The importance—and urgency—of cybersecurity measures have become increasingly visible in recent years. Yearly industry reports from the likes of Verizon, Trustwave, and PwC all express the importance of cybersecurity measures and the costly consequences of cyberattacks. No company wants to become another data breach statistic—but some decision-makers still may not understand the urgency of cybersecurity protection.
That’s why we’ve put together this list of data breach statistics. If you’re struggling to get more budget and funding for your cybersecurity initiatives, you have to be able to convey statistics appropriately. The following eye-opening stats can be used as powerful tools to help you convey the importance of security to your senior executives and board members.
Vulnerability Statistics
“37.2% of U.S. organizations had a botnet grade of ‘B’ or lower”, meaning these organizations have a higher likelihood of experiencing a publicly disclosed data breach.
Source: Global Security Performance: How Do Top Nations Stack Up? from BitSight
“54.8% of companies in the U.S. have a Sender Policy Framework (SPF) grade of C or lower”, having limited means to prevent spoofing emails.
Source: Global Security Performance: How Do Top Nations Stack Up? from BitSight
“Companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or more.”
Source: BitSight Security Ratings Correlated To Breaches
“Crypto-style ransomware grew 35 percent in 2015.”
Source: Symantec 2016 Internet Security Threat Report
“Education accounted for 6.6 percent of all reported cybersecurity incidents in 2015.”
Source: 2016 Internet Security Threat Report from Symantec
“99% of computer users are vulnerable to exploit kits (software vulnerabilities).”
Source: Heimdal Security
“59% of employees steal proprietary corporate data when they quit or are fired.”
Source: Heimdal Security
“28% of organizations have experienced an advanced persistent threat attack, and three-quarters have failed to update their third-party vendor contracts to include better protection against APTs.”
Source: 2015 Advanced Persistent Threat Awareness Study, as quoted in Trustwave Security Stats
“63% of businesses don't have a ‘fully mature’ method to track and control sensitive data.”
Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats
Data Breach Statistics
In 2016, there have been 454 data breaches with nearly 12.7 million records exposed.
Source: 2016 Identity Theft Resource Center Data Breach Category Summary
“Nearly three in five Californians were victims of a data breach in 2015 alone.”
Source: California Data Breach Report 2012-2015
“In 93% of breaches, attackers take minutes or less to compromise systems.”
Source: 2016 Data Breach Investigations Report from Verizon
“Four out of five victims [of a breach] don’t realize they’ve been attacked for a week or longer.”
Source: 2016 Data Breach Investigations Report from Verizon
“In 7% of [breach] cases, the breach goes undiscovered for more than a year.”
Source: 2016 Data Breach Investigations Report from Verizon
“63% of confirmed data breaches leverage a weak, default, or stolen password.”
Source: 2016 Data Breach Investigations Report from Verizon
“30% of phishing emails are opened. And about 12% of targets go on to click the link or attachment.”
Source: 2016 Data Breach Investigations Report from Verizon
“In 2015, at least 60% of enterprises will discover a breach of sensitive data.”
Source: Forrester: Planning For Failure, 2015, as quoted in Trustwave Security Stats
“Only 38% of global organizations feel prepared for a sophisticated cyberattack.”
Source: 2015 Global Cybersecurity Status Report from ISACA
“82% of companies with high performing security practices collaborate with others to deepen their knowledge of security and threat trends.”
Source: 2014 US State of Cybercrime Survey from PWC
“In 60% of cases, attackers are able to compromise an organization within minutes.”
Source: 2015 Data Breach Investigations Report from Verizon
“Companies with a rating of 400 or lower were five times more likely to experience a publicly disclosed data breach than companies with a 700 or higher.”
Source: BitSight Security Ratings Correlate to Breaches from BitSight Technologies
Cost Statistics
“80% of analyzed breaches had a financial motive.”
Source: 2016 Data Breach Investigations Report from Verizon
“68% of funds lost as a result of a cyber attack were declared unrecoverable.”
Source: Heimdal Security
"Impact from trade secret theft ranges from 1% to as much as 3% of a nation’s GDP – using the World Bank’s GDP estimate of $74.9 trillion in 2003, loss of trade secrets may range from $749 billion to as high as $2.2 trillion annually."
Source: Global State of Information Security Survey 2015 from PwC
“The U.S. government has spent $100 billion on cybersecurity over the past decade, and has $14 billion budgeted for cybersecurity in 2016.”
Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes
“The cyber insurance market—mainly a U.S. market—has grown from $1 billion to $2.5 billion over the past two years, and it is expected to grow dramatically and expand globally over the next five years.”
Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes
See Also: Security Ratings For Cyber Insurance
“The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000.”
Source: 2015 Data Breach Investigations Report from Verizon
Ready To Protect Yourself?
Acknowledging that cybersecurity is a major problem (and finding these statistics shocking) is one thing—but understanding what you can do in response is another. So if you’re wondering what you’re supposed to do with this information, you’re in the right place.
Your best bet is to make sure you understand how these metrics relate to your own security performance, and whether you are on the right side of these statistics. For instance, the 2015 Global Cybersecurity Status Report from ISACA states that only “38% of global organizations feel prepared for a sophisticated cyberattack.” Unless you want to be categorized in the 62% that don’t feel prepared for cyberattacks (or aren’t sure if they’re prepared), the best thing you can do is to start monitoring your performance (and your entire business ecosystem’s) and create a benchmark to track changes in your security posture. Creating a performance metric around cyber risk that is specific to your organization will help you protect yourself from being just another number.
