This type of article needs no introduction: It’s a list of the top cyber security statistics and facts you need to know. We’ll divvy up the content into categories that make sense — everything from total financial and data losses to how these attacks impact organizations and their IT/cybersecurity staff (and everything in between).

Rather than just throw a bunch of data together, we like to provide context with each item on our list of cultivated cyber security statistics. So, keep reading — we’ve got all the cyber security stats you want to know (and those you didn’t know you did).

Note: This article is one that we’ll periodically update with new cyber security stats as they become available.

Let’s discuss it out.

Our Choice of the Top 40 Cyber Security Statistics and Facts For 2023 (So Far)

Before we get started, there’s one quick thing I’d like to mention. Something that’s always important to consider when you’re looking at any list of cybersecurity statistics is that:

  1. The data is going to vary by source, and
  2. Not all cyber incidents and cybercrimes are reported.

Various organizations use different qualifiers and methodologies in their reporting in terms of what may qualify as a cyber incident or data breach. Furthermore, the research is typically based on their own internal systems data, customers monitoring data, or information reported by victims of cybercrimes or survey responses from people within specific industries. And considering it can take weeks, months, or even years for some breaches or cyber attacks to be discovered — if they’re discovered at all — it means that the actual numbers may actually be higher (or lower) than what’s reported.

These are just some of the reasons why you’ll often see different information from one company to the next. With these things in mind, here are your top cyber security statistics for 2022 and 2023:

Cyber Security Statistics: The Growing Costs of Cyber Security Attacks, Crimes and Breaches

Let’s start with the big impact that most of you really want to know: the financial costs. This section will provide a general overview of some of the increasing costs we’re seeing across virtually all industries and geographic regions. It definitely isn’t a pretty picture, but it’s information that everyone — cybersecurity experts, executives, and consumers alike — should know.

1. Reported Potential Losses Exceeded $6.9 Billion for Americans in 2021

We’re coming out swinging with this heavy stat from the FBI’s Internet Crime Complaint Center (IC3). Their 2021 Internet Crime Report shares data relating to cyber crimes reported by the American public. These reported losses were based on 847,376 reported complaints, which equates to an average loss of more than $8,140 per complaint.

This 2021 ported total marks an increase of 7% over the complaints reported in 2020. For a little clarity, that’s 791,790 complaints totaling $4.2 billion in total losses (or what amounts to more than $5,300 per complaint).

Here’s a quick comparison graphic to show the substantial jump in total reported losses over the past five years to the IC3:

Data source: FBI Internet Crime Complaint Center’s Internet Crime Report 2021.

2. The Cost of a Data Breach for U.S. Organizations Tops $9.4 Million

As many know, the U.S. isn’t a country that likes to be outdone — apparently, even when it comes to unfavorable rankings. So, for the 12th consecutive year, IBM ranks the U.S. #1 on the list of countries with the highest average data breach costs. This is according to data from IBM’s 2022 Cost of a Data Breach report.

When you compare the U.S.’s $9.44 million price tag to the global average is $4.35 million, the costs are more than double.

3. The Average Cost of Data Loss Resulting From a Disruptive Cyber Incident Surpasses $1 Million

Data from Dell’s Global Data Protection Index 2022 key findings report shows that the average cost of data loss due to various disruptions, including cyber incidents, was $1,057,895 in 2022. This number is more than the estimated costs of $959,4930 in 2021 and $1,013,075 in 2019.

4. The Price of Insider Threat Incidents Jumps to $15.38 Million Per Incident

It’s no secret that external threats aren’t your only concern. Some threats originate inside your organization’s network, too — and those threats are increasing at an alarming rate. In collaboration with Proof Point, the Ponemon Institute’s 2022 Cost of Insider Threats Global Report shows that the number of insider threats has jumped nearly 45% over the past two years, surpassing $15 million per incident.

Insider threats include everyone in your organization who causes harm through malicious or even negligent actions and behaviors. Someone doesn’t have to do something intentionally bad to fall into the category of insider threats.

5. Australia’s Average Cybercrime Costs Nearly $90,000 for Medium-Size Businesses

Crikey! The Australian Cyber Security Centre (ACSC) says that cybercrime reports increased 13%, receiving more than 76,000 cybercrime reports between July 2021 and June 2022. This equates to nearly nine cybercrime reports every hour. The average cost of one of these cybercrime reports varies depending on organizational size, and the amounts may surprise you:

  • $39,000 for small businesses,
  • $88,000 for medium-sized businesses,
  • $62,000 for large businesses.

6. BEC Attacks lead to ‘Hundreds of Thousands of Dollars’ in Fraudulent Food Purchases

An illustration that talks about the reported losses (largely in powdered milk)
Data source: The joint cyber security advisory released by the FBI, FDA OCI, and USDA.

With looming concerns about economic recessions and food shortages, some cybercriminals are targeting more basic needs via business email compromise (BEC). At the end of December 2022, the FBI, Food and Drug Administration Office of Criminal Investigations (FDA OCI), and U.S. Department of Agriculture (USDA) shared in a joint cybersecurity advisory that cybercriminals used BEC attacks to steal “hundreds of thousands of dollars” in food products and ingredients — namely, powdered milk and other ingredient products.

When you calculate the amounts listed in their advisory, it totals more than $1 million in losses for those targeted suppliers and distributors. Of course, this amount only reflects the reported losses; there may be other instances of other similar BEC attacks with losses that have gone unreported or haven’t been discovered.

Cyber Security Statistics: Other Impacts of Cyber Attacks & Data Breaches in 2022 and 2023

Not all costs of data breaches are strictly financial. Your business and customers can be impacted in other ways as well. This section of our cyber security stats list will explore some of the other impacts cyber attacks and data breaches have on businesses.

7. 33% of Companies Aren’t Taking Cyberwarfare Threats as Seriously as They Should

Many organizations and their employees have a lot of uncertainty in the global landscape regarding the ongoing Russia-Ukraine war. But data from the Armis State of Cyberwarfare and Trends Report 2022-2023 survey of 6,021 IT and cyber security professionals shows that a surprising number of global organizations aren’t concerned that the situation will impact their organizations.

8. Organizations Globally Are Racking Up GDPR Non-Compliance Fines, Which Top 2.7 Billion

Enforcementtracker.com, a website that tracks fines imposed relating to the European Union’s General Data Protection Regulation (GDPR), says that the reported 1,435 GDPR fines have come with a price tag of €2,772,289,077 leading up to January 2023.

The highest individual GDPR non-compliance fine to date? According to enforcementtracker.com, Amazon takes the title with €746 million in July 2021. It’s followed by Meta, which has received multiple individual penalties since 2021.

9. 47% of Consumers Stop Doing Business With Companies That Lose Their Trust

Whether you’re asking for advice, lending money, or choosing a physician, trust is an essential element. It helps determine your actions and make informed decisions. When that trust is damaged or lost, it can change relationships and cause someone to walk away. According to DigiCert, that’s exactly what nearly half of the consumers the certificate authority surveyed said they did with companies that betrayed their trust previously. They halted any business dealings with them and walked away.

DigiCert’s research also shows that if they lost trust in a company:

  • 84% would consider moving their business to another company
  • 57% would most likely make the switch

Now, ask yourself: If 47-84% of your customers were at least considering walking away in the event of, say, a data breach, what would that mean for your business and its bottom line? How long would you last before having to close your doors for good?

10. 50%+ Would Reconsider Their Employment If Their Company Has Been Breached

What is the perception of staff in organizations that have experienced cyber attacks and data breaches? Research from ENCORE and Censuswide (in their report The True Cost of Cyber) shows that more than half indicated they’d “reconsider working for a business that had recently experienced a cyber breach.”

Their U.S. and U.K. survey of 100 c-level execs, 100 chief information security officers, and 500 office workers to see where discrepancies may lie in perceptions about cybersecurity.

Cyber Security Statistics: Data on Cyber Attacks and Data Breaches

In this section of our cyber security stats list for 2023, we’ll go over some of the top cyber attack statistics and data breach statistics that we found that we think would be of interest to you. We thought this would be additional useful information to follow the financial costs of cyber attack events and breaches we already talked about.

11. Leaked Accounts Decreased Nearly 68% YOY From 2021 to 2022

Surfshark, a VPN service provider, reports that their analysis of 2022 data breaches and account leaks shows that there were 310,855,487 accounts leaked in 2022. This is a substantial decrease from the 959,327,963 leaked accounts reported in 2021.

Based on these estimates, it means that roughly 852,000 accounts were breached per day in 2022, or what equates to 591 accounts per minute.

12. >85% of Cyber Attacks in 2022 Were Carried Out via Encrypted Channels

Encryption is an incredible attribute for security. It’s a process that takes plaintext (readable) information and uses highly complex math to transform it into gibberish. (This typically involves using one or two cryptographic keys, depending on the type of encryption involved.) This way, only the appropriate party (i.e., the decryption key holder) can access the encrypted data. But what happens when people use encryption to do bad things?

Zscaler’s ThreatLabz State of Encrypted Attacks 2022 Report shows that more than four in five cyber attacks used encryption to deliver malicious payloads and to access sensitive data. Unfortunately for you and me, these attacks are becoming increasingly sophisticated and more common as well. Threats using encrypted communication channels have increased by 20% year over year.

But what was the most popular type of payload delivered through encrypted channels?

13. Malware Takes the Lead, Serving as the Threat in Nearly 90% of Encrypted Traffic Cyber Attacks

An illustration that shows how malware outpaces ad spyware and phishing in encrypted channel cyber attacks, according to data from Zscaler
Data source: Zscaler’s ThreadLabz State of Encrypted Attacks 2022 report.

Cybercriminals have a few cards up their sleeves when it comes to carrying out encrypted traffic attacks. According to Zscaler’s report, which analyzed billions of encrypted traffic threats between October 2021 and September 2022, using encrypted channels isn’t all they do. Zscaler’s data of 24 billion blocked attacks shows that attackers would use other methods of attack: malware, ad spyware, and/or phishing.

Of those three, malware is the biggest threat by far, representing 90% of the threats

14. Red Flags Were Seen Ahead of Time in 83% of Ransomware Attacks

When it comes to securing your cyber defenses, you always need to be on the lookout for anything out of the ordinary. Even something seemingly small or unimportant can have a major impact on the security of your organization. In their 2023 Threat Report, Sophos reports that eight in 10 survey respondents indicated seeing signs of trouble ahead leading up to ransomware incidents.

The issue here isn’t always a matter of ransomware or cyber threat detection. It’s a matter of recognition. If organizations don’t recognize these issues for what they are and fail to take steps to rapidly mitigate them, then they’re going to find themselves in some hairy situations.

15. Paying For Cybercrime Can Cost Evil-Doers as Little as $6 For a Phishing Kit

Who knew that causing havoc could come at such a cheap price tag? For bad guys, it’s all in a day’s business. Much like vendors at the local market, cybercriminals are on the dark web, hocking their cyber wares and services at low prices to other bad guys. Data from Microsoft’s 2022 Digital Defense Report shows that cybercrime-as-a-service (CaaS) sellers offer phishing kits for as little as you’d pay for a Taco Tuesday special at a local Mexican restaurant.

Yup. A bad guy can pay only $6 and use the kit to get information they can use to hack your organization. Forget the tacos — that knowledge alone is enough to give you indigestion.

16. 78% of Schools in the United Kingdom Have Experienced One or More Cyber Incidents

In the U.K., the situation doesn’t look pretty for the school system. In a new report “Cyber Security Schools Audit 2022” by the U.K.’s National Cyber Security Centre and LGfL, participating schools shared that three-quarters had at least one cyber incident since the previous survey in 2019. Of those, “only” 7% reported experiencing significant disruptions as a result of those incidents. (Yes, we know 7% isn’t great, but it sure beats 15%, 20%, or any other higher statistic.)

But what kinds of incidents are we talking about here? The answer varies from one school to the next, but among the most commonly reported were:

  • Phishing impersonation emails (26%) and
  • Malware infections (26%), including viruses and ransomware, and
  • Preventing access to important data and information (18%)

17. 62% of Incidents Involving System Intrusions Occurred Through Compromised Partners

There’s a phrase from J. R. R. Tolkien’s poem from The Fellowship of the Ring that you’ll commonly see in memes and inspirational quotes online: “Not all those who wander are lost.” When it comes to cybersecurity incidents and attacks, I’ve come up with a variation of it that I think is fitting: “Not everyone who gets compromised is the true target.” Research from Verizon’s 2022 Data Breach Investigations Report (DBIR) shows that nearly two in three cybersecurity incidents involving system intrusions compromised the organization’s partners in order to get to them.

Think back to the 2013 Target data breach. Rather than trying to hack or attack Target directly, the cybercriminals instead focused their attention on attacking an HVAC company that had a contract with Target. They then used the HVAC company’s compromised network credentials to gain access to Target’s systems, where they were able to upload malware to the retail giant’s point-of-sale (PoS) systems.

Now, take a moment and think of a contractor or partner that has been granted access to your network or other IT systems. What were to happen if their account was to become compromised?

Cyber Security Statistics: A Look at the State of the Industry as a Whole

In this section of our cyber security statistics list, we thought it would be helpful to get a high-level perspective of the industry as a whole. Here are some of the most useful and latest cyber security stats we could find:

18. The Global Industrial Cyber Security Market Is Expected to Surpass $49.5 Billion by 2023

It shouldn’t come as a surprise that the cyber security market is a booming industry. Between 2023 and 2030, Meticulous Research expects the industrial cyber security market to increase at a compound annual growth rate (CAGR) of 14.8% between 2023 and 2030. What’s thought to be the driving force of this change? According to the report, it’s “disruptive digital technologies and the increasing frequency & sophistication of cyberattacks.”

“Disruptive digital technologies” sure seems like a nebulous term. Some things that it’s referring to would be advancements in the realms of artificial intelligence, machine learning (ML), and industrial IoT (IIoT). While these technologies can be great for your organization’s productivity and efficiency, they also present risks with zero day vulnerabilities and cybercriminals using them to attack your organization.

19. Privacy Regulations Will Apply to 75% of the World Population’s Personal Data by 2024

By 2024, Gartner predicts that three in four people’s personal data will be protected under some type of privacy regulation. This is great for consumers but presents a nightmare for businesses that aren’t prepared. The research company, which reports that the average privacy budget for large organizations hit $2 million in 2021, anticipates that large organizations will more than double that number to $2.5 million annually by 2024.

According to their press release, this change represents a shift from “compliance ethics to competitive differentiation.” This move really shouldn’t come as a surprise as we’ve seen several privacy regulations crop up over the last several years:

  • European Union’s General Data Protection Regulation (GDPR)
  • Brazil’s General Personal Data Protection Act (LGPD)
  • California’s Consumer Protection Act (CCPA)
  • Turkey’s Personal Data Protection Act (KVKK)

20. 91% of Organizations Report Experiencing At Least One Significant Security Event

Nine in 10 organizations surveyed in Deloitte’s 2023 Future of Cyber report indicate experiencing at least one big cyber security incident or data breach. This is up from the 88% who reported the same in Deloitte’s 2021 survey.

But let’s look at the numbers a little more closely. In this year’s report, more than half (52%) of the respondents said they experienced anywhere between six and 15 of these incidents or breaches. Their survey focused on understanding how cyber has evolved since their 2021 report was released.

21. 60% of the GAO’s 335 Public Recommendations Haven’t Been Implemented

According to its Jan. 23 report, the U.S. Government Accountability Office’s made 335 public recommendations since 2010. In that time, only one-third of the 335 comprehensive cybersecurity strategy and oversight recommendations were implemented as of December 2022.

If everything had gone according to plan, this means that nearly an average of 28 recommendations have been put into action per year. However, what this shows is that just shy of 12 such recommendations were actually implemented each year.

22. Healthcare & Public Health Organizations Were the #1 Ransomware Attack Targets in 2021

The IC3’s 2021 Internet Crime Report indicates that public health and healthcare organizations took the brunt of ransomware attacks in 2021. Of the 649 ransomware attack complaints across 14 critical infrastructure sectors that experienced one or more ransomware attacks, healthcare and public health claimed 148 of them.

Here’s an overview of how these critical infrastructure sectors’ ransomware attacks broke down in 2021:

A bar chart showcasing data relating to the 14 critical infrastructure categories that reported ransomware attacks in 2021
Data source: The FBI IC3’s 2021 Internet Crime Report.

23. 87% of Cyber Security Teams Report Security Tool Integration Issues

The same Force Point/Cybersecurity Insiders research also shows that gaining full visibility of the security landscape continues to elude almost 90% of cyber security professionals. It’s not uncommon for companies to have to utilize a slew of different tools because they don’t integrate. This creates a host of security issues.

24. API-Based Attacks on Automotive Smart Mobility Technologies Increases 380%

Data from Upstream’s 2023 Global Automotive Cybersecurity Report shows that API makes for an increasingly attractive attack vector for attackers. API attacks accounted for 12% of the total incidents they reported.

With the industry’s growth of smart mobility APIs, we can expect to see more cybercriminals taking advantage of this growing attack vector across the industry.

25. 44% of Small & Mid-Size Businesses Lack Current Cybersecurity Incident Response Plans

More than two in five SMBs don’t have a comprehensive, updated IRP in place, according to Devolutions’ State of Cybersecurity in SMBs report for 2022-2023. While this may not seem like a big deal on the surface, it really is. Cyber security incident response plans are critical resources every organization should have in place regardless of size. It’s what will help you know what to do when (not if) smelly things eventually hit the fan.

It’s no secret that many small businesses march to the beat of their own drums. For some, they don’t follow industry best practices because they lack the personnel and financial resources required for implementation. For others, they think that because of their small size, they aren’t a target for cybercriminals. But regardless of the reasons why they “can’t,” there are millions of reasons (think of the costs we mentioned earlier) why they should.

Cyber Security Statistics: Insights from the Top

It’s always useful to have a clearer idea of what your leadership might be thinking when it comes to your organization’s cyber security measures and policies. This way, you can understand their expectations and misconceptions. This section of cyber security stats will explore some of those insightful takeaways.

26. 20% of Cyber Security Executives and Pros Wouldn’t Bet a Chocolate Bar on Their Cyber Security

Ivanti takes a slightly humorous approach to asking an important question: do you trust your organization’s cyber defenses and team to stand up against real cyber threats? According to the company’s 2023 Cybersecurity Status report, one in five respondents wouldn’t even bet a chocolate bar on their organization’s security capabilities.

If you’re not willing to wager the value of a basic vending machine item, then you shouldn’t think your organization is equipped to secure trade secrets, customer information, and other sensitive data against cyber attacks. While this number is depressing, it certainly shows the lack of confidence employees have in their organizations’ cyber defenses…

27. 67% of IT Decision Makers Don’t Think Their Cyber Defenses Can Stand Up to Malware Threats

Oh, boy. Two in three IT decision makers surveyed by Dell Technologies (in the global data protection report we mentioned earlier) between August and October 2022 lack confidence in their organizations’ data security measures when it comes to malware and ransomware.

A whopping 69% of survey respondents are so concerned, they fear that their organizations will experience a big cyber security incident within the next 12 months. This is fewer than the 86% who say their organizations already have experienced “at least one” such disruption within the past year. But still — both numbers are disconcerting and reflect the growing threats within the industry.

Of course, all of these reports require context… as you’ll see, there are some very different sentiments expressed by respondents of various surveys.

28. 92% of CISOs and C-Level Execs Are Overly Confident in Their Organizations’ Security

Research from ENCORE and Censuswide (i.e., The True Cost of Cyber report we mentioned earlier) shows that nine in 10 chief information security officers and other top-level executives feel confident that their organizations are secure “at any given moment.”

29. 52% of Organizations Report Having “High Visibility” of Their Networks

Having visibility of the application, devices, and services running on your network is crucial to cybersecurity initiatives. After all, how can you secure what you don’t know you have? Ivanti’s 2023 Cybersecurity Status report shares data executives and cybersecurity professionals. The insight we want to highlight here is that slightly more than half of their survey respondents believe they have “high visibility” of such things.

Of course, this response makes me wonder whether public key infrastructure (PKI) digital certificates and keys were included in respondents’ considerations when answering the question. Keyfactor reports that 55% of survey respondents for their 2022 State of Machine Identity Management report say they don’t know how many digital certificates and keys they have within their IT environments.

30. 70% of Organizations Report That Cyber is a Frequent Boardroom Discussion

Deloitte’s Future of Cyber 2023 report shares that seven in 10 boards discuss cyber-related concerns regularly, either on a monthly or quarterly basis. On the surface, that’s great! It, ideally, means that boards are having regular discussions about a truly important topic that intimately affects their businesses and customers alike.

The question, though, is how effective these conversations are with regard to bringing about any positive changes. This brings us to our next bit of data….

31. 59% of Directors Don’t Think Their Boards Fully Understand Security Risk Factors

Data from a 2023 PwC survey of more than 3,500 business, security and technology execs shows that nearly three in six directors aren’t confident their boards really “get it” when it comes to cyber risks. The concern is that these leaders don’t have the necessary understanding of the relationships between certain factors and the cyber risks they result in.

But how can someone make changes to improve situations they don’t understand? Simply put, they can’t. But this is where CISOs, CIOs, and other cyber security leaders can step up and help make a change for the better.

32. 49% of Breached Organizations’ Top Dogs Want CISOs to Take the Wheel on Security

CEOs from organizations that have suffered data breaches want CISOs to play a leading role and to “drive collaboration” regarding security initiatives in 2023. Data from the aforementioned PwC survey indicates a shifting preference for inviting chief information security officers to have a seat at the table rather than being the outsider to the conversation.

The idea here is that by having CISOs lead and partner with other leaders, organizations can pave a better path forward through collaboration and more effective security.

33. 62% of Risk & Legal Leaders View Cyber Security and Data Disputes as Risks

Baker McKenzie, a globally renowned law firm, surveyed 600 senior risk and legal leaders from companies with annual revenues surpassing $500 million in multiple countries. Their findings show that cybersecurity and disputes regarding data security are among the top-of-mind concerns for these leaders globally.

Their report includes a meaningful quote from Cyrus Vance, Baker McKenzie’s Global Chair of Cybersecurity:

“We are in a global cybersecurity pandemic, but without a vaccine. Unfortunately, the current forecast in cybersecurity [favors] the criminal and state-sponsored actor over society’s ability to fight them. And it’s not just about extracting money or data. These attacks serve to diminish trust in our most important institutions and sow fear and uncertainty across our population – one of the principal goals of our adversaries.”

Cyber Security Statistics: A Look at Cyber Security and Tech Industry Employment

This section will talk about the topic some of you are most interested in reading: everything relating to hiring, retention, and general employment-related information.

34. 2023 Kicks Off With a Bang — Tech Companies Say They’ll Eliminate ~50,000 Positions

Happy New Year! …You no longer have a job. This is the brutal news tens of thousands of employees find themselves facing in the early weeks of 2023. It’s a genuinely unsettling time to be working in the tech industry.

Here are a few examples of some of the big tech company layoffs announced since the start of the 2023 year:

  • Amazon. In Fall 2022, the distribution company originally reported that it would be reducing its workforce by 10,000. But on Jan. 4, Amazon CEO Andy Jassy shared even more dire news: its plans to eliminate more than 18,000 jobs largely from Amazon Stores and its People, Experience and Technology organization.
  • Coinbase. The cryptocurrency company announced on Jan. 10 that more layoffs (in addition to the ones announced in 2022) would be coming down the pike. They estimate that 950 people would be let go as a result of the crypto market’s downward trend and the overarching global economy issues. As part of the transition, Coinbase says it’ll provide a minimum of 14 weeks’ base pay (more for those with additional years worked), health insurance, and other unspecified benefits.
  • Google. In a Jan. 20 blog post, Alphabet’s CEO (Alphabet is Google’s parent company) announced that the company will be eliminating 12,000 roles in the U.S. and abroad. They’ve announced that they’ll provide pay to employees during the notification period and various severance packages.
  • Microsoft. On Jan. 18, the tech giant announced its plans to reduce its workforce by “approximately 10,000 employees” by the end of fiscal Q3 2023.
  • Salesforce. Salesforce announced Jan. 4 that it would cut 10% of its workforce (just shy of 8,000 positions based on the full-time equivalent headcount published in its Q3 2022 fiscal report), saying it bit off more than it could chew by hiring “too many people.” For U.S. employees, this means employees with receive “a minimum of nearly five months of pay, health insurance, career resources, and other benefits” to help while they seek new employment.

In the fall, Google and other companies like Twitter and Meta (formerly Facebook) also announced their plans to reduce their workforces.

35. 60% of Enterprises Struggle With Retaining Qualified Cyber Security Experts

ISACA’s 2022 State of Cybersecurity Survey states that retention of high-quality cyber security employees is a major concern. It’s not just about getting people to continue working at your company; the more important thing is ensuring that you’re keeping the right butts in the right seats.

There’s massive competition within the industry as companies are seeking the best and brightest talent. Employees having high wage expectations certainly doesn’t help from a hiring perspective, but, historically, prospective talent have had a lot of options to choose from when it comes to selecting their next employer.

But hiring and retention issues aren’t a problem only for hiring managers. They’re a big issue for organizations’ cybersecurity teams as well.

36. 63% of Cybersecurity Teams Are Significantly or Somewhat Understaffed

Much like how it is for other industries, turnover is an issue in cyber security as well. Data from ISACA’s State of Cybersecurity 2022 report shows how bad the situation has gotten for the people on the ground:

  • 15% of organizations report their cybersecurity teams are significantly understaffed, and
  • 47% say their teams are somewhat understaffed.

To make matters worse, 63% of ISACA’s survey respondents indicate that they have open cybersecurity positions available that they’ve been unable to fill.

Cyber Security Statistics: A Look at the Human Side of Cyber Security

There’s more to the “human” aspect of your employees than just hiring, retaining, and firing them. Here are some of the other factors you should consider when making policies and decisions that will affect your IT and cyber security employees.

37. Stress Is One of the Top Five Reasons Cyber Security Professionals Quit

People aren’t only leaving jobs because they’re getting laid off or fired. There are plenty of good reasons why someone would seek out a new role. ISACA’s data shows that being recruited (59%) is the top reason, followed by a lack of financial incentives (48%).

But aside from the most glaring reasons why cyber security pros leave their jobs, there are three other reigning reasons why they’re abandoning their positions and seeking opportunities elsewhere:

  • A dearth of development or promotion opportunities (47%),
  • Increasingly high stress levels (45%)
  • A Lack of support from managers and leadership (34%)

38. 67% of Cybersecurity Incident Responders Say Anxiety and Stress Crop Up During Incidents

A basic graphic that illustrates the toll cyber security incidents take on incident responders' personal lives and relationships in the forms of stress and anxiety
Data source: The IBM Security Incident Responder Survey (from IBM and Morning Consult).

Cyber security incidents are far reaching with their effects extending far beyond the business world for employees. Two in three (67%) cyber security incident responders surveyed by Morning Consult (on behalf of IBM) say their mental health is impacted, resulting in increased stress and anxiety. But those are not the only effects of responding to cybersecurity incidents:

  • 29% of cybersecurity incident responders report impacts on their relationships and social lives outside of work.
  • 30% report experiencing burnout from responding to these incidents.

Here’s a quick overview of the data from Morning Consult/IBM:

A bar chart graphic that showcases the types of impacts cyber security incident responders face over time as a result of the stress and anxiety expeirenced in their roles
Data source: The IBM Security Incident Responder Survey (from IBM and Morning Consult).

39. 33% of Organizations Don’t Provide Cyber Awareness Training to Remote Users

Many companies blame increasing cyber security risks on remote workers and their increasing reliance on remote connectivity. However, instead of doing something to address the situation, Hornetsecurity reports that one-third of companies don’t even bother providing cyber awareness training to their remote users. This is despite the fact that three in four employees who work remotely have access to sensitive and critical data.

Hornetsecurity’s data shows that many IT professionals don’t have a lot of confidence in their organizations’ remote security measures. One of the biggest issues? Uncontrolled file sharing.

40. 84% of Cyber Security Pros Are Overwhelmed By Increasing Security Alerts

Alert fatigue — ever heard of it? The term typically refers to the issue of becoming desensitized to alerts to the point that professionals fail to appropriately respond to them. In IT and cybersecurity, security alerts are unnerving and require a lot of time, mental focus, and patience for individuals and teams to handle. New research from Force Point and Cybersecurity Insiders shows that eight in 10 cybersecurity teams receive too many security alerts and that those alerts are taking a toll on their team members.

Too many alerts can lead to feelings of being overwhelmed, which can affect productivity and make people feel like they’re being pulled in too many directions. According to survey respondents, the issue of being overwhelmed only gets even worse with the more security tools they rely on.

Were you expecting a massive list like last time? Quality over quantity, my friend. We hope that this list of cyber stats provides you with a plethora of useful information about what’s shakin’ within the cybersecurity industry and related considerations.

We’ve seen the damage that intentionally malicious human actions can cause. But threats and security incidents also can result from mere human ignorance, mistakes, and errors. The U.S. Federal Flight Administration (FFA) recently released a statement regarding the January Notice to Air Missions (NOTAM) systems outage that halted thousands of flight departures around the country. Their preliminary review said that contract personnel accidentally deleted files that led to the widespread outage.

While cyber security incidents are ever-increasing concerns, it’s not all doom and gloom. There are things you can do to help protect your organization from many of these growing threats:

  • Follow industry best practices to secure your IT infrastructure, network, and data repositories.
  • Be realistic about your capabilities and vulnerabilities and recognize that your organization isn’t infallible.
  • Implement the use of defense technologies and resources from reputable vendors.
  • Offer in-house or third-party cyber awareness training to reduce employee ignorance and apathy.

Do you have other current cyber security statistics that you’d like to share with me and your fellow readers? I’d love to see them! Be sure to share them in the comments section below.

This article was originally written in May 2020 and has been updated in January 2023 with the latest cyber security statistics.

 

Article published on TheSSLStore by Casey Crane

Related Products