourne on behalf of Gemalto, nearly three-quarters said their organizations have increased spending on network perimeter security over the past five years. The number shows that organizations are continuing to spend money on perimeter security products despite all the concerns about signature-based, network-centric defenses not being good enough anymore.

Source: DSCI Data Security Confidence Index (PDF document)

9%: Portion of IT security budget spent on perimeter technology

Despite concerns about the effectiveness of perimeter security technologies against advanced threats, the security budgets allocated to such tools have remained steady and are expected to continue to do so. In fact, a majority of organizations plan to increase their spending on perimeter security tools over the next 12 months rather than decrease it, as many had expected.

Source: DSCI Data Security Confidence Index (PDF document)

$4.5 billion: The size of the unified threat management (UTM) market by 2019

Interest in UTM projects is being driven by the sheer diversity of internal and external threats that organizations face these days. The single point of control offered by UTM products will drive demand at an 11.5 percent compound annual growth rate for the next several years.

Source: Markets and Markets

40% to 85%: The projected growth in the use of next-generation firewalls

Gartner projects strong growth in the use of next-generation firewalls (NGFWs) to protect enterprise Internet connections between 2015 and the end of 2018. Much of the growth will come from organizations seeking to tap NGFWs to manage users and applications more securely.

Source: Gartner Magic Quadrant for Enterprise Network Firewalls 

88%: Proportion of respondents in survey who say access control and authentication are top spending areas for 2016

Protection and prevention continue to be a top priority for nearly nine out of ten enterprises, according to a SANS Institute report on spending trends. They were followed by advanced malware protection (80 percent) and endpoint protection (75 percent).

Source: SANS Institute IT Security Spending Trends (PDF document) 

Mobile metrics

$5.75 billion: The estimated size of the global mobile security market in 2019

The growing use of smartphones, tablets, and other mobile devices is driving demand for mobile device, application, and content management tools. This projection marks a 380 percent increase, up from $1.51 billion in 2014.

Source: Markets and Markets 

53,844: The average number of mobile devices in enterprises

The proliferation of self-owned and corporate-issued smartphones and tablets has greatly increased the attack surface for threat actors and heightened security challenges for enterprises. Nearly 56 percent of corporate data is now accessible via mobile devices.

Source: The Ponemon Institute for Lookout 

35%: The proportion of IT pros who say they do not have a formal policy for security for corporate data available to mobile devices

Of 720 IT professionals polled by the Ponemon Institute, more than a third said their organizations do not have a formal policy for securing corporate data that is accessible via mobile devices. In addition, 63 percent had no policies pertaining to the type of company data that employees can access and store on their mobile devices.

Source: The Ponemon Institute for Lookout 

$9,485: The amount per device that mobile malware costs a global organization

Mobile risks have a dramatic impact on the bottom line. Included in the estimate are costs related to investigation, help desk, forensics, and diminished productivity. When malware is used to improperly access or steal corporate data, the average per-device cost more than doubles, to $21,042.

Source: The Ponemon Institute for Lookout 

Encryption worries

78%: The percentage of security pros who say their employers are not prepared for theft of digital certificates and encryption keys

More than three-quarters of respondents in a survey of 800 IT security professionals by Venafi felt that their employers were ill informed on what it takes to fully remediate an attack involving the theft of digital certificates and encryption keys.

Source: "Security Pros (Blindly) Trust Keys and Certificates" (Venafi)

64%: The portion of respondents who say they would not be able to respond quickly to an attack on SSH keys

Unsecured encryption keys give attackers an opportunity to impersonate and monitor their targets. Yet a majority of organizations would not know how to respond if someone stole their SSH keys. A majority said it would take up to a week to diagnose, detect, and replace SSH keys on affected hosts. A mere 8 percent said their organizations would replace potentially compromised keys and certificates after a Sony-like attack.

Source: "Security Pros (Blindly) Trust Keys and Certificates" (Venafi)

50% or more: The proportion of attacks that will use SSL/TLS encryption to evade detection

More than half of all attacks will use Secure Sockets Layer/Transport Layer Security encryption to evade detection by network security tools. Yet a majority of enterprises will not have the ability to inspect and block malicious traffic entering the network via SSL/TLS communications. 

Source: Venafi: Threats in SSL/TLS: Gartner White Paper (PDF document)

Cybersecurity skills

46%: Segment of IT pros who say cybersecurity skills in their organization are coming up short

Of 299 IT professionals surveyed by Enterprise Strategy Group (ESG), nearly half claimed a problematic shortage of cybersecurity skills in their organizations.

Source: The Cipher Brief, "A National Security Issue" (Jon Oltsik)

33%: The percentage of IT pros who say cloud security is their biggest skill shortage

About 28 percent of respondents pointed to network security, while 27 percent identified security analytics as the area having the biggest skills deficiency. The data suggests that the cybersecurity skills shortage is a real and deepening issue for organizations of all sizes.

Source: The Cipher Brief, "A National Issue" (Jon Oltsik)

76%: The proportion of IT pros who identified application security as the top area for spending on new security skills

In a SANS Institute survey of 169 IT professionals with budgetary control or with insight into security spending, three-quarters identified application security as the top area for spending on new security skills. Other priority areas include secure access, malware prevention, data protection, and endpoint security.

Source: SANS Institute IT Security Spending Trends (PDF document) 

Which stats are the most important to you? Share the numbers that matter most to your organization's security program.
