Cybersecurity is one of the top priorities for organizations. In the Global Risks Report 2020, the World Economic Forum places Cybersecurity Failure in the highest risk quadrant in its global risks landscape. With the cybersecurity landscape rapidly shifting, it creates unique challenges for security professionals and users to stay informed and take appropriate action. Moreover, the global pandemic has thrust seismic changes upon governments, business, and individuals including new risks related to remote working, hackers attack methods, and the technologies that employees regularly use. Organizations not only must ensure their IT and security technologies protect against these threats and risks, but it is crucial they train their employees as well.

Security awareness training must address the broadest breadth of knowledge about information security, as well as cover specific security awareness training topics. We've gathered the latest cybersecurity and security awareness statistics and reports from 2022, back to 2020, in one place so you can easily access them. This guide provides cybersecurity and security awareness training statistics and trends separated into three sections:

  1. General Cybersecurity Statistics & Trends
  2. Security Awareness Statistics & Trends
  3. Security Awareness Training Statistics & Trends by Industry Vertical

These statistics and trends provide insight into the importance of employee security awareness training, identifies areas that need to be addressed in security awareness training, and even offers justification for developing budgets for security awareness programs.

General Cybersecurity Statistics & Trends


  • Cybersecurity is in the highest risk quadrant in the Global Risks Landscape 2020, ranking for both the highest impact and highest likelihood to occur (Global Risks Report 2020, World Economic Forum)
  • Preventing data breaches is the top IT priority and second security priority for organizations (2020 Cybersecurity Outlook Report, VMware / Carbon Black).
  • The likelihood of arresting a cybercriminal is less than 1% of the total number of malicious cyber incidents reported annually in the United States (To Catch a Hacker, Third Way)

Human Factor

  • 85% of data breaches were due to the "human element" (2021 Data Breach Investigations Report, Verizon)
  • Fear Fatigue, defined as "demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences, and perceptions" was reported by 80% of respondents in a recent survey. Fear fatigue can often lead to careless employee behavior (Still Enduring from Home, Malwarebytes)
  • 43% of employees are "very" or "pretty" certain they have made a mistake at work with security repercussions (The Psychology of Human Error, Tessian)
  • Low security awareness among employees is the top barrier for organizations establishing effective defenses (2021 Cyberthreat Defense Report, CyberEdge Group)
  • The people domain was the weakest of the 3 domains analyzed (people, process, technology) according in the 2021 Hiscox cyber maturity model, yet funding for training decreased 8% (Hiscox Cyber Readiness Report 2021, Hiscox)
  • 55% of IT leaders rely on employees to alert them to cybersecurity incidents, while 89% of incidents led to repercussions for the employees involved, and only 54% of employees are empowered or trusted by the organizations security culture (Egress Insider Data Breach Survey 2021, Egress)
  • An employee opening a phishing email attachment caused the ransomware attack on HSE, Ireland's national health service, which resulted in €100 million overall cost (The Irish Times

Data Breaches

  • Federal wire fraud charges were filed against former Uber chief security officer over alleged cover-up of a cyber attack against Uber in which hackers obtained access to personal details of 57 million users (SC Media)
  • The number of publicly reported data breaches so far in 2021 already exceeds the total number of data breaches in FY 2020 by 17% (2021 Q3 Data Breach Analysis, ITRC)
  • 37 billion records were compromised in 3,932 public reported data breaches in 2020 (2020 Year End Data Breach QuickView Report, RiskBased Security)
  • The number of records compromised in public reported data breaches increased by 141% and far exceeds the most records exposed in a single year since the RBS reporting began in 2005 (2020 Year End Data Breach QuickView Report, RiskBased Security)
  • The average cost of a data breach rose to $4.24 million, the highest in the 17-year history of the report. The country with the highest breach cost remains the United States and healthcare has the highest industry cost of $9.23 million (Cost of a Data Breach Report 2021, Ponemon Institute and IBM Security)
  • The number of healthcare data breaches increased 55.1% in 2020 compared to the prior year (Healthcare Breach Report 2021, Bitglass)
  • Attacks are shifting away from seeking consumer information to targeting business using stolen logins and passwords (2020 Annual Data Breach Report, Identity Theft Resource Center)
  • The average time to identify and contain a data breach was 280 days (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)

Significant Data Breaches & Cyberattacks in 2022 (to date)

  • On 01/06/2022, FlexBooker disclosed that their Amazon AWS servers were compromised on December 23, 2021, impacting over 3.7 million accounts and exposing PII of users (BleepingComputer)
  • On 01/01/2022, Broward Health disclosed that an intruder gained entry to their network through a third-party medical provider in October 2021. More than 2.3 million people were impacted exposing sensitive PII and PHI (SecurityWeek)
  • A cyberattack forced Bernalillo County, New Mexico's most populous county, to take affected systems offline and close most of its buildings to the public (Infosecurity)

Significant Data Breaches & Cyberattacks in 2021

  • Mimecast, a security vendor, revealed that SolarWinds hacks breached its network (Ars Technica). A malicious SolarWinds update was leveraged to access the company's production grid environment resulting in the download of a limited number of source code repositories; in addition, some Mimecast-issued certificates were compromised by the attackers (ZDNet)
  • A cyber attack against UScellular, the 4th largest mobile network in the US, resulted in the attackers gaining access into the company's CRM housing data for 4.9 million customers including name, plan, usage, billing statement and PIN code (BleepingComputer)
  • 38 million California vehicle registration records were potentially compromised in a ransomware attack on a third-party contract for the California DMV (SFGATE)
  • A Volkswagen and Audi data breach exposed the basic information of more than 3 million customers and shoppers, and for some, PII like drivers' license numbers were exposed (CNN)
  • A cloud misconfiguration of an ElasticSearch database by SocialArks, a major social media site in China, lead to the exposure of 318 million user records (CyberSecurity Magazine)
  • Kaysea was hit by a REvil supply-chain ransomware attack. The results was 1,500 downstream business victims whose networks were managed by MSPs using Kaseya's software (BleepingComputer)
  • Hackers exploited four security flaws in Microsoft Exchange Servers, gaining access to and remote control of 30,000 entities in the United States, 7,000 servers in the United Kingdom as well as other entities organizations worldwide including small and medium businesses and city, county and local governments (Wikipedia)
  • Colonial Pipeline, one of the largest pipelines in the United States, suffered a ransomware attack, paying $4.4 million in ransom and shutting down its pipeline for 11 days (Washington Post)
  • Executive order signed following the cyberattacks against SolarWinds, Microsoft Exchange and Colonial Pipeline puts in place new cybersecurity requirements for government contractors, new security standards for critical software, and requirements for companies to report certain information about cyberbreaches (NPR).
  • CaptureRX exposed 1,656,569 patient records belonging to more than 14 hospitals and healthcare organizations, information exposed included names, birthdates and prescriptions (Becker's Health IT)
  • A cloud-bucket misconfiguration by Hobby Lobby exposed a database containing the PII of 300,000 customers (Threatpost)
  • JBS, the largest meat processing company in the world, was the target of a ransomware attack forcing the shutdown of parts of JBS operations and threatening meat prices (SC Magazine)
  • A T-Mobile data breach exposed the PII of more than 54 million customers, including Social Security numbers, date of birth, driver's licenses. A hacker claimed responsibility due to T-Mobile's "awful" security (CNET)
  • Neiman Marcus disclosed a data breach in May that impacts 4.6 customers including exposure of usernames, passwords and security questions for online accounts (Ars Technica)
  • Twitch security incident exposes source code, but not credentials or full credit card numbers of ACH bank information (The Verge)
  • Sinclair Broadcast Group is the latest organization to suffer a data breach and ransomware attack (ABC News)

Significant Data Breaches & Cyberattacks in 2020

  • A major cyberattack against the United States federal government was reported to be among the worst cyber-espionage incidents ever suffered, impacting more than 200 organizations. Attackers exploited software from Microsoft, SolarWinds, and VMware (Wikipedia).
  • A vision management company, EyeMed, exposed the information of more than a half million records of health plan members from Aetna, Tufts Health Plan and Blue Cross Blue Shield of Tennessee (HIPAA Journal)
  • 142 million personal records that were exposed due to hacking of the MGM Resort and MGM Grand Hotels are for sale on the dark web (Threatpost)
  • Going back to 2013, a data breach in a hotel management booking platform owned by Prestige Software exposed the data from 10 million travelers including name, phone number, national ID numbers, credit card numbers and stay information (CPO Magazine)
  • More than 364,000 patient records were exposed at Magellan Health due to a spear phishing attack (HIPAA Journal)
  • Mathway math app breach exposed the email addresses and hashed passwords of 25 million users that then were put for sale on the dark web marketplace (Security Magazine)
  • 296 GB of US law enforcement data was posted on a searchable portal including audio, videos, emails, intelligence documents and personally identifiable information (Wired)
  • 235 million user profiles from Instagram, TikTok and YouTube were exposed online due to social media scrapping (TechRadar)
  • Marriot International confirmed breach of 5.2 million guests were exposed, making it the second major security incident in less than two years (CNET)
  • Microsoft disclosed that a customer support database with 250,000 entries of anonymized user analytics was exposed in December 2019 (ZDNET)
  • CAM4, an adult streaming website, leaked the information of 11 billion user including full names, email addresses and payment logs (Identity Theft Resource Center)
  • Denmark accidentally exposed the personal identification (CPR) numbers of 1.26 million Danish citizens due to a software error (ZDNET)
  • A massive cyberattack against Mitsubishi Electronic Corp. may have leaked details of a prototype missile (AP News)

Cost of Cybercrime

  • The estimated cost of cybercrime exceeded $1 trillion globally in 2020, more than a 50% increase in two years (The Hidden Costs of Cybercrime, McAfee)
  • In the healthcare industry, the average cost per breached record in 2020 was $499 (Healthcare Breach Report 2021, Bitglass)
  • The global average cost of a data breach in 2020 was $3.86 million dollars with an average cost per record of customer PII of $175 (Cost of a Data Breach Report 2020, Ponemon Group and IBM Security)
  • Phishing was the top cybercrime in the United States in 2020 accounting for more than 30% of all victims; while BEC attacks caused the great victim loss of $1.86 billion dollars (Internet Crime Report 2020, FBI)
  • Account takeover (ATO) fraud skyrocketed over 300% in Q2 2021 compared to Q2 2019 (Q3 2021 Digital Trust & Safety Index, Sift)

Cyber Risks