You are here

Statistics on screen

40 cybersecurity stats security pros need to know

Jaikumar Vijayan, Freelance writer

The dizzying pace of change within the security landscape makes it difficult for IT practitioners to keep up with emerging threats and best practices for dealing with them.

Industry surveys, vendor reports, and research studies can provide useful information on the state of security, important technology trends, and best practices as applied by other organizations within your sector and across all industry. But as with many things that are security-related, the sheer number of reports and the massive volume of data they contain can be overwhelming.

To help you cut through the noise, we combed through numerous reports to find data that can help you get a better sense of the overall security landscape and how your own measures stack up. The following is a collection of the most relevant data points pertaining to data breaches, emerging threats, software vulnerabilities, compliance-related issues, cybersecurity skills, and several other key topics.

[ Explore the challenges and opportunities facing SOCs in TechBeacon's new guide, based on the 2019 State of Security Operations report. ]

Data breaches

538: Total number of data breaches made public in 2016

The total number of publicly disclosed breaches in 2016 was more than double the 267 disclosed in 2015. Even so, the total number of records that were compromised in these breaches, at just over 11 million, was magnitudes lower than the 160 million records exposed in 2015, when breaches such as those at the U.S. Office of Personnel Management, Anthem, and Premera boosted the total considerably.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

406: Total number of breaches that were the result of hacking by an external party or via malware

Hacking-related breaches outnumbered data breaches resulting from insiders with legitimate access to systems (15) and from unintentional data disclosure (143). A total of 93 data compromises made public between January 1, 2016, and May 15, 2017 stemmed from physical loss of paper documents and lost, stolen, or misplaced laptops and other mobile devices.

Source: Chronology of Data Breaches (Privacy Rights Clearinghouse)

63%: Proportion of confirmed data breaches Verizon investigated in 2016 that involved the use of weak, default, or stolen passwords

Static authentication mechanisms such as usernames and passwords continued to be highly targeted last year. The capture and reuse of credentials was a common practice across sectors and by organized crime groups and nation-state actors alike.

Source: Verizon 2017 Data Breach Investigations Report (Verizon)

376: Number of publicly reported breaches by organizations in the medical/healthcare sector in 2016

The healthcare sector experienced more breaches than any other sector and accounted for 43.6% of all breaches reported in 2016. The sector reporting the least number of breaches in 2016 was banking/credit/financial, with 5.

Source: 2016 Data Breach Reports  (Identity Theft Resource Center)

77%: Number of CISOs who said they were highly concerned about security breaches going undetected

More than 8 in 10 CISOs in the survey (of 300 CISOs) expressed a similarly high level of concern over detected breaches at their organizations going unaddressed. Despite such concerns, 56% of the CISOs believed their company was effective at preventing security breaches, while another 19% said their company was highly effective.

Source: The Global CISO Study (Conducted by Oxford Economics for ServiceNow)

Attack types and motives

247: Number of incidents that Verizon investigated last year in which cyber espionage was the primary motive

A total of 155 of these incidents resulted in confirmed data disclosure. In addition to public-sector organizations, manufacturing companies were a big target of cyber-espionage campaigns in 2016, with 108 confirmed data theft incidents.

Source: Verizon 2017 Data Breach Investigations Report (Verizon)

517: The size, in gigabits per second (Gbps), of the largest distributed denial-of-service (DDoS) attack mitigated by Akamai

The total number of DDoS attacks in the last quarter of 2016 was only a marginal 4% higher than the number of DDoS attacks in the same quarter of 2015. But the number of attacks greater than 100Gbps surged 140%, from 5 to 12, in the same period.

Source: Q4 2016 State of the Internet / Security Report (Akamai Technologies)

70%: Proportion of DDoS attacks in Q4 2016 that generated more than 300Gbps of attack traffic

In many of the attacks, threat actors used insecure Internet of Things (IoT) devices to generate the attack traffic. The largest DDoS attacks in the last quarter of 2016 were enabled by the Spike IoT botnet.

Source: Q4 2016 State of the Internet / Security Report (Akamai Technologies)

38%: Respondents in a PwC survey who reported phishing scams

Phishing emerged as the top vector for security incidents in 2016. The trend is being seen as an indication that cyber criminals are relying less on sophisticated tools to carry out attacks and are instead increasingly attempting to use legitimate administrator tools to gain access.

Source: The Global State of Information Security Survey 2017 (PricewaterhouseCoopers)

74%: Proportion of organizations in a 2017 survey that felt vulnerable to insider threats

The number represents a 7% increase over the number of organizations that felt the same way in 2016. Despite the heightened concern, barely more than 4 in 10 of the organizations had controls in place for detecting and preventing an insider attack.

Source: Insider Attacks Industry Survey (SANS/Haystax Technology)

[ Effective SecOps requires staying one step ahead. Get up to speed with this Webinar covering UEBA and MITRE ATT&CK ]


4,000: The average number of daily ransomware attacks since January 1, 2016

The number represents a 400% jump from the 1,000 attacks per day that occurred in 2015. 

Source: How to Protect Your Networks From Ransomware (U.S. Department of Justice)

30%: Proportion of respondents in an RSA 2017 survey who said their organizations had experienced a ransomware attack

In more than half of the incidents, the victim organizations were able to regain access to their systems in less than eight hours. One in five of the victims said employees were unable to access their systems for between two and three days after a ransomware attack, while 17% were able to recover in one day.

Source: Ransomware Rising (Imperva Software)

79%: Proportion of business victims of ransomware attacks that would not be willing to pay a ransom to avoid downtime

About one in five companies would pay a ransom to regain access to their data to avoid downtime costs. Bad publicity and lost sales are other huge ransomware-related concerns for organizations.

Source: Ransomware Rising (Imperva Software)

The CEO and security spending viewpoint

64%: Proportion of CEOs who said a key differentiator for their companies in coming years would be data security

The survey found that chief executives are especially concerned about data breaches and IT-related outages and disruptions impacting public trust in their company.

Source: 20th Annual Global CEO Survey (PwC)

$101.6 billion: The projected amount organizations will spend on security-related hardware, software, and services in 2020

Security spending will grow at an average rate of 8.3% between 2016 and 2020, or more than twice the rate of overall IT spending in the same period. The organizations making the biggest investments worldwide in security over the next few years will be financial services companies, discrete and process manufacturers, and government.

Source: Worldwide Semiannual Security Spending Guide (IDC)

45%: Proportion of overall security budgets that organizations are estimated to have spent on security-related services in 2016

Security software represented the second-biggest spending area, with identity and access management tools, endpoint security software, and vulnerability management products driving 75% of the spending in this category. Sales of security hardware products generated around $14 billion last year.

Source: Worldwide Semiannual Security Spending Guide (IDC)

5.6%: Proportion of overall IT budget that organizations spend on IT security and risk management, on average

Security spending ranges from 1% to 13% of overall IT budgets and is often a misleading indicator of a security program's effectiveness. Generic comparisons to industry averages and peer organizations could leave an organization either overestimating or underestimating its security capabilities.

Source: Identifying the Real Information Security Budget (Gartner)

Cybersecurity skills

1 in 4: The number of organizations exposed to security threats for six months or more because of a lack of security skills

Nearly 60% of organizations receive 5 applications or fewer for the cyber security jobs that they advertise. Barely 13% receive 20 or more applications, compared to the 60 to 250 applications for other corporate job openings.

Source: State of Cyber Security 2017 (ISACA)

52%: Proportion of respondents in a survey who said practical, hands-on experience was the most important cyber security skill

Amid a deepening skills crisis, 25% of organizations say candidates for cyber security jobs lack technical skills, while 45% believe applicants do not understand business requirements. Nearly 7 in 10 believe that security certifications are more useful than formal cyber security degrees.

Source: State of Cyber Security 2017 (ISACA)

EU General Data Protection Regulation (GDPR)

47%: Organizations worldwide that will not meet the requirements of the EU's GDPR before it goes into effect

More than 8 out of 10 respondents in a survey of 900 business decision makers in the US and seven other countries fear that a failure to meet the new GDPR requirements, which go into effect in May 2018, will have a major impact on their businesses. Some 18% said that noncompliance could put them out of business.

Source: 2017 Veritas GDPR Report (Veritas Technologies)

42%: Proportion of survey respondents who said their biggest concern with the GDPR was not knowing which data to save

Other concerns cited by respondents included accidentally deleting data that might be useful in future, not being able to locate personal data stored internally, and not having the right data-monitoring tools.

Source: 2017 Veritas GDPR Report (Veritas Technologies)

48%: Proportion of organizations in a survey that cited their brand reputation as the biggest concern with data protection regulations

Less than 4 in 10 of the respondents were worried about passing audits pertaining to data protection requirements, while 40% expressed concern about penalties over compliance failures.

Source: Data Governance Inside the Enterprise (Blancco Technology Group)

Security concerns for small and mid-tier companies

61%: Proportion of data breach victims Verizon investigated in 2016 that were businesses with fewer than 1,000 employees

While big breaches tend to involve large companies, small businesses represent a majority of the overall number of breached organizations.

Source: Verizon 2017 Data Breach Investigations Report (Verizon)

82: Percentage who said their internal staff spent 20 to 60 hours a week procuring, implementing, managing security products

Nearly 75% of the mid-tier company respondents said they had between three and five full-time employees to manage their security needs. On average, they spend $178,000 on network security alone, representing about 30% of their total IT security spend.

Source: 451 Research Survey (OPAQ Networks)

8.9%: Projected compound annual growth of network security spending at mid-size companies between 2016 and 2021

Spending on network security among mid-tier companies will grow twice as fast as overall security spending in the next five years. In 2021, businesses with between 500 and 2,500 employees will spend about $3.5 billion on network security products and services, compared to $2.4 billion in 2016.

Source: 451 Research Survey (OPAQ Networks)

Open-source security

96%: Proportion of commercial applications that contain open-source components

Open-source audits on thousands of commercial application show that the average application contains at least 147 unique open-source components. Nearly 7 in 10 (67%) of applications using open-source components have vulnerabilities in them.

Source: 2017 Open Source Security & Risk Analysis Report (Black Duck Software)

4: The average number of years open-source vulnerabilities identified in commercial applications have been public

Applications used by organizations in the financial services sector on average contain 52 open-source vulnerabilities. But retail and e-commerce applications have a higher proportion of high-risk vulnerabilities.

Source: 2017 Open Source Security & Risk Analysis Report (Black Duck Software)

3,623: the total number of unique open-source component vulnerabilities that were reported in 2016

Almost 10 open-source vulnerabilities were reported per day in 2016, representing a 10% increase over 2015. Many of the highest-risk vulnerabilities were reported in commonly used open-source components such as the Spring Framework and Apache Commons Collections.

Source: 2017 Open Source Security & Risk Analysis Report (Black Duck Software)

Android, macOS, and Windows vulnerabilities

523: Total number of unique vulnerabilities reported in Android in 2016

The number of Android flaws in 2016 was more than four times the 125 vulnerabilities discovered in the operating system in 2015 and more than 100 times the number of flaws found in 2009. Out of the 523 flaws discovered last year, about 250 were privilege-escalation vulnerabilities, while 104 enabled DoS attacks.

Source: CVE Details (MITRE Corp.)

215: The number of distinct vulnerabilities in Apple's macOS X in 2016

The number of vulnerabilities discovered in Apple's desktop operating system last year was substantially lower than the all-time high of 444 vulnerabilities found in the operating system in 2015. But with 142 flaws through May 15 this year, 2017 could end up being another bad year for macOS X.

Source: CVE Details (MITRE Corp.)

293: Total number of vulnerabilities that have been reported in Microsoft Windows 10 since its release in 2015

Through May 15, 2017, a total of 78 vulnerabilities have been discovered in the operating system. That puts the OS on track to close the year out with a smaller number of vulnerabilities than in 2016.

Source: CVE Details (MITRE Corp.)

Cloud security

42%: Proportion of respondents who said their organization currently runs security applications in the cloud

Almost half of the respondents—45%—said they are either likely or extremely likely to use cloud services for their security operations in future. The trend is being driven by increased enterprise confidence in cloud services overall, with 57% of respondents saying they believe the cloud is secure. Companies in the technology sector have the highest confidence in the cloud, followed by organizations in the education sector.

Source: Security in the Cloud Survey (Schneider Electric)

63%: The proportion of IT professionals who believe the public cloud is as secure as or more secure than on-premises data centers

Despite improved confidence overall in the security of public cloud services, nearly one-third (31.7%) of all IT administrators remain very concerned about the security of custom apps deployed in the cloud, while 32.3% are moderately concerned.

Source: Custom Applications and IaaS Trends 2017 (Cloud Security Alliance)

63%: Number of respondents who said their biggest concern with deploying custom apps to the public cloud was sensitive data

Other perceived threats to custom apps in cloud environments include third-party account compromise (57%), sensitive data downloads to non-corporate-owned devices (40%), and misuse by end users (28%).

Source: Custom Applications and IaaS Trends 2017 (Cloud Security Alliance)

444: The average number of custom applications deployed at enterprises

IT and DevOps professionals have a relatively high awareness of custom applications in the environment, but IT security professionals are aware of less than 40% of these applications. The data suggests that IT security teams are involved in managing fewer than 4 of 10 of these applications to ensure corporate data is adequately protected.

Source: Custom Applications and IaaS Trends 2017 (Cloud Security Alliance)


100:1: The ratio by which software developers outnumber security professionals in average enterprises

About half of all software developers know security is important but do not pay attention to it all the same because of a lack of time. Some 54% perceive security pros as "nags" who identify vulnerabilities but don't do anything about them.

Source: DecSecOps Community Survey 2017 (Sonatype)

58%: Proportion of developers in a survey of 2,292 people who said they believe security is an inhibitor to DevOps agility

The percentage of developers who feel this way tends to vary by the maturity level of DevOps practices. At organizations with less mature practices, more developers perceive security as an inhibitor. Fewer developers see security this way at organizations with mature DevOps practices. This suggests that such organizations have found a way to integrate security into the development process.

Source: DecSecOps Community Survey 2017 (Sonatype)

47%: The proportion of C-level respondents who said they use security information and event management (SIEM) tools

About 52% said they had intrusion detection tools in place, 48% said they conduct vulnerability assessments, and 51% actively monitor and analyze threat intelligence. Other commonly deployed threat-detection processes in 2016 included threat intelligence subscription services and penetration testing, according to the survey of 10,000 C-level executives and IT directors.

Source: The Global State of Information Security Survey 2017 (PricewaterhouseCoopers)

Internet of Things (IoT)

49%: Percentage who cited security and privacy as primary factors to consider when deploying an IoT environment

Just as security was a primary concern with cloud adoption, so it is with the IoT. Generally, respondents from big firms (46%) are more likely to believe that the benefits of connected devices outweigh security concerns than those in mid-tier firms (33%) and those in small businesses (31%).

Source: Internet of Things Insights and Opportunities (CompTIA)

65%: Number of organizations that perceive malicious hackers and hacking as the biggest threats to IoT security

Slightly more than half of all organizations (52%) see device vulnerabilities as the biggest threat, while 51% view unencrypted data traveling across networks as major IoT-related dangers.

Source: Internet of Things Insights and Opportunities (CompTIA)

[ Find out how to take control of credentials privilege in your organization in this Oct. 31 Webinar. You'll learn best practices, more. ]