Security Awareness Training Statistics & Trends: 2022 Edition
Cybersecurity is one of the top priorities for organizations. In the Global Risks Report 2020, the World Economic Forum places Cybersecurity Failure in the highest risk quadrant of its global risks landscape. Because the cybersecurity landscape shifts rapidly, security professionals and users face unique challenges in staying informed and taking appropriate action. Moreover, the global pandemic has thrust seismic changes upon governments, businesses, and individuals, including new risks related to remote working, hackers' attack methods, and the technologies that employees regularly use. Organizations must not only ensure their IT and security technologies protect against these threats and risks; it is also crucial that they train their employees.
Security awareness training must cover the broadest range of information security knowledge, as well as specific security awareness training topics. We've gathered the latest cybersecurity and security awareness statistics and reports, from 2022 back to 2020, in one place so you can easily access them. This guide provides cybersecurity and security awareness training statistics and trends separated into three sections:
- General Cybersecurity Statistics & Trends
- Security Awareness Statistics & Trends
- Security Awareness Training Statistics & Trends by Industry Vertical
These statistics and trends provide insight into the importance of employee security awareness training, identify areas that need to be addressed in security awareness training, and even offer justification for developing budgets for security awareness programs.
General Cybersecurity Statistics & Trends
Cybersecurity
- Cybersecurity is in the highest risk quadrant in the Global Risks Landscape 2020, ranking for both the highest impact and highest likelihood to occur (Global Risks Report 2020, World Economic Forum)
- Preventing data breaches is the top IT priority and second security priority for organizations (2020 Cybersecurity Outlook Report, VMware / Carbon Black).
- Fewer than 1% of the malicious cyber incidents reported annually in the United States result in the arrest of a cybercriminal (To Catch a Hacker, Third Way)
Human Factor
- 85% of data breaches were due to the "human element" (2021 Data Breach Investigations Report, Verizon)
- Fear Fatigue, defined as "demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences, and perceptions" was reported by 80% of respondents in a recent survey. Fear fatigue can often lead to careless employee behavior (Still Enduring from Home, Malwarebytes)
- 43% of employees are "very" or "pretty" certain they have made a mistake at work with security repercussions (The Psychology of Human Error, Tessian)
- Low security awareness among employees is the top barrier for organizations establishing effective defenses (2021 Cyberthreat Defense Report, CyberEdge Group)
- The people domain was the weakest of the 3 domains analyzed (people, process, technology) according to the 2021 Hiscox cyber maturity model, yet funding for training decreased 8% (Hiscox Cyber Readiness Report 2021, Hiscox)
- 55% of IT leaders rely on employees to alert them to cybersecurity incidents, while 89% of incidents led to repercussions for the employees involved, and only 54% of employees are empowered or trusted by the organization's security culture (Egress Insider Data Breach Survey 2021, Egress)
- An employee opening a phishing email attachment caused the ransomware attack on HSE, Ireland's national health service, which resulted in €100 million overall cost (The Irish Times)
Data Breaches
- Federal wire fraud charges were filed against former Uber chief security officer over alleged cover-up of a cyber attack against Uber in which hackers obtained access to personal details of 57 million users (SC Media)
- The number of publicly reported data breaches so far in 2021 already exceeds the total number of data breaches in FY 2020 by 17% (2021 Q3 Data Breach Analysis, ITRC)
- 37 billion records were compromised in 3,932 publicly reported data breaches in 2020 (2020 Year End Data Breach QuickView Report, RiskBased Security)
- The number of records compromised in publicly reported data breaches increased by 141% and far exceeds the most records exposed in a single year since RBS reporting began in 2005 (2020 Year End Data Breach QuickView Report, RiskBased Security)
- The average cost of a data breach rose to $4.24 million, the highest in the 17-year history of the report. The country with the highest breach cost remains the United States and healthcare has the highest industry cost of $9.23 million (Cost of a Data Breach Report 2021, Ponemon Institute and IBM Security)
- The number of healthcare data breaches increased 55.1% in 2020 compared to the prior year (Healthcare Breach Report 2021, Bitglass)
- Attacks are shifting away from seeking consumer information to targeting businesses using stolen logins and passwords (2020 Annual Data Breach Report, Identity Theft Resource Center)
- The average time to identify and contain a data breach was 280 days (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)
Significant Data Breaches & Cyberattacks in 2022 (to date)
- On 01/06/2022, FlexBooker disclosed that their Amazon AWS servers were compromised on December 23, 2021, impacting over 3.7 million accounts and exposing PII of users (BleepingComputer)
- On 01/01/2022, Broward Health disclosed that an intruder gained entry to their network through a third-party medical provider in October 2021. More than 2.3 million people were impacted exposing sensitive PII and PHI (SecurityWeek)
- A cyberattack forced Bernalillo County, New Mexico's most populous county, to take affected systems offline and close most of its buildings to the public (Infosecurity)
Significant Data Breaches & Cyberattacks in 2021
- Mimecast, a security vendor, revealed that SolarWinds hacks breached its network (Ars Technica). A malicious SolarWinds update was leveraged to access the company's production grid environment resulting in the download of a limited number of source code repositories; in addition, some Mimecast-issued certificates were compromised by the attackers (ZDNet)
- A cyber attack against UScellular, the 4th largest mobile network in the US, resulted in the attackers gaining access into the company's CRM housing data for 4.9 million customers including name, plan, usage, billing statement and PIN code (BleepingComputer)
- 38 million California vehicle registration records were potentially compromised in a ransomware attack on a third-party contractor for the California DMV (SFGATE)
- A Volkswagen and Audi data breach exposed the basic information of more than 3 million customers and shoppers, and for some, PII like drivers' license numbers were exposed (CNN)
- A cloud misconfiguration of an ElasticSearch database by SocialArks, a major social media site in China, led to the exposure of 318 million user records (CyberSecurity Magazine)
- Kaseya was hit by a REvil supply-chain ransomware attack. The result was 1,500 downstream business victims whose networks were managed by MSPs using Kaseya's software (BleepingComputer)
- Hackers exploited four security flaws in Microsoft Exchange Servers, gaining access to and remote control of 30,000 entities in the United States, 7,000 servers in the United Kingdom, and other organizations worldwide including small and medium businesses and city, county and local governments (Wikipedia)
- Colonial Pipeline, one of the largest pipelines in the United States, suffered a ransomware attack, paying $4.4 million in ransom and shutting down its pipeline for 11 days (Washington Post)
- An executive order signed following the cyberattacks against SolarWinds, Microsoft Exchange and Colonial Pipeline puts in place new cybersecurity requirements for government contractors, new security standards for critical software, and requirements for companies to report certain information about cyberbreaches (NPR).
- CaptureRX exposed 1,656,569 patient records belonging to more than 14 hospitals and healthcare organizations, information exposed included names, birthdates and prescriptions (Becker's Health IT)
- A cloud-bucket misconfiguration by Hobby Lobby exposed a database containing the PII of 300,000 customers (Threatpost)
- JBS, the largest meat processing company in the world, was the target of a ransomware attack forcing the shutdown of parts of JBS operations and threatening meat prices (SC Magazine)
- A T-Mobile data breach exposed the PII of more than 54 million customers, including Social Security numbers, date of birth, driver's licenses. A hacker claimed responsibility due to T-Mobile's "awful" security (CNET)
- Neiman Marcus disclosed a data breach in May that impacts 4.6 customers including exposure of usernames, passwords and security questions for online accounts (Ars Technica)
- A Twitch security incident exposed source code, but not credentials, full credit card numbers or ACH bank information (The Verge)
- Sinclair Broadcast Group is the latest organization to suffer a data breach and ransomware attack (ABC News)
Significant Data Breaches & Cyberattacks in 2020
- A major cyberattack against the United States federal government was reported to be among the worst cyber-espionage incidents ever suffered, impacting more than 200 organizations. Attackers exploited software from Microsoft, SolarWinds, and VMware (Wikipedia).
- A vision management company, EyeMed, exposed the information of more than a half million records of health plan members from Aetna, Tufts Health Plan and Blue Cross Blue Shield of Tennessee (HIPAA Journal)
- 142 million personal records that were exposed due to hacking of the MGM Resort and MGM Grand Hotels are for sale on the dark web (Threatpost)
- Going back to 2013, a data breach in a hotel management booking platform owned by Prestige Software exposed the data from 10 million travelers including name, phone number, national ID numbers, credit card numbers and stay information (CPO Magazine)
- More than 364,000 patient records were exposed at Magellan Health due to a spear phishing attack (HIPAA Journal)
- A Mathway math app breach exposed the email addresses and hashed passwords of 25 million users, which were then put up for sale on a dark web marketplace (Security Magazine)
- 296 GB of US law enforcement data was posted on a searchable portal including audio, videos, emails, intelligence documents and personally identifiable information (Wired)
- 235 million user profiles from Instagram, TikTok and YouTube were exposed online due to social media scraping (TechRadar)
- Marriott International confirmed a breach in which the data of 5.2 million guests was exposed, making it the second major security incident in less than two years (CNET)
- Microsoft disclosed that a customer support database with 250,000 entries of anonymized user analytics was exposed in December 2019 (ZDNET)
- CAM4, an adult streaming website, leaked the information of 11 billion users including full names, email addresses and payment logs (Identity Theft Resource Center)
- Denmark accidentally exposed the personal identification (CPR) numbers of 1.26 million Danish citizens due to a software error (ZDNET)
- A massive cyberattack against Mitsubishi Electric Corp. may have leaked details of a prototype missile (AP News)
Cost of Cybercrime
- The estimated cost of cybercrime exceeded $1 trillion globally in 2020, more than a 50% increase in two years (The Hidden Costs of Cybercrime, McAfee)
- In the healthcare industry, the average cost per breached record in 2020 was $499 (Healthcare Breach Report 2021, Bitglass)
- The global average cost of a data breach in 2020 was $3.86 million, with an average cost per record of customer PII of $175 (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)
- Phishing was the top cybercrime in the United States in 2020, accounting for more than 30% of all victims, while BEC attacks caused the greatest victim losses at $1.86 billion (Internet Crime Report 2020, FBI)
- Account takeover (ATO) fraud skyrocketed over 300% in Q2 2021 compared to Q2 2019 (Q3 2021 Digital Trust & Safety Index, Sift)
Cyber Risks
- Vulnerabilities were up almost 10% in the NIST National Vulnerability Database (NVD) in 2021 (Security Boulevard)
- Cyber incidents are one of the top three business risks (Allianz Risk Barometer, Allianz)
- Analysis of proxy statements and Form 10-K filings revealed only 29% of Fortune 100 companies used education and training to mitigate cybersecurity risk, up 11% from 2018 (What companies are disclosing about cybersecurity risk, EY)
- Twenty-four percent of C-suite executives and 54% of small business owners say they have no regular training on information security procedures or policies (Data Protection Report 2020, Shred-it)
- 20% of employees said their IT department provided no tips for working remotely (2020 WFH Employee Cybersecurity Threat Index, Morphisec)
Security Awareness Statistics & Trends
Phishing
- Phishing reached a monthly record in Q3 2021, with attacks doubling since early 2020 (Phishing Activity Trends Report, 3rd Quarter 2021, APWG)
- 3 billion spoofed emails are sent every day (Email Fraud Landscape: Spring 2021, Valimail)
- Phishing was part of 36% of all data breaches (2021 Data Breach Investigations Report, Verizon)
- Phishing attacks doubled in 2020 with October shattering monthly records (Phishing Activity Trends Report, 4th Quarter 2020, APWG)
- Phishers themselves register the domain names of more than 50% of the phishing websites (malicious registrations), but the number is probably even bigger due to over-redaction of data in WHOIS (Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing, Interisle Consulting Group)
- One in four employees say they clicked on a phishing email at work; being distracted was the main reason given for clicking on a phishing email (The Psychology of Human Error, Tessian)
- Deception techniques used by phishers to fool users include: domain names chosen to avoid detection, encryption that provides a false sense of security, and deceptive email addresses that spoof trusted organizations and contacts (Phishing Activity Trends Report, 4th Quarter 2020, APWG)
- The use of HTTPS on phishing sites rose sharply in 2020, with 72% making use of digital certificates and TLS encryption (2020 Phishing and Fraud Report, F5 Networks)
- Business email compromise (BEC), or email account compromise (EAC), is one of the most financially damaging online crimes (Scams and Safety, FBI)
- BEC scam attempts increased 35% in 2020 compared to 2019 (Statista)
- BEC cost companies more than $1.8 billion in 2019 with the average cost growing 48% in the first three quarters of 2020 (2020 Annual Data Breach Report, Identity Theft Resource Center)
Remote Workers
- Tele-everything is embraced with the adoption of telework continuing to grow (Experts Say the ‘New Normal’ in 2025 Will Be Far More Tech-Driven, Presenting More Big Challenges, PEW Research)
- A survey of HR leaders found 90% plan to allow employees to work remotely at least some of the time (Gartner)
- 20% of organizations faced a security breach as a result of a remote worker (Enduring from home, Malwarebytes)
- 44% of organizations did not provide cybersecurity training focused on potential threats from remote work (Enduring from home, Malwarebytes)
- 56% of employees use a personal computer when working from home; 25% don't know the security protocols on their devices; and 20% said their IT department provided no tips for working from home (2020 WFH Employee Cybersecurity Threat Index, Morphisec)
- Three-quarters of employees reported that they print work-related documents at home (Data Protection Report 2020, Shred-it)
- Remote work increased the time to identify and contain a data breach according to 76% of respondents (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)
- 54% of IT leaders surveyed believe remote working increases insider threat (Egress Insider Data Breach Survey 2021, Egress)
Ransomware
- Ransomware attacks increased 250% in the first half of 2021 (Global Security Report: Rapid Increase in Ransomware Threats Drives Need for Security Controls That Speed the Kill Chain, Venafi).
- Ransomware attacks increased 485% in 2020 compared to 2019 (2020 Consumer Threat Landscape Report, Bitdefender)
- The average ransomware payout was greater than $233,000 per event in Q3 2020, up 31% from Q2, with ransomware attack vectors being adjusted to the target organization's size (Coveware)
- Ransomware evolved into multi-faceted extortion and continues to escalate; "name and shame" websites also grew more prevalent (M-Trends 2021, FireEye Mandiant Services)
- Ransomware distribution in 2019 was greatest in the energy & utilities vertical (32%), followed by government (14.1%), then manufacturing (13.8%) (2020 Cybersecurity Outlook Report, VMware / Carbon Black). [We anticipate seeing healthcare ransomware much higher in 2020 and 2021 – ed. Security Mentor]
Identity Theft
- Identity fraud scams cost U.S. customers $43 billion in losses in 2020 (2021 Identity Fraud Study: Shifting Angles, Javelin)
- Education and awareness are key components of effective fraud prevention for consumers (2021 Identity Fraud Study: Shifting Angles, Javelin)
- The top personally identifiable information (PII) exposed in data breaches is Social Security Number (SSN), followed by PHI, then email and password (2020 Annual Data Breach Report, Identity Theft Resource Center)
- Nearly half of U.S. consumers experienced identity theft (U.S. Identity Theft: The Stark Reality, GIACT)
- Identity-related losses were estimated to increase by 42% between 2019 and 2020 (U.S. Identity Theft: The Stark Reality, GIACT)
Computer Security
- Windows workstations represent a major cybersecurity risk to organizations, with over 35% of those in healthcare running unsupported Windows versions (The Enterprise of Things Security Report, Forescout)
- 90% of enterprise Windows 10 devices are missing critical security updates (2020: The State of Endpoint Resilience™ Report, Absolute)
- 67% of workers under 30 report using shadow IT (Forcepoint)
- One research study found that hackers attack computers every 39 seconds (Clark School, University of Maryland)
Office Security
- 63% of C-suite executives report their employees have left confidential documents out in the open (Data Protection Report 2020, Shred-it)
- Improper document disposal accounted for 14% of data breaches caused by physical attacks (2020 Annual Data Breach Report, Identity Theft Resource Center)
- 57% of employees still save passwords on sticky notes (Workplace Password Malpractice Report 2021, Keeper Security)
Internet of Things (IoT)
- In a recent Microsoft survey, 64% of respondents had low or average confidence that their IoT devices are patched - and the same proportion admitted they did not know if the devices had been compromised (The State of IoT and OT Cybersecurity in the Enterprise, Microsoft)
- There was a 700% increase in IoT-specific malware compared to pre-pandemic findings (Zscaler)
- Cyber attacks against IoT increased 35% in the first half of 2020 (Microsoft Digital Defense Report 2020: Cyber Threat Sophistication on the Rise, Microsoft)
- Worldwide there will be 55.7 billion connected devices by 2025 (IDC)
- There has been a surge in unauthorized IoT traffic from devices connected to enterprise networks by employees (IoT in the Enterprise 2020, Zscaler)
- Four in five IoT devices transfer data in plain text instead of over SSL (IoT in the Enterprise 2020, Zscaler)
- IoT devices continue to lack security hardening. Possible reasons include poor design, lack of support, and even abandonment (2020 Consumer Threat Landscape Report, Bitdefender)
Mobile Security
- In 2020, the number of smartphone users worldwide surpassed 3 billion (Statista)
- 97% of organizations in 2020 faced mobile threats that used multiple attack vectors (Mobile Security Report 2021, Check Point)
- Six in ten employees use non-encrypted USB devices at work, while nearly half (48%) of employees have lost a USB drive without notifying the appropriate authority (State of USB Data Protection [2019], Apricorn)
- 46% of organizations had at least one employee download a malicious mobile application (Mobile Security Report 2021, Check Point)
- Users misplacing devices is responsible for 64% of all mobile device losses (e.g., work, school) while theft is responsible for 36% (Mobile Theft & Loss Report 2020, Prey Project)
- 63% of mobile applications contained open source security vulnerabilities with an average of 44% of the vulnerabilities considered to be high risk (Peril in a Pandemic: The State of Mobile Application Security, Synopsys)
- 85% of mobile phishing attacks are outside of email: 17% of attacks are through messaging apps, 16% through social networking apps and 11% through games. The reasons given are that it's hard to see the actual URL on a mobile device, there's a flawed perception that mobile devices are safe, mobile devices feel personal, and thousands of new mobile apps are published every day (Mobile phishing attacks are scary and on the rise: 85% are outside of email, CyberNews)
Passwords Security and Management
- Humans are predictable and so are their passwords: passwords are extremely easy to guess, nearly 24% of people added 1 to the end of their password, keyboard patterns used in passwords are extremely predictable (Unmasked: What 10 million passwords reveal about the people who choose them, WP Engine)
- The number of stolen usernames and passwords in circulation has increased by 300% since 2018 (From Exposure to Takeover, Digital Shadows)
- 66% of people mostly or always use the same password (Psychology of Passwords, LogMeIn)
- Based on analyzing more than 15 billion passwords, the top five most used passwords are: 123456, 123456789, qwerty, password, 12345 (The top 10 most common passwords worldwide, CyberNews)
- 44% of employees reuse passwords across personal & work-related accounts (Workplace Password Malpractice Report 2021, Keeper Security)
- 51% of individuals and 49% of IT professionals sometimes or frequently share passwords with colleagues (The 2020 State of Password and Authentication Security Behaviors Report, Yubico)
- 55% of individuals don't use 2FA when they access work-related items with a personal device (The 2020 State of Password and Authentication Security Behaviors Report, Yubico)
- 62% of employees share passwords by text message and email (Workplace Password Malpractice Report 2021, Keeper Security)
Insider Threat
- Forrester predicts one-third of security breaches will be caused by insider threats in 2021 (Predictions 2021: Cybersecurity, Forrester)
- The frequency of insider threat incidents has tripled since 2016 (Cost of Insider Threats Global Report, Ponemon Institute)
- Exfiltration of sensitive data using email continues to be the #1 egress vector, followed by web uploads to cloud storage sites (2020 Securonix Insider Threat Report, Securonix)
- 59% of IT security leaders expect Insider Risks to increase over the next two years (2021 Data Exposure Report, Code42)
- The most common types of insider threats in the United States are data exfiltration (62%), privilege misuses (19%), data aggregation/snooping (9.5%) with infrastructure sabotage, circumvention of IT controls and account sharing making up the remainder (Statista).
- The total average cost of insider-related incidents is $11.45 million for companies with over 1,000 employees; 63% of insider threat incidents were related to negligence and 23% to criminal insiders (2020 Cost of Insider Threats: Global Report, Ponemon Institute).
- Financial motivations overwhelmingly drive malicious insiders (Insider Threat Report [2019], Verizon)
- 68% of organizations confirmed insider attacks were becoming more frequent (2020 Insider Threat Report, Gurucul)
- Based on the survey of 500 IT leaders, 94% of organizations experienced insider data breaches in the last 12 months and human error was the most common cause (Egress Insider Data Breach Survey 2021, Egress)
Web Security
- 73% of enterprise browsers in North America and Europe are not running the latest browser version (Statista)
- Menlo Security researchers found that 83% of their users running the latest Chrome build were not running the latest version/patch (Menlo Security)
- According to data analyzed by Atlas VPN, Google reported more than 2 million phishing websites in 2020 (Atlas VPN)
- The most abused top-level domains change frequently. The most current listing can be found at Spamhaus
Data Protection
- On average, a financial services employee has access to almost 11 million files on their first day of work (2021 Data Risk Report: Financial Services, Varonis)
- The average healthcare worker has access to 31,000 sensitive files on their first day of work, including HIPAA-protected information, and nearly 20% of all files are open to every employee (2021 Data Risk Report: Healthcare, Pharmaceutical & Biotech, Varonis)
- 73% of enterprise devices contain sensitive data (2021: Endpoint Risk Report, Absolute)
COVID-19 Pandemic
- Employees are 85% more likely today to leak files than prior to the COVID-19 pandemic (2021 Data Exposure Report, Code42)
- Since the COVID-19 pandemic began, the United States lost more than $36 billion of the $360 billion CARES Act due to unemployment fraud, with fraudulent claims accounting for 35% to 40% of new applications (CNBC)
- Total complaints for Internet crimes in the United States spiked 69% during the pandemic (Internet Crime Report, FBI)
- Worldwide there was a 350% increase in phishing websites in the first quarter of 2020, many targeting hospitals and healthcare systems (AP News)
- Sensitive data on endpoints has increased 41% since pre-COVID-19 (2020: The State of Endpoint Resilience™ Report, Absolute)
Security Awareness Training Statistics & Trends by Industry
Financial Services Security Awareness Training Statistics & Trends
- The Finance and Insurance sectors were the most attacked industries by attack volume (X-Force Threat Intelligence Index 2021, IBM Security)
- 18% of BEC attacks were made against Financial Services companies, greater than any other sector (Top Industries Targeted by Cyberattacks, Cortex by Palo Alto Networks)
- The average cost of a data breach in the Financial Services sector was $5.85 per record, the third highest of any sector (Cost of a Data Breach Report 2020, Ponemon Institute)
- The proposed federal rule, "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Provider", would require notification of the occurrence of an incident no later than 306 after it occurred.
- Credential stuffing attacks against the financial sector increased 45% in 2020 (Akamai)
- 44% of breaches were caused by internal actors in 2020; the majority of those actions (55%) were misdelivery, i.e., accidentally sending an email to the wrong person, which accounted for 13% of all breaches (2021 Data Breach Investigations Report, Verizon)
- Online banking use has risen 23% and mobile banking use by 30% (The Front-to-Back Digital Retail Bank, Boston Consulting Group)
- Mobile phishing attacks against the Finance Sector grew 125% in 2020, the largest increase of any industry (Financial Services Threat Report: Cloud and mobile reliance pushes financial services beyond device management, Lookout)
- Microsoft Office 365 spoofing campaigns evade Office 365's defenses and target financial institutions, with new CEOs specifically targeted (New Spear Phishing Emails Target C-Suite Executives, Assistants and Financial Departments, Security Magazine)
- Only 20% of Financial Services employees think an employee needs to be in the office 3 days per week or more, and only 2% of employees would work in an office without a remote option (US Remote Work Survey, PwC)
- Account takeover fraud in Fintech exploded by 850% with most attacks focused on crypto and digital wallets. More than $1.9 billion was lost to cryptocurrency crime alone in 2020 (Q3 2021 Digital Trust & Safety Index, Sift)
Healthcare Security Awareness Training Statistics & Trends
- 48% of hospital executives forced a proactive shutdown in the last 6 months due to ransomware (Perspectives in Healthcare Security, CyberMDX Philips)
- As of May 31, 2021, there had been 250 breaches, resulting in the exposure of 17,262,107 records of unsecured health information (DHS Breach Portal), a pace that, if it continues, will far exceed the breaches in 2020
- In 2020, there were 439 breaches of Public Health Information, resulting in the exposure of 22,956,029 records of unsecured health information (DHS Breach Portal)
- The average cost of a data breach in the Healthcare sector increased 29.5% to $9.23 million in 2021, the highest cost of any sector (Cost of a Data Breach Report 2021, Ponemon Institute)
- Significant security incidents plagued healthcare organizations in 2020 in a diversity of ways: 57% of respondents experienced phishing attacks, 21% credential harvesting, 20% social engineering attacks (non-phishing), 20% malware, 16% theft or loss, 14% website or web application attacks, 13% a negligent insider, 11% a breach or leakage and 10% a malicious insider (2020 HIMSS Cybersecurity Survey, HIMSS)
- The number of healthcare breaches increased 55% over 2019 (Healthcare Breach Report 2021, Bitglass)
- The Cybersecurity & Infrastructure Security Agency (CISA) issued an alert in October 2020 stating that it had "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers" (CISA Alert AA20-302A, Ransomware Activity Targeting the Healthcare and Public Health Sector)
- Telehealth soared 63.4% in the U.S. in 2020 (Intensive Care Needed for Healthcare Cybersecurity, Unisys)
- Attacks on healthcare endpoints in 2020 increased 9,851% from 2019 (2020: A Retrospective Look at Healthcare Cybersecurity, HHS Office of Information Security).
- Ransomware attacks targeting healthcare organizations have increased 45% (Check Point)
- The University of California SF paid $1.14 million in ransom to save their COVID-19 research (Bloomberg Businessweek)
- Approximately 60% of medical devices were at end-of-life with no security patches or upgrades available in 2018 (FDA Partners with SENSATO-ISAO and H-ISAC to Create Open Source Cybersecurity Intelligence Network and Resource, AEHiS)
- Education is a key part of BYOD security in healthcare. "Educating and training employees about BYOD threats and security measures should be directed to improve their commitment to protect hospital data, especially PHI" (Hospital Bring-Your-Own-Device Security Challenges and Solutions: Systematic Review of Gray Literature)
Public Sector Security Awareness Training Statistics & Trends
- Awareness training is the most adopted enterprise security service by state agencies with a 57% adoption rate (2020 Deloitte-NASCIO Cybersecurity Study)
- 25% of public organizations said they had a mobile security related compromise in the past year and 70% of public sector organizations said that a security compromise could put lives at risk (Mobile Security Index 2021, Verizon)
- 86% of respondents surveyed that were targeted with ransomware refused to pay, compared to 46% across all verticals (Infosecurity Magazine)
- One-third of public sector organizations had more than 1,000 Internet of Things devices in use, and 7% had more than 10,000 (Mobile Security Index 2021, Verizon)
- 35% of government agencies spent weeks to discover data loss due to a security incident in the cloud (2021 Cloud Data Security Report, Netwrix)
- Cyberattacks on state and local government are up 50%, with average monthly ransom demands rising to nearly half a million dollars (State and Local Government Security Report, BlueVoyant)
- Funding for federal government cybersecurity efforts went from $13.15 billion in FY 2017 to $18.78 billion in FY 2021 (Statista)
- Almost 25% of state and local government employees use personal unmanaged mobile devices, while almost 9% do in the federal government (U.S. Government Threat Report, Lookout)
- Top cybersecurity threats challenging the Public Sector in 2021 are: state-sponsored cyberattacks, ransomware, phishing, hacktivists and improper usage & internal attacks (Top 5 Cyber Threats Facing the Public Sector, Institute of Defense and Logistics)
Energy & Utilities Sectors Security Awareness Training Statistics & Trends
- The Energy Sector is in the top three sectors reporting cyber attacks (Hiscox Cyber Readiness Report 2021, Hiscox)
- The number of cyberattacks on utility companies exploded from 101 in January 2019 to 874 in July 2020 (Worldwide Denial-of-Service Cyberattacks on Utilities Up Seven-Fold This Summer, Data Shows, Morning Consult)
- 89% of Energy companies have defined their cybersecurity strategy, but only 44% have fully identified and protected their key processes and technological dependencies (Eurasia Review)
- Cybersecurity must be at the core of every aspect of companies' digital transformation strategies (Transforming the energy industry with AI, MIT Technology Review Insights)
- Globally, the percentage of attacked industrial control systems in the second half of 2020 was 33.4 percent (The Jakarta Post)
- 43% of energy-sector companies that reported being hit by ransomware paid the ransom, the highest of any sector (Quartz)
Insurance Industry Security Awareness Training Statistics & Trends
- The size of the global cyber insurance market by 2025 will be 20 billion, with 75% of organizations purchasing cyber liability insurance, no doubt because cyber incidents are seen as the 3rd biggest risk to global businesses (Cyber insurance – statistics & facts, Statista)
- There is increased demand for cyber insurance; the take-up rate nearly doubled from 2016 – 2020, rising to 47% (Cyber Insurance, United States Government Accountability Office, GAO Report to Congressional Committees).
- 81% of C-level respondents surveyed feel their company is not adequately protected against cyber threats and 45% believe that employee security awareness and behavior are measures that should be covered by pre-incident services (Cyber insurance: Risks and trends 2020, Munich Re)
- 2021 predictions are that conditions will again work in favor of cyber criminals; for insurers, business cyber hygiene and employee awareness will be important differentiators (Cyber Risk Outlook 2021: How evolving trends will impact the year ahead, insurancenewsnet.com)
- Insurance fraud (excluding health insurance) costs $40 billion a year, and costs the average US family $400 to $700 in increased insurance premiums each year (Pandemic Fires Up Insurance Fraud, Here's What To Watch For, Forbes)
- Average ransomware claims increased 300% last year with the average ransom quadrupling; insurers are struggling with how to make the cyber insurance business worth offering (Ransomware claims are roiling an entire segment of the insurance industry, Washington Post)
- Insurance companies themselves are targets of cybercriminals; CNA Financial, one of the largest US insurance companies, reportedly paid $40 million after a ransomware attack (One of the biggest US insurance companies reportedly paid hackers $40 million ransom after a cyberattack, Business Insider)