Cybercrime is now a global epidemic — and 2019 looks to be another record-breaking year for data breaches. Cybersecurity Ventures forecasts that global cybercrime will cost $6 trillion annually by 2021.
It’s eye-opening to put this number in perspective: $6 trillion is “exponentially more than the damage inflicted from natural disasters in a year, and more profitable than the global trade of all major illegal drugs combined,” according to Cybersecurity Ventures.
To get a better picture of the cybersecurity threats and challenges affecting organizations across industries, we gathered relevant statistics. Here’s what we found:
Impacts of Cybercrime
1. Among risk professionals across 22 industries around the world, cyber incidents (which include cybercrime, data breaches, fines, and IT outages) tied with business interruption as the top risk in 2019. Cyber incidents rose to the top from the No. 5 spot in 2015 and No. 15 in 2013 (Allianz and Allianz).
2. Financial gain remains the top motivation behind breaches, involved in 79% of incidents that have resulted in confirmed disclosure of data (Verizon).
3. A significant number of organizations (77%) have limited cybersecurity and resilience (EY).
4. The average cost of a data breach globally is $3.92 million, or $150 per record in 2019. For comparison, costs were $3.62 million per breach and $141 per record in 2017 (IBM Security/Ponemon and IBM Security/Ponemon).
5. The average cost of a data breach in the United States is more than double the global cost, at $8.19 million in 2019 (IBM Security/Ponemon).
6. Breaches caused by malicious actors cost 27% more than those caused by human error and 37% more than those caused by glitches in a system (IBM Security/Ponemon).
7. In 2018, the average cost to remediate successful endpoint attacks grew to $7.12 million from $5 million in 2017 (Ponemon Institute/Barkly).
8. Among victims of data breaches, 43% are small businesses (Verizon).
10. Loss of revenue from disruptions to business operations is tied with loss of customer trust as the biggest impact organizations see from incidents or breaches (Deloitte).
Among midmarket companies, 53% experienced a breach in 2018, according to Cisco.
The Threat Landscape
12. Approximately 44% of respondents said they were breached more than once by the same threat actor using similar tactics, techniques, and procedures (SANS).
13. In 2019, 78% of organizations were affected by a successful cyberattack (CyberEdge Group).
16. During the first half of 2019, 3,813 breaches were reported, with more than 4.1 billion records exposed. With a 54% increase in the number of breaches and a 52% increase in the number of compromised records compared to the same period last year, 2019 is shaping up to be a record year (Risk-Based Security).
17. In 2018, 68% of 3,100 surveyed organizations experienced a cyberattack on their network or endpoints (Sophos).
18. Only 35% of CISOs say that determining the scope of a compromise, containing it, and remediating the damage from exploits is easy (Cisco).
19. More than 40% of organizations receive more than 10,000 security alerts every day. Additionally, organizations only respond to about half of the alerts and fix only 43% of those that turn out to be legitimate (Cisco).
20. Most vulnerabilities take longer than 90 days to patch — fewer than 44% of vulnerabilities are patched within 90 days (Verizon).
22. The top three barriers to effective defenses are too much data to analyze, lack of skilled personnel, and employees’ low security awareness (CyberEdge Group).
23. Only 30% of incident responders are able to easily identify affected data, and about 40% say they cannot accurately and consistently identify details about the threat actor (SANS).
24. More than half of organizations don’t have a strategy for vulnerability identification, threat intelligence, breach detection, incident response, identity and access management, and data protection (EY).
25. Nearly a third of enterprises that had a data breach say it was caused by a third party, but only half of enterprises view their third-party partners as a risk (ISC2).
26. Security analysis is the most time-consuming activity among cybersecurity professionals, followed by security administration, and risk analysis and management (ISC2).
28. Security professionals identify understaffing as their biggest challenge, and nearly a quarter say that the inability to keep up with the workload is a root cause of security incidents (ESG/ISSA).
29. Almost three-quarters of organizations say they’re impacted by the talent shortage, and of those that are impacted, 66% increase the workload on existing staff (ESG/ISSA).
30. Almost 40% of organizations say that less than 2% of their IT personnel have a dedicated security focus (EY).
31. Nearly 60% of organizations say they face extreme or moderate risk due to the security talent shortage (ISC2).
33. More than half of organizations (55%) don’t make “protection” an essential part of their strategy and execution (EY).
35. Organizations that have few, if any, personnel dedicated to information security may spend up to 8.8 times more (over three years) to build and operate an in-house security operations center (SOC) with a DIY approach, compared to using a SOC-as-service vendor (Frost & Sullivan).