The 30 cybersecurity stats that matter most

Jaikumar Vijayan, Freelance writer

Keeping on top of the most important trends in cybersecurity can be challenging sometimes—not because of a lack of data, but because of the sheer quantity of it. Analysts, vendors, research outfits, and others produce voluminous amounts of data on breaches, malware trends, emerging threats, spending habits, security budgets, compliance efforts, and myriad other topics.

The data can alert you to things you should be looking out for, how your controls and processes stack up against those of peers, where criminals are focusing their efforts, whether you are spending enough, and how your compliance efforts measure up against others. But how do you separate the data that matters from the data that just adds to the noise?

To help you focus on what matters, TechBeacon went through numerous research reports, vendor analyses, and whitepapers and zeroed in on information that either adds fresh insights or updates you on statistics you may already know.

Get up to speed fast with the stats that matter most to information security pros.

Data breaches by the numbers

1,579: Total number of publicly disclosed data breaches in 2017

If it seemed as if more organizations disclosed data breaches last year than ever before, it was only because they did. At 1,579, the number of breaches in 2017 was 44.7% higher than the 1,091 disclosed in 2016. Business organizations—such as those in the retail, hospitality, trade, and utilities sectors—accounted for 55% of breaches, followed by the medical and healthcare industry, with 23.7%.

Source: 2017 Annual Data Breach Year-end Review (Identity Theft Resource Center)

1,946,181,599: Total number of records containing personal and other sensitive data that were compromised between Jan. 1, 2017, and March 20, 2018

As staggeringly large as that number might appear, it is actually smaller than the more than 4.8 billion records exposed in data breaches in 2016. Two breaches that Yahoo disclosed in 2017 accounted for some 1.5 billion of the records exposed last year, while one disclosed by Myspace accounted for another 360 million records.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

75%: Proportion of data breaches caused by external attackers

Contrary to some perceptions, external actors continue to pose a far bigger threat to organizations than do internal ones. Among the external actors, organized cyber-crime groups accounted for more than half (51%) of breaches, while 18% of attacks involved state-affiliated groups. Careless, negligent, and malicious insiders with legitimate access to systems and data caused 25% of breaches.

Source: 2017 Data Breach Investigations Report (Verizon)

71%: Percent of US enterprises in a survey of 1,200 companies that reported suffering at least one data breach

More than 7 in 10 of all organizations in the US were affected by a data breach in some way over the past few years. Some 46% of US organizations experienced a breach incident in the past year, a substantial increase from the 24% that reported one in 2017 and the 20% that said they had suffered a breach in 2016. Worldwide, the numbers are slightly lower, with 67% of the respondents reporting at least one breach.

Source: 2018 Global Threat Report (451 Group for Thales)

$3.62 million: Average cost of a data breach in 2017

While breaches became larger, the average cost of a data breach declined 10% in 2017, to $3.62 million. The average cost associated with lost and stolen records containing sensitive information also declined substantially, to $141 from $158 per record in 2016. At the same time, the number of compromised records per breach increased to 24,000.

Source: 2017 Cost of Data Breach Study (Ponemon Institute)

Detection and incident response

77%: Proportion of respondents in a survey of 2,800 IT professionals who said their organizations do not have a formal cybersecurity incident response plan

Despite heightened concerns over data breaches, more than three-quarters of organizations do not have a formal process for responding to one. Twenty-six percent have only an ad-hoc or informal process, and 27% do not apply their incident response plan consistently across the enterprise.

Source: The Third Annual Study on the Cyber Resilient Organization, March 2018. (Ponemon Institute for IBM Resilient)

191 days: The average length of time it takes for organizations to identify a data breach

A more than six-month gap between when a breach happens and when it is first identified might seem awfully slow. But 191 days is actually an improvement on the average of 201 days it took organizations to detect a breach in 2016.

Source: 2017 Cost of Data Breach Study (Ponemon Institute for IBM Security)

66 days: The average time needed to fully contain a data breach in 2017

The number of days it took for organizations to contain a breach in 2017 ranged from 10 to 164 days, with an average of 66 days. Breaches caused by malicious and criminal attacks generally took longer to contain (77 days) and longer to identify (214 days) than breaches caused by human error (64 and 168 days, respectively).

Source: 2017 Cost of Data Breach Study (Ponemon Institute for IBM Security)

Topics for top brass

45%: Percent of respondents in a survey of 9,500 executives from 122 countries who said their corporate board participates actively in setting security budgets

For all the talk about security needing to become a board-level issue, many boards still appear to be relatively uninvolved in their organization's security strategy. Only 39% actively participate in setting security policies, just 36% are involved in the technology selection process, and less than one-third (31%) actively review current security and privacy risks.

Source: The Global State of Information Security Survey 2018 (PwC)

87%: Percentage of enterprises that say they require up to 50% more budget for cybersecurity

Organizations are spending more than ever on security. Yet 7 in 10 say they want at least 25% more spending, and 17% want up to a 50% increase. However, only 12% believe they will actually receive a security budget increase of over 25%. The rest clearly will just have to make do with whatever increases they get.

Source: EY Global Information Security Survey 2017-18

76%: Percent of organizations that would likely increase the resources available for cybersecurity following a breach that causes significant damage

More than three-quarters of organizations said that a significant data breach would be a catalyst for increased spending. But many of those same organizations would be unlikely to increase spending in the event of a breach that causes no harm. Sixty-four percent of organizations say an attack that did not cause harm would not trigger budget increases.

Source: EY Global Information Security Survey 2017-18

29%: Proportion of respondents in a survey of 9,500 executives from 75 industries in 122 countries who said CISOs bear the responsibility for IoT security

Organizations often deploy IoT devices with little thought about the security implications. Only 34% of the survey respondents, for instance, even plan to assess the potential risks to business security from connecting more devices to the Internet. Yet nearly 3 in 10 feel the security organization should be responsible for securing the IoT environment.

Source: The Global State of Information Security Survey 2018 (PwC)

Cyber-attack trends

77%: Percent of attacks on endpoint devices in 2017 that involved the use of fileless malware and exploits

Malware running in memory is a lot harder to detect and stop than malware installed on systems, which is why threat actors have increasingly begun using fileless malware in attacks. Fifty-four percent of the respondents to a survey of 665 IT professionals said their organizations suffered one or more attacks that compromised data and/or infrastructure. Of those attacks, 77% involved fileless malware and exploits.

Source: The 2017 State of Endpoint Security Risk Report (Ponemon Institute for Barkly)

56%: Percentage of organizations in a survey of 1,300 IT decision makers who identified targeted phishing attacks as their biggest current cybersecurity threat

Of all the threats that organizations face these days, phishing attacks continue to be the biggest for many, with 56% identifying it as their top concern. Other threats keeping security managers awake at night include insider threats (51%), ransomware/malware (48%), and unsecured privileged accounts (42%). Forty-two percent of respondents identified threats to data in the cloud as another big issue.

Source: Global Advanced Threat Landscape Report 2018 (Vanson Bourne for CyberArk)

26.2%: Percent of those targeted by ransomware in 2017 who were business users

The purveyors of ransomware last year turned their focus to businesses in a big way. The WannaCry attacks last May, the NotPetya outbreak in June, and the BadRabbit attacks of October were the biggest ransomware exploits targeted at businesses, but there were several others as well. That made 2017 the year of ransomware for enterprises.

Source: Kaspersky Lab

87%: Percent of remote code execution attacks late last year that involved crypto-mining malware

The hijacking of computers for crypto-mining purposes is quickly becoming a major problem for enterprises in much the same way that ransomware became a major threat a couple of years ago. Nearly 90% of all remote code execution attacks last December involved attempts to surreptitiously download crypto-miners.

Source: Imperva

Cybersecurity budgets and spending

86%: Percent of US organizations that plan to increase cybersecurity spending this year

Nearly 9 in 10 companies plan to increase cybersecurity spending this year, up 10% from the 76% that said the same thing in 2017. Worldwide numbers are slightly smaller, with 78% reporting plans to increase spending on cybersecurity, compared to 73% last year.

Source: 2018 Global Threat Report (451 Group for Thales)

$96.3 billion: The total organizations worldwide plan to spend on cybersecurity in 2018

Data breach concerns and fears of threats such as WannaCry and NotPetya will drive cybersecurity spending to yet another high this year. The $96.3 billion that organizations will spend on security products and services this year represents an increase of 8% over 2017 and a more than 17% jump over the $82.2 billion that organizations worldwide spent in 2016.

Source: Gartner

$75.2 billion: Amount that organizations worldwide will spend on infrastructure protection and security services in 2018

Gartner expects IT outsourcing, security testing, and security information and event management to be the fastest-growing segments within the infrastructure protection and services categories this year. The Identity and Access Management segment will see some $4.7 billion in spending this year, and the network security segment will account for $11.7 billion of overall spend.

Source: Gartner

Compliance and government

74%: Percentage of US respondents in a survey of 1,200 organizations that feel adherence to compliance requirements is either "very" effective or "extremely" effective

Notwithstanding the compliance-versus-security debate, nearly three-quarters of organizations in the US think that complying with regulatory and industry mandates such as PCI DSS is a great way to improve security. In contrast, a somewhat smaller 64% of organizations worldwide have a similarly positive view about compliance.

Source: 2018 Global Threat Report (451 Group for Thales)

88%: Percent of 300 CIOs, CPOs, general counsels, and other senior staff at US, UK, and Japanese companies who reported spending more than $1 million on GDPR compliance

Organizations rushing to meet the deadline for complying with the EU's General Data Protection Regulation are spending more on ramping up their privacy and security programs. Of the companies that have completed their preparations, 88% said they spent at least $1 million, and 10% said they spent north of $10 million. Among companies still finishing up, 60% expect to spend at least $1 million on GDPR compliance, and 12% will spend more than $10 million.

Source: PwC

$15 billion: Proposed budget for federal cybersecurity in the FY 2019 budget

The proposed amount is a $583.4 million increase over the FY2018 estimate for federal cybersecurity. As usual, more than half of the amount is for the US Department of Defense, which last year received $8.5 billion in cybersecurity funding.

Source: Cybersecurity Funding—

$971 million: Amount requested by the US Department of Homeland Security for cybersecurity operations in 2018

Out of this amount, the DHS has allocated $437 million to the science and technology directorate for research and development and $279 million to continuous diagnostics and mitigation efforts.

Source: Statista

52%: Percent of respondents in a survey of 200 civilian and Defense Department IT decision makers who view cybersecurity regulations and mandates as hindering risk management

More than half of IT decision makers in federal agencies view mandates such as NIST's Risk Management Framework as complicating their cybersecurity efforts, rather than helping them. On the plus side, 55% said that NIST's Cybersecurity Framework has helped to at least promote a risk management dialogue at their organizations.

Source: Federal Cybersecurity Survey, SolarWinds

54%: Percent of IT decision makers at federal agencies who view careless and untrained employees and contractors as posing the biggest security risk

Contrary to perception, careless and negligent insiders often pose a bigger threat to cybersecurity than malicious ones. Concerns over the issue appear to be growing, considering that only 48% cited careless insiders as a security risk in 2016 compared to the 54% who said the same thing in 2017.

Source: Federal Cybersecurity Survey, SolarWinds

Mobile, IoT, and industrial control systems

100%: The percent of organizations from a sample of 850 organizations with at least 500 mobile devices that experienced a mobile attack in 2017

Every organization permitting the use of mobile devices for work experienced some form of an attack, but they didn't always know it. In fact, organizations were attacked 54 times on average. Not all attacks resulted in breaches.

Source: Mobile Cyberattacks Impact Every Business, Check Point Software

54%: Percent of respondents in a survey of 359 cybersecurity practitioners who reported at least one security incident involving an industrial control system in the past 12 months

Concerns over catastrophic security failures at organizations with critical industrial control systems appear to be outweighing the number of actual incidents. Even so, more than half have experienced security incidents involving malware, third parties, and other sources.

Source: The State of Industrial Cybersecurity 2017 (Business Advantage for Kaspersky)

55%: Percent of industrial organizations that allow third parties such as suppliers, partners, and service providers to access their industrial control network

Despite heightened concerns over third-party risks, more than half of industrial organizations permitted outsiders to access critical systems remotely. Unsurprisingly, organizations allowing third-party access also are 63% more likely to experience a cybersecurity breach versus those that do not permit such access.

Source: The State of Industrial Cybersecurity 2017 (Business Advantage for Kaspersky)

40%: Proportion of business leaders in a survey of 9,500 IT professionals who are concerned about a cyberattack on IoT networks and other emerging technologies causing operational disruptions

Despite the potential benefits of automation and robotic systems, many organizational leaders worry about the vulnerability of emerging technologies to cyber threats. In addition to operational outages, data theft is a worry for 39%, and 32% fear that product quality could be affected by a successful cyberattack on emerging technologies.

Source: The Global State of Information Security Survey 2018 (PwC)

61%: Percent of organizations that have deployed some level of IoT technologies, and have had to deal with a security incident related to IoT in the past year

Most security incidents involving IoT networks have resulted from actual attacks, such as malware infiltration (24%) and phishing/social engineering attacks (18%). Over 1 in 10 (11%) IoT security incidents involved device misconfiguration issues, 9% involved privilege escalation, and 6% resulted in credential theft.

Source: Internet of Things Cybersecurity Readiness (Osterman Research for Trustwave)

The data we added to this list was based on solid research, came from reputable sources, and, most importantly, was unbiased. Put it to work for your organization.