Blog Data Security

139 Cybersecurity Statistics and Trends [updated 2025]

These cybersecurity statistics for 2025 are grouped by category and include breaches, costs, crime type, compliance, industry-specific stats, & job outlook.
Rob Sobers
12 min read
Last updated October 24, 2025
Cybersecurity statistics

Contents

    Cybersecurity is a day-to-day operation for many businesses, but it’s not a small task to stay on top of what’s been going on over the past year or so.

    We’ve compiled this list of the most important stats and trends, split into bite-sized categories.

    For more in-depth security insights check out our blog and downloadable resources

    1. Critical data breach and hacking statistics
    2. Cybercrime statistics by attack type
    3. AI cybersecurity statistics
    4. Cybersecurity compliance and governance statistics
    5. Security spending and cost stats
    6. Cybersecurity workforce statistics and predictions
    7. Cybersecurity statistics by industry
    8. Cybersecurity statistics FAQ

    30 critical data breach and hacking statistics

    Large-scale, well-publicized breaches are on the rise, suggesting that not only are the number of security breaches going up — they’re increasing in severity, as well.

    Data breaches expose sensitive information that often leaves compromised users at risk for identity theft, ruins company reputations, and makes the company liable for compliance violations.

    See the data breach statistics below to help quantify the effects, motivations, and causes of these damaging attacks.

    Noteworthy hacking statistics

    1. The global average cost of a data breach was $4.44 million in 2025, a slight drop from the record high of $4.88 million in 2024. (IBM)
    2. The average cost of a data breach in the United States was $10.22 million in 2025 – an all time high for any region.
    3. 88 percent of cybersecurity breaches are caused by human error. (Stanford)
    4. The average time to identify a breach is 181 days, continuing a downward trend since 2021. (IBM)
    5. The average lifecycle of a breach in 2025 fell to 241 days, from 258 days in 2024 (from identification to containment). (IBM)
    6. The likelihood that a cybercrime entity is detected and prosecuted in the U.S. remains estimated at around 0.05 percent. (World Economic Forum)
    7. 68 percent of breaches involved a human element in 2025. (Verizon)
    8. In 2024, the Federal Trade Commission received more than 1.2 million reports of identity theft (FTC)
    9. Security breaches in 2024 were up 75% year-over-year, with organizations facing an average of 1,876 attacks per quarter. (Accenture)
    10. Cyber fatigue, or apathy to defending against cyberattacks, now affects 46% of organizations in 2025.. (Accenture)
    11. 64 percent of Americans have never checked to see if they were affected by a data breach. (Varonis)
    12. 56 percent of Americans don’t know what steps to take in the event of a data breach. (Varonis)

    Historic data breaches

    1. Over 560 million Ticketmaster customers had their information stolen in a 2024 breach. (BBC
    2. A 2021 LinkedIn data breach exposed the personal information of 700 million users or about 93 percent of all LinkedIn members. (RestorePrivacy)
    3. An attack on Microsoft in March 2021 affected more than 30,000 organizations in the U.S., including businesses and government agencies. (Microsoft)
    4. In April 2021, a two-year-old vulnerability was discovered that exposed the personal information of more than 533 million users. (Auth0)
    5. Using a single password, hackers infiltrated the Colonial Pipeline Company in 2021 with a ransomware attack that caused fuel shortages across the U.S. (Bloomberg)
    6. Meat processing company JBS was the victim of a ransomware attack that shut down beef and poultry processing plants on four different continents. (Wall Street Journal)
    7. In 2023 T-Mobile disclosed its second data breach of the year involving the theft of 836 customers' personal data, the first data breach affected approximately 37 million customers. (itgovernanace)
    8. In September 2021, Neiman Marcus found an 18-month-old data breach that exposed payment data and other information for 4.6 million shoppers. (Neiman Marcus)
    9. Personal data belonging to more than 100 million Android users was exposed in a 2021 data leak due to misconfigured cloud services. (Check Point)
    10. Trading app Robinhood fell victim to a social engineering attack that compromised the personal data of 5 million users. (Robinhood)
    11. AT&T reported two major data breaches in 2024, including almost 200 million phone numbers and account passwords.
    12. In 2023, X (formerly Twitter) was targeted by a criminal hacker that leaked more than 220 million users email addresses. (IT Governance)
    13. 500 million consumers, dating back to 2014, had their information compromised in the Marriott-Starwood data breach made public in 2018. (CSO Online
    14. The 2019 MGM data breach resulted in hackers leaking records of 142 million hotel guests. (CPO Magazine)
    15. 100,000 groups and more than 400,000 servers in at least 150 countries were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Technology Inquirer
    16. Uber tried to pay off hackers to delete the stolen data of 57 million users and keep the breach quiet. (Bloomberg)
    17. In one of the biggest breaches of all time, three billion Yahoo accounts were hacked in 2013. (New York Times
    18. In 2023 AT&T a breach exposed approximately 9 million customers' personal details. (IT Governance)
    Get started with our world-famous Data Risk Assessment.
    Get your assessment
    inline-cp

    25 cybercrime statistics by attack type

    Cybersecurity issues are diverse and always evolving and new malware and viruses are discovered every day. It’s crucial to have a grasp of the most common types of attacks and where they come from in order to guard against future infiltrations.

    Some of the most common attacks include phishing, whaling, malware, social engineering, ransomware, and distributed denial of service (DDoS) attacks. Read more below to get a sense of the most common cyberattacks.

    Ransomware and malware attack statistics

    1. The average ransomware payout has increased dramatically from $812,380 in 2022 to ≈ $1,000,000 in 2025 (Sophos)
    2. The average cost of a ransomware recovery in 2025 is $1,500,000 (Sophos)
    3. An average of around 24,000 malicious mobile apps are blocked daily on the internet. (Tech Jury)
    4. In 2025, automated traffic (i.e. bots) now accounts for 51% of all web traffic, with bad bots accounting for 37% of total internet traffic. (Imperva)
    5. From November 2021 to October 2022, Microsoft Office applications were the most commonly exploited applications worldwide at 70 percent (Statista).
    6. 94 percent of malware is delivered by email. (Verizon)
    7. Only eight percent of businesses that pay ransom to hackers receive all of their data in return. (Sophos
    8. From November 2021 to October 2022, Microsoft Office applications were the most commonly exploited applications worldwide at 70 percent (Statista).
    9. In the first half of 2022, researchers flagged almost 79 million domains as malicious, based on a newly observed domain dataset. (Akamai
    10. 75 percent of orgs suffered at least one ransomware attack last year. (Infosecurity Mag)
    11. Approximately 20% of all newly observed domains (NODs) that were successfully resolved were flagged as malicious in the first half of 2022. (Akamai)

    Phishing attack statistics

    1. 57 percent of organizations see weekly or daily phishing attempts. (GreatHorn)
    2. Phishing was the initial attack vector in 16% of data breaches – making it the most common initial attack vector in 2025. (IBM)
    3. Roughly 1 in 6 attacks were launched through vulnerable public-facing applications or APIs. (IBM)
    4. Phishing attacks account for more than 80 percent of reported security incidents. (CSO Online)
    5. $17,700 is lost every minute due to a phishing attack. (CSO Online)

    Stats on IoT, DDoS, and other attacks

    1. Use of stolen cards is the most common type of threat, followed by ransomware and phishing. (Verizon)
    2. The number of DDoS attacks increased by 46 % in 2024 vs 2023 (Cloudflare)
    3. Application-layer DDoS attacks increased by 15 percent in the second quarter of 2023. (Cloudflare)
    4. Cybercrime targeting cryptocurrency firms surged 600 % in early 2023 but receded somewhat in 2024 (Chainalysis).
    5. Around 35 % of data breaches in 2023 involved insiders (Verizon).
    6. In 2025, there were on average 820,000 IoT attacks per day. (Deepstrike)
    7. Nearly 58% of IoT attacks occurred with the intent of mining cryptocurrency. (Purplesec)
    8. The average smart home could be at risk of more than 12,000 hacker attacks in one week. (Purplesec)
    9. Over 24 billion passwords were exposed by hackers in 2022, and 64 percent of passwords only contain eight to 11 characters. (Norton)

    8 AI cybersecurity statistics

    1. 16% of all breaches in 2025 involved attackers using AI. (IBM)
    2. Among data breaches with AI attacks, 37% used phishing attacks and 35% used deepfake attacks. (IBM)
    3. 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM)
    4. 99% of organizations have sensitive data dangerously exposed to AI tools, including gen AI copilots and unsanctioned apps (Varonis)
    5. 83% of executives cite workforce limitations as a barrier to securing AI systems, underscoring how talent shortages impact AI cybersecurity (Accenture)
    6. Only 20% of organizations feel confident in their ability to secure generative AI models (Accenture).
    7. 20% of organizations reported a breach caused by shadow AI, and those breaches added an average of $670,000 to costs (IBM)
    8. 1 in 4 unverified OAuth apps are high-risk AI tools, leaving companies exposed to potential exfiltration or misuse of sensitive data (Varonis)

    22 cybersecurity compliance and governance statistics

    The risks of not securing files are more prevalent and dangerous than ever, especially for companies with a remote workforce. More severe consequences are being enforced as stricter legislation passes in regions across the world defending data privacy. Some stand-outs from recent years include the European Union’s 2018 General Data Protection Regulation (GDPR) and California’s 2020 California Consumer Privacy Act (CCPA).

    Companies should take note of takeaways from the GDPR as more regions around the world are expected to emulate the legislation. It’s crucial to properly set file permissions and remove stale data in order to stay secure. Keeping data classification and governance up to par is instrumental to maintaining compliance with data privacy legislation like HIPAA, SOX, ISO 27001, and more.

    If you’re curious about data security, try a free risk assessment to see where your vulnerabilities lie.

    1. 66 percent of companies say that compliance mandates are driving spending. (CSO Online)
    2. 78 percent of companies expect annual increases in regulatory compliance requirements. (Thomson Reuters)
    3. For large firms, the cost of compliance can approach $10,000 per employee. (Forbes)
    4. Total U.S. HIPAA fines and settlements in 2024 amounted to $9,164,206 – more than double the total from 2023. (Compliancy Group)
    5. So far, data breaches exposed 7 billion records in the first half of 2024. (IT Governance)
    6. On average, every employee has access to around 25,000 sensitive folders. . (Varonis)
    7. 90% of organizations have sensitive files exposed to all employees via M365 Copilot. . (Varonis)
    8. 98% of organizations have employees using unsanctioned apps, including Shadow AI.. (Varonis)
    9. About 60 percent of companies have more than 500 accounts with non-expiring passwords. (Varonis)
    10. More than 77 percent of organizations do not have an incident response plan. (Cybint)

    GDPR cybersecurity statistics

    1. Spain has issued 932 GDPR fines to date, more than any other country. (CMS Law GDPR Tracker)
    2. The cumulative value of GDPR fines reached approximately €5.65 billion by early 2025 (CMS).
    3. Adtech giant Criteo was fined over $42 million in fines for GDPR related violations. (Tech Crunch
    4. In 2024, LinkedIn was fined €310 million under GDPR enforcement (Ireland DPC).
    5. 88 percent of companies spent more than $1 million preparing for the GDPR. (IT Governance)
    6. In the GDPR’s first year, there were 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. (EDPB
    7. After many US news sites have suffered long term losses after blocking EU users as a response to GDPR. (Oxford University
    8. GDPR fines totalled $63 million in the first year. (eu
    9. Meta was fined $1.3 billion for GDPR violations in 2023. (NYTimes)
    10. In 2023 TikTok was fined for breaching a number of GDPR rules, including failure to keep children's data safe. (Tech Crunch
    11. Spotify were fined over $5 million for breaching GDPR regulations in 2023. (Medium)
    12. 94% of US companies are not prepared to comply with GDPR Requirements. (Spice Works)

    21 security spending and cost stats

    Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity a significant part of their budget. Cybersecurity budgeting has been increasing steadily as more executives and decision-makers realize the value and importance of cybersecurity investments.

    Take a look at these spending statistics and projections for an idea of where cybersecurity costs stand in 2024.

    1. The global average cost of a data breach fell to $4.44M in 2025, down from $4.88M in 2024 (IBM).
    2. The average cost per compromised record was about $160 in 2025 (IBM).
    3. Ransomware/extortion breaches cost $5.08M on average in 2025 (IBM).
    4. US cyber insurance premiums surged 50 percent in 2022, reaching $7.2 billion in premiums collected from policies written by insurers. (Insurance Journal)
    5. When remote work is a factor in causing a data breach, the average cost per breach is $173,074 higher. (IBM)
    6. The global security market value is forecast to reach $424.97 billion in 2030. (Fortune Business Insights)
    7. Security AI reduced breach costs by 34% in 2025, saving $1.9M on average (IBM).
    8. Organizations with a zero-trust approach saw average breach costs $1.76 million less than organizations without. (IBM)
    9. A data breach can cost a company an average of $1.3 million in lost business. (IBM)
    10. Healthcare breach costs dropped 10.6% to $9.77M in 2024 (IBM).
    11. Annually, hospitals spend 64 percent more on advertising in the two years following a breach (American Journal of Managed Care).
    12. Phishing-related breaches are the most expensive initial attack vector, cost $4.9M in 2023 and $4.88M in 2024 (IBM).
    13. Large enterprises spend approximately $2,700 per full-time employee per year on cybersecurity. (SecureAge Technology)
    14. The most expensive component of a cyberattack is information loss, which represents 43% of total costs (IBM)
    15. In 2024, the average total cost of a data breach at a small company was $3.31M, while very large firms averaged $5.42M (IBM).
    16. Data breaches led to an increase in the pricing of business offerings for 57% of companies. (IBM)
    17. In 2024, the United States is the country with the highest average total cost of a data breach at $9.36 million. The Middle East is a close second with $8.75 million (IBM).
    18. Global cybersecurity spending was $87B in 2024 and is projected to grow ~12% in 2025 (IDC).
    19. In 2023 a data breach investigation report stated that 97 percent of threat actors were financially motivated. (Verizon)

    Cybersecurity cost predictions

    1. Worldwide cybercrime costs are estimated to hit $10.5 trillion annually by 2025. (Cybersecurity Ventures)
    2. Global spending on cybersecurity products and services is predicted to reach $1.75 trillion cumulatively for the five-year period from 2021 to 2025. (Cybersecurity Ventures)

    16 cybersecurity workforce statistics and predictions

    As cyberattacks increase in frequency, so too does the demand for cybersecurity professionals. With these increases, many companies’ cybersecurity budgets continue to rise as well. However, the imbalance in skilled cybersecurity workers along with the high demand to fill these positions results in a crippling cybersecurity skills shortage.

    Interested in entering the cybersecurity field? Now is the time — job openings and average salaries are only projected to grow throughout the decade.

    Looking for cybersecurity talent? It may be necessary to come up with creative cybersecurity skills shortage solutions including outsourcing tasks, starting apprenticeships, and partnering with educational and military institutions to find fresh talent.

    1. There are 1,239,018 employees working in cybersecurity in the U.S. as of September 2024. (Cyber Seek)
    2. The global cyber workforce peaked at ~5.5M in 2023 and stayed flat at ~5.47M in 2024. (ISC2)
    3. There are 74 percent more job openings in the cyber security field in 2023 than there were in 2010. (Cyber Seek)
    4. Washington, D.C. has the highest concentration of cybersecurity professionals at more than 8x the national average. (Cyber Seek)
    5. 70 percent of cybersecurity professionals reported that their organizations are understaffed, which has hampered multiple functional and operational elements of cybersecurity. (ISC2)
    6. 54 percent of companies say their IT departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
    7. Companies with 500-1,499 employees ignore or don’t investigate 27% of all alerts. (Forbes)
    8. Women represent 16.8% of the global cybersecurity workforce, with the U.S. at 18% in 2024. (ISC2)
    9. Cybersecurity engineers are some of the highest-paid positions in the industry, starting at $130K annually on average. (Cybint)
    10. Non-white workers make up 34.3% of the U.S. cyber workforce, up from 24% in 2010. (ISC2)
    11. Cybersecurity employment for positions like information security analysts is predicted to grow 35 percent by 2031. (ISACA)
    12. Cybersecurity unemployment is projected to remain ~0% through 2025 (Cybersecurity Ventures)

    Cybersecurity workforce predictions

    1. The cybersecurity unemployment rate is near zero percent and is projected to remain there for the foreseeable future. (Cybersecurity Ventures)
    2. Information security analyst job positions in the U.S. are expected to grow 32 percent between 2022 and 2032. (Bureau of Labor Statistics)
    3. Computer network architect job positions in the U.S. are expected to grow by 4 percent between 2022 and 2032. (Bureau of Labor Statistics)
    4. Computer programmer job positions in the U.S. are expected to decline 11 percent between 2022 and 2032. (Bureau of Labor Statistics)

    17 cybersecurity statistics by industry

    When it comes to cybersecurity, not all industries are created equal. Industries that store valuable information such as healthcare and finance are usually bigger targets for hackers who want to steal social security numbers, medical records, and other personal data. 

    This doesn’t mean lower-risk industries aren’t victims, too. They’re often targeted due to the likelihood that they’ll have fewer security measures in place and their information will be more easily accessible.

    Try a free 30-minute demo to see how Varonis can help keep your organization’s name out of data breach headlines.

    Healthcare cybersecurity stats

    1. There were over 630 ransomware incidents impacting healthcare worldwide in 2023. (HHS)
    2. The WannaCry ransomware attack cost the U.K.’s National Health Service (NHS) more than $100 million. (Datto)
    3. Cyberattacks caused $15.5M in downtime costs for healthcare in 2023 (Ponemon).
    4. Healthcare accounted for ~32% of all breaches between 2015–2022, and reached record highs in 2023 (HIPAA Journal)

    Finance and crypto cybersecurity stats

    1. Ransomware actors extorted $1.25B in 2023, with payouts dropping to ~$813M in 2024 (Chainalysis)
    2. Financial services have 449,855 exposed sensitive files, 36,004 of which are open to everyone in the organization. This is the highest when comparing industries. (Varonis)
    3. On average, 70 percent of sensitive files in the financial services industry are stale. (Varonis)
    4. On average, a financial services employee has access to nearly 11 million files the day they walk in the door. For large organizations, employees have access to 20 million files. (Varonis)
    5. Financial services businesses take an average of 233 days to detect and contain a data breach. (Varonis)
    6. The average cost of a financial services data breach is $4.45 million. (IBM)
    7. Financial breaches account for 10 percent of all attacks. (Verizon)
    8. 74 percent of financial and insurance attacks compromised personal details (Verizon)

    Government cybersecurity stats

    1. Manufacturing accounted for 65% of industrial ransomware incidents in 2022. (NAM)
    2. 58 percent of nation-state cyberattacks originate from Russia. (Microsoft)
    3. 79 percent of nation-state attackers target government agencies, non-government organizations (NGOs), and think tanks. (Microsoft)

    Enterprise cybersecurity stats

    1. Smaller organizations (one to 250 employees) have the highest targeted malicious email rate at one in 323. (Comparitech)
    2. In Europe, U.K. companies are the most likely to be targeted by phishing attacks, followed by Spain (Slash Next)

    Cybersecurity statistics FAQs

    Below are some of the most frequently asked questions about cybersecurity, with answers supported by cybersecurity statistics and facts.

    Q: Why should I care about cybersecurity?

    A: Our world runs on data, and the integrity of our systems relies on strong cybersecurity measures to protect them. Weak cybersecurity measures can have a massive impact, but strong cybersecurity tactics can keep your data safe.

    Q: What are the types of cyberattacks?

    A: The most common cyberattack methods include phishing and spear-phishing, rootkit, SQL injection attacks, DDoS attacks, and malware such as Trojan horse, adware, and spyware.

    Q: How many cybersecurity attacks are there per day?

    A: On average, hackers attack 26,000 times a day. (Forbes

    Q: How frequent are cyberattacks?

    A: Hackers attack every three seconds. (Forbes

    Q: Where can I find more cybersecurity reports?

    A: Below are some helpful cybersecurity studies, articles, and resources to deepen your knowledge about the cybersecurity landscape.

    Cybercrime is a real threat that should be taken seriously. By assessing your business’s cybersecurity risk, making company-wide changes, and improving data protection, it’s possible to guard your business against most data breaches. Don’t become a statistic — the time to change the culture toward improved cybersecurity is now.

    What should I do now?

    Below are three ways you can continue your journey to reduce data risk at your company:

    1

    Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

    2

    See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

    3

    Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

    Rob Sobers
    Rob Sobers Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    what-is-database-activity-monitoring?-dam-explained
    What is Database Activity Monitoring? DAM Explained
    what-is-database-activity-monitoring?-dam-explained
    Daniel Miller
    October 13, 2025
    A critical component of any organization's security strategy, Database Activity Monitoring tools are used by organizations to fulfill compliance criteria and protect sensitive data.
    rethinking-database-security-for-the-age-of-ai-and-cloud
    Rethinking Database Security for the Age of AI and Cloud
    rethinking-database-security-for-the-age-of-ai-and-cloud
    Terry Ray
    October 6, 2025
    Discover the pillars of database security and how Varonis Next-Gen database activity monitoring (DAM) protects sensitive data in AI and cloud environments.
    top-10-cybersecurity-awareness-tips:-how-to-stay-safe-and-proactive
    Top 10 Cybersecurity Awareness Tips: How to Stay Safe and Proactive
    top-10-cybersecurity-awareness-tips:-how-to-stay-safe-and-proactive
    Lexi Croisdale
    October 1, 2025
    With breaches on the rise, it’s crucial to make cybersecurity a priority. Follow these preventative cybersecurity tips for stronger security practices.
    research-reveals-healthcare-orgs-have-90%-of-sensitive-data-exposed-to-ai
    Research Reveals Healthcare Orgs Have 90% of Sensitive Data Exposed to AI
    research-reveals-healthcare-orgs-have-90%-of-sensitive-data-exposed-to-ai
    Lexi Croisdale
    September 24, 2025
    Varonis studied 98 IT environments to assess AI’s impact on healthcare, biotech, and pharma — and how organizations can better protect critical data.