With global cybercrime damages predicted to cost up to $6 trillion annually by 2021, not getting caught in the landslide is a matter of taking in the right information and acting on it quickly.

We collected and organized over 300 up-to-date cybercrime statistics that highlight:

  • The magnitude of cybercrime operations and impact
  • The attack tactics bad actors used most frequently in the past year
  • How user behavior is changing and how it… isn’t
  • What cybersecurity professionals are doing to counteract these threats
  • How different countries fare in terms of fighting off blackhat hackers and other nation states
  • What can be done to keep data and assets safe from scams and attacks.

Dig into these surprising (and sometimes mind-boggling) internet security statistics to understand what’s going on globally and discover how several countries fare in protecting themselves.

The article includes a handy infographic you can browse to see how each stat is connected to the others, and plenty of visual representations of the most important facts and figures in information security today.

Headline cyber crime statistics for 2018-2019

With the threat landscape always changing, it’s important to understand how cyber attacks are evolving and which security controls and types of training work.

  • Information theft, loss, or attack is now the prevalent type of crime against organisations, overpowering physical theft, which, until 2017, was the most common type of fraud against corporations for a decade (ENISA Threat Landscape Report 2018)
  • There were 137.5 million new malware samples in 2018 (AV Test) and we’re already at 24,55 million new samples in 2019 (and it’s only April, 2019)
  • In 2018, 93% of malware observed was polymorphic, meaning it has the ability to constantly change its code to evade detection (2019 Webroot Threat Report)
  • Over 50% of devices that got infected once were re-infected within the same year (2019 Webroot Threat Report)

In 2018, we found that 93% of malware was only seen on a single PC, and of the machines that were infected, over half (54%) saw more than one infection over the course of the year. More than 39% of consumer endpoints that were infected at least once saw between 2-5 infections in 2018, while the percentage for business endpoints was slightly lower, at 35%.

2019 Webroot Threat Report

1 frequency of successful cyberattacks statistic 2019

Almost two-thirds of IT security professionals believe a successful cyber attack is imminent in 2019.

Imperva 2019 Cyberthreat Defense Report

  • Spain was the hardest hit country by cyber attacks in 2018, with 93.7% of all surveyed companies being compromised at least once last year (Imperva 2019 Cyberthreat Defense Report )

2 countries by cyberattacks in 2019 statistic

Naturally, these facts and figures are just the tip of the iceberg. The deeper we dive into the wealth of information cybersecurity reports now offer, the clearer and more unnerving the picture becomes.

Ransomware statistics 2019

Ransomware infection rates are dropping but almost half of victims pay the ransom.

Ransomware has been the core concern for cybersecurity professionals for years but in 2018 it finally started to decline in volume. However, it doesn’t serve us to get excited about progress just yet, as more and more companies are paying the ransom when they do get hit.

  • In 2018, enterprise ransomware increased by 12%, accounting for 81% of all successful ransomware infections (2019 Internet Security Threat Report by Symantec)
  • Overall, ransomware infection rates declined approximately 60% between March 2017 and December 2018, with intermittent increases across that period” (Microsoft Security Intelligence Report Volume 24); here are some potential factors involved in this:

There are probably many causes for this overall decline, although Microsoft security researchers suspect that a primary factor is that both end users and organisations are becoming more aware of and dealing more intelligently with ransomware threats, including exerting greater caution and backing up important files so they can be restored if encrypted by ransomware Also, as described earlier, cybercriminals are opportunistic.

Microsoft Security Intelligence Report Volume 24

3 new ransomware sample timeline 2017-2018
Secureworks State of Cybercrime Report 2018

4 ransomware top cyberthreat 2019 statistics

What made the ransomware problem worse is that nation states got involved. Investigations proved that the WannaCry and NotPetya ransomware attack campaigns were orchestrated by nation-state actors. They may have started in 2017, but their effect continued throughout 2018. The objective was to destroy information or cause distractions rather than to derive financial benefits.

The ENISA Threat Landscape Report 2018 shows that ransomware is still a huge cause for concern for any type of organization across sectors, irrespective of its size and complexity:

  • 39% of the global data breaches caused by malware were ransomware
  • 17% of the total UK healthcare data breaches were actually ransomware
  • 64% of all major incidents targeting industrial control systems or networks were also ransomware
  • Almost all cybercrime incidents focusing on educational institutions were ransomware – around 70% of them

There is some good news among all these bleak ransomware statistics:

58.8% of the respondents to a security incident were using tools for ransomware prevention and 83% of them claimed that these tools were helpful

ENISA Threat Landscape Report 2018

The same report highlights a few other interesting cyber attacks facts and figures:

  • 5,4 billion WannaCry attacks were blocked in 2017, which is an astounding number by itself
  • With so many blocks, it’s clear that WannaCry was the most common ransomware attack in 2017 at 53.92%, with GandCrab coming in second with 4.92% (boomed in 2018, as we mentioned above)
  • Even if 66% of companies recognize that ransomware is a serious threat, less than 13% of them were prepared for such an attack in 2017
  • In spite of intense focus on preventing these attacks, approximately 1% of the infected endpoints were still attacked by ransomware
  • Ransomware hit 15% of businesses in the top 10 industry sectors, such as education, IT/telecom, entertainment, financial services, construction, government, manufacturing, transport, healthcare, and retail.

What’s more, enterprises accounted for 81% of all ransomware infections the company registered. (2019 Internet Security Threat Report by Symantec)

Individual users weren’t spared either: 158,921 unique users had their computers and data encrypted with malware in Q2 2018.

The threat also targeted mobile platforms: over 20,000 installations of mobile ransomware Trojans were detected in the H1 2018.

In terms of distribution, email is still the preferred vector for spreading encrypting malware:

  • 65% of the ransomware attacks were delivered via email and just 35% via malicious URLs
  • 93% of all phishing emails were related to spreading ransomware
  • 36% of all malicious email in Europe and Japan was related to – you guessed it! – ransomware (ENISA Threat Landscape Report 2018).

During 2018, the chief ransomware distribution method was email campaigns. Enterprises tend to be more affected by email-based attacks since email remains the primary communication tool for organisations.

2019 Internet Security Threat Report by Symantec

The numbers show that ransomware continues to be a growing threat in the healthcare industry. In 2017,  more than 85% of all malware that infected healthcare organisations was ransomware. Without proper defenses in place, the trend is likely to continue. (ENISA Threat Landscape Report 2018)

Cyber-ransom continued to be the leading motivation of hackers and was the reason for 51% of the attacks.

The Trust Factor by Radware

While ransomware infection rates are declining, increasingly more companies choose to pay the ransom. Almost half of organisations hit by ransomware pay to get their data unlocked, further fueling cyber criminal activities.

The percentage of victimized organisations that paid associated ransoms rose considerably this year, from 38.7% to 45.0%” mentions Imperva in their 2019 Cyberthreat Defense Report.

5 organisations pay ransom 2018 statistics

6 key ransomware statistics 2019 evolution

Imperva 2019 Cyberthreat Defense Report

In terms of geographical distribution, ransomware hit Saudi Arabia (87.8%), Turkey (74%), and China (68.7%) the hardest in 2017, according to the Imperva 2019 Cyberthreat Defense Report.

7 countries affected by ransonmware 2018 statistics

Because cybersecurity is a discipline with widespread implications and interdependencies, we’re going to dive into the most prominent attack tactics next. Reports from 2018 and 2017 overflow with data that both concerns companies across industries and addresses particular issues.

Favored cyber attack tactics include cryptojacking (+629%) and encrypted communication (+300%)

Ransomware may have slightly declined in 2018 but cryptojacking attacks increased in volume by 400%, stealing the spotlight (2019 Internet Security Threat Report by Symantec).

Cybercriminals now spread malware that infects victims’ computers and unlawfully uses their processing power to mine cryptocurrency, such as Bitcoin or Monero.

The dropping value of cryptocurrencies may have weakened interest in ransomware but mining for virtual currencies is still hugely relevant.

Cyber criminals are moving from ransomware to cryptojacking. While the growth of ransomware has been slower, threat actors have moved to cryptojacking as it is simpler, more profitable and less risky for them. It is expected that cyber criminals will be leveraging cryptojacking at scale, continue embedding cryptoming capabilities to malware families and mostly focus on targeted ransomware campaigns.

ENISA Threat Landscape Report 2018

In its report, ENISA notes that cryptojacking malware skyrocketed by 629% (from 400,000 samples in Q4 2017 to 2.9 million samples in Q1 2018).

During the first half of 2018, it was estimated that cryptominers have monetized for their users more than US $2.5 billion. Smominru mining botnet that has infected more than 500.000 Windows machines has already mined Monero, valued between US $2,8M and US $3,6M.

It was estimated that an adversary controlling 2,000 victim computer systems with Monero miners could generate US $500 per day or US $182,500 per year.

ENISA Threat Landscape Report 2018

But cryptojacking is not the only attack giving CISOs, CIOs, and IT managers more trouble than they can handle. Statistics show that several threat vectors are cause for concern.

  • Cybercriminals are quick to find ways to get around strengthened security; supply chain attacks grew 78% in 2018 (2019 Internet Security Threat Report by Symantec)
  • Another study corroborates this insight and provides more context: “companies that have experienced 50% or more of their breaches from indirect attacks—targeted at their organization but initiated through partner organisations—are more likely to join or lead efforts to ensure the trustworthiness of the Internet economy” (Accenture – Securing the Digital Economy)
  • Cybercriminal tactics often leverage available information: 63 percent of network intrusions are the result of compromised user passwords and usernames. (Microsoft)
  • Malicious documents are also a well-known infection vector that hasn’t lost its popularity: in its 2018 Annual Cybersecurity Report, Cisco found that, globally, 38% percent of malicious email attachments were Microsoft Office formats such as Word, PowerPoint, and Excel. (Cisco)
  • Archive files, the likes of .zip and .jar, represent around 37% of all malicious file extensions Cisco observed, with malicious PDF files accounting for 14% of the total. (Cisco)

Besides the already classic attack vectors, cybercriminals are also looking to piggyback on the boom in ecommerce and online shopping:

While attacks on household names make headlines, Symantec’s telemetry shows that it is often small and medium sized retailers, selling goods ranging from clothing to gardening equipment to medical supplies, that have had formjacking code injected onto their websites. This is a global problem with the potential to affect any business that accepts payments from customers online.

2019 Internet Security Threat Report by Symantec

The increasing adoption of cloud-based platforms is still leaving cybersecurity professionals playing catch-up:

  • 93% of companies deal with rogue cloud apps usage (Imperva 2019 Cyberthreat Defense Report)
  • 82% of cloud users have experienced security events caused by confusion over who is responsible to secure the implementations (Oracle and KPMG Cloud Threat Report 2019)

8 cloud security statistics 2019
Imperva 2019 Cyberthreat Defense Report

Here are some key statistics that highlight the diversity in malicious tactics and strategies:

  • 35 percent of companies in a global survey were targeted by an SSL or TLS-based attack (Gartner)
  • Fileless attacks were used in 77% of successful compromises in 2018 because they’re increasingly effective at evading detection; as a consequence, the trend is bound to increase (ENISA Threat Landscape Report 2018)
  • Financial trojans may have steadily declined in volume but they’re still one of the biggest threats against consumers; the most prevalent financial trojans of 2018 are Zeus, Emotet, URLzone, Ursnif, and Trickbot (ENISA Threat Landscape Report 2018)
  • Open-source malware is increasingly used by cybercriminals of all levels and backgrounds to make illicit profits because it makes scaling their operations and attribution a lot less challenging (ENISA Threat Landscape Report 2018)
  • In 2018, polymorphic malware accounted for 94% of all malicious executables (2018 Webroot Threat Report)
  • The use of encrypted Command and Control (C2) communication increased by 300% in 2018 (ENISA Threat Landscape Report 2018)

9 top cybersecurity threats 2018 statistics
ENISA Threat Landscape Report 2018

Physical attacks are also on the rise, as cybercrime statistics show:

  • 30% of reported data breaches in retail were caused by payment card skimming attacks (ENISA Threat Landscape Report 2018)
  • 87% of the reported card skimming attacks target petrol stations (ENISA Threat Landscape Report 2018)
  • During 2017, almost 3,600 physical attacks against banking ATMs were reported in Europe, 20% more than in 2016 (ENISA Threat Landscape Report 2018)
  • Black box ATM attacks increased by 307% in Europe, as reported by the European Association for Secure Transactions (EAST), with related losses hiking by 268%, from €0,41 million to €1,51 million

10 physical attacks against ATMs in europe 2018 statistics
ENISA Threat Landscape Report 2018

The numbers are climbing when it comes to internal threats, too: 54% more organisations recorded a growth of insider threats in 2018 (ENISA Threat Landscape Report 2018).

11 cybersecurity insider threat statistics 2018
ENISA Threat Landscape Report 2018

Motivations are also changing, moving from making money through nefarious tactics to collecting data that can be used to cash out on multiple subsequent attacks:

The most likely reason for an organization to experience a targeted attack was intelligence gathering, which is the motive for 96 percent of groups.

2019 Internet Security Threat Report by Symantec

12 top cybersecurity threats against organisations 2019 statistics

 EY – Global Information Security Survey 2018-2019

DDos attacks grow in both strength and frequency

With more unsecured devices connecting to the internet than ever, cybercriminals are taking full advantage of their processing power. Once recruited into botnets, they harness their collective power to launch powerful DDoS attacks that companies can barely survive.

Here are some statistics that illustrate this growing issue:

  • Worryingly, more than 400,000 DDoS attacks are reported each month across the globe. (Calyptix Security)
  • In the first half of 2018, the industry with the highest number of reported DDoS attacks was the wired telecommunications carrier industry, with almost 800,000 attacks during that period. (Calyptix Security)
  • DDoS attacks lasting under 90 minutes made up 55.28% of the total, while those lasting longer accounted for 44.72%. A small 4.62% lasted longer than 20 hours! (ENISA Threat Landscape Report 2018)
  • The average duration of a DDoS attack in 2017 was 318.10 minutes, while the longest attack lasted a shocking 6 days, 5 hours, and 22 minutes (ENISA Threat Landscape Report 2018)

Cyberassaults resulting in a complete outage or service disruption grew by 15%, and one in six organisations reported having suffered a 1Tbps attack.

The Trust Factor by Radware

Phishing grows by 250% and gets difficult to spot

Malicious hackers and scammers are getting craftier at creating and sending phishing emails that trick even the most cautious users. The data shows that this is a constant cause for concern with no sign of slowing down in terms of effectiveness.

  • Scammers and attacks send out 6,4 billion fake emails every day (EY – Global Information Security Survey 2018-2019)
  • Almost 87% percent of the Fortune 500 are vulnerable to phishing, leaving their customers, employees, and brand name exposed to a fraud (Q4 2018: Email Fraud and Identity Deception Trends by Agari)
  • Only 5% of companies have implemented a Quarantine policy to send phishing emails to the spam folder.  (Q4 2018: Email Fraud and Identity Deception Trends by Agari)
  • Verizon reports that 30 percent of phishing emails in the U.S. are opened, with 12 percent of those targeted by these emails clicking on infected links or attachments (Verizon)
  • Phishing social media users tripled during 2017 as attackers leveraged the inherent trust consumers have in these platforms (ENISA Threat Landscape Report 2018)
  • Microsoft reported a huge increase of 250% in phishing emails between January and December 2018, analyzing more than 470 billion email messages every month for this particular threat and for malware. (Microsoft Security Intelligence Report Volume 24)
  • The volumes are enormous even for specific attacks: a single campaign during Q1 2018 sent out 550 million phishing emails over that 3-month period (EY – Global Information Security Survey 2018-2019)
  • The business world is also aware of this gigantic issue: 22% of surveyed decision makers see phishing as the biggest threat (EY – Global Information Security Survey 2018-2019)
  • 30% of phishing sites used HTTPS in 2017 compared to just 5% during 2016, a trend experts believe will continue to grow (ENISA Threat Landscape Report 2018)
  • In 2017, phishing campaigns have been reported to be short-lived: phishing websites typically stayed online for 4-8 hours (ENISA Threat Landscape Report 2018)
  • What’s more, in 2017, phishers used 28% more malicious attachments compared to malicious URLs in the phishing emails they sent (ENISA Threat Landscape Report 2018)
  • 41% of phishing domains include a single character swap, 32% have an additional character, and 13% have added or removed leading or final domain’s characters to confuse and deceive their victims (ENISA Threat Landscape Report 2018)

The ENISA Threat Landscape Report 2018 also mentions that:

The 10 most frequent words in malicious emails during 2017 were:

  • delivery (12.1%),
  • mail (11.8%),
  • message (11.3%),
  • sender (11.2%),
  • your (11.2%),
  • returning (7.6%),
  • failed (7.6%),
  • invoice (6.9%),
  • Images (6.6%),
  • and scanned (6.5%)

Tuesday has been observed as the most popular day for phishers to conduct their campaigns while the least popular day was Friday.

Most frequent words used within BEC phishing emails are:

  • payment (13.8%),
  • urgent (9.1%),
  • Request (6.7%),
  • attention (6.1%),
  • important (4.8%),
  • confidential (2.0%),
  • immediate response (1.9%),
  • transfer (1.8%),
  • important update (1.7%)
  • and attn (1.5%).

The most popular attachment name categories used in the attachments of BEC phishing attacks were:

  • Purchase Order,
  • Payment,
  • Invoice,
  • Receipt,
  • Slip,
  • Bill,
  • Advice
  • and Transfer.

Phishing and other types of email fraud rely heavily on impersonation to make their attacks more effective. Displaying fake display names to deceive victims is preferred by bad actors over typosquatting or domain spoofing.

During July 2018 through October 2018, Agari data indicates 62% of all identity-deception based attacks leveraged display name deception aimed at impersonating a trusted individual or brand—typically an outside vendor, supplier or partner.

Q4 2018: Email Fraud and Identity Deception Trends by Agari

  • The most frequently impersonated brands are Microsoft (35.87% of the time) and Amazon (26.79% of the time). (Q4 2018: Email Fraud and Identity Deception Trends by Agari)

13 email fraud statistics 2019
Q4 2018: Email Fraud and Identity Deception Trends by Agari

  • When it comes to fooling executives, scammers, spammers, and other bad actors leverage the trust people have in Microsoft and Dropbox:

14 email fraud cybersecurity statistics 2019
Q4 2018: Email Fraud and Identity Deception Trends by Agari

Spam gets localized and grows in volume on social media platforms

Channels may change, but spam is one of those attack tactics that’s bound to stick with us for the foreseeable future and quite possibly beyond it.

Spam remains the leading means by which criminals deliver malware. Infections via web exploit kits continued to drop precipitously as browser vendors improved security and the use of technologies like Flash and Java declined.

Secureworks State of Cybercrime Report 2018

  • The average daily spam volume rose to 295,62 billion emails. Compare this to the average of daily legitimate email volume, which is 51,18 billion, and the picture becomes clear. Of the total email volume, legitimate email is just 14.76% while spam makes up the rest of it at 85.23%. (ENISA Threat Landscape Report 2018)
  • 75% of spam most commonly breaks into: health related spam (26.6%), malware delivering spam (25.7%) and spam for online dating sites (21.4%). The remaining 25 percent includes: stock spam (4.6%), fake job offers (3.5%), phishing spam (2.1%), financial spam (1.9%) and adult spam (1.5%). (ENISA Threat Landscape Report 2018)

And it’s not just that spam comes in volumes. It’s also getting localized and, as a result, more convincing.

While one year ago 96% of the spam was in English, the levels of spam in English have fallen to 90%. This indicates a trend that spam is getting more “international” and localized.

ENISA Threat Landscape Report 2018

Cybercriminals are not content with just using the billions of email addresses leaked through data breaches. They’re also validating their lists of potential victims and bypass spam filters in ever clever ways:

Another interesting technique that spammers used during the reporting period was the abuse of subscription forms.

Spammers used a script that auto-filled subscription forms of regular websites and inserted the target email address in the “Email” form as well as a short message with a spam link in the form of the “Name”. Thus, the targets received an automatic “list subscription” confirmation email that contained a spam link instead of their name.

Spammers wanted to fool email filters since usually the content of “list subscription” confirmation emails is normally allowed.

ENISA Threat Landscape Report 2018

  • China and India are home to the most prolific spam bots in the world, serving fake and malicious emails in overwhelming volumes:

15 spam bots cybercrime statistics 2019
ENISA Threat Landscape Report 2018

As you’d expect, spammers have also taken to social media. From fake lotteries and coupons to fictitious giveaways from popular retailers, they’re using past experience to hook unsuspecting victims:

A recent survey reported that 47% of social media users are seeing more spam in their feeds (79% of which believe that spam content on social media includes fake news).

ENISA Threat Landscape Report 2018

Most cybercrime now leverages mobile channels

More devices, more problems. From BYOD to malicious apps with millions of downloads, cybercriminals have plenty of opportunities to exploit, scam, and extort victims in both corporate and private environments.

  • Most cybercrime is now mobile. Over 60% of online fraud is accomplished through mobile platforms. Additionally, 80 percent of mobile fraud is carried out through mobile apps instead of mobile web browsers. (RSA)
  • The bad news is there’s no shortage of online dangers: in 2018, Symantec blocked an average of 10,573 malicious mobile apps per day. Malicious apps most frequently infiltrated into the following categories: Tools (39%), Lifestyle (15%), and Entertainment (7%). (2019 Internet Security Threat Report by Symantec)
  • According to ThreatMatrix, mobile fraud rose 24 percent year-over-year in the beginning of 2018, with over 150 million global attacks in the first half of the year. (ThreatMatrix)
  • The US saw the worst of the mobile fraud risk, with a 44 percent year-over-year increase. (ThreatMatrix)
  • In corporate contexts, decision-makers are aware of the issue: 83% of them said that their organization was at risk from mobile threats and 86% agreed that mobile threats are growing faster than others (Verizon Mobile Security Index 2019)
  • What amplifies the issue is the lack of preparedness: 67% of organisations confessed they are less confident about the security of their mobile assets than other devices in their network (Verizon Mobile Security Index 2019)
  • In spite of these realizations, 48% of companies said they sacrificed mobile security to “get the job done”in 2018 compared to 32% in 2017 (Verizon Mobile Security Index 2019)
  • Consequences are inevitable: 33% of surveyed organisations suffered a compromise involving a mobile device in 2018 whose impact was significant (Verizon Mobile Security Index 2019)
  • 62% of compromised companies described the incident as “major” (Verizon Mobile Security Index 2019)

16 cybersecurity risks mobile devices statistics 2019
EY Global Information Security Survey 2018-2019

  • The largest volume of mobile malware was hosted in 3rd party app stores; most mobile malware was found in the Lifestyle (27%) and Music & Audio (20%) categories (ENISA Threat Landscape Report 2018)
  • Mobile fraud is overtaking web fraud. 65% of fraud transactions start on mobile devices (RSA 2018 Current State of Cybercrime)
  • Since 2015, fraud carried out through mobile apps increased by 600% (RSA 2018 Current State of Cybercrime)
  • Phishing attacks on mobile devices have increased by an average of 85% year-over-year since 2011 (ENISA Threat Landscape Report 2018)
  • Over 26 billion robocalls were made to US phones alone in 2018, which makes for a 46% year-over-year increase in volume (Hiya Robocall Radar 2018 Report)
  • Scam calls that start on mobile channels will represent 80% of all scam calls by the end of 2019 (First Orion Scam Call Trends and Projections Report Fall 2018)

Managing cybersecurity vulnerabilities improves but still troubles companies and countries around the world

Software and hardware vulnerabilities continue to be topics of prime importance for the tech world. Meltdown and Spectre made headlines throughout 2018 and that’s likely to continue in 2019 as well.

Let’s explore some highlights that stand out from the numerous reports cybersecurity companies created on the topic:

  • The number of reported application vulnerabilities in 2017 was more than double the number found in 2016 (2018 Application Security Research Update)
  • What’s more, a whopping 90% of applications had at least one issue outside of the OWASP Top 10 in 2018 and 49% of tested apps had a critical or high-severity weakness that’s also outside this top 10 (2018 Application Security Research Update)
  • Although vulnerabilities increase when integrating or working with third parties, only 15% of organisations have basic security controls in place to deal with this issue (EY Global Information Security Survey 2018-2019)
  • 36% of surveyed organisations are aware of 3rd party vulnerabilities through self-assessments (22%) or independent assessments (14%) but this leaves 64% of companies with zero visibility on this issue (EY Global Information Security Survey 2018-2019)
  • 35% of larger companies have a formal and up-to-date threat intelligence program compared to 25% of smaller organisations (EY Global Information Security Survey 2018-2019)

17 cybersecurity risks statistics 2019
EY Global Information Security Survey 2018-2019

  • 2018 was the third consecutive year when organisations mentioned app development and testing as the most challenging security process for them (Imperva 2019 Cyberthreat Defense Report)
  • On the bright side, 78.7% or organisations considered their organization made improvements in managing vulnerabilities and handling patch management (Imperva 2019 Cyberthreat Defense Report)

Reports show that security vulnerabilities in web apps continue to be the leading cause of security breaches, which puts this issue at the top of CISOs’ tasks lists across the world.

18 top sources data breaches cybersecurity statistics 2019
Deloitte-NASCIO Cybersecurity Survey (2018)

In one incident, the health records of almost 100 million patients worldwide were put at risk by security bugs found in one of the world’s most widely used patient and practice management systems.

EY – Global Information Security Survey 2018-2019

What’s more, the issue is so pervasive that even countries are working on this aspect:

19 web application testing cybersecurity statistics 2019
Deloitte-NASCIO Cybersecurity Survey 2018

In terms of attacks that seek to exploit software and hardware vulnerabilities, tactics abound:

  • 51% of attacks targeting web applications are SQLi attacks (ENISA Threat Landscape Report 2018)
  • Local File Inclusion comes in second place with 34% and Cross-Site Scripting comes in third with 8% (ENISA Threat Landscape Report 2018)
  • Another report puts Cross-Site Scripting at 40% of all web attacks observed in 2017 (2018 Trustwave Global Security Report)
  • In EMEA, 42% of all cyber attacks were focused on compromising web apps (ENISA Threat Landscape Report 2018).

But not all vulnerabilities are related to software or hardware. EY reports in its Global Information Security Survey (2018-2019) that 34% of organisations see careless or unaware employees as their biggest vulnerability.

The volume of IoT attacks remains constant

As the number of IoT devices continue to multiply wildly, so do the security issues associated with it. The numbers speak for themselves.

The number of Internet connected devices is expected to double from 2015 to 2020 to reach 30 billion devices worldwide.

Mozilla Internet Health Report 2018

Other reports suggest that the number of IoT devices installed worldwide from 2015 to 2025 will reach 75,44 billion.

20 iot devices statistics 2019 prediction

  • In the first half of 2018, Kaspersky detected three times as many malware samples targeting smart devices as they did throughout the entire previous year (Kaspersky Lab)
  • Cracking default Telnet passwords was the most popular attack tactic against Iot devices (Kaspersky Lab)
  • Malware from the Mirai family was used in 20.9% of IoT infections (Kaspersky Lab)

21 iot threats cybercrime statistics 2019
Kaspersky Lab

  • In 2018, VPNFilter malware compromised around 500,000 devices worldwide, building a massive network its creators could use to remain anonymous (ENISA Threat Landscape Report 2018)

The overall volume of IoT attacks remained high in 2018 and consistent compared to 2017. Routers and connected cameras were the most infected devices and accounted for 75 and 15 percent of the attacks respectively.

2019 Internet Security Threat Report by Symantec

  • For organizations, the top 3 challenges related to IoT security are knowing their assets (14%), detecting suspicious traffic (12%), and ensuring the security controls match current cybersecurity challenges (11%)  (EY Global Information Security Survey 2018-2019)

22 iot security challenges statistics 2019
EY Global Information Security Survey 2018-2019

23 top iot data breaches statistic 2019
IoT Security Market Report 2017-2022

  • As we’ve seen, default passwords are the core attack tactic, so the biggest IoT security issues that need to be solved are authentication/authorization (32%), followed by access control (15%) and data encryption (14%) (IoT Security Market Report 2017-2022)

24 iot top security issues priority statistic 2019
IoT Security Market Report 2017-2022

  • 48% of businesses are unable to detect if any of their IoT devices are impacted by a security breach (Gemalto The State of IoT Security 2018)
  • 79% believe governments around the world should provide stronger guidelines regarding IoT security (Gemalto The State of IoT Security 2018)
  • 19% use blockchain technology to help secure data flowing through IoT devices, up from 9% in 2017 (Gemalto The State of IoT Security 2018)
  • 97% believe strong IoT security can be a key competitive differentiator (Gemalto The State of IoT Security 2018)
  • 59% consider that IoT security regulations should define and assign responsibility for this particular aspect (Gemalto The State of IoT Security 2018)

25 iot security regulation top issues cybersecurity statistic 2019
Gemalto The State of IoT Security 2018

Social media scams and attacks spread like wildfire

With billions of users and everyday usage skyrocketing, social media platforms became a goldmine for cybercriminals and scammers.

From Cambridge Analytica to huge data breaches, malicious actors of all kinds made headlines almost every day throughout 2018. The reality is that 2019 doesn’t look any better.

Attitudes regarding social media seem to be changing but behaviors aren’t following suit, which leaves bad actors with plenty of opportunities to steal data and defraud users across the globe.

An overwhelming majority of all users (94 percent) refrain from sharing personal information on social media and 95 percent of polled users felt an overall sense of distrust for social media networks. If given the option to “choose the lesser evil,” they’d rather forgo using social media than search engines.

The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes

  • Given that crimes involving social media grew more than 300-fold between 2015-2017 in the US, this is quickly becoming one of the most pressing issues in the tech world (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
  • UK police statistics show social media-enabled crime quadrupled between 2013 and 2018 (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)

Over 1.3 billion social media users have had their data compromised within the last five years and between 45-50% of the illicit trading of data from 2017 to 2018 could be associated with breaches of social media platforms, like LinkedIn and Facebook.

Bromium Into The Web of Profit – Social media platforms and the cybercrime economy

  • The social media issue goes even deeper: 59% feel it’s unethical for social media platforms to tailor newsfeeds (RSA Data Privacy & Security Survey 2019)
  • 67% of UK consumers believe recommendations based on purchase/browsing history are unethical (RSA Data Privacy & Security Survey 2019)
  • Speaking of newsfeeds, did you know that around 30-40% of social media infections come from infected ads? (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
  • Cybercriminals are also leveraging social media to promote their hacking services: around 30-40% of the social media platforms feature accounts offering some form of hacking activities (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
  • No wonder 34% of US adults don’t trust social media companies at all with safeguarding their personal data (Statista)

26 social media trust cybersecurity statistics 2019

  • In 2017, 53% of the most popular fraud-related posts on Facebook led to carding services or credit card fraud (RSA 2018 Current State of Cybercrime)
  • Social media phishing increased by 200% from 2016 to 2017 as attackers seek to collect information shared on these platforms to use in subsequent attacks (ENISA Threat Landscape Report 2018)
  • At least 20% of social media infections stem from add-ons or plugins for social media platforms (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)

Data breaches and leaks expose everyone, becoming the fourth most important global risk for the next decade

So much personal and confidential data has leaked onto the web that it’s becoming a societal issue. Regulators around the world are trying to find solutions for this but, until they do, the onslaught continues.

  • In 2018 there was a total of 1244 data breaches (21% less than in 2017) that exposed 446,52 million records, a staggering 148% increase from 2017. (Statista)
  • “Massive data fraud and theft” ranked as the fourth most important global risk for the next 10 years, followed by cyberattacks at number five (The Global Risks Report 2019 – World Economic Forum)
  • Cybersecurity company RSA predicts mass data breaches will continue to play a large role in cybersecurity threats. (RSA)
  • 43% of data breaches involved small business as victims (Verizon 2019 Data Breach Investigations Report)
  • 33% included social engineering attacks, with phishing, pretexting, and bribery as the most common malicious actions (Verizon 2019 Data Breach Investigations Report)
  • 71% of breaches were financially motivated (Verizon 2019 Data Breach Investigations Report)
  • Errors caused 21% of data breaches in 2018 (Verizon 2019 Data Breach Investigations Report)
  • The most frequently compromised sets of data in breaches are internal information, credentials, personal data, medical information and payment details (Verizon 2019 Data Breach Investigations Report)
  • In 2017, Wikileaks released a stash of over 8,000 classified CIA documents. (New York Times)
  • That same year, hackers released 2GB of emails from French presidential candidate Emmanuel Macron. (Reuters)
  • McAfee finds the average number of records lost to hacking in 2017 was 780,000 per day. (McAfee)
  • As a result of the growing number of data breaches, personal data is easier to buy on the dark web than ever. Bromium reports personal data (social security information, date of birth, residential addresses, etc.) can cost as little s $3. (Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy)
  • A large amount of private and stolen consumer information is being shared online through social media groups built around such activity. Credit card services make up 53% of the topics discussed in such groups, followed very distantly by account takeovers with 16% (RSA)

Malicious cyber-attacks and lenient cybersecurity processes again led to massive breaches of personal information in 2018.

The largest was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1,1 billion registered citizens.

It was reported in January that criminals were selling access to the database at a rate of 500 rupees ($7,3) for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.

The Global Risks Report 2019 – World Economic Forum

  • The most affected industries by breaches targeting payment card data are retail (17%), finance and insurance (13%), and hospitality (12%) (2018 Trustwave Global Security Report)
  • 32% of information security professionals admitted that breaches affected more than half of their systems more than double when compared to 2016 (15%) (Cisco Annual Cybersecurity Report 2018)
  • Besides financial costs, 55% of organisations have had to manage the public scrutiny of a breach (Cisco Annual Cybersecurity Report 2018)
  • 17% of organisations cited losing their customers’ information as their biggest fear (EY Global Information Security Survey 2018-2019)
  • 56% of breaches took several months or longer to discover (Verizon 2019 Data Breach Investigations Report)
  • There’s been a 141% increase in North America, a 22% decrease in Europe, and a 36% decrease in Asia in terms of volume of compromised credentials, and this is just counting the figures reported over the past year (ENISA Threat Landscape Report 2018)
  • Nearly 47% of data breaches in the public sector were discovered years after the initial attack (Verizon 2019 Data Breach Investigations Report)
  • Public institutions suffered the highest volume of attacks: from a total of 23,399 incidents, 330 breaches featured confirmed data disclosure (Verizon 2019 Data Breach Investigations Report)
  • 2 million identities were stolen and used to leave fake comments during a US inquiry into net neutrality (EY Global Information Security Survey 2018-2019)
  • 1,946,181,599 records containing personal and other sensitive data were compromised between January 2017 and March 2018 (EY Global Information Security Survey 2018-2019)
  • $3,62m is the average cost of a data breach in 2018 (EY Global Information Security Survey 2018-2019)
  • In the UK, the average cost of a breach is £3,100 for small businesses £16,100 for medium businesses, and £22,300 for large businesses (ENISA Cyber Security Breaches Survey 2018)
  • The average global cost for a data breach is $7,611 (Verizon 2019 Data Breach Investigations Report)
  • Breaching social media platforms accounted for the highest number of records spilled onto the internet in 2018 (56%).Facebook accounted for over 2.2 billion records and Twitter with 336 million records (ENISA Threat Landscape Report 2018)
  • Healthcare records the largest number of data breaches (27%) with the most severe incident exposing 3,5 million records (ENISA Threat Landscape Report 2018)
  • In healthcare, 60% of attacks that target data are carried out by insiders, higher than any other industry (Verizon 2019 Data Breach Investigations Report)
  • Identity theft remains the main type of data breach with 56% – as has been the case since 2013 (ENISA Threat Landscape Report 2018)

27 data breaches cybersecurity statistic 2019
EY Global Information Security Survey 2018-2019

  • In spite of these appalling statistics, only 17% of organisations report breaches in their information security reports (EY Global Information Security Survey 2018-2019)
  • Another worrisome aspect is that “10% of the UK healthcare organisations have been breached more than 10 times in the last year” (ENISA Threat Landscape Report 2018)
  • 33% of healthcare companies cite careless or unaware employees as the vulnerability that has most increased their risk exposure over the past 12 months (EY Global Information Security Survey 2018-2019)
  • Command and control (C2) is the most common form of attack (47%) in data breach incidents, followed by ransomware with 28% (Verizon 2019 Data Breach Investigations Report)
  • 38% of energy companies admit that it would be unlikely they could detect a sophisticated breach (EY Global Information Security Survey 2018-2019)
  • Surprisingly, device loss accounts for around 50% of all breaches (ENISA Threat Landscape Report 2018)
  • Europol reports external individual malicious actors carried out 73% of the breaches, while 50% were attributed to organised crime groups (ENISA Threat Landscape Report 2018)
  • 84% of data breaches caused by botnets in 2018 were in Finance and Insurance, 10% in Information, and 5% in Professional, Scientific, and Technical Services (Verizon 2019 Data Breach Investigations Report)
  • Data breaches caused by botnet attacks covered 180 countries and territories in 2018 (Verizon 2019 Data Breach Investigations Report)
  • 98.5% of security incidents and 88% of data breaches can be classified in one of the nine patterns information security professional established years ago: POS intrusion, web app attack, insider and privilege misuse, physical theft or loss, miscellaneous errors, crimeware, payment card skimmers, Denial of Service, cyber-espionage (Verizon 2019 Data Breach Investigations Report)

Additionally, our own research at Comparitech highlights that Wall Street swiftly reacts to data breaches. We analyzed how cybersecurity breaches impact stock market prices and found out that:

  • On average, stocks immediately experience a drop of 0.43% in share price following a breach
  • Long-term effects include a much slower upturn in terms of share prices. We observed a 45.6% increase in share prices during the three years prior to breach, and only a 14.8% growth in the three years following the compromise
  • Breached companies recover to NASDAQ’s pre-breach performance level after 38 days on average, but three years after the breach they still underperform the index by a margin of over 40%
  • When they suffer a data breach, financial organizations experience an immediate decline in share price whereas internet businesses (e-commerce, social media, etc.) most frequently endure long-term effects
  • Larger breaches have less of a negative influence on share prices than smaller breaches
  • Breaches involving credit card details and social security numbers register a more significant negative impact on share prices than leaks containing less sensitive info, such as email addresses.

The entire analysis reveals other interesting consequences for breached companies, both in terms of financial aspects and nonfinancial ones, such as reputation and brand trust.

Users are more worried about cybercrime statistics but fail to follow through with protecting their assets

Cybersecurity statistics clearly show that technology has its limitations when it comes to safeguarding assets such as confidential data and money. To truly make strides in better protection from cybercriminals and online crooks, user behavior must be improved as well.

  • Up to 73% of users reuse passwords across their online accounts, which inherently leads to a higher risk of password theft and credential misuse. (RSA Data Privacy & Security Survey 2019)
  • 66% of surveyed users said they simply skim through or do not read End-User License Agreements or other consent forms. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
  • Only 47% know which permissions their apps have. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
  • 71% of Americans worry about having their personal, credit card or financial information stolen by malicious hackers. (Statista)
  • 78% of people in the UK are most concerned about identity theft resulting in financial loss. (RSA Data Privacy & Security Survey 2019)
  • 96% of people polled for a study mention they care about their privacy, and 93% of them use security software. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
  • 42% of Gen Z stated they feared blackmail in 2018. On average, only 34% of all respondents were concerned about this threat. (RSA Data Privacy & Security Survey 2019)
  • 75% of consumers now limit the amount of personal information they share online (RSA Data Privacy & Security Survey 2019)
  • And they do so for good reason: internationally, 36% of people surveyed by RSA said their personal information was compromised in a data breach over the last 5 years, and 45% of US respondents confirmed the same. (RSA Data Privacy & Security Survey 2019)
  • What’s more, 58% of U.S. respondents said they’d consider divesting from companies that disregard protecting their data. (RSA Data Privacy & Security Survey 2019)
  • Surprisingly, 76% of consumers in 21 countries acknowledge the importance of keeping their account information secure, yet many still share their passwords, among other risky behaviors with their data. A further 35% allow at least one device to go unprotected and vulnerable to all forms of viruses and malware. (Symantec)
  • But there’s good news as well: a little over 53% of people now use password managers. ((The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
  • A vast majority of U.S. consumers (80 percent) now have a home internet network. One in ten has also experienced a cyber attack through their home networks. (Hartford Steam Boiler)
  • 72 percent of people globally believe that connected home devices offer hackers new ways to steal data. (Symantec)
  • But the downside is that 41% of people cannot properly identify a phishing email and are often unsure about an email’s legitimacy. (Symantec)
  • Cyberbullying is a primary concern in the US, where 64 percent of parents believe their children are more likely to experience bullying. By comparison, only 31 percent of parents in Germany share this concern. (Symantec)
  • In the past year, nearly 700 million people in 21 countries experienced some form of cybercrime. (Symantec)

The issues are even bigger in an organizational environment, whether private or public:

  • 1 out of 3 employees risk running malware on a work computer (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
  • When penetration testers were on the field, they discovered that 1 out of 7 employees engaged in dialog with an imposter and disclosed confidential information (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
  • 1 out of 10 employees entered account credentials in a fake authentication form (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
  • 1,464 government officials in one state used “Password123” as their password (EY Global Information Security Survey 2018-2019)

GDPR statistics

GDPR came into force on May 25, 2018 and everyone rushed to comply, fearing huge fines and other legal repercussions. Did it work as expected? Let’s check what the numbers have to say.

The UK Information Commissioner’s Office (ICO), for example, received 6,281 data protection complaints between May 25, 2018 (when the new regulation came into force) and July 3, up from 2,417 in the same period the previous year.


  • From May 25, 2018 to mid-March 2019, supervisory authorities in the 31 countries that make up the European Economic Area reported 206,326 cases of GDPR infringement (European Data Protection Board)
  • Issued fines totaled up to 55,955,871 EUR, most of which was the huge fine Google received in France (European Data Protection Board)

28 gdpr cases statistics 2019
European Data Protection Board

  • The National Data Protection Commission in France fined Google 50 million EUR on January 21, 2019 (CNIL France)
  • 52% of the reports have already been closed and 1% face challenges in national courts (European Data Protection Board)

29 gdpr cases cybersecurity statistic 2019
European Data Protection Board

  • 28% more self-reported data breaches were recorded in 2017-2018 compared to the previous year, as a result of the mandatory reporting imposed by the GDPR (ENISA Threat Landscape Report 2018)
  • One of the less fortunate consequences of regulation was GDPR-themed spam:

A large number of GDPR-themed spam emails have been observed during the first quarter of 2018. This spam activity included mostly paid seminars, webinars and workshops related to the new EU’s privacy regulation.

ENISA Threat Landscape Report 2018

  • 49% of organisations in EMEA said that they were not well prepared for GDPR (The Trust Factor by Radware)
  • More than 42,230 complaints from individuals have been registered across Europe (The European Data Protection Board)
  • The privacy regulator in Poland fined a company over £187,000 under GDPR provisions for scraping public data and reusing it commercially without notifying the respective consumers (InfoSecurity Magazine)

30 gdpr complaints uk cybersecurity statistic 2019
GDPR Today

31 gdpr breach notifications uk cybersecurity statistics 2019
GDPR Today

Cost of cybercrime stats

There’s a lot of data to dig into when it comes to the financial toll of cybercrime. Seeing the shocking figures below could help encourage proactive behavior when it comes to cyber defenses.

The big picture view is that up to 0.80 percent of the world’s GDP is now being lost to cybercrime, according to McAfee.

Over the next 5 years, companies in the private sector “risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy—almost the size of the economies of France, Italy and Spain combined—to cybersecurity attacks.


Though it constitutes a relatively new criminal economy, cybercrime is already generating at least $1,5 trillion in revenues every year.

Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy

It’s perfectly adequate to feel a bit overwhelmed by these figures. Even when looking at yearly developments, the data is a compelling argument for improving cybersecurity strategies.

In just one year, the initial costs attributable to cyberattacks increased 52% to $1,1 million.

The Trust Factor by Radware

The varied ways in which cyber criminals amass these large sums of money range from massive operations to spray-and-pray attacks, the latter targeting a large number of victims in the hope that it will compromise some of them.

Revenue generation in the cybercrime economy takes place at a variety of levels – from large ‘multinational’ operations that can generate profits of over $1 billion; to smaller, small scale operations, where profits of $30,000- $50,000 are more the norm.

Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy

Wondering how they manage to move these huge sums without being caught? Here’s what the studies reveal about money laundering alone:

Around 10% or more of the estimated $1,6-$2 trillion of laundered money being circulated globally can be attributed to revenues derived from cybercrime – totalling up to $200 billion.

Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy

However, malicious hackers and scammers are also spending money, “investing” in assets that can make their attacks more effective:

A zero-day Adobe exploit can cost $30,000.

A zero-day iOS exploit can cost up to $250,000.

Malware exploit kits cost $200-$600 per exploit.

Blackhole exploit kits cost $700 for a month’s leasing, or $1,500 for a year.

Custom spyware costs $200.

One month of SMS spoofing costs $20.

A hacker-for-hire costs around $200 for a small hack.

Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy

Other things for sale on the Dark Web include access to compromised systems and organisations. Price points start at “50 cents to $400 for RDP access, and roughly $1,000 to $20,000 for broader access to a compromised organization” (Secureworks State of Cybercrime Report 2018).

Marketplaces are larger than one might imagine: just 25 Dark Web sites that provided access to tools and information for cybercriminal activities counted over 3 million registered users (ENISA Threat Landscape Report 2018)!

There are approximately 6,300 marketplaces selling ransomware in the dark web with 45,000 product listings.

Telstra Security Report 2018

It also doesn’t help that unscrupulous hosting providers enable cybercriminals to carry out their attacks anonymously by giving them access to anonymised servers and Internet access for as little as $100-300/month (Secureworks State of Cybercrime Report 2018).

While vulnerabilities, tools, and hosting that enable bad actors to exploit them can be pricey, personal data used in attacks come dauntingly cheap:

Today, account credentials may sell for as little as $0.20 up to $15 USD.

RSA 2018 Current State of Cybercrime

Full data profiles that include biographic information and payment card data, don’t break the bank either: they are advertised for prices as low as $10 to $25 (Secureworks State of Cybercrime Report 2018).

32 dark web prices cybercrime statistics 2019
Secureworks State of Cybercrime Report 2018

A different report confirms these prices: “as of March 2018, ca. 500,000 email accounts with passwords were priced at US $90 in the Dark Web” (ENISA Threat Landscape Report 2018).

Statistics about current and future cybersecurity costs abound and cover multiple angles:

  • $2,1 trillion: The total global annual cost of all data breaches by 2019, as suggested by Juniper Research. (Juniper Research)
  • $1,5 trillion: The total revenue cybercriminals coaxed out of their victims worldwide in 2017. (RSA)

33 general cybercrime statistics 2018-2019

  • $15 billion: the value of cryptocurrency stolen from online exchanges between 2012 and 2017 (2018 Trustwave Global Security Report)
  • Business email compromise (BEC) and email account compromise (EAC) led to financial losses of up to $12,5 billion between October 2013 and May 2018, as reported by the FBI (Secureworks State of Cybercrime Report 2018)
  • $5 billion: value of associated losses caused by account takeovers in 2017, when this type of attacks tripled in frequency (RSA 2018 Current State of Cybercrime)
  • $5 billion: is the estimate for damages arising from ransomware attacks in 2017 (Europol Internet Organised Crime Threat Assessment (IOCTA 2018)
  • $3,25 billion: global revenue generated by social media-enabled crimes (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
  • $3,2 billion: this is the level that global smart grid cybersecurity spending will reach by 2026 (source)
  • $1,7 billion: is how much energy utilities spent in 2017 on protecting their systems from cyber attacks. (The Global Risks Report 2019 – World Economic Forum)

Other criminal groups have targeted ATM infrastructure directly.

In March 2018, Europol arrested “Denis K,” a Ukrainian national and alleged malware developer, in Spain for his part in a series of thefts since 2013 that Europol estimated had cost €1 billion to banks in more than 40 countries.

Spain’s Interior Ministry reported at the time that Denis K had personally accumulated about 15,000 bitcoins (roughly $120 million USD, at the time it was reported) from this activity.

Secureworks State of Cybercrime Report 2018

  • $530 million: the cost of the January 2018 Coincheck hack, the biggest cryptocurrency heist to date. (Time Money)
  • 1% of business executives who consider cybercrime the most disruptive fraud lost more than $100 million as a result (Global Economic Crime and Fraud Survey 2018 by PWC)
  • $50 million: the total cost of cybercrime across 237 major companies in 6 countries. (Micro Focus)
  • $13.5 million (944 million rupees) is how much an Indian bank lost “after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines”  (InfoSecurity Magazine)
  • $4.6 million: is how much loss two individuals caused by conducting large-scale CEO fraud. (Europol Internet Organised Crime Threat Assessment – IOCTA 2018)
  • $3.8 million: the average cost of a data breach to a business. (Microsoft)
  • $2.2 million per month: this is how much money cyber criminals can make with just 10 stolen credit cards bought from the underground markets. This is why formjacking is making a fast comeback as a preferred attack tactic (2019 Internet Security Threat Report by Symantec)
  • $2 million: the average cost of a DDoS attack on an enterprise in 2017 (Kaspersky)
  • $729,000 is how much a businessman lost in a scam combining catphishing and whaling (EY Global Information Security Survey 2018-2019)
  • $660,000 per hour: is how much e-commerce fraud causes in losses. (RSA 2018 Current State of Cybercrime)
  • $500,000: is the average damage 53% of attacks cause. (Cisco Annual Cybersecurity Report 2018)

34 financial damage cybercrime statistics 2019

  • $24,439 – the average cost for a Business Email Compromise hack (Verizon 2019 Data Breach Investigations Report)
  • $292: the average fraud value following a cybercriminals’ takeover of a consumer’s mobile banking account. (RSA)

While financial value is a big aspect of the cost of cybercrime, statistics show there are other losses to consider as well:

Cybercrime was more than twice as likely than any other fraud to be identified as the most disruptive and serious economic crime expected to impact organisations in the next two years.

Global Economic Crime and Fraud Survey 2018 by PWC

  • 40% of surveyed specialists see the disruption of operations as the biggest potential consequence of a cyberattack; 39% fear the compromise of sensitive data, and 32% cite damage to product quality. (The Global State of Information Security® Survey 2018 by PWC)

35 cybercrime risk by sector statistics 2019
Imperva 2019 Cyberthreat Defense Report

  • 61% of CEOs believe that security issues associated with the digital economy are far too big for their organization to handle alone; they also mention that increasing cybersecurity budgets won’t solve the issue (Accenture – Securing the Digital Economy)
  • 43% of executives said the actions required to remediate security incidents were “difficult and expensive.” (Verizon Mobile Security Index 2019)
  • 51% mentioned security spending is driven by previous years’ budgets (Cisco Annual Cybersecurity Report 2018)
  • Criminal revenues driven by social media-enabled fraud increased by over 60% in 2018 from the previous year. (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
  • Cybercriminals manage to defraud users on mobile for double the amount they’d normally spend on a genuine transaction on the same channel: $133 – average genuine transaction value, $292 – average fraud value (RSA 2018 Current State of Cybercrime)

Companies spend money because of cybercrime in various ways. For example:

41% of executives surveyed said they spent at least twice as much in 2018 on investigations and related interventions as was lost to cybercrime


Moreover, they also pay for compromises in other ways. A report mentions that “2 in 5 companies reported negative customer experiences and reputation loss following a successful attack” (The Trust Factor by Radware).

Cybersecurity spending trends

Almost everyone falls victim to cyber attacks nowadays. Some companies (about a third) detect attacks on a weekly basis and surveyed companies (93%) admit they’ve experienced a cyberattack in the previous 12 months (The Trust Factor by Radware).

Cybercriminals also have a type: they prefer mid-size enterprises with 5,000-9,999 employees because they’re the most affected (88%) by successful cyber attacks (Imperva 2019 Cyberthreat Defense Report).

  • In spite of this, 44% of 9,500 executives in 122 countries surveyed by PWC say they do not have an overarching information security strategy (The Global State of Information Security® Survey 2018 by PWC)
  • The issue goes deeper than that: 48% of these 9,500 executives confirmed they do NOT have a security awareness training program for their employees (The Global State of Information Security® Survey 2018 by PWC)
  • 54% of them also lack an incident response process to help them cope with potential attacks and compromises (The Global State of Information Security® Survey 2018 by PWC)

36 cybersecurity improvements priorities statistic 2019
EY Global Information Security Survey 2018-2019

  • An attacker resides within a network for an average 146 days before detection. (Source: Microsoft)
  • 86% of executives believe that “taking business resiliency to the next level requires an ambitious new vision for the Internet” (Accenture – Securing the Digital Economy)
  • On average, IT security takes up 12.5% of the overall IT budget (Imperva 2019 Cyberthreat Defense Report)
  • 66% of surveyed executives align security spending with revenues pertaining to each line of business (The Global State of Information Security® Survey 2018 by PWC)
  • Only 1 in 10 organisations can process over 75% of their security event data (Oracle and KPMG Cloud Threat Report 2019)
  • Around 30% of companies who experienced attacks couldn’t identify the motive (The Trust Factor by Radware)
  • Only 35% of organisations have cyber insurance that satisfies their current needs (EY Global Information Security Survey 2018-2019)
  • 43 percent of cyber attacks against businesses worldwide target small companies (Symantec)
  • 55% of organisations only have reactive capabilities in place (EY Global Information Security Survey 2018-2019)
  • However, many entities are trying to achieve more: “77% of organisations are now seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities” (EY Global Information Security Survey 2018-2019)
  • 41% of business executives confess spending “at least twice as much on investigations and related interventions as was lost to cybercrime” (Global Economic Crime and Fraud Survey 2018 by PWC)
  • Organizational self-awareness is also increasing: fewer than 1 in 10 organisations say their information security function meets their needs “and many are worried that vital improvements are not yet under way” (EY Global Information Security Survey 2018-2019)
  • Only 6% of financial services companies are satisfied with the performance of their cybersecurity program (EY Global Information Security Survey 2018-2019)

Overall, 92% of organisations are concerned about their information security function in key areas. Resources are a key issue: 30% of organisations are struggling with skills shortages, while 25% cite budget constraints.

EY Global Information Security Survey 2018-2019

Some of the missing puzzle pieces include:

  • Better cloud security, as 53% of organisations host at least 50% of their infrastructure in the cloud (Cisco Annual Cybersecurity Report 2018)
  • Upgrading to newer software; for example, 50% of local authorities in the UK rely on unsupported server software (EY Global Information Security Survey 2018-2019)
  • Having a strategy or a program, as 53% of organisations cite their current setup and processes are obsolete in several areas, such as threat intelligence, breach detection, incident response, and data protection, among others (EY Global Information Security Survey 2018-2019)
  • Only 43% of the companies have an enterprise-wide encryption strategy, leaving more than half exposed as data flows through their systems (ENISA Threat Landscape Report 2018)
  • Lagging security awareness training – just 20% of businesses sent any staff to internal or external cyber security training in the last 12 months (ENISA Cyber Security Breaches Survey 2018)
  • Just 27% of UK businesses have a formal cyber security policy or policies in place (ENISA Cyber Security Breaches Survey 2018)
  • Human resource limitations: over 50% of organisations are “re-training existing IT staff to tackle cloud security challenges” (Imperva 2019 Cyberthreat Defense Report)

Cybersecurity statistics point out that companies are working on improvements in several areas:

  • 85% of companies are interested in replacing passwords with new forms of authentication (Oracle and KPMG Cloud Threat Report 2019)
  • 53% are using machine learning for cybersecurity purposes” (Oracle and KPMG Cloud Threat Report 2019)
  • 86% of businesses explored the possibility of using solutions that incorporate machine-learning and artificial intelligence (The Trust Factor by Radware)
  • 51% of surveyed organisations are now investing more in cyber analytics (EY Global Information Security Survey 2018-2019)

37 cybersecurity solutions statistic usage 2019
Imperva 2019 Cyberthreat Defense Report

In order to achieve these improvements and more, organisations worldwide are increasing their spending. However, information security spending numbers show there are many differences across sectors and company sizes.

  • 53% confirm an increase in their budget in 2018 (EY Global Information Security Survey 2018-2019)
  • 76% added to their cybersecurity budget after a serious breach (EY Global Information Security Survey 2018-2019)
  • Larger companies are more likely to increase their information security budgets (EY Global Information Security Survey 2018-2019)

Half of healthcare and Government & Public Sector organisations say they have increased spending on cybersecurity over the past 12 months, while 66% plan to spend more over the next 12 months.

EY Global Information Security Survey 2018-2019

  • When it comes to energy companies, 57% of them have boosted spending on cybersecurity over the past 12 months, and 68% plan to increase investments over the next 12 months (EY Global Information Security Survey 2018-2019)
  • In fact, the average IT security budget went from $11 million to $15 million in 2018 (cca. a 27% rise) (CSO US State of Cybercrime 2018)
  • The same report notice that 15% of companies have an IT security budget of over $10 million while 37% of them have less than $250,000 at their disposal (CSO US State of Cybercrime 2018)

38 cybersecurity spending statistics 2019
EY Global Information Security Survey 2018-2019

Then there are other kinds of challenges that CISOs and CIOs have to deal with:

  • 60% of surveyed organisations cited that “the person directly responsible for information security is not a board member” (EY Global Information Security Survey 2018-2019)

Conversely, only 18% of organisations say that “information security fully influences business strategy plans on a regular basis” (EY Global Information Security Survey 2018-2019).

Organisations in Technology, Media & Entertainment, and Telecommunications have a different perspective. The same report mentions that 53% of them see cybersecurity as an influential force for business decision-making.

39 ciso cybersecurity challenges statistic 2019
Deloitte-NASCIO Cybersecurity Survey (2018)

Cybersecurity jobs growth

Industry estimates show there may be 3.5 million unfilled cybersecurity jobs by 2021 (Cybersecurity Ventures).

The situation is pressing as it is:

Almost 70% of respondents believe that their enterprise’s cybersecurity team is understaffed, with over 20% of respondents indicating that they perceive their enterprise as significantly understaffed.

ISACA State of Cybersecurity 2019, Part 1

  • 39% of companies mention that less than 2% of their total IT staff work in cybersecurity  (EY Global Information Security Survey 2018-2019)
  • 84% of organisations are challenged by IT security skills shortage, up from 81% in 2017 (Imperva 2019 Cyberthreat Defense Report)
  • Women make up only 11% of the infosec workforce worldwide (2017 Global Information Security Workforce Study: Women in Cybersecurity)
  • 715,715 people worked in cybersecurity in the US in 2018 (Cyberseek)
  • There were 313,735 job openings for information security specialists in 2018 across the United States (Cyberseek)
  • The three most requested job titles by companies in the US were in 2018 were: Cyber Security Engineer, Cyber Security Analyst and Network Engineer / Network Architect (Cyberseek)
  • 57% of surveyed companies are considering training their employees to improve their cybersecurity program (Comptia 2018 Trends in Cybersecurity)
  • The average yearly salary for a security engineer in the US is $88,000 and the same role in the UK pays £52,500 ($69,139) a year (Finding your first job in cyber security)
  • An Information Security Analyst made an average yearly salary of $95,510 in 2017  (US Bureau of Labor Statistics)
  • 9 in 10 organizations are contracting managed security service providers (MSSPs) to offload at least one IT security function (Imperva 2019 Cyberthreat Defense Report)
  • 43% of organizations use third party firms occasionally for information security projects (Comptia 2018 Trends in Cybersecurity)
  • 59% of organizations declare that it’s too expensive to outsource cybersecurity to specialized companies (Comptia 2018 Trends in Cybersecurity)
  • 51% of organizations believe they need new or improved security policies to enhance the effectiveness of their security teams (Comptia 2018 Trends in Cybersecurity)

Cybersecurity threats, preparedness and programs by country

It’s clear from the varied outcomes of the studies and surveys above that not all countries are equal when it comes to cybersecurity and internet freedom. Many are poorly equipped to handle cyber attacks, while others are better equipped but more frequently targeted.

This data visualization delves into a number of metrics that demonstrate the variety of threats we face online, looking at which countries deal with the highest number of threats and how they fare in terms of defenses.

This map included in the Global Cybersecurity Index (GCI) 2017 depicts the level of commitment countries across the world have to cybersecurity preparedness.  Dark green indicates highest commitment and red the least.

40 cybersecurity global index statistics 2019

Australia, Canada, Egypt, Estonia and Finland are leading the way, mobilizing resources to build and implement consistent information security strategies country-wide.

Countries such as China, Germany, Iceland, Poland or Peru fall mid-tier, as their cybersecurity programs are in the process of maturing.

At the same time, El Salvador, Lebanon, Sudan, the Vatican, and a long list of other countries are just initiating or establishing their information security programs.

The same report mentions that “only 38% countries have a published cybersecurity strategy and only 11% have a dedicated standalone strategy“.

41 cybersecurity strategy countries statistic 2019
Global Cybersecurity Index (GCI) 2017

The good news is that 61% of these countries have an emergency response team (i.e., CIRT, CSRIT, and CERT) with national responsibility to help them deal with the numerous cyber threats.

42 cybersecurity priorities country statistics 2019
Global Cybersecurity Index (GCI) 2017

The Imperva 2019 Cyberthreat Defense Report mentions that Spain was hardest hit of all countries in 2018, with 93.7% of respondents reporting successful attacks (Imperva 2019 Cyberthreat Defense Report).

North America is the most popular target, accounting for 57% of the breaches and 72% of the records exposed (ENISA Threat Landscape Report 2018).

The same report notes a 36% decrease in the number of incidents in Europe but a simultaneous 28% increase in the volume of records breached, “with UK organisations being the most affected in Europe” (ENISA Threat Landscape Report 2018).

When it comes to breach costs, Canada suffered the biggest direct costs while the United States had the highest indirect costs. A single compromised record in Canada cost US $81 and the same in the US cost $152 (ENISA Threat Landscape Report 2018).

In terms of attack geography, “the US (45,87%), Netherlands (25,74%), Germany (5,33%) and France (4,92%) were the top four source countries for web-based attacks, representing an increase not only for each country compared to Q1 2018 but also to 2017” (ENISA Threat Landscape Report 2018).

43 sources for web attacks cybercrime statistic 2019
ENISA Threat Landscape Report 2018

For most countries, budget and staffing are the top challenges to developing and implementing an effective information security strategy:

44 cybersecurity challenges state level statistic 2019
Deloitte-NASCIO Cybersecurity Survey (2018)

The State of IT Security in Germany 2018

The homonymous report issued by Germany’s Federal Office for Information Security notes a few interesting aspects particular to the country’s cybersecurity program.

When it comes to attack tactics targeting state organisations, email is prevalent:

The most frequently detected attacks on the Federal Administration involve e-mails containing malware. Using automated anti-virus measures, an average of 28,000 e-mails of this kind were intercepted in real time each month before they reached the recipients’ inboxes.

In 2017, German authorities detected an average of 500 malware programs in HTTP traffic each month, which were subsequently blocked.

In 2017, a total of 157 IMMEDIATE notifications were reported to the Central Reporting Office and National IT Situation Centre.

Ransomware was the main topic of the notifications in 2017. There were reports of the exploitation of telephone/video conference systems for malware infections. In the middle of the year a cyber attack took place with the encryption Trojan NotPetya.

Germany has a high awareness level in terms of cybersecurity, with 92% of organisations fully aware that cyber threats are critical dangers to their operations.

Almost 90% of German companies implemented advanced cybersecurity measures, such as segmentation or minimisation of gateways and malware control.

However, most companies still focus on reactive measures. The report states,“these companies report that they are particularly focused on reactive measures to respond to a cyber attack.”

It’s great to see that 97% of internet users in Germany believe internet security is very important. Less follow through.

For example only about 30% read about information security. Just 45% of them act to keep their data safe and only 37% are quick to apply the latest updates.

45 new malware cybercrime statistics 2019

In addition to these huge malware statistics targeting PCs, 690,000 new Android malware programs were detected each month during the same period.

The State of cyber security in Australia 2018

On the other side of the world, the Telstra Security Report 2018 provides an outlook that compares the country’s cyber security performance with global data.

There’s some good news coming from Australia: 97% of surveyed decisions-makers confirmed they have some level of influence over choices made for the company’s cyber security program.

46 cybersecurity budget decision statistic 2019
Telstra Security Report 2018

This may also contribute to the fact that 83% of Australian respondents mentioned that budgets for cyber and IT security are increasing in 2018, the same tendency displayed by 84% of the APAC and Europe.

Australian business prioritize security solutions such as operational technology (65%), CCTV and external video sources (61%), biometric and physical access systems (58%), and BAS, uninterruptible power supply (UPS) and alarming systems (56%).

Their caution is justified because 60% of Australian businesses had their business interrupted by a security breach in the past year.

47 business interruption data breaches cybercrime statistic 2019
Telstra Security Report 2018

In terms of attack tactics, Business Email Compromise (BEC) and phishing attacks are the most prevalent in Australia.

The financial losses in FY2016/17 amounted to A$20 million, an increase of over 230% from A$8,6 million in FY2015/16.

Telstra Security Report 2018

48 phishing cybercrime statistic 2019
Telstra Security Report 2018

In Asia, for example, the two most common attack tactics are virus/malware outbreak and employee error. Interestingly enough,  Europe features a combination of both: phishing attacks and employee errors.

A notorious example from Europe features shipping container company Maersk, which fell victim to a ransomware attack in June 2017. The infection spread through their global network

and impacted shipping across 76 ports.

The fallout from the attack cost them ca. $300 million and forced them to rebuild their entire IT infrastructure.

In the APAC region, companies are interested in user and entity behaviour analytics (57%) and in threat intelligence platforms (56%). In Europe, DevOps for security (55%) and security for IoT (also 55%) are top of mind (Telstra Security Report 2018).

Top cybersecurity threats 2019

Reports of cybercrimes continue to create headlines around the world and this is unlikely to change throughout the year.

Here are some of the predictions being put forward regarding what we can expect to see during the rest of the 2019.

The Global Risks Report 2019 from the World Economic Forum provides a detailed outlook of how things look like for individual users:

  • 83% of consumers expect cyber attacks, data theft, and fraud to increase in 2019
  • 80% of respondents expect business and infrastructure disruption to increase in 2019
  • 64% fear a hike in personal identity theft
  • 63% of individual users cite worrying about losing their privacy to companies as a main concern for 2019
  • 57% of consumers dread the loss of privacy to governments over the course of this year.

When it comes to a perspective on cybercrime trends for 2019, the Europol Internet Organised Crime Threat Assessment (IOCTA) 2018 provides a well-documented outlook:

Within the next five years, we can expect to see continued fragmentation of the Darknet market scene.

While a number of larger, multi-vendor, multi-commodity markets may survive, there will be an increasing number of vendor shops and smaller secondary markets catering to specific nationalities or language groups.

These smaller markets will be less likely to attract the coordinated international law enforcement response that larger markets invite.

Some vendors will abandon web shops altogether and migrate their business to encrypted communications apps, running their shops within private channels/groups91 and automating the trade process using smart contracts and bots92.

Industry and media already reports trend in the abuse of apps like Telegram or Discord, despite the provider’s efforts to curtail such activity.

Gartner predicts that, by 2020, 25 percent of cyber attacks against enterprises will involve IoT devices.

In terms of threats, the World Economic Forum (WEF) 2019 Global Risks Report highlights cybersecurity threats as one of its 5 key areas. It also predicts that “massive data fraud and theft” will constitute the 4th largest global threat over a 10-year horizon, with cyber attacks following in 5th place.

When it comes to cybersecurity spending, the EY Global Information Security Survey 2018-2019 states that 65% or organization foresee an increase in their budget next year.

Some of this budget is planned to be spent on “advanced malware analysis, next-gen firewalls (NGFWs) and deception solutions”, the Imperva 2019 Cyberthreat Defense Report mentions. But the most sought-after technology is biometrics, as the aforementioned report highlights, because it addresses key issues in identity and access management security.

The same report by Imperva cites that 4 in 5 respondents “believe ML and AI technologies are making a difference in the battle to detect advanced cyberthreats”.

7 easy ways to improve your privacy and security online

If you don’t want to be another statistic in next year’s report, we recommend you take a few simple steps toward protecting your privacy and security online.


Turn on your antivirus. There’s a good chance your computer already has antivirus software built in. If it doesn’t, or if you don’t think it’s sufficient, there are plenty of free and paid antivirus programs to avail of.

Modern antivirus programs typically have two methods of finding and removing malware from your system. The first is a simple system scan, in which the antivirus will sift through every file on your computer to look for, quarantine, and remove malware. The second is real-time scanning, in which running processes and downloaded files are scanned as they appear on your computer and flagged accordingly.


Short for virtual private network, a VPN encrypts all of your internet traffic and routes it through a remote server in a location of your choosing.

Commercial VPNs are typically paid subscription services that you can use by installing an app on your device. They have two primary effects.

The first is that all of your data is secured in an encrypted tunnel until it reaches the VPN server. This prevents your ISP and hackers on wifi networks from snooping on any of your internet activity and your traffic’s final destination.

The second is that your IP address, a unique number that can be used to identify your device and location, is masked behind the VPN’s server address. This helps to anonymize your internet activity.

Most commercial VPNs group dozens or even hundreds of users together under a single IP address, making it impossible to trace activity back to a single user.

VPNs can also be used to unblock geo-locked content that’s only accessible from certain countries, such as US Netflix or Hulu.

Secure browser extensions

Your web browser is the window through which you see the internet, and it can do a lot of things, but is also vulnerable to a large number of attacks and exploits.

Fortunately, a few browser extensions can help protect your privacy and improve security online. Here is a shortlist of browser extensions we recommend:

  • HTTPS Everywhere – opts for the SSL-encrypted versions of web pages whenever they are available
  • Disconnect or Privacy Badger – prevents websites from using tracking cookies and similar technologies to monitor your online behavior
  • Ad Block Plus – advertisements are a common attack vector by which to deliver malware and phishing ads to users. A good ad blocker can keep them at bay.
  • NoScript or ScriptSafe – stops Javascript from loading on your browser by default, which prevents drive-by-downloads that can infect your computer with malware


A firewall is an essential defense against unsolicited internet traffic coming or going from your computer.

Firewalls are installed on almost all modern operating systems and NAT firewalls on most routers. Keep them turned on and be selective about programs you allow to “phone home” through the firewall.


Use strong, unique passwords. Task your password generator with creating random, unique passwords for each of your accounts. Relying on a password manager means you don’t have to memorize them or write them down.

If you don’t want to go that route, at least use a combination of upper and lower case letters, numbers, and symbols and try to make it as random as possible.

Never use the same password across all of your accounts. Never use your personal details that a hacker could figure out.

Good passwords will go a long way in protecting your accounts.


Besides a good spam filter, there’s not much protection against phishing attempts. You just have to know how to spot them.

Don’t open links or attachments in unsolicited emails or text messages. Always look for valid HTTPS certificates on websites where you need to input a password or financial information.

If you’re unsure about an email, contact the sender by some other means or ask a question that only they would know to verify their identity.

Never, ever give out passwords or other private information in an email, SMS or instant message.

Read more: Common phishing scams and how to avoid them.

Security updates

Don’t ignore security updates. Even though they can be annoying, not updating your software not only endangers your device, but everyone on your network.

Once a security update has been issued, hackers will deliberately target that software and users who ignore the security updates. So always update as soon as it’s practical.

How to report cybercrime

If you’ve been a victim of cybercrime then you can find more information about reporting it using the links below:


UK: ActionFraud, National Crime Agency

Europe: Europol

Australia: ACORN

Canada: Public Safety Canada