Data breaches can be frightening — you know they’ll have an impact on your business, but it’s hard to know what the impact will be, exactly.
The good news is that plenty of research has been done on data breaches, attack trends, and cybercrime in general. We’ve gathered some of our favorite research here in this blog post for you.
How big of a problem is cybercrime?
If you’re on this blog, you already know that cybercrime is a problem, but you might not know where it ranks alongside other flavors of criminal activity.
According to The Center for Strategic and International Studies (CSIS), almost $600 billion — nearly 1% of global GDP — is lost to cybercrime each year, and that number is projected to increase to $6 trillion by 2021.
Cybercrime touches us all, even if we aren’t aware of it; two-thirds of people on the internet — including people who work for your companies or partners — have been compromised in some way by cybercriminals, CSIS found.
Bad actors often head to where the money is, targeting banks and other financial institutions, but this year’s COVID-19 pandemic has shown a chilling tendency to prey on people’s fears. When the pandemic began to pick up steam in early 2020, bad actors switched tactics abruptly, using coronavirus-themed phishing campaigns and malicious domains with COVID-related keywords to scam individuals.
Attacks were aimed at organizations as well. The healthcare industry — which suffers from the most costly breaches — is often a target, but the pandemic brought a wave of large attacks against medical companies and healthcare organizations, according to SANS. Remote workers, no longer working behind their organization’s firewalls and often working in rapidly thrown-together platforms and networks, were targeted as well, while security pros scrambled to keep them safe.
As always, good security controls and cyber hygiene — as we’re always writing about in these posts — are critical, but 2020 was an odd year with different challenges. Enough from us. On to the stats!
Cybercrime: just the facts
1. In 2019, the last year for which there is complete data, there were 1,473 data breaches, exposing 164,683,455 sensitive records. (ITR, 2019)
2. In the first three quarters of 2020, there were 846 data breaches, impacting 73 million individuals whose identities have been compromised. (ITR, 2020)
3. Two-thirds of the people online have had their records stolen or compromised by bad actors. (CSIS, 2018)
4. Publicly reported data breaches through September 30, 2020, are down 30% year-over-year. (ITR, 2020)
5. More than 292 million individuals have had their identities compromised so far in 2020, a 60% drop from 2019. (ITR, 2020)
6. Absent a significant uptick in reported data compromises, 2020 is on-trend to see the lowest number of breaches and data exposures since 2015, with a projected breach total of 1,128. (ITR, 2020)
7. The Privacy Rights Clearing House estimates there were 4.8 billion records lost as a result of data breaches in 2016, with hacking responsible for about 60% of these. (CSIS, 2018)
8. The FBI estimated 780,000 records were lost to hacking daily in 2016. (CSIS, 2018)
9. Organized cybercrime entities are joining forces. The likelihood of their detection and prosecution is estimated to be as low as 0.05% in the United States. (WEF, 2020)
10. Cybercrime will be the second most-concerning risk for global commerce over the next decade. (WEF, 2020)
11. In 2021, cybercrime damages might reach US$6 trillion—the equivalent of the GDP of the world’s third-largest economy. (Cybersecurity Ventures, 2018)
12. The total number of breaches in 2019 increased 17% to 1,473 over 2018 after declining 23% the previous year. (SANS, 2020)
13. 164 million sensitive records were exposed in 2019. (SANS, 2020)
The cost of a breach
14. The average cost of a data breach is $3.86 million, a decline from the previous year. (Ponemon, 2020)
15. Almost $600 billion — nearly one percent of global GDP — is lost to cybercrime each year. (CSIS, 2018)
16. The wealthier a country, the greater its losses to cybercrime are likely to be. (CSIS, 2018)
17. The healthcare industry has the highest average data breach costs. (Ponemon, 2020)
18. The average time it takes to contain a data breach is 280 days. (Ponemon, 2020)
19. Companies in the U.S. tend to have the most expensive breaches. (Ponemon, 2020)
20. Customers’ personally identifiable information (PII) was the most frequently compromised type of record in 2019, costing $150 per exposed record. (Ponemon, 2020)
21. One in five companies (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million. (Ponemon, 2020)
22. Breaches due to cloud misconfigurations resulted in the average cost of a breach increasing by more than half a million dollars to $4.41 million. (Ponemon, 2020)
23. Breaches of 1 million to 10 million records cost an average of $50 million, more than 25 times the average cost of $3.86 million for breaches of less than 100,000 records. (Ponemon, 2020)
24. Lost business costs accounted for nearly 40% of the average total cost of a data breach. (Ponemon, 2020)
25. The average cost savings of companies with fully deployed security automation is $3.58 million. (Ponemon, 2020)
26. 53% of malicious breaches were believed to be carried out by financially motivated cybercriminals, compared to 13% by nation-state threat actors, 13% by hacktivists, and 21% remaining unknown. (Ponemon, 2020)
27. State-sponsored breaches cost an average of $4.43 million, compared to $4.23 million in financially motivated breaches. (Ponemon, 2020)
28. The average cost of a data breach in the healthcare industry is $7.13 million, an increase of 10% compared to 2019. (Ponemon, 2020)
29. The average total cost of a breach at enterprises of more than 25,000 employees is $5.53 million, compared to $2.64 million for organizations under 500 employees. (Ponemon, 2020)
30. Cyber incidents cost SMEs an average of $175,000 and large companies an average of $9.1 million. (NetDiligence, 2020)
31. Incidents cost SMEs an average of $208 per exposed record and large companies an average of $0.65 per record. (NetDiligence, 2020)
32. Cybercriminals targeted financial services firms the most, resulting in losses of $245,000 on average for SMEs in that sector and an average of $22.9 million in losses from large financial services companies. (NetDiligence, 2020)
33. Small and midsized professional services were also targeted, resulting in $245,000 worth of claims. (NetDiligence, 2020)
34. Small businesses are likely to be most financially compromised by hackers. (NetDiligence, 2020)
35. While large corporations are likely to be hacked, they’re more likely to lose money to ransomware attacks. (NetDiligence, 2020)
36. The legal costs for SMEs with cyber insurance claims ranged from less than $500 to $5M for defense, and less than $1K to $6.8M for settlements. (NetDiligence, 2020)
37. For large companies, the ranges for defense and settlement were $5K to $5M, and $50K to $6.5M, respectively. (NetDiligence, 2020)
38. Regulatory defense costs for companies with cyber insurance claims range from $2,000 to $368,000. (NetDiligence, 2020)
39. Regulatory fines for companies with cyber insurance claims range between $5,000 and $3.5 million. (NetDiligence, 2020)
40. The business interruption caused by a breach can cost a company between $200 and $10 million. (NetDiligence, 2020)
41. The cost of crisis services is trending downwards. (NetDiligence, 2020)
42. Malicious actors focused on stealing PHI, PII, and PCI data from large companies. The average records exposed for these three were 56M, 11M, and 663K, respectively; the corresponding average Incident Costs were $4.4M, $16.2M, and $2.4M. (NetDiligence, 2020)
A look at attacks
43. Mass data breaches of personal information continue to decline while cyberattacks are up as threat actors focus on ransomware, phishing, and brute force attacks that use already available identity information to steal company funds and COVID-19 related government benefits. (ITR, 2020)
44. Cyberattacks are the primary cause of data compromises reported in Q3 2020, with phishing and ransomware attacks as the most common attack vectors. (ITR, 2020)
45. IoT threats are expanding and evolving. The first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019. (Microsoft 2020)
46. In 2019, Microsoft blocked over 13 billion malicious and suspicious emails, out of which more than 1 billion were URLs set up for the explicit purpose of launching a phishing credential attack. (Microsoft 2020)
47. Ransomware is the most common reason behind Microsoft’s incident response engagements from October 2019 through July 2020. (Microsoft 2020)
48. The most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware and virtual private network (VPN) exploits. (Microsoft 2020)
49. In past years, cybercriminals focused on malware attacks. More recently, they have shifted their focus to phishing attacks (~70%) as a more direct means to achieve their goal of harvesting people’s credentials. (Microsoft 2020)
50. The top spoofed brands used in phishing attacks are Microsoft, UPS, Amazon, Apple, and Zoom. (Microsoft 2020)
51. Over 70% of human-operated ransomware attacks in the past year originated with Remote Desktop Protocol (RDP) brute force. (Microsoft 2020)
52. Attacks on IoT devices increased by more than 300% in the first half of 2019. (WEF, 2020)
53. In 2018, for the first time ever, a DDoS attack topped 1 Tbps in size, and then, a few days later, a 1.7 Tbps attack occurred. (NetScout, 2019)
54. In 2019, cybercriminals launched “waves” of sophisticated phishing attacks against related targets like healthcare. (SANS, 2020)
55. In 2019, the MS-ISAC observed a 153% increase in state, local, tribal, and territorial (SLTT) reporting of ransomware incidents. (SANS, 2020)
56. Small and medium-sized businesses are increasingly being targeted by cybercriminals. 98% of cyber insurance claims were from SMEs this year. (NetDiligence, 2020)
57. The average ransom demanded by criminals in 2019 was $175,000, up from $47,000 in 2018. (NetDiligence, 2020)
58. The number of ransomware claims has increased dramatically since 2015, from 19 in 2015 to 301 in 2018, and 263 in 2019. (NetDiligence, 2020)
59. The ransom amounts have been increasing, as well. In 2018, ransom amounts crossed the $1M threshold for the first time. In 2019, they crossed the $3M threshold. (NetDiligence, 2020)
60. PII remains the type of data that global security decision-makers most often say has been compromised or breached; IP is also high on the list, coming second in 2018 and third in 2019. Authentication credentials took second place in 2019, mentioned by 35% of decision-makers, up from 27% in 2018. (Forrester, 2020)
61. The most common external attacks in 2019 focused on software vulnerabilities (42%), web applications (35%), and the use of stolen credentials (27%). (Forrester, 2020)
62. Sixty percent of security experts say their organizations experienced a cyberattack. The most frequent attacks involved credential theft (56 percent of respondents) and phishing/social engineering (48 percent of respondents). (Keeper and Ponemon, 2020)
63. Fifty-one percent of security experts say exploits and malware have evaded their organizations’ intrusion detection systems and almost half (49 percent) of respondents say they have evaded their organizations’ anti-virus solutions. (Keeper and Ponemon, 2020)
Non-criminal and internal breaches
64. More and more claims are the result of “record-less” breaches. The proportion of record-less claims increased to 55% in 2019 (58% for SMEs and 2% for large companies). (NetDiligence, 2020)
65. The proportion of claims caused by non-criminal activities has been increasing slightly since 2018, to a high of 29% in 2019. This increase is due mainly to an increase in claims for staff mistakes. (NetDiligence, 2020)
66. Misconfigured cloud storage services are commonplace in 93% of cloud deployments. (Accurics, 2020)
67. 91% of cloud deployments often have at least one open security group. (Accurics, 2020)
68. Misconfigured cloud storage and open security groups were responsible for more than 200 breaches that exposed 30 billion records over the past two years. (Accurics, 2020)
69. Hardcoded private keys are found in 72% of cloud deployments. (Accurics, 2020)
70. 31% of organizations have unused security resources. (Accurics, 2020)
71. Among breaches in 2019, 46% involved insiders like employees and third-party partners. (Forrester, 2020)
72. Nearly half of the breaches in 2019 caused by internal incidents were the result of abuse or malicious intent. (Forrester, 2020)
73. The decrease in malicious intent from 57% in 2018 to 48% in 2019 means that inadvertent misuse is on the rise, from 35% in 2018 to 43% in 2019. (Forrester, 2020)
74. The loss or theft of assets like smartphones and laptops — both personal and company-owned — were involved in 21% of the breaches reported by global security decision-makers in 2019, compared with 15% in 2018. (Forrester, 2020)
COVID’s (and remote work’s) effect on cybercrime
75. In the spring, the FBI’s Internet Crime Complaint Center (IC3) saw complaints quadruple from 1,000 complaints a day to 4,000. (Aspen Institute, 2020)
76. During the first five months of 2020 alone, cyberattacks against the financial sector increased by 238 percent. (Kellermann, 2020)
77. In March, phishing attacks peaked as cybercriminals used anxiety about COVID-19 to steal people’s credentials. (Microsoft 2020)
78. The Federal Trade Commission has received 139,095 reports of COVID-related fraud in 2020, as of the start of December. (FTC, 2020)
79. The FTC received 37,770 reports of COVID-related identity theft in 2020. (FTC, 2020)
80. Total losses associated with online COVID-related fraud were $194 million. (FTC, 2020)
81. Cybercriminals most often perpetrated COVID-related fraud through email, although many incidents of reported fraud occurred via websites and apps. (FTC, 2020)
82. Healthcare organizations experienced a big jump in both the number of breaches and the size of the breaches. Early 2020 reports show an increase in attacks against medical services and related sites during the pandemic. (SANS, 2020)
83. 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs — all related to COVID-19 — were detected between January and April 24, 2020. (INTERPOL 2020)
84. Top COVID-19 phishing themes include: emails from national or global health authorities, government orders and financial support initiatives, fake payment requests and money reimbursements, offers of vaccines and medical supplies, COVID-19 tracking apps for mobile phones, investments and stock offers, and COVID-19 related charity and donation requests. (INTERPOL 2020)
85. The number of newly registered domains (NRDs) with COVID keywords is growing. In March 2020, 116,357 COVID-19 NRDs were detected, out of which 2,022 were identified as malicious and 40,261 as “high-risk”. In June, INTERPOL’s Cybercrime Directorate Global Malicious Domain Taskforce identified and analyzed 200,000 malicious domains affecting more than 80 member countries. (INTERPOL 2020)
86. From February to March 2020, a 569% growth in COVID-related malicious registrations was recorded, including malware and phishing; and a 788% growth in high-risk registrations, including scams, unauthorized coin mining, and domains that have evidence of association with malicious URLs. (INTERPOL 2020)
87. 94% of security pros believe that the COVID-19 crisis increases the cyber threat to enterprise systems and data; 24% view the increased threat as critical and imminent. (Black Hat, 2020)
88. Of cyber threats posed by COVID-19, vulnerabilities in enterprise remote access systems supporting home workers are the chief concern (57%). Increased phishing and social engineering threats also rank highly (51%). (Black Hat, 2020)
89. 72% of security pros are concerned that remote employees will break protocol and expose system and data to new risks. (Black Hat, 2020)
90. Only 15% of security experts believe that cyber operations and threat flow will return to normal after the COVID-19 crisis passes; 84% believe that significant, lasting changes will occur, at least in some industries. (Black Hat, 2020)
91. 71% of security pros believe their organizations were effective at mitigating risks, vulnerabilities, and attacks across the enterprise prior to COVID-19, but only 44 percent believe their organizations were as effective during the COVID-19 pandemic. (Keeper and Ponemon, 2020)
92. Almost half (47 percent) of security experts say it is the inability to control risks created by the lack of physical security in remote workers’ homes and other locations that is a significant concern for their organizations. (Keeper and Ponemon, 2020)
93. Seventy-one percent of security experts are very concerned that remote workers are putting the organization at risk for a data breach and 57 percent of respondents say they are prime targets for those wishing to exploit vulnerabilities. (Keeper and Ponemon, 2020)
94. According to 56 percent of security pros, the time to respond to a cyberattack has significantly increased (21 percent) or increased (35 percent). (Keeper and Ponemon, 2020)
95. Forty-two percent of security experts say their organizations have no understanding of how to protect against cyberattacks due to remote working. (Keeper and Ponemon, 2020)
96. Customer records and financial information are most vulnerable to attacks during the pandemic. (Keeper and Ponemon, 2020)
97. Most likely out of necessity, 59 percent of security pros say access to business-critical applications has significantly increased (26 percent) or increased (33 percent) during the pandemic. On average, organizations have 51 business-critical applications and an average of 56 percent of these are accessed from mobile devices such as smartphones and tablets. (Keeper and Ponemon, 2020)
98. Only 45 percent of respondents say their organizations’ IT security budget is adequate for managing and mitigating cybersecurity risks caused by remote workers. (Keeper and Ponemon, 2020)
99. Just 39 percent of security experts say their organization has the expertise to manage and mitigate cybersecurity risks caused by remote working. (Keeper and Ponemon, 2020)
100. Despite the increase in security risks as a result of remote working, less than half (47 percent) of security pros say their organizations are monitoring the network 24/7. (Keeper and Ponemon, 2020)
101. Almost one-third (31 percent) of security pros say their organizations do not require their remote workers to use authentication methods. Of the 69 percent of organizations that do require authentication, only 35 percent of security experts say multi-factor authentication is required. (Keeper and Ponemon, 2020)
102. Nearly four in 10 security professionals (38%) consider themselves “burned out” by their work after the events of 2020, up from 30% in 2019. (Black Hat, 2020)
How are organizations responding to cyberthreats?
103. Security and data protection is one of the main drivers of organizations moving their data to the cloud. (Deloitte 2020)
104. 56% of SMBs patch daily or weekly, compared to 58% of large companies. (Cisco 2020)
105. Organizations of all sizes face public scrutiny because of data breaches. (Cisco 2020)
106. 60% of SMBs have more than 20 people devoted to security. (Cisco 2020)
107. 72% of SMBs have employees devoted to threat hunting. (Cisco 2020)
108. 12% of SMBs test their incident response plan every two years, 36% test annually, and 45% test every six months. (Cisco 2020)
109. 84% of SMBs make security awareness training mandatory. (Cisco 2020)
110. 87% of leadership at SMBs agree security is a high priority. (Cisco 2020)
111. 86% of SMBs say they have clear metrics for testing the efficiency of their security program. (Cisco 2020)
112. In Gartner’s annual CEO Survey, 77% of respondents reported plans to increase investment in digital capabilities, while only 7% planned to decrease investment in risk management. (Gartner, 2020)
113. The median organization contracts with 5,000 third parties and 72% of compliance leaders expect that number to increase by 2022. (Gartner, 2020)
114. When asked what encryption technologies their firm has adopted, global security decision-makers most often cited email (63%), database (60%), and cloud encryption (61%). (Forrester, 2020)
115. Around one in five decision-makers say that their firm plans to implement a number of types of encryption, including email, database, cloud, media, full-disk, and file-level encryption. (Forrester, 2020)
116. Among global security decision-makers, 49% indicated that they have invested in privacy management software to comply with data protection regulations. They also often report investing in data discovery and classification (45%) and other data security controls (44%) to help fulfill their compliance obligations. (Forrester, 2020)
117. Seventy percent of cybersecurity pros believe they will have to respond to a major security breach in their own organization in the coming year, up from 59% in 2018; most do not think they have the staffing or budget to defend adequately against current and emerging threats. (Black Hat, 2020)
118. Security professionals view many of the technologies that they use in enterprises as ineffective. A majority of respondents view only nine technologies as effective. (Black Hat, 2020)
119. Almost two-thirds of enterprises (63%) are willing to consider startups as they seek ways to improve their technology, but they struggle with the large number of security startups and the shortage of time they have to evaluate them. (Black Hat, 2020)
120. Enterprises are also frustrated by the hype associated with some technologies that have been purported to be cybersecurity game-changers. Eighty-three percent of security pros believe the defensive impact of blockchain technology will be limited; 73% think the same thing about artificial intelligence and machine learning. (Black Hat, 2020)
How SecurityScorecard can help
Bad actors will always go after the most vulnerable part of an organization. That’s why they’ve been after remote workers this year. To help monitor your endpoints, consider a solution that monitors your networks continuously, giving you an outside-in view of your company’s security.
Our easy-to-read security ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.