Cybercrime and cybersecurity surveys, studies, and reports from across the globe

Published by on October 25, 2017 in Information Security

Cyber crime surveys and statistics

Cybercrime continues to be a massive problem facing governments, businesses, and the general public worldwide. According to Statista, cybercrime accounted for $1.33 billion (~ GBP £978 million) in damages in 2016 in the US alone. With massive cyberattacks occurring on a regular basis, things are seemingly out of control. The most effective way organizations and individuals can combat cybercrime is through improved cybersecurity. Professionals in this field are in high demand, and rightly so.

It’s also no wonder that organizations across the globe are conducting studies and surveys and compiling in-depth reports all based around these topics. Such organizations include government bodies, multinational professional services firms, and security solution companies, among others. The focus of their studies include perception of cybersecurity and cybercrime, preparedness to tackle threats, and what the future holds.

In honor of National Cyber Security Awareness Month, we’ve rounded up these surveys and studies for easy access. The reports are grouped by region and you’ll also find details about who conducted each one, the number or respondents involved (where applicable), and the main purpose or focus.


ITU Global Cybersecurity Index (2017) [PDF]

A heat map from the ITU cybersecurity survey.
The Heat Map of National Cybersecurity Commitments with dark green being the most committed and red the least. (Source: ITU)

The International Telecommunications Union (ITU) is the United Nations’ specialized agency for information and communication technologies. This index was first launched in 2014 and measures the commitment of ITU Member States towards cybersecurity.

Key findings:

  • Countries around the world continue to be committed to cybersecurity and there is improvement of the cybersecurity agenda in various countries within each region
  • Cooperation could be improved at all levels, within and between regions
  • Commitment in Europe remains high but regions in Africa and the Americas need support

PwC The Global State of Information Security Survey (2017)

PwC is a multinational professional services network based in the UK. In this case, 10,000 business and IT executives were surveyed to find out what they’re focusing on now and in the foreseeable future.

Key findings:

Survey respondents are focusing on four main areas:

  • Adopting safeguards for digital business models
  • Utilizing intelligence and information-sharing programs
  • Security of the Internet of Things (IoT)
  • Managing geopolitical cyberthreats

EY – Global Information Security Survey (2017) [PDF]

An infographic from the EY cybersecurity survey.
A representation of cybersecurity within an organization. (Source: EY)

Ernst & Young (EY) is another multinational professional services firm based in the UK. For this report, they surveyed 1,735 CIOs, CISOs, and other executives from companies across the globe. It evaluates how businesses are performing with respect to their cybersecurity capabilities. It then offers insight into how cyber resilience can be achieved.

Key findings:

  • Overall, organizations appear to be moving in the right direction
  • The pressure of increased regulation has spurred organizations to invest in strengthening their corporate shield
  • Companies are better able to see threats coming than they were three years ago
  • Most organizations aren’t prepared to react to a breach

Cybersecurity Trends Spotlight Report (2017) [PDF]

An attack response time infographic.
This chart shows the time taken to recover from an attack. (Source: Herjavec Group)

The 350,000 member LinkedIn Information Security Community collaborated with Crowd Research Partners to produce this report. It explores cybersecurity trends, and offers benchmark data to help companies evaluate their own performance.

Key findings:

  • Most cybersecurity professionals accept that successful attacks will occur in the near future and are boosting their budgets
  • Some of the largest obstacles faced include lack of skilled workers and low budgets
  • Priorities include improved threat detection, better analytics, and threat blocking
  • Concern over cloud computing, in areas such as data loss and data privacy, remains high
  • There are increasing concerns around Bring Your Own Device (BYOD) initiatives, including data leakage or loss and the downloading of unsafe applications or content

Tenable Global Cybersecurity Assurance Report Card (2017)

Tenable is a cyber exposure company that helps organizations understand and reduce their cyber risk. Its Report Card is in its second year, this year’s being based on findings from a survey of 700 security practitioners. It assigns indices and grades to countries and industries based on awareness and preparedness. Note that the linked article offers an overview of the report findings, but you’ll have to subscribe in order to download a copy of the full report.

Key findings:

  • The average overall score dropped six percent compared to last year and the Global Risk Assessment Index dropped 12 percent
  • Risk assessment for cloud and mobile is one of the biggest enterprise security weaknesses, which is partly explained by increasingly widespread adoption and complex applications
  • The evolution and broadening of the threat landscape poses the largest challenge for security professionals, creating more opportunity for attackers and leaving all organizations vulnerable
  • It’s critical for organizations to understand threats as well as be able to assess their own strengths and weaknesses in the area of cybersecurity

Secureworks State of Cybercrime Report (2017)

A chart showing the growth in the number of ransomware threats.
A chart to show the number of new ransomware threats observed per year. (Source: Secureworks)

Secureworks is a security solutions company that serves businesses across the globe. This report uses the company’s experience with and insight into things like criminal forums and monitoring global criminal activity. It delves into the criminal landscape and the subject of cyber crime as a market economy. Note that the linked article offers an overview of the report findings, but you’ll have to subscribe in order to download a copy of the full report.

Key findings:

  • The amount of losses incurred as a result of Business Email Compromise (BEC) and Business Email Spoofing (BES) increased sharply during 2015 and 2016
  • Ransomware, banking malware, and mobile malware continue to represent significant threats
  • Organized cybercrime can be compared to a business in which there are a range of roles and diverse cash out operations
  • Online crime can be considered a market economy where personal information is a relatively inexpensive commodity and affordable malware makes barrier to entry for cybercriminals low

Fortinet Global Enterprise Security Survey (2017)

IT security spend infographics from the Fortinet cybersecurity survey.
These charts show the average spend on IT security and the increase over last year. (Source: Fortinet)

Fortinet is US-based cybersecurity solutions company. It conducts an annual survey examining the challenges facing IT professionals and the attitudes towards cybersecurity in business.

Key findings:

  • In the past two years, most businesses have experienced a security breach
  • IT security is becoming a significant investment but it’s not being made enough of a priority
  • Cloud security is one area that is getting a lot of attention and planned investment
  • Organizations are overestimating their cybersecurity performance and are not providing employees with ample training in security awareness

ISACA State of Cybersecurity Implications (2016) [PDF]

ISACA is an international association with a focus on IT governance. In conjunction with RSA, they conducted this survey that received a total of 461 respondents. IT professionals from various parts of the globe participated to answer questions on organizational security and preparedness against cyber attacks.

Key findings:

  • Attack methodologies are becoming more sophisticated while the number of data breaches continues to go unchecked
  • Respondents don’t expect attacks to slow and anticipate being prey to an attack in the next year
  • Cybercriminals continue to use social engineering as a means to carry out attacks
  • The escalation of attacks is forcing businesses to take action and increase budgets, but it’s often difficult to fill security positions with skilled workers

RSA Current State of Cybercrime (2016) [PDF]

A representation of mobile channel cybercrime trends.
A representation of the cybercrime trends seen in the mobile channel. (Source: RSA)

RSA is a provider of security solutions to businesses across the globe. This one is not actually a survey itself, but rather a report based on findings from other surveys and the opinions of the authors.

Key findings:

  • With mobile changing the way organizations interact with consumers, the number of fraud attempts through mobile channels is dramatically increasing
  • Ransomware continues to proliferate with virtually no system immune to infection
  • The types of cybercrime taking place are evolving, as is the the way cybercriminals communicate
  • The increasingly widespread adoption of Chip and PIN credit cards means that in-person fraud will continue to give way to Card-Not-Present (CNP) fraud
  • The IoT opens up a whole new world of opportunity for attackers, with the risks remaining largely unknown


CSO US State of Cybercrime (2017)

CSO offers up news, research and analysis on the topics of security and risk management. This survey, conducted in conjunction with the US Secret Service and CERT, provides insight into the threats US businesses face and how companies are responding. 510 respondents include executives from US businesses, government agencies, and law enforcement services. Note the linked article offers an overview of the report findings, but you’ll have to subscribe in order to download a copy of the full report.

Key findings:

  • Companies are taking IT security more seriously, but the majority still see it as an IT issue rather than one of corporate governance
  • Cybersecurity budgets are increasing, with expenditures including new technologies, audits and assessments, new skills, and knowledge sharing
  • Companies are increasingly concerned about security but the large majority believe they are equipped to address threats
  • Although the overall number of attacks has reportedly decreased, the number of damaging incidents has risen

Deloitte-NASCIO Cybersecurity Survey (2016) [PDF]

An infographic showing the top cybersecurity initiatives for 2016.
Top cybersecurity initiatives for 2016. (Source: Deloitte-NASICO)

Deloitte, a US-based professional services firm, conducted this survey in conjunction with NASICO, a non-profit representing CIOs. The survey specifically targets State Chief Information Security Officers to offer a view of what’s happening at the government level.

Key findings:

  • At the governor level, awareness is increasing as CIOs and CISOs provide more frequent reports
  • Cybersecurity is becoming a more integral part of operations as the role of CISO is more commonplace and consistent
  • States that have a formal strategy and solid communication tend to have access to more resources, including funding and talent

PRC What the Public Knows About Cybersecurity (2017)

Pew Research Center is a nonpartisan organization providing information regarding US issues and trends. Instead of focusing on businesses, this study reveals what the American public knows about cybersecurity. 1,055 respondents answered 13 questions testing knowledge of cybersecurity issues and terms.

Key findings:

  • Cybersecurity knowledge among the public varies widely by topic but tends to be lower on technical issues
  • A significant number of people are unsure about the answers to many cybersecurity questions, particularly on topics such as Virtual Private Networks (VPNs) and botnets
  • Younger respondents and those with higher levels of education were more likely to respond correctly

NYSE Cybersecurity and the M&A Due Diligence Process (2016) [PDF]

The Governance Services department of the New York Stock Exchange teamed up with application security company Veracode to produce this report. Focusing on mergers and acquisitions (M&A), they asked 276 public company directors and officers about cyber risk management in an M&A environment. The report also provides benchmarking practices for future dealings.

Key findings:

  • A large majority of organizations state that an acquisition would be seriously affected if the target experienced a high-profile data breach
  • Two thirds of companies audit a target’s software applications as part of their due diligence process
  • A large majority of directors view intellectual property as a top consideration in the due diligence process

Symantec Operationalizing Cybersecurity in Healthcare Organizations (2017) [PDF]

Charts showing IT security budgets as a percentage of total budget.
IT security budgets as a percentage of total budget. (Source: Symantec)

Symantec is a software company specializing in security, storage, and backup solutions. This study, conducted in conjunction with HIMSS Analytics, surveyed 100 C-suite, business, IT, and clinical leaders. It explored how healthcare organizations are dealing with the issue of cybersecurity, including how it’s perceived and the resources being allocated to it.

Key findings:

  • Healthcare organizations continue to be heavily targeted with healthcare becoming the most cyberattacked industry
  • Many industry professionals continue to view cybersecurity as a HIPPA compliance issue
  • Organizations are increasing cybersecurity resources, but it is largely viewed as an IT issue rather than a risk management problem
  • Healthcare organizations need to operationalize cybersecurity strategies in order to defend themselves

KPMG Cyber Healthcare & Life Sciences Survey (2017) [PDF]

KPMG is a multinational professional services company headquartered in the Netherlands. This study involved 200 senior executives from the healthcare and life sciences fields. It examines where organizations are when it comes to cybersecurity, compared to where they should be. Key areas explored are data sharing, vendor management, and medical device implementation.

Key findings:

  • Organizations are improving their cybersecurity strategies, but not enough to keep up with the risks imposed by the new technologies they adopt
  • More than a third of organizations don’t have a CISO which implies they will lack the ability to execute security strategies effectively
  • There needs to be a mindset shift where cybersecurity enables innovation in order to avoid increased vulnerability

ESET/NCSA Survey (2016)

ESET is a security company providing anti-virus and firewall products. This survey was conducted in collaboration with the National Cyber Security Alliance (NCSA) to explore the perceptions and concerns held by the American public regarding the IoT. 1,527 respondents answered questions surrounding cybersecurity awareness and precautions.

Key findings:

  • Half of consumers are discouraged from purchasing IoT devices due to cybersecurity concerns, and many are also concerned about the security of connected appliances, toys, and other systems
  • Most people do not use basic precautionary measures to secure their home router, to which multiple devices are typically connected
  • The vast majority are aware that webcam hacking is an issue but few take steps to protect it

CSI Computer Crime and Security Survey (2011) [PDF]

A chart showing the proportion of targeted attacks.
This chart shows the proportion of attacks believed to be targeted. (Source: CSI)

The Computer Security Institute (CSI) was an IT professional membership organization that was absorbed by UBM in 2011. This report was in its 15th and final year and aimed to provide independent insight into understanding and defending against cyber threats. The 351 respondents were information security professional from a range of industries including consulting, financial services, and education, among others.

Key findings:

  • Malware infection incidents continued to be prevalent while financial fraud incidents decreased
  • Respondents were reluctant to share information about financial losses but they are estimated to have decreased over previous years
  • Most believe that losses are not attributable to malicious insiders but the majority agree that non-malicious insiders could account for some losses
  • Just under half of organizations use cloud computing and around 10 percent protect it with security tools


Cyber Review Consultations Report (2016)

This report was prepared by Nielsen based on a consultation overseen by the Government of Canada. It’s purpose was to provide an overview of challenges and trends and to propose a strategy for cybersecurity in Canada. 2,095 members of the Canadian public took part and answered questions on topics including the evolution of cyber threats and the economic significance of cyber security.

Key findings:

  • The most important areas of focus are privacy, collaboration, and the use of skilled workers
  • Key action areas include increasing public awareness, improving training for security professionals and law enforcement, developing regulations, and increasing resources
  • Other suggested actions include conducting audits, using stronger security measures, and being proactive and transparent
  • Constraints affecting cybersecurity include high costs, lack of information-sharing, no incentives or repercussions, and lack of reporting channels

PwC The Global State of Information Security Survey – Canadian Insights (2017) [PDF]

An inforgraphic to show the key findings of the PwC cybersecurity survey.
An overview of the key findings (Source: PwC)

This is an extension of the PwC survey we mentioned above. It reports specifically on Canadian businesses and how they’re dealing with cybersecurity compared to their global peers.

Key findings:

  • The vast majority of respondents follow a risk-based security framework and most use cloud-based security services
  • To improve cybersecurity, a little over half use Big Data, and most collaborate with others
  • The majority of respondents have purchased some form of cybersecurity insurance


EC Cyber Security Report (2015) [PDF]

The European Commission (EC) produced this report based on a survey of the 28 EU countries. It aims to gauge public opinion of cybersecurity, including experience and perception. Areas covered include internet usage, experience with cybercrime, and concern about this type of crime.

Key findings:

  • EU citizens feel that they are more informed about cybercrime and that they’re able to protect themselves, but a substantial minority feel differently
  • More people are changing their online behavior to mitigate security risks
  • Malicious software has been discovered on the devices of almost half of internet users, and other types of cybercrime have been experienced by a substantial number
  • Internet users are more concerned about experiencing cybercrime and worry that websites and public authorities are not keeping their information secure

CyberROAD Cybercrime Surveys Report (2016) [PDF]

CyberROAD is a research project funded by the EC to help the fight against cybercrime. This report covers three surveys involving a total of 2,200 respondents from the EU and 20 other countries. These included subject specialists, policy makers, and law enforcement personnel, among others. The goal was to investigate the impact of cybercrime in order to advise which areas of research the EU should invest in.

Key findings:

  • Organizations need to have proper cybersecurity plans in place to offer workers guidance and minimize their risk to threats
  • Lack of information-sharing means that many incidents go unreported and are not responded to appropriately
  • Security tends to be reactive instead of proactive, often due to resistance to new ideas
  • Much improvement could be seen if funding was targeted to the appropriate areas

UK Cyber Security Breaches Survey (2017) [PDF]

An infographic showing the percentage of businesses seeking guidance on cybersecurity.
This infographic displays the percentage of businesses seeking guidance on cybersecurity. (Source: UK Gov.)

The UK Government Department for Culture, Media & Sport conducted this survey in conjunction with Ipsos MORI Social Research Institute and the University of Portsmouth. 1,523 interviews were conducted with UK businesses to see how they view cybersecurity and the steps they’re taking to tackle the issue of cybercrime.

Key findings:

  • Businesses are recognizing cybercrime as an increasingly important issue, as exemplified by things such as dedicated senior cybersecurity roles and improved education of board members
  • Businesses could be doing more to protect themselves such as securing wireless networks and creating formal cybersecurity policies
  • Although businesses continue to suffer breaches, reporting remains uncommon

The State of IT Security in Germany (2016) [PDF]

Germany’s Federal Office for Information Security manages computer and communication security for the German government. This reports covers the state of cybersecurity in Germany, including current developments in IT security and vulnerabilities in IT systems.

Key findings:

  • The sophistication and number of different attacks are increasing while conventional defense measures are losing their effectiveness
  • The threat of ransomware is increasing, it needs to be taken seriously, and decisive action should be taken against it
  • Vulnerabilities in software and hardware create easy targets and more effort needs to be made to prevent, detect, and respond to attacks
  • There needs to be improved collaboration between state and business, and Germany should have an active role in European cybersecurity policy


ACSC Threat Report (2017) [PDF]

The Australian Cyber Security Centre (ACSC) is an Australian Government initiative to help harden the country’s networks against threats. This report summarizes what they have observed in terms of cybercrime and security over the past year, including trends, challenges, and responses.

Key findings:

  • Cybercrime is a popular option among criminals due to the potential for large profits with low risk
  • Ransomware is one of the most common cybercrime threats and its success means it’s likely to remain as such
  • Malware expertise is evolving to better target specific devices, including Android smartphones
  • As cybercrime defenses harden, criminals are using increasingly sophisticated social engineering tactics as a means to bypass them
  • Third parties, in particular service providers are increasingly attractive targets for criminals as they can provide access to primary targets

ACSC Cyber Security Survey (2016) [PDF]

This survey serves as a companion to the 2016 version of the above report. It covers both the government and private sectors and aims to provide an overview of how prepared organizations are to meet growing cyber threats. 113 organizations participated, including 68 private sector and 45 government.

Key findings:

  • Most organizations experienced some sort of cyberattack, with more than half experiencing successful ones
  • Most organizations display a high level of resilience but could do more, especially when it comes to preparation for and detection of cyberattacks
  • The number of organizations with response plans in place has increased significantly compared with last year, although review and testing of these plans need to be improved

APRA Cyber Security Survey Results (2016) [PDF]

The Australian Prudential Regulation Authority (APRA) is a government division that regulates the country’s financial services industry. The aim of this survey, which had 41 respondents, was to find out about cybersecurity incidents and their management within APRA-regulated sectors.

Key findings:

  • The varied types of incidents reported show the range of threats is evolving and appropriate defenses need to be maintained
  • Most boards and executive management are updated regularly on cybersecurity, with boards often being the primary governance authority for superannuation organizations
  • Most organizations identified cyber risk as a top enterprise risk but the quality and quantity of identified scenarios varied greatly

Asia Pacific

Telstra Cyber Security Report (2017) [PDF]

A chart to show the top business impacts of security incidents.
This chart shows the top business impacts of security incidents. (Source: Telstra)

Telstra is a large Australian telecommunications and media company. This report is based on a survey of 360 IT professionals from Asia and Australia. It aims to provide insights into the cybersecurity landscape, to help organizations manage and mitigate risks.

Key findings:

  • More than half of businesses have detected a breach at least once per month
  • Ransomware is the most prevalent type of attack and more than half of the organizations experiencing this type of incident paid the ransom
  • Most CXOs are heavily involved in cybersecurity initiatives, perhaps because they are now held more accountable in case of an incident
  • Cloud services have been widely adopted but many organizations are not prepared to handle the cyber risks posed
  • Almost all organizations have increased their IT security spends, demonstrating the perceived importance of this area

ESET State of Cybersecurity in APAC (2017) [PDF]

A chart showing the barriers to cybersecurity experienced by each country surveyed.
This chart shows the barriers to cybersecurity experienced by each country surveyed. (Source: ESET)

Security software company ESET conducted this survey with small and medium-sized businesses in the Asia Pacific region. More than 1,500 stakeholders were surveyed to gain an understanding of their cybersecurity perceptions and activities

Key findings:

  • Companies are increasing efforts to fight cybercrime, with most using antivirus software and firewalls and applying encryption to at least one type of device or information
  • There is still lots of room for improvement with over half experiencing attacks within the last year
  • Only just more than half have policies to inform employees about such breaches and fewer than half have methods to inform clients
  • Businesses need to do more to protect their data with few having basic preventive measures in place


EY – Global Information Security Survey – India Report (2017)

In the global EY survey listed above, out of the 1,735 CXO respondents, 124 were from India. This report breaks out data from these participants to create a view of cybercrime as it relates to Indian businesses.

Key findings:

  • As a result of the occurrence of large cyberattacks, companies are investing more in their corporate shield
  • Organizations are also focusing more on their abilities to see threats coming
  • Most companies continue to lag behind in preparation to react to a breach, and appear to ignore the fact that they more than likely will be or already have been attacked

KPMG Cybercrime Survey Report (2015) [PDF]

An infographic to show the proportion which type of personnel are most vulnerable to cybercrime.
An infographic to show the proportion which type of personnel are most vulnerable to cybercrime. (Source: KPMG)

In 2015, professional services firm KPMG conducted this survey that focused solely on cybercrime in India. It examines industry perception, which area of organizations are affected by cybercrime, and what measures companies are taking. 250 participants included CIOs, CISOs, and CAEs, among other executives from a range of industries.

Key findings:

  • Almost all respondents view cybercrime as a major business threat but fewer than half see it as part of the boardroom agenda
  • A large majority of CXOs believe the Banking, Financial Services, and Insurance (BFSI) sector is a top target for cybercrime and the majority believe directors and management are most vulnerable
  • Most organizations lack cyber risk management strategies, such as risk assessments and incident response plans
  • A large majority of companies have experienced a cyberattack in the past year and most believe there was external involvement

Image credit: NASA

Leave a Reply

Your email address will not be published. Required fields are marked *