What can statistics about cybersecurity tell you? They can offer some insight into how effective or ineffective the efforts currently are to improve the cybersecurity outlook. As a cybersecurity executive, cybersecurity statistics can prove to be an excellent means of communicating to upper management that your organization should invest in cybersecurity.

Presented below are 15 surprising statistics about cybersecurity, grouped in the following categories:


  • The average cost of a data breach in 2020 (so far) is $3.86 million.

In their 2020 Data Breach report, IBM states that the average cost of a security breach is $3.86 million. This is an alarming statistic because the amount presented by IBM is higher than the amounts they provided in previous years because 2020 has not yet ended. There are numerous possibilities about the cause(s) of the increases. However, the bottom line is that the cybersecurity landscape is not improving.

  • The amount spent on cybersecurity budgets in 2019 was $250, 000 for midmarket organization to $1 million spent by large enterprises.

The 2019 The Security Bottom Line report by Cisco reports that companies are investing in cybersecurity, but the costs are not equal. Companies recognize that cybersecurity is an important investment, but the costs to implement it are often too much. In the same Cisco report, 84% of the CISOs survey participants stated that their organization was only able to afford only a portion of what was considered the minimum required to protect their infrastructure.

  • The cost of cybersecurity insurance is projected to cost organizations $28.6 billion by 2026.

According to a market outlook provided by Allied Market Research, cybersecurity insurance just about hit the $5 million mark in 2018. As more organizations are adding cyber insurance to mitigate potential losses due to a cyberattack, that number is projected to balloon to almost $30 billion by 2026. Cybersecurity insurance is becoming more important as the costs of recovering from a data breach increase. This type of insurance also benefits companies by providing their customer base an assurance that in case there is a data breach, they will receive some protection.

Hear From Our
Happy Clients

Read Our Reviews


  • The most frequent attack to both enterprises and small business is DDos attacks.

The 2019 IT Security Economics report by Kaspersky reports that distributed-denial-of-service DDos attacks are equal-opportunity attackers in the business world. These types of attacks highjack a company’s resources and in most cases requests a ransom to release them. They do not only cause a disruption of business, but are associated with significant costs.

  • Cyberattacks of mobile devices increased by 50% in 2019.

The technology firm ZDNET reported on this statistic in their report on the increase in mobile malware. This is an important statistic because more IT departments are implementing Bring-Your-Own-Device (BYOD) policies. Any vulnerabilities that are associated with a device that connects to a corporate network pass on to the network and increase the chances the network will succumb to a cyberattack. The report highlights the increased usage of online banking as a key to the increase in mobile malware attacks.

  • Malware threats occur most often (94%) via email.

In the early days of technology, malware was most often considered a threat via software. Now that email has become the main method of communication around the world, cybercriminals have changed their tactics. A 2019 report by Verizon outlines the statistics of malware. Despite the numerous ads and training programs that highlight the dangers of clicking on questionable links, people are still falling victim to email malware.


  • 43% of the security breaches of 2019 involved a small business.

As noted in this statistic from the Verizon 2020 Data Breach Investigations Report, the message is clear that cybersecurity is for everyone. Tight budgets and no buy-in from top executives make it difficult to direct funds to cybersecurity, but it should be considered a significant part of your business. The potential impact is not only financial. Your business reputation can also suffer, your business may be disrupted, and your customers or business partners may be impacted. This stat indicates that small business may not be taking

  • Attacks on supply chain providers were up 78% in 2019.

A 2019 report by Symantec that states that cybercrime in the banking industry rose in 2019 to $18.3 million. This probably isn’t a surprise to you since the financial and banking industries are markets that are targeted often. What’s surprising is that supply chain providers are not being added to that list. The increase in supply chain cyberattacks is linked to organizations relying more on multiple third-party vendors to distribute their products. The attacks on the supply industry has become some critical that during the Aspen Institute’s Virtual Cyber Summit, a leader of the FBI warned companies in the United States to about hackers targeting the distribution of the COVID-19 vaccine.

  • From 2016 to 2019, 93% of healthcare organizations have had a data breach.

Healthcare is one of the industries that are most targeted for cyber attacks (companies in finance, government, manufacturing, education, and technology are also heavily targeted). According to a report by Black Book Research, a whopping 93% of healthcare organizations experienced a data breach between 2017 and 2019. In addition, the report states that more than 50% of organizations in the healthcare industry have experienced more than five data breaches within the 2016 and 2019 period. The healthcare/medical industry is an attractive target for cyber criminals because it receives and stores a significant amount of personal data. During health crises, such as the COVID-19 global pandemic, the industry is target even more as cyber criminals attempt to gain access to privileged research data.


The technology company ZDNET reports that the majority of organizations don’t detect a data breach until its been around for more than six months. This is a sobering number. Organizations in the financial industry are privy to a significant amount of personal data and are one of the key targets of cyber criminals. Since a data breach of these organizations can impact a large number of people, their reaction time to an intrusion is critical.

  • Less than 50% of companies in the world feel they are adequately prepared to mitigate their cybersecurity risk.

The accounting firm PriceWaterhouseCoopers conducted a survey of  3,249 executives in business and technology and learned that 55% of them did not have confidence that their investment in cybersecurity would provide their companies the most benefit. One of the most difficult aspects of cybersecurity risk is determining where to allocate your investment. Without an accurate assessment of an organization’s needs, they will likely not provide their organization with the most protection.

  • 33 billion records will be stolen by cybercriminals in 2023.

This projection stems from a report by Juniper Research of 48 leading cybersecurity companies. According to the research, the latest technologies to protect against newer forms of attacks aren’t making it to small businesses that are most vulnerable to cyberattacks. Until small businesses are able to keep up with technologies and the costs associated with mitigating their cybersecurity risks, we’ll likely to continue to see alarming projects like this one.

  • 58% CISOs report that they feel employees ignore cybersecurity policies and guidelines.

The 2020 Cyber Threats Report by netwrix includes an important statistic. One of the most sobering statistics is that employees are not doing their part to help organizations stay safe. However, employees may not be receiving sufficient education (see statistic #15). The important factor in education is content and timeliness. Cybersecurity professionals should assess the knowledge that the employees in their organization require and design a training program that fits that assessment.

  • Only 5% of folders stored on a corporate network are adequately protected.

The 2019 Global Data Risk Report from the Varonis data lab highlights the results of 785 data risk assessments they performed. Protecting all potential entry points is a basic cybersecurity best practice. Project folders that are uncontrolled are easy access for cybercriminals via ransomware or other forms of malware.

  1. The average frequency for employee cybersecurity awareness training in the U.S. is once per year.

According to Statista, an Internet statistics database, employees in the U.S. on average receive cybersecurity awareness training on an infrequent basis. This is a startling statistic, considering the growing number of cyberattacks projected in the future. One of the most significant impacts on the outlook of cybersecurity is human behavior.


As technology for mitigating cybersecurity risks improve, so do the tactics of cyber criminals. Understanding the cybersecurity landscape can help you remain informed about what your organization should consider when you design your cybersecurity policies.

BACS is a professional team of security experts who can help you understand all aspects of your infrastructure and devise a plan that provides the greatest amount of protection at the most reasonable cost.

Would You Like to Discuss IT Services For Your Business?

BACS Consulting Group is here to be your trusted team of technology professionals.

Jeremy Kushner BACS IT

I hope you enjoy reading this blog post.

Download our HIPAA Compliance Checklist to measure if your organization is HIPAA compliant.