Updated for 2026

Cybersecurity Statistics
Data, Trends & Benchmarks

A curated collection of the most important cybersecurity statistics from leading research organizations. Use these data points to inform security decisions, justify budgets, and communicate risk to leadership.

$4.88M
The global average cost of a data breach in 2024 reached an all-time high, a 10% increase from the previous year and the largest annual jump since the pandemic.
Source: IBM / Ponemon Institute, Cost of a Data Breach Report 2024

Ransomware

Ransomware Attack Statistics

Ransomware remains the most financially devastating cyber threat facing organizations of all sizes.

$2.73M
Average ransomware payment in 2024, up from $1.54 million in 2023, a 77% year-over-year increase.
Source: Sophos, State of Ransomware 2024
59%
Of organizations were hit by ransomware in 2024, with recovery costs averaging $2.73 million excluding the ransom payment itself.
Source: Sophos, State of Ransomware 2024
$5.13M
Average total cost of a ransomware breach, including downtime, recovery, ransom, legal, and reputational damage.
Source: IBM/Ponemon 2024
80%
Of organizations that paid the ransom were targeted again, often by the same threat actor or an affiliate group.
Source: Cybereason, Ransomware: The True Cost to Business 2024
23 Days
Average downtime caused by a ransomware attack, severely impacting productivity, revenue, and customer trust.
Source: Statista / Coveware, 2024
8%
Of organizations that paid the ransom successfully recovered all of their data. Most received only partial recovery or corrupted files.
Source: Sophos, State of Ransomware 2024

Phishing & Social Engineering

Phishing Attack Statistics

Phishing remains the primary initial access vector for most cyberattacks, exploiting human behavior rather than technical vulnerabilities.

91%
Of all cyberattacks begin with a phishing email, making employee awareness the most critical layer of defense.
Source: Deloitte, 2024
3.4B
Phishing emails are sent every day worldwide, with attackers using increasingly sophisticated AI-generated content.
Source: Radicati Group / AAG-IT, 2024
$4.76M
Average cost of a phishing-initiated data breach, the second most expensive initial attack vector behind stolen credentials.
Source: IBM/Ponemon 2024
36%
Of all data breaches involve phishing as the initial attack vector, outpacing all other methods including vulnerability exploitation.
Source: Verizon DBIR 2024
60%
Reduction in phishing click rates for organizations with regular security awareness training and simulated phishing programs.
Source: KnowBe4, Phishing Industry Benchmarking Report 2024
1,265%
Increase in malicious phishing emails since the launch of generative AI tools, enabling more convincing, personalized attacks at scale.
Source: SlashNext, State of Phishing 2024

Data Breaches

Data Breach Statistics

Data breaches continue to grow in frequency and impact, with stolen credentials and cloud misconfigurations among the top attack vectors.

3,205
Total data breaches reported in the US in 2023, a 78% increase from the previous year and a new all-time record.
Source: Identity Theft Resource Center (ITRC), 2024
277 Days
Average time to identify and contain a data breach. Breaches contained in under 200 days cost $1.02 million less on average.
Source: IBM/Ponemon 2024
$165
Average cost per compromised record in 2024, including detection, notification, response, and lost business costs.
Source: IBM/Ponemon 2024
16%
Of breaches involved stolen or compromised credentials as the initial attack vector, the most common vector for the 4th consecutive year.
Source: IBM/Ponemon 2024
$1.76M
Average savings for organizations with a well-tested incident response plan compared to those without one.
Source: IBM/Ponemon 2024
45%
Of breaches involved cloud-based data, highlighting the critical need for proper cloud security configuration and monitoring.
Source: IBM/Ponemon 2024

Compliance & Regulation

Compliance Statistics

Regulatory compliance is no longer optional. Organizations that fail to meet compliance requirements face steep fines and increased breach costs.

$5.05M
Average cost of a data breach for organizations with high levels of compliance failures, compared to $3.35M for those with low failure rates.
Source: IBM/Ponemon 2024
$2.1M
Maximum HIPAA penalty per violation category per year. HHS OCR has levied over $142 million in HIPAA fines since 2003.
Source: HHS Office for Civil Rights, 2024
73%
Of defense contractors expect to need CMMC Level 2 certification by 2026 to maintain eligibility for DoD contracts.
Source: CMMC-AB / Coalition Projections, 2024
$1.27B
Total GDPR fines issued since 2018, with Meta alone receiving penalties exceeding $1.3 billion in a single enforcement action.
Source: GDPR Enforcement Tracker, 2024
66%
Of organizations report that compliance mandates are the primary driver for their cybersecurity spending increases.
Source: PwC Global Digital Trust Insights 2024
$100K/mo
Potential PCI DSS non-compliance fine for organizations processing credit card payments without meeting required security standards.
Source: PCI Security Standards Council, 2024

Small & Mid-Sized Business

Small Business Cybersecurity Statistics

Small businesses are disproportionately targeted by cybercriminals because they often lack the security resources of larger enterprises.

43%
Of cyberattacks target small businesses, yet only 14% of SMBs rate their ability to mitigate cyber risks as highly effective.
Source: Accenture / Verizon DBIR 2024
60%
Of small businesses that suffer a cyberattack go out of business within 6 months due to financial losses and reputational damage.
Source: National Cyber Security Alliance, 2024
$108K
Median ransomware payment demanded from small businesses, which often cannot afford the downtime that comes with refusing to pay.
Source: Coveware, Q4 2024
51%
Of small businesses have no cybersecurity measures in place at all, relying entirely on consumer-grade protections or nothing.
Source: SCORE / SBA, Small Business Cybersecurity Survey 2024
$2.98M
Average breach cost for organizations with fewer than 500 employees, a 13% increase from the previous year.
Source: IBM/Ponemon 2024
350%
Increase in social engineering attacks targeting small businesses since 2020, with BEC (business email compromise) leading the category.
Source: FBI IC3 Annual Report 2024

Healthcare

Healthcare Cybersecurity Statistics

Healthcare is the most targeted and most expensive industry for data breaches, with patient data fetching premium prices on the dark web.

$9.77M
Average cost of a healthcare data breach in 2024, the highest of any industry for the 14th consecutive year.
Source: IBM/Ponemon 2024
725
Healthcare data breaches reported to HHS in 2023 affecting 500+ individuals, exposing over 133 million records.
Source: HHS Breach Portal, 2024
$408
Cost per compromised healthcare record, nearly 2.5 times the global average across all industries.
Source: IBM/Ponemon 2024
$250
Price of a single stolen healthcare record on the dark web, compared to $5.40 for a stolen credit card number.
Source: Trustwave, 2024

Cost Metrics

Cybersecurity Cost & Investment Statistics

The economics of cybersecurity continue to evolve, with investment in prevention proving far more cost-effective than incident response after the fact.

$215B
Global cybersecurity spending forecast for 2025, a 14.3% increase from the previous year as organizations prioritize defense.
Source: Gartner, 2024
$10.5T
Projected annual cost of cybercrime globally by 2025, more than the GDP of every country except the US and China.
Source: Cybersecurity Ventures, 2024
$2.22M
Average cost savings from extensive use of security AI and automation, reducing breach lifecycle by 108 days on average.
Source: IBM/Ponemon 2024
3.5M
Unfilled cybersecurity jobs worldwide in 2024, a workforce shortage that drives up costs and leaves organizations vulnerable.
Source: ISC2, Cybersecurity Workforce Study 2024
$4.45M
Average cost of a breach for organizations with a critical security skills shortage, $1.76M more than those with sufficient security staffing.
Source: IBM/Ponemon 2024
292 Days
Average breach lifecycle when stolen credentials are the initial vector, the longest of any attack type and 15 days above average.
Source: IBM/Ponemon 2024

About These Statistics

Statistics on this page are compiled from industry-leading research organizations including IBM Security, Ponemon Institute, Verizon, Sophos, FBI IC3, HHS OCR, Gartner, ISC2, and others. Where reports reference multiple years, we cite the most recent available data. All statistics are cited with their original source. This page is updated regularly as new research becomes available. For the most current data specific to your industry and organization size, contact PTG for a personalized risk assessment.

Frequently Asked Questions

Cybersecurity Statistics FAQ

What is the most common type of cyber attack?

Phishing remains the most prevalent attack vector, with 91% of all cyberattacks beginning with a phishing email according to Deloitte research. Approximately 3.4 billion phishing emails are sent worldwide every day. The second most common vector is stolen or compromised credentials, which account for 16% of all data breaches per the IBM/Ponemon 2024 report. Ransomware, while less frequent in volume, is the most financially devastating attack type, with 59% of organizations hit in 2024. A layered cybersecurity strategy is essential for defending against all of these threat vectors.

How often do small businesses experience cyber attacks?

Small businesses are disproportionately targeted by cybercriminals. According to Accenture and the Verizon DBIR 2024, 43% of all cyberattacks target small businesses, yet only 14% of SMBs rate their cyber risk mitigation capabilities as highly effective. Even more alarming, 51% of small businesses have no cybersecurity measures in place at all. The consequences are severe — 60% of small businesses that suffer a cyberattack go out of business within six months. A professional risk assessment is the critical first step in protecting your business.

What is the average ransomware payment?

The average ransomware payment surged to $2.73 million in 2024, a 77% increase from $1.54 million in 2023, according to Sophos. For small businesses, the median demand is $108,000 per Coveware data. However, paying the ransom is rarely advisable — 80% of organizations that paid were targeted again, and only 8% successfully recovered all of their data. The total cost of a ransomware breach, including downtime, recovery, legal fees, and reputational damage, averages $5.13 million. Petronella’s ransomware recovery services help organizations respond effectively and minimize losses.

How quickly do attackers typically gain access after a breach?

Modern attackers can move extremely fast once they gain initial access. According to CrowdStrike, the average breakout time — the time it takes an attacker to move laterally from the initial compromised system to other systems in the network — is just 62 minutes. However, the bigger challenge is detection: the average time to identify and contain a data breach is 277 days per IBM/Ponemon research. When stolen credentials are the initial vector, the lifecycle stretches to 292 days. Organizations that contain breaches in under 200 days save $1.02 million on average, underscoring the value of 24/7 security monitoring.

What percentage of data breaches involve human error?

Human error is a contributing factor in approximately 68% of all data breaches, according to the Verizon Data Breach Investigations Report 2024. This includes clicking phishing links, misconfiguring cloud storage, using weak passwords, falling for social engineering attacks, and accidentally exposing sensitive data. Security awareness training programs can reduce phishing click rates by up to 60% according to KnowBe4. Organizations with regular employee training save an average of $1.49 million per breach. Contact Petronella to implement an effective training program for your team.

Where can I find reliable cybersecurity statistics?

The most widely cited and methodologically rigorous sources for cybersecurity statistics include the IBM/Ponemon Institute Cost of a Data Breach Report (published annually, surveying 600+ organizations), the Verizon Data Breach Investigations Report (analyzing 30,000+ incidents), Sophos State of Ransomware Report, FBI Internet Crime Complaint Center (IC3) Annual Report, and the ISC2 Cybersecurity Workforce Study. For healthcare-specific data, the HHS Office for Civil Rights breach portal is authoritative. We compile and verify statistics from these sources on this page and update it regularly. For data specific to your industry and organization size, schedule a consultation with Petronella.

Take Action

Do Not Become a Statistic

Petronella Technology Group helps businesses protect themselves against the threats behind these statistics. With 23+ years of experience and 2,500+ businesses served, we know how to reduce your risk.

Serving Raleigh, Durham, Chapel Hill, and the Research Triangle since 2002