Cybersecurity is one of the top priorities for organizations. In the Global Risks Report 2020, the World Economic Forum places cybersecurity in the highest risk quadrant in its global risks landscape. The rapidly shifting cybersecurity landscape creates unique challenges for security professionals and users trying to stay informed and take appropriate action. Moreover, the pandemic has thrust seismic changes upon governments, businesses, and individuals, including new risks related to remote working, hackers' attack methods, and the technologies that employees regularly use. Organizations must not only ensure their IT and security technologies protect against these threats and risks; it is crucial that they train their employees as well.

Security awareness training must address a broad range of information security knowledge, as well as cover specific security awareness training topics. We've gathered the latest cybersecurity and security awareness statistics and reports in one place so you can easily access them. This guide provides cybersecurity and security awareness training statistics and trends separated into three sections:

  1. General Cybersecurity Statistics & Trends
  2. Security Awareness Statistics & Trends
  3. Security Awareness Training Statistics & Trends by Industry Vertical

These statistics and trends provide insight into the importance of employee security awareness training, identify areas that need to be addressed in security awareness training, and even offer justification for developing budgets for security awareness programs.

General Cybersecurity Statistics & Trends

Cybersecurity

  • Cybersecurity is in the highest risk quadrant in the Global Risks Landscape 2020, ranking for both the highest impact and highest likelihood to occur (Global Risks Report 2020, World Economic Forum)
  • Preventing data breaches is the top IT priority and second security priority for organizations (2020 Cybersecurity Outlook Report, VMware / Carbon Black).
  • The likelihood of arresting a cybercriminal is less than 1% of the total number of malicious cyber incidents reported annually in the United States (To Catch a Hacker, Third Way)

Human Factor

  • 85% of data breaches were due to the "human element" (2021 Data Breach Investigations Report, Verizon)
  • 43% of employees are "very" or "pretty" certain they have made a mistake at work with security repercussions (The Psychology of Human Error, Tessian)
  • Low security awareness among employees is the top barrier for organizations establishing effective defenses (2021 Cyberthreat Defense Report, CyberEdge Group)
  • The people domain was the weakest of the 3 domains analyzed (people, process, technology) according to the 2021 Hiscox cyber maturity model, yet funding for training decreased 8% (Hiscox Cyber Readiness Report 2021, Hiscox)

Data Breaches

  • 37 billion records were compromised in 3,932 publicly reported data breaches in 2020 (2020 Year End Data Breach QuickView Report, RiskBased Security)
  • The number of records compromised in publicly reported data breaches increased by 141% and far exceeds the most records exposed in a single year since RBS reporting began in 2005 (2020 Year End Data Breach QuickView Report, RiskBased Security)
  • The average cost of a data breach rose to $4.24 million, the highest in the 17-year history of the report. The country with the highest breach cost remains the United States and healthcare has the highest industry cost of $9.23 million (Cost of a Data Breach Report 2021, Ponemon Institute and IBM Security)
  • The number of healthcare data breaches increased 55.1% in 2020 compared to the prior year (Healthcare Breach Report 2021, Bitglass)
  • Attacks are shifting away from seeking consumer information to targeting businesses using stolen logins and passwords (2020 Annual Data Breach Report, Identity Theft Resource Center)
  • The average time to identify and contain a data breach was 280 days (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)

Significant Data Breaches & Cyberattacks in 2020

  • A major cyberattack against the United States federal government was reported to be among the worst cyber-espionage incidents ever suffered, impacting more than 200 organizations. Attackers exploited software from Microsoft, SolarWinds, and VMware (Wikipedia).
  • A vision management company, EyeMed, exposed more than a half million records of health plan members from Aetna, Tufts Health Plan and Blue Cross Blue Shield of Tennessee (HIPAA Journal)
  • 142 million personal records that were exposed due to hacking of the MGM Resort and MGM Grand Hotels are for sale on the dark web (Threatpost)
  • Going back to 2013, a data breach in a hotel management booking platform owned by Prestige Software exposed the data from 10 million travelers including name, phone number, national ID numbers, credit card numbers and stay information (CPO Magazine)
  • More than 364,000 patient records were exposed at Magellan Health due to a spear phishing attack (HIPAA Journal)
  • The Mathway math app breach exposed the email addresses and hashed passwords of 25 million users, which were then put up for sale on a dark web marketplace (Security Magazine)
  • 296 GB of US law enforcement data was posted on a searchable portal including audio, videos, emails, intelligence documents and personally identifiable information (Wired)
  • 235 million user profiles from Instagram, TikTok and YouTube were exposed online due to social media scraping (TechRadar)
  • Marriott International confirmed a breach that exposed 5.2 million guests, making it the second major security incident in less than two years (CNET)
  • Microsoft disclosed that a customer support database with 250,000 entries of anonymized user analytics was exposed in December 2019 (ZDNET)
  • CAM4, an adult streaming website, leaked the information of 11 billion users including full names, email addresses and payment logs (Identity Theft Resource Center)
  • Denmark accidentally exposed the personal identification (CPR) numbers of 1.26 million Danish citizens due to a software error (ZDNET)
  • A massive cyberattack against Mitsubishi Electronic Corp. may have leaked details of a prototype missile (AP News)

Significant Data Breaches & Cyberattacks in 2021 (to date)

  • Mimecast, a security vendor, revealed that the SolarWinds hackers breached its network (Ars Technica). A malicious SolarWinds update was leveraged to access the company's production grid environment, resulting in the download of a limited number of source code repositories; in addition, some Mimecast-issued certificates were compromised by the attackers (ZDNet)
  • A cyber attack against UScellular, the 4th largest mobile network in the US, resulted in the attackers gaining access into the company's CRM housing data for 4.9 million customers including name, plan, usage, billing statement and PIN code (BleepingComputer)
  • 38 million California vehicle registration records were potentially compromised in a ransomware attack on a third-party contractor for the California DMV (SFGATE)
  • Hackers exploited four security flaws in Microsoft Exchange Servers, gaining access to and remote control of 30,000 entities in the United States, 7,000 servers in the United Kingdom, as well as other organizations worldwide, including small and medium businesses and city, county and local governments (Wikipedia)
  • Colonial Pipeline, one of the largest pipelines in the United States, suffered a ransomware attack, paying $4.4 million in ransom and shutting down its pipeline for 11 days (Washington Post)
  • An executive order signed following the cyberattacks against SolarWinds, Microsoft Exchange and Colonial Pipeline puts in place new cybersecurity requirements for government contractors, new security standards for critical software, and requirements for companies to report certain information about cyberbreaches (NPR).
  • CaptureRX exposed 1,656,569 patient records belonging to more than 14 hospitals and healthcare organizations; information exposed included names, birthdates and prescriptions (Becker's Health IT)
  • A cloud-bucket misconfiguration by Hobby Lobby exposed a database containing the PII of 300,000 customers (Threatpost)
  • JBS, the largest meat processing company in the world, was the target of a ransomware attack forcing the shutdown of parts of JBS operations and threatening meat prices (SC Magazine)
  • A T-Mobile data breach exposed the PII of more than 54 million customers, including Social Security numbers, dates of birth, and driver's licenses. A hacker claimed responsibility due to T-Mobile's "awful" security (CNET)

Cost of Cybercrime

  • The estimated cost of cybercrime exceeded $1 trillion globally in 2020, more than a 50% increase in two years (The Hidden Costs of Cybercrime, McAfee)
  • In the healthcare industry, the average cost per breached record in 2020 was $499 (Healthcare Breach Report 2021, Bitglass)
  • The global average cost of a data breach in 2020 was $3.86 million, with an average cost per record of customer PII of $175 (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)
  • Phishing was the top cybercrime in the United States in 2020, accounting for more than 30% of all victims, while BEC attacks caused the greatest victim loss of $1.86 billion (Internet Crime Report 2020, FBI)

Cyber Risks