Cybersecurity Statistics 2026: 150+ Facts, Trends & Data

150+ cybersecurity statistics for 2026, sourced from FBI IC3, IBM, Verizon DBIR, and ISC2. Cybercrime costs, breach data, ransomware, phishing, AI threats, and workforce gaps, with sources.

Last Updated: April 2026

Cybercrime losses to Americans crossed $21 billion in 2025. That’s the headline from the FBI’s 2025 Internet Crime Report, released April 6, 2026 — the first annual report in which the FBI’s Internet Crime Complaint Center (IC3) received more than one million complaints in a single year. It’s also the most underreported figure in this field: the FBI explicitly notes that IC3 data captures only what gets reported, and most cybercrime does not.

This page compiles 150+ current cybersecurity statistics organized by category — not an undifferentiated list of 300 bullets. Each section includes a brief analysis of what the numbers mean, where figures conflict across sources (and why), and what’s actionable for organizations and individuals. All statistics are sourced to primary reports with dates. Statistics from 2023 or earlier are labeled as such.


A Note on Methodology: Why Cybersecurity Statistics Conflict

Before the data: you’ll encounter significantly different figures for the same metrics across different sources. This isn’t poor data quality — it reflects genuine methodological differences worth understanding.

FBI IC3 data reflects what gets reported to the FBI’s voluntary reporting system. IC3 explicitly states that its ransomware loss figures, for example, exclude lost business value, wages, and third-party remediation costs, and do not account for incidents reported directly to FBI field offices. The real financial impact is substantially larger than IC3 figures indicate.

IBM’s Cost of a Data Breach is based on 600 breached organizations in 17 industries studied by Ponemon Institute — a controlled sample with high quality control but not representative of all organizations globally.

Verizon DBIR analyzes 22,000+ security incidents and 12,195 confirmed breaches contributed by partners including law enforcement, forensic firms, and insurers — the largest analyzed dataset, but incident selection depends on which contributors share data.

Cybersecurity Ventures and similar projections are market research estimates built on trend extrapolation, not empirical breach data — useful for macro direction, not precise benchmarks.

Where figures conflict meaningfully in this guide, the conflict is flagged with the source and its limitations.

The Scale of the Problem: Global Cybercrime Costs

FBI IC3 2025: Record Losses, Record Complaints

The FBI’s 2025 Internet Crime Complaint Center Annual Report, released April 6, 2026, set multiple unwanted records:

  • Total reported cybercrime losses in 2025: $20.877 billion — a 26% increase from the $16.6 billion reported in 2024 (FBI IC3 2025 Annual Report)
  • Total complaints in 2025: 1,008,597 — the first time IC3 has received more than one million complaints in a single year (FBI IC3)
  • The previous record was 859,532 complaints in 2024, itself a record at the time
  • IC3 averaged nearly 3,000 complaints per day throughout 2025
  • Since IC3’s founding, it has received over 9 million total complaints of malicious activity

The largest loss categories in 2025 (FBI IC3):

  • Investment fraud: $8.65 billion — the single largest category by far
  • Cyber-enabled fraud (all categories): $17.7 billion in losses across approximately 453,000 complaints
  • Business Email Compromise (BEC): $3.046 billion — the most financially destructive enterprise-targeted cybercrime
  • Cryptocurrency-related cases: $11+ billion across 181,565 complaints
  • Losses among Americans aged 60 and older: $7.7 billion — a 37% year-over-year increase

The critical caveat: FBI IC3 reports only what victims report voluntarily. Cybersecurity Ventures estimated that actual global cybercrime damages will reach approximately $10.8 trillion in 2026, accounting for unreported incidents, indirect costs, and global scope. That figure dwarfs the $21 billion IC3 captures because IC3 only covers US-reported incidents and excludes most indirect costs.

Global Cybercrime Scale

  • Total cost of cybercrime globally is forecast to surpass $10.5 trillion in 2026, up from approximately $3 trillion in 2015 (Cybersecurity Ventures — projection based on trend extrapolation, not empirical measurement)
  • That would make cybercrime the third-largest “economy” in the world if it were a country, behind only the United States and China
  • Global cybercrime costs are growing at approximately 15% annually (Cybersecurity Ventures)
  • CISA’s annual threat landscape reporting identifies ransomware, business email compromise, and supply chain attacks as the dominant financial threats to US critical infrastructure

Business Email Compromise: The Quiet Giant

BEC receives less coverage than ransomware but causes more verified financial damage per incident:

  • $3.046 billion in BEC losses in 2025 (FBI IC3), making it the most financially damaging enterprise-targeted cybercrime
  • Median BEC loss per incident: approximately $50,000 (FBI IC3 / Verizon DBIR 2025)
  • BEC losses in 2024 reached $6.3 billion per FBI data cited in Verizon DBIR — the 2025 IC3 figure of $3.046 billion reflects different categorization methodology
  • Pretexting incidents (the social engineering technique behind most BEC) have nearly doubled, overtaking phishing in raw frequency (Verizon DBIR 2025)
  • BEC attacks increasingly bypass MFA by targeting financial approval processes directly rather than credentials

Data Breach Costs: What a Breach Actually Costs Organizations

Global Average Breach Cost: Good News and Bad News

IBM’s 2025 Cost of a Data Breach Report — based on research conducted by the independent Ponemon Institute studying 600 breached organizations across 17 industries — delivered mixed findings:

  • Global average cost of a data breach in 2025: $4.44 million — down 9% from $4.88 million in 2024 (IBM 2025)
  • This marks the first decline in global breach costs in five years
  • The improvement is attributed to faster breach detection and containment driven by AI-powered security tools
  • Average breach lifecycle (mean time to identify + contain): 241 days — the lowest in nine years, down 17 days from the prior year (IBM 2025)

But the United States is moving in the opposite direction:

  • Average cost of a data breach in the United States in 2025: $10.22 million — a record high, up 9% year-over-year (IBM 2025)
  • The US has maintained the highest average breach cost of any country for 14 consecutive years in IBM’s annual study
  • The gap between global and US breach costs reflects higher regulatory penalties, slower detection in some US sectors, and class-action litigation exposure that doesn’t exist in the same form in other markets

Regional average breach costs (IBM 2025):

  • United States: $10.22 million (record high)
  • Middle East: $7.29 million
  • Benelux (Belgium/Netherlands/Luxembourg): $6.24 million (new to the study in 2024, costs increased 6% in 2025)
  • Global average: $4.44 million

Industry-Specific Breach Costs

Healthcare remains the highest-cost breach target by a significant margin:

| Industry | Average Breach Cost (2025) | Notes |
|---|---|---|
| Healthcare | $7.42 million | Down from $9.77M in 2024; still #1 for 15th consecutive year |
| Financial services | ~$5.9 million | High regulatory exposure drives cost |
| Technology | ~$5.2 million | Large blast radius from single credential compromises |
| Industrial / Manufacturing | ~$4.7 million | Low tolerance for downtime amplifies operational costs |
| Retail | $3.28 million (2023 baseline; 2025 figures vary) | PII-heavy; supply chain exposure |

Sources: IBM Cost of a Data Breach 2025, Cobalt.io sector analysis

Healthcare’s consistently high breach costs reflect several compounding factors: patient personally identifiable information (PII) is among the highest-value data on dark web markets, detection times are longer (279 days average versus 241 global), and operational disruption has direct patient safety implications. Per Cobalt.io citing Ponemon Institute, over 93% of healthcare organizations experienced a cyberattack in 2024, and per the FBI IC3 2025 report, the healthcare and public health sector experienced 460 ransomware attacks and 182 data breaches in 2025 — more than any other of the 16 critical infrastructure sectors.

What Causes Data Breaches (IBM 2025)

Understanding initial access vectors is the most actionable part of breach cost data:

  • Phishing: 16% of breaches — overtook stolen credentials as the most common initial attack vector in 2025; average breach cost when phishing is the initial vector: $4.8 million
  • Stolen/compromised credentials: 22% of breaches (Verizon DBIR 2025) — the most common initial access method across the DBIR’s larger dataset
  • Supply chain compromise: 14% of breaches (IBM 2025) — costliest to resolve at $4.91 million average and 267 days to contain
  • Cloud misconfigurations and vulnerabilities: growing vector as enterprises accelerate cloud adoption without proportionate security investment
  • Shadow AI (unsanctioned AI tools): 20% of breaches involved shadow AI as a factor (IBM 2025) — a new and rapidly growing category

The shadow AI finding deserves specific attention. IBM’s 2025 report introduces AI-related breach data for the first time, reflecting the accelerating convergence of AI adoption and security risk:

  • 97% of organizations that experienced an AI-related security breach lacked proper AI access controls (IBM 2025)
  • 63% of breached organizations had no AI governance policy — or were still developing one (IBM 2025)
  • Shadow AI breaches cost $670,000 more than the global average ($4.63M vs. $3.96M) and had longer detection times (247 days vs. 241 average)
  • Shadow AI breaches disproportionately exposed customer PII (65% of cases vs. 53% global average) and intellectual property (40% vs. 33% global average)
  • 1 in 6 breaches involved attackers using AI — most commonly for phishing (37%) and deepfake impersonation (35%) (IBM 2025)

The Cost of Recovery

A breach doesn’t end at containment. IBM’s data consistently shows that operational and reputational costs extend well beyond the initial incident:

  • Most breached organizations took more than 100 days to complete recovery after containment (IBM 2025)
  • Nearly 50% of breached organizations planned to raise prices to offset breach costs — with nearly one-third planning increases of 15% or more (IBM 2025)
  • 31% of breached organizations experienced significant operational disruption following an AI-related breach (IBM 2025)
  • Organizations using AI and automation extensively in security saved an average $1.9 million per breach and reduced breach lifecycle by 80 days compared to organizations with no AI in security operations (IBM 2025)
  • The top cost-reducing controls from IBM 2025: DevSecOps approach (-$227K), AI/ML security insights (-$224K), security analytics/SIEM (-$212K), threat intelligence sharing (-$212K), and encryption (-$208K)

Data Breach Scale: Records Exposed

  • The Identity Theft Resource Center (ITRC) documented 3,205 data compromise incidents in 2023 impacting over 353 million Americans
  • Customer PII was the most frequently compromised data type, involved in 53% of breaches (IBM 2025)
  • Intellectual property, though stolen less frequently, was the most expensive: $178 per record when compromised (IBM 2025)
  • In 2024, approximately 2.8 billion passwords were posted for sale on criminal forums, encrypted messenger groups, and dark web markets (Verizon DBIR 2025)
  • 95% of all data breaches involve human error at some point in the attack chain (Mimecast, citing IBM data)

Ransomware Statistics: The Dominant Cybercrime Threat

Ransomware is simultaneously the most publicly visible cyberthreat and the one whose statistics are most systematically distorted. The FBI IC3’s reported ransomware losses ($32 million in 2025) are, by the FBI’s own admission, a substantial undercount — they exclude lost business, wages, operational downtime, and incidents reported directly to FBI field offices rather than IC3. Here is what the data actually shows.

Frequency and Scale

  • Ransomware was present in 44% of all data breaches in 2025 (Verizon DBIR 2025) — up sharply from 32% in the 2024 DBIR dataset, a single-year increase that reflects both growing prevalence and improved detection
  • IC3 received 3,611 ransomware complaints in 2025 — up from 3,156 in 2024 and 2,825 in 2023, a consistent upward trend (FBI IC3 2025)
  • Ransomware attack volume surged 58% in 2025 year-over-year (HIPAA Journal)
  • 73% of organizations reported being hit by ransomware at least once in 2024 (Fortinet)
  • 78% of companies were hit by ransomware attacks in the past year (CrowdStrike 2026 Global Threat Report)
  • 15 organizations are victimized by ransomware daily globally (Halcyon)
  • Ransomware attacks on US government bodies in the first half of 2025 increased 65% year-over-year, totaling 208 attacks (Corvus Insurance)
  • Between 2018 and 2024, 525 ransomware campaigns targeted US government bodies, causing over $1 billion in downtime losses (Statescoop)

Ransomware Economics: Payments, Demands, and Refusals

The ransomware payment landscape shifted significantly in 2025:

  • Median ransom demand in 2025: $1.32 million — down from $2 million in 2024 (Sophos State of Ransomware 2025)
  • Median ransom payment in 2025: $1 million — down 50% from $2 million in 2024 (Sophos 2025)
  • Median ransom payment per Verizon DBIR 2025: $115,000 — this lower figure reflects the DBIR’s broader incident population including SMB victims, versus Sophos’s larger-organization-skewed sample
  • 64% of victim organizations refused to pay ransoms in 2025 — up from 50% two years prior (Verizon DBIR 2025)
  • Among organizations that paid, 53% successfully negotiated a lower amount than the initial demand (Sophos 2025)
  • Only 4% of organizations that paid ransoms recovered all of their data (Fortinet)

Total cryptocurrency ransomware payments fell to approximately $813 million in 2024, a 35% decline from the prior year (Chainalysis). This reflects three converging forces: increased refusal to pay, successful law enforcement disruptions (LockBit takedown), and government guidance discouraging payments. The IC3-reported figure of $32 million captures only what gets explicitly reported as a ransom payment through voluntary disclosure — it represents a small fraction of actual payments.

The financial case for law enforcement involvement: Organizations that involved law enforcement in ransomware incidents saved an average of $990,000 per breach ($4.38M vs. $5.37M without law enforcement involvement) — an 18% cost reduction for an action that costs nothing (IBM 2025).

Ransomware-as-a-Service: The Ecosystem Expanding

The professionalization of ransomware has created a layered criminal supply chain:

  • 55 new Ransomware-as-a-Service (RaaS) families emerged in 2024 — a 67% year-over-year increase (Travelers Insurance)
  • 95 active ransomware gangs are currently tracked globally, up 40% year-over-year (Halcyon)
  • Double extortion (encrypting data plus threatening to publish it) is now present in 87.6% of ransomware claims (Travelers Insurance) — meaning recovering data from backups alone is no longer sufficient to prevent the reputational harm
  • 63% of ransomware attackers remain undetected for up to 6 months before deploying the ransomware payload (Fortinet) — most of that dwell time is spent performing reconnaissance and exfiltrating data before the encryption event
  • The median time from initial intrusion to ransomware execution was 5 days in 2025, down sharply from 9 days in 2023 (Sophos) — attackers are moving faster to outpace detection improvements

Ransomware by Sector (FBI IC3 2025)

Per the FBI’s 2025 Annual Report, the healthcare and public health sector reported more ransomware incidents than any other critical infrastructure sector:

| Critical Infrastructure Sector | Ransomware Attacks (2025) | Data Breaches (2025) |
|---|---|---|
| Healthcare & Public Health | 460 | 182 |
| Critical Manufacturing | High | Moderate |
| Financial Services | High | Moderate |
| Government Facilities | High | Moderate |
| Information Technology | Moderate | Moderate |

Source: FBI IC3 2025 Annual Report. Exact figures for non-healthcare sectors are expressed in ranges due to IC3 rounding.

Additional sector context:

  • 40% of healthcare organizations expected to experience a ransomware attack in 2026 (ScienceSoft)
  • Healthcare ransomware downtime costs average $1.9 million per day of outage
  • The manufacturing sector represented 29% of published ransomware victims globally in 2024, a 56% year-over-year increase (IBM X-Force)
  • 65% of financial organizations worldwide were impacted by ransomware in 2024, up from 64% in 2023 and 55% in 2022 (Sophos)

Most Active Ransomware Groups in 2025

Per the FBI IC3 2025 report, the most frequently reported ransomware variants impacting critical infrastructure were: Akira, Qilin, INC Ransom/Lynx/Sinobi, BianLian, and Play. These top 10 reported variants accounted for 56% of reported incidents and 49.8% of total reported losses.

Law enforcement actions including the LockBit takedown and BlackCat/ALPHV disruption in 2024–2025 temporarily disrupted operations but did not eliminate those ransomware ecosystems — RaaS operators quickly recruited new affiliates and rebranded.

Phishing and Social Engineering Statistics

How Attackers Get In: The Human Vector

The Verizon 2025 Data Breach Investigations Report analyzed over 22,000 security incidents — the largest dataset in DBIR history — and reached a consistent conclusion: the human element is still the dominant attack surface.

  • 60% of confirmed data breaches involved a human element — through error, social engineering, or credential misuse (Verizon DBIR 2025)
  • Social engineering appeared in 24% of breaches as a contributing action (Verizon DBIR 2025)
  • Phishing was the most common initial attack vector in IBM’s data: 16% of breaches — and the most expensive at $4.8 million average breach cost (IBM 2025)
  • Credential abuse was the most common initial access method in Verizon’s data: 22% of breaches (Verizon DBIR 2025)
  • Vulnerability exploitation reached 20% of breaches as an initial access path — a 34% year-over-year increase, driven largely by edge device and VPN exploitation (Verizon DBIR 2025)
  • Third-party involvement surged to 30% of all breaches — doubling from 15% in the prior DBIR (Verizon DBIR 2025)

The divergence between IBM (phishing as #1) and Verizon (credentials as #1) reflects methodology differences: IBM’s controlled study of 600 organizations captures deliberate attack causation; Verizon’s broader incident dataset includes more credential-stuffing and automated attacks.

The Velocity Problem

Security awareness training is valuable, but it faces a fundamental time constraint:

  • The median time for a user to fall for a phishing email is less than 60 seconds after receiving it — faster than most automated detection systems can respond (multiple sources)
  • Malicious AI-written emails have roughly doubled over the past two years, from approximately 5% to 10% of malicious emails (Verizon DBIR 2025 analysis from email security partners)
  • AI-generated phishing is specifically noted for higher language quality and personalization that makes standard detection indicators less effective

MFA Bypass: The Evolution of Authentication Attacks

Multi-factor authentication remains essential but is no longer an adequate standalone defense:

  • 88% of basic web application attacks involved stolen credentials (Verizon DBIR 2025), indicating that credential theft is the dominant tactic even though MFA is in place in many cases
  • MFA bypass techniques now documented at scale in the 2025 DBIR include:
    • Prompt bombing: flooding users with MFA notifications until they approve. This is the first year prompt bombing made the DBIR's top-action list
    • Token theft: hijacking session cookies after authentication
    • Adversary-in-the-Middle (AiTM): intercepting MFA prompts in real-time
    • SIM swapping: taking over phone numbers to intercept SMS codes
  • VPN-targeted exploits grew almost eight-fold year-over-year in DBIR 2025 data — directly relevant to the enterprise VPN security posture discussed in our VPN Statistics 2026 guide

Business Email Compromise (BEC)

  • $3.046 billion in BEC losses in 2025 (FBI IC3) — the most financially damaging enterprise cyberthreat
  • Median BEC loss per complaint: ~$50,000 (FBI IC3 / Verizon DBIR 2025)
  • Pretexting (impersonating authority figures or trusted parties) has nearly doubled in frequency and now overtakes phishing in BEC incident volume (Verizon DBIR 2025)
  • Attackers are increasingly bypassing the credential-theft step and targeting financial approval workflows directly — meaning MFA alone doesn’t stop BEC

Phishing Sector Targeting

  • Healthcare and pharmaceutical organizations are more susceptible to phishing than any other sector — 41.9% are classified as vulnerable (KnowBe4 Phishing By Industry Benchmarking Report)
  • Social media and SaaS/webmail were the most attacked sectors by phishing volume in Q4 2025 at 20.3% each, followed by telecommunications at 18.7% (APWG)
  • Organizations investing in regular security training saw a 4× improvement in employee phishing reporting rates (Verizon DBIR 2025)
  • However: no training program provides immunity — 30% of compromised infostealer-infected systems were enterprise-licensed devices with managed security (Verizon DBIR 2025)

AI and Cybersecurity: The Offense-Defense Arms Race

AI has fundamentally changed both attack capability and defense capacity simultaneously. The 2025 data marks the first year that major industry reports systematically measured AI’s dual role.

AI as an Attack Tool

  • 1 in 6 (16%) of breaches studied by IBM in 2025 involved attackers using AI tools — primarily for phishing (37% of AI-assisted attacks) and deepfake impersonation (35%) (IBM 2025)
  • Generative AI enables attackers to craft convincing phishing messages in minutes rather than hours — dramatically scaling the volume and personalization of attacks
  • Both OpenAI and Google have reported identifying usage from state-sponsored actors attempting to augment influence operations, phishing, and malicious code development using LLMs (Verizon DBIR 2025)
  • Weekly average cyberattacks in India hit 3,195 per organization in early 2026 — 62% higher than the global average — driven partly by AI-enabled attack automation (SentinelOne)
  • 82% of detections were malware-free (using legitimate tools and living-off-the-land techniques rather than novel malware) per the CrowdStrike 2026 Global Threat Report; AI assists in these identity-abuse-focused attacks
  • AI agents are now capable of autonomous reconnaissance, vulnerability exploitation, and lateral movement without human direction (SentinelOne threat research)

Shadow AI: The Insider Threat Nobody Planned For

Shadow AI — employees using unauthorized AI tools including ChatGPT, Claude, Gemini, or other LLMs without IT approval — has emerged as a significant new breach vector:

  • 1 in 5 breached organizations (20%) experienced breaches linked to shadow AI (IBM 2025)
  • 97% of AI-related breaches occurred in organizations lacking proper AI access controls (IBM 2025)
  • 63% of breached organizations had no AI governance policy — or were still developing one (IBM 2025)
  • The average enterprise has approximately 1,200 unofficial applications creating potential vulnerabilities — and 86% of organizations are completely blind to their AI data flows (Kiteworks research)
  • 83% of organizations lack technical controls to detect or prevent employees from uploading confidential data to public AI platforms (Kiteworks)
  • Shadow AI breaches had longer detection times (247 days), higher PII exposure (65%), and higher IP theft (40%) compared to global averages

AI as a Defense Tool

The same AI capabilities are also delivering meaningful defensive improvements:

  • Organizations using AI and automation extensively in security operations saved an average $1.9 million per breach and reduced the breach lifecycle by 80 days (IBM 2025)
  • 87% of cybersecurity professionals identify AI-related vulnerabilities as the fastest-growing cyber risk over 2025 (PreVeil citing ISC2/Gartner data)
  • The percentage of organizations assessing the security of AI tools nearly doubled from 37% in 2025 to 64% in 2026 (PreVeil)
  • 41% of cybersecurity professionals cite AI as the most critical skill needed in their organizations — the top answer for the second consecutive year (ISC2 2025 Workforce Study)
  • 73% of cybersecurity professionals believe AI will create more specialized cybersecurity skills rather than eliminate jobs (ISC2 2025)
  • 69% of cybersecurity professionals are already integrating, testing, or evaluating AI tools in their security work (ISC2 2025)

Post-Quantum Cryptography: The Emerging Threat Horizon

Nation-state adversaries are already implementing “harvest now, decrypt later” strategies — collecting encrypted data today to decrypt it once quantum computing matures:

  • Over 50% of leading VPN providers have announced plans or active pilots for post-quantum encryption deployment (Axis Intelligence research 2026)
  • Organizations in defense, intelligence, and critical infrastructure are being urged by CISA and NIST to begin post-quantum cryptography migration planning now, not when quantum computing becomes viable
  • Post-quantum cryptography will move from theory to action planning across enterprises as the “harvest now, decrypt later” threat becomes operational (SentinelOne predictions)
  • NordVPN’s NordLynx protocol and ExpressVPN’s Lightway protocol are among the first consumer VPN products to deploy post-quantum encryption at scale

Industry-Specific Cybersecurity Statistics

Healthcare

Healthcare combines maximum data value with maximum operational risk — the worst possible combination from a security standpoint.

  • Healthcare breach cost in 2025: $7.42 million average — the highest of any industry, for the 15th consecutive year (IBM 2025); down from $9.77M in 2024
  • Healthcare breach cost in 2026: projected to reach $12.6 million (ScienceSoft estimate)
  • 93%+ of healthcare organizations experienced at least one cyberattack in 2024 (Ponemon Institute)
  • 460 ransomware attacks and 182 data breaches hit the healthcare and public health sector in 2025 — the highest of any critical infrastructure sector (FBI IC3 2025)
  • Cyberattacks cause healthcare organizations to report: delays in tests and procedures (56%), increased complications from procedures (53%), longer patient stays (52%), increased transfers to other facilities (44%), and higher mortality rates (28%) (ScienceSoft)
  • Almost three in four healthcare organizations suffered patient care disruption because of cyberattacks (Ponemon Institute)
  • Average detection + containment time in healthcare: 279 days — significantly above the 241-day global average (IBM 2025)
  • Ransomware downtime costs healthcare an average of $1.9 million per day

Financial Services

  • The financial sector suffered more than 20,000 cyberattacks between 2004 and 2023, resulting in approximately $12 billion in direct losses (BIS / IMF research)
  • 65% of financial organizations worldwide were impacted by ransomware in 2024 (Sophos)
  • 55% of financial services organizations globally were impacted by ransomware in 2022, growing to 65% in 2024, a consistent upward trend
  • Ransomware initial access in financial services most commonly exploits API vulnerabilities, poorly secured hardware, and cloud misconfigurations
  • Small banks are disproportionately targeted because large banks can spend billions on detection while small banks cannot match that vigilance (Gradient Cyber)

Manufacturing and Critical Infrastructure

  • Ransomware attacks on manufacturing increased 56% year-over-year in 2024 (IBM X-Force)
  • Manufacturing represented 29% of published ransomware victims globally in 2024 (IBM X-Force)
  • In attacks targeting critical infrastructure, 85% of incidents could have been mitigated with patching, multi-factor authentication, or least-privilege principles (CISA)
  • More than 30,000 vulnerabilities were disclosed in the past year — a 17% increase from prior figures (Qualys research)
  • Only 54% of edge device and VPN vulnerabilities were fully remediated by organizations within the study period (Verizon DBIR 2025) — leaving nearly half of perimeter exposures unpatched

Government

  • Government data breaches nearly tripled, from 47 incidents in 2020 to 128 in 2024, with the steepest year-over-year jump between 2022 (74) and 2023 (99) (multiple government breach databases)
  • Ransomware attacks on US government bodies in H1 2025 increased 65% year-over-year (Corvus Insurance)
  • 525 ransomware campaigns targeting US government bodies between 2018–2024 caused over $1 billion in downtime losses
  • The Department of Defense introduced the Cybersecurity Maturity Model Certification (CMMC), required in defense contracts since November 2025 — but more than 50% of defense contractors struggle to implement CMMC requirements (Radicl)
  • 59% of organizations say geopolitical tensions have directly affected their cybersecurity strategies (World Economic Forum Global Cybersecurity Outlook 2026)
  • 33% of CEOs cite cyber espionage as a specific concern for their organizations (World Economic Forum)
  • International tensions have made satellites and undersea cables targets: 125 attacks on space satellites since the 2022 Viasat hack that coincided with the Russia-Ukraine war (World Economic Forum)

Cybersecurity Spending and Investment Statistics

Global Security Spending Trajectory

Organizations are spending more on cybersecurity than at any prior point — and the gap between spending and actual security outcomes remains significant.

  • Cybersecurity spending will increase 12.5% in 2026 to $240 billion (Gartner forecast)
  • Global information security spending is set to increase 15% for the year ahead (Gartner)
  • Estimated yearly cybersecurity spending in 2026: approximately $183.9–240 billion depending on what the estimate includes (Gartner, IDC)
  • Security software leads all investment categories at approximately $106 billion, followed by security services at $84 billion and network security at $23 billion (Gartner breakdown)
  • Security accounts for approximately 10.9% of average IT spending (IANS Research)
  • The average organization spends approximately 0.7% of annual revenue on cybersecurity (IANS Research)
  • The global cybersecurity market is expected to grow to approximately $266.2 billion by 2027 (MarketsandMarkets)

Investment Gaps and Priorities

Despite rising spend, significant gaps persist:

  • Only 49% of breached organizations planned to increase their security investments following a breach in IBM’s 2025 study — down from 63% the previous year, a 14-point drop that suggests budget fatigue
  • SMBs prioritize real-time threat monitoring (49%), antivirus (42%), and vulnerability scanning (40%) for investment in 2026, while fewer plan to invest in penetration testing (30%) or dark web monitoring (27%) (VikingCloud)
  • Fewer than 25% of SMBs plan to invest in password managers despite credential theft being the #1 initial access vector (VikingCloud)

Cyber Insurance Market

  • Cyber insurance premiums are projected to grow from $14 billion in 2023 to $29 billion by 2027 (BD Emerson)
  • The market is expected to exceed $34 billion by 2031
  • Claims from businesses with less than $25 million in revenue averaged $73,000 per incident — substantially below the headline enterprise figures but still operationally significant for small businesses
  • 60% of small businesses that suffer a cyberattack go out of business within six months (multiple studies, including US National Cyber Security Alliance — this figure is frequently cited; underlying methodology varies by study)

The ROI of Security Controls

IBM’s 2025 report provides the most granular cost-of-control data available:

Security Control | Average Breach Cost Reduction
DevSecOps approach | -$227,192
AI/ML security insights | -$223,503
Security analytics/SIEM | -$212,061
Threat intelligence sharing | -$211,906
Encryption | -$208,087
Extensive AI in security ops (combined) | -$1.9 million average

These figures represent average cost differences between organizations with and without these controls in IBM’s 600-organization sample.

Workforce and Skills Gap Statistics

The Shift From Headcount to Skills

For years, the cybersecurity workforce story centered on a single number: the global gap between security professionals needed and available. The 2025 ISC2 Cybersecurity Workforce Study — the world’s largest survey of cybersecurity professionals, based on 16,029 practitioners globally — marked a fundamental shift in how the profession views its own challenge.

ISC2 declined to publish a global workforce gap estimate in its 2025 study for the first time, explaining that respondents now view skills shortages as more critical than headcount shortages. The problem isn’t simply not enough people — it’s not enough people with the right skills for the current threat environment.

Workforce Size and Scale

  • Global cybersecurity workforce is estimated at approximately 5.5 million professionals (ISC2 2025 / various sources — ISC2 changed its estimation methodology in 2025)
  • The global workforce grew approximately 5.5% from the prior year (ISC2 estimates)
  • The prior ISC2 (2024) workforce gap estimate was 4.76 million professionals needed globally but not yet available — the largest gap ever recorded at the time
  • ISC2’s decision to not publish a gap estimate in 2025 reflects recognition that the “how many people” question is less useful than “which skills are missing”
  • The US Bureau of Labor Statistics projects 32% job growth in information security analysis between 2022 and 2032 — far above the average for all occupations
  • ISC2 estimates approximately 4.8 million total cybersecurity job openings globally in 2026

Skills Shortages: What’s Missing

  • 59% of organizations reported critical or significant skills shortages within their cybersecurity teams (ISC2 2025) — up sharply from 44% in 2024
  • Only 5% of organizations report no current skills gaps (ISC2 2025)
  • The top skills in critical shortage (ISC2 2025):
    • AI and machine learning security: 41% (top answer, second consecutive year)
    • Cloud security: 36%
    • Risk assessment: 29%
    • Application security: 28%
    • Governance, risk, and compliance (GRC): 27%
    • Security engineering: 27%
  • 88% of cybersecurity professionals report that skills shortages led to at least one significant cybersecurity incident in their organization (ISC2 2025)
  • 69% experienced more than one significant incident attributable to skills gaps (ISC2 2025)

Economic Pressures on the Workforce

The 2025 ISC2 data reveals that economic headwinds — while stabilizing from the 2024 surge — continue to constrain security team capabilities:

  • 36% of organizations reported budget cuts in cybersecurity in 2025 (down one percentage point from 2024) (ISC2 2025)
  • 24% reported layoffs in their cybersecurity teams in 2025 (down one point from 2024) (ISC2 2025)
  • 49% of large organizations experienced hiring freezes (ISC2 2025 — large organizations were hit hardest)
  • 33% of organizations lack resources to adequately staff their security teams (ISC2 2025)
  • 29% cannot afford to hire staff with the skills needed to adequately secure their organizations (ISC2 2025)
  • 72% of respondents believe that reducing security personnel significantly increases breach risk (ISC2 2025)

Job satisfaction indicators are broadly positive despite pressure: 68% of cybersecurity professionals reported being satisfied in their current role (up 2% from 2024), with 30% “very satisfied” (up 3%). However:

  • 48% feel exhausted from trying to stay current on emerging threats and technologies (ISC2 2025)
  • 47% feel overwhelmed by workload (ISC2 2025)
  • Only 66% plan to stay at their current organization over the next two years — suggesting retention will become a challenge as the job market improves (ISC2 2025)

AI and the Workforce: Opportunity Not Threat

Contrary to concerns that AI would displace cybersecurity workers, the 2025 ISC2 data shows the opposite sentiment:

  • 73% of cybersecurity professionals believe AI will create more specialized skills requirements, not fewer jobs (ISC2 2025)
  • 72% say AI will necessitate more strategic security mindsets (ISC2 2025)
  • 69% are already integrating, testing, or evaluating AI tools in their security work (ISC2 2025)
  • 48% are actively working to gain generalized AI knowledge and skills (ISC2 2025)
  • The top concern is not job displacement but skill obsolescence — professionals who don’t adapt to AI-augmented workflows risk being outpaced

The following reflect consensus projections from major threat intelligence organizations including CrowdStrike, SentinelOne, Google Cloud Security, Mandiant, Gartner, and the World Economic Forum:

Attackers Are Logging In, Not Breaking In

The most significant tactical shift: attackers now predominantly abuse legitimate identities rather than deploying novel malware:

  • 82% of detections were malware-free in CrowdStrike’s 2026 Global Threat Report: attackers use stolen credentials, remote management tools, and legitimate software
  • 79% of initial access attacks are now malware-free (CrowdStrike 2025) — identity abuse is faster, stealthier, and more scalable than malware deployment
  • Credential theft through infostealers is the primary supply chain for ransomware initial access: 30% of compromised systems in infostealer logs were enterprise-licensed managed devices (Verizon DBIR 2025)
  • Protecting login credentials — with strong unique passwords and a reputable password manager — remains the highest-leverage individual security action

Agentic AI SOCs and AI-Powered Attack Automation

  • AI agents will handle up to 90% of routine security operations triage by end of 2026 as organizations deploy “agentic SOC” capabilities (SentinelOne prediction)
  • AI-assisted attacks will enable faster, more personalized, and more adaptive phishing — the arms race between AI attackers and AI defenders will define the 2026–2028 security landscape
  • Shadow AI will remain a top enterprise risk as adoption continues to outpace governance frameworks (IBM, Google Cloud Security)

Supply Chain and Third-Party Risk

Third-party involvement in breaches doubled in a single year:

  • Third-party involvement in breaches reached 30% in the Verizon DBIR 2025, up from 15% in 2024 — the single largest year-over-year increase in any major attack vector
  • Supply chain attacks will continue targeting software build pipelines, open-source libraries, and managed service providers as entry points into larger target networks
  • Software supply chain attacks were projected to grow 4× by 2025 compared to 2021 (Gartner estimate)

Double Extortion and Data-Theft Evolution

  • Double extortion is now the norm in 87.6% of ransomware claims — recovering from backups doesn’t prevent the data leak threat (Travelers Insurance)
  • Organizations must now prioritize preventing data exfiltration as a distinct security objective, not just restoring from backups
  • Ransomware groups are investing in AI-assisted data analysis to identify the most valuable data to extract before triggering encryption — maximizing leverage for extortion

Quantum Computing: The Horizon Threat

  • Nation-state actors are currently collecting encrypted data with the intent to decrypt it once quantum computers become sufficiently powerful (“harvest now, decrypt later”) — this is not a future risk; the data collection is happening now
  • NIST finalized its first set of post-quantum cryptographic standards in August 2024, providing the technical baseline for migration
  • Organizations handling data with long-term sensitivity (healthcare records, financial transactions, government communications) should begin post-quantum cryptography roadmap planning in 2026

Quick Reference: Key Cybersecurity Statistics 2026

Metric | Figure | Source
US cybercrime losses (2025) | $20.877 billion | FBI IC3 2025
IC3 complaints (2025) | 1,008,597 (first time >1M) | FBI IC3 2025
Investment fraud losses (2025) | $8.65 billion | FBI IC3 2025
BEC losses (2025) | $3.046 billion | FBI IC3 2025
Global avg. data breach cost | $4.44 million | IBM 2025
US avg. data breach cost | $10.22 million (record) | IBM 2025
Healthcare avg. breach cost | $7.42 million | IBM 2025
Average breach lifecycle | 241 days | IBM 2025
Ransomware % of all breaches | 44% | Verizon DBIR 2025
IC3 ransomware complaints (2025) | 3,611 | FBI IC3 2025
Median ransom demand (2025) | $1.32 million | Sophos 2025
Orgs refusing to pay ransom | 64% | Verizon DBIR 2025
Total crypto ransomware payments (2024) | ~$813 million | Chainalysis
Human element in breaches | 60% | Verizon DBIR 2025
Third-party breach involvement | 30% (doubled YoY) | Verizon DBIR 2025
Credential abuse as initial vector | 22% | Verizon DBIR 2025
Phishing as initial vector (IBM) | 16% | IBM 2025
Shadow AI breaches | 20% of all breaches | IBM 2025
Shadow AI breach cost premium | +$670,000 | IBM 2025
AI-used in attacks (IBM data) | 16% of breaches | IBM 2025
Cost savings with AI in security | $1.9M average | IBM 2025
Cybersecurity spending 2026 | ~$240 billion | Gartner
Global cybercrime cost projection (2026) | ~$10.8 trillion | Cybersecurity Ventures
Workforce skills shortages | 59% of organizations | ISC2 2025
Top skill in demand | AI/ML security (41%) | ISC2 2025
Global cybersecurity workforce | ~5.5 million | ISC2 2025
BLS job growth projection (to 2032) | 32% | BLS.gov
Orgs using AI-driven security | 69% integrating/testing | ISC2 2025
Malware-free attacks | 82% of detections | CrowdStrike 2026
Vulnerabilities disclosed (past year) | 30,000+ (+17% YoY) | Qualys
Healthcare ransomware attacks (2025) | 460 | FBI IC3 2025
Healthcare breach detection time | 279 days | IBM 2025

Frequently Asked Questions

What is the total cost of cybercrime in 2026?

Two figures apply to different scopes. The FBI IC3’s 2025 Annual Report recorded $20.877 billion in US cybercrime losses from voluntary reports — the first time the figure crossed $20 billion. Cybersecurity Ventures projects total global cybercrime costs (including unreported incidents and indirect costs) at approximately $10.8 trillion for 2026. The IC3 figure is verified and empirical; the Cybersecurity Ventures figure is a market research projection.

What is the average cost of a data breach in 2026?

IBM’s 2025 Cost of a Data Breach Report found the global average at $4.44 million — the first decline in five years. However, US breaches average $10.22 million, a record high. Healthcare remains the most expensive sector at $7.42 million globally. Organizations using AI and automation extensively in security save approximately $1.9 million per breach compared to organizations without these tools.

How common are ransomware attacks?

Ransomware appeared in 44% of all data breaches studied by Verizon in 2025 — up from 32% the prior year. The FBI IC3 received 3,611 ransomware complaints in 2025. Separately, 73% of organizations reported being hit by ransomware at least once in 2024 (Fortinet), and 78% of companies were hit in the past year (CrowdStrike). Ransomware attack volume is estimated to have surged 58% in 2025 year-over-year.

What percentage of breaches involve human error?

Approximately 60% of confirmed data breaches involved a human element — through social engineering, errors, or credential misuse — per the Verizon DBIR 2025. IBM’s data puts the figure at 95% when including any human component across the attack chain. These figures reflect different methodologies: Verizon counts human action as a contributing factor at any point; IBM’s figure covers the broader category of human error in enabling access.

What is the biggest cybersecurity threat in 2026?

By financial damage: investment fraud ($8.65B in FBI IC3 losses) and BEC ($3.046B). By breach prevalence: credential theft (22% of initial access), ransomware (44% of breaches), and phishing (16% initial vector per IBM). By emerging risk: AI-powered attacks and shadow AI governance failures. By supply chain exposure: third-party involvement doubled to 30% of all breaches in the 2025 DBIR.

How large is the cybersecurity workforce gap?

ISC2’s 2025 Workforce Study declined to publish a gap estimate for the first time, noting that skills shortages now outweigh headcount shortages as the primary constraint. The 2024 ISC2 estimate was a gap of approximately 4.76 million professionals globally. In 2025, 59% of organizations report critical or significant skills shortages, with AI and cloud security as the most urgent gaps. The US Bureau of Labor Statistics projects 32% job growth in information security analysis through 2032.

What cybersecurity spending is projected for 2026?

Gartner projects global cybersecurity spending will reach approximately $240 billion in 2026, a 12.5% increase. Security software leads at approximately $106 billion, followed by security services at $84 billion. Average organizations spend approximately 0.7% of annual revenue on security.

How can individuals protect themselves from the most common threats?

The data identifies three highest-leverage individual actions: (1) Use strong unique passwords for every account with a password manager — credential theft is the #1 initial access vector; (2) Enable phishing-resistant MFA (passkeys or hardware keys where available) — standard SMS and push MFA are increasingly bypassed; (3) Use a verified VPN on public networks — 29% of remote workers connect to public Wi-Fi without a VPN even when required by their employers. For evaluated tools, see our Best Password Manager, Best VPN, and Best Antivirus guides.
