35 cybersecurity statistics to lose sleep over in 2025

Cybercrime and cybersecurity statistics

Before diving into the specific types of cyberattacks, you need to understand how much data is involved. By 2028, humanity's collective data will reach 394 zettabytes -- that's the number 394 followed by 21 zeros. This data includes everything from streaming video and dating apps to healthcare databases. Securing all this data is vital.

The main goal for cybercriminals is to acquire information -- names, passwords and financial records, for example -- that can be sold on the dark web. As explained below, attacks can happen at any time, and both individuals and organizations are victims:

1. Perhaps no cybersecurity trend has been bigger in the last several years than the scourge of attacks related to the supply chain. Cyberincidents, such as the 2023 MoveIt vulnerability, the breach at software management vendor SolarWinds and the Log4j vulnerability in the open source world, put organizations around the globe at risk. Analyst firm Gartner predicted that by 2025, 45% of global organizations will be affected in some way by a supply chain attack.
2. The volume of reported vulnerabilities continues to rise. The "Vulnerability and Threat Trends Report 2024" from Skybox Security reported that over 30,000 new vulnerabilities were disclosed in the past year -- a 17% year-over-year increase.
3. Cybersecurity will remain a constant concern and there will be continued risk in 2025 from attacks against technology-enabled resources and services, including financial systems and communication infrastructure, according to the "Global Risks Report 2024" from the World Economic Forum.
4. The annual average cost of cybercrime is predicted to hit more than $23 trillion in 2027, up from $8.4 trillion in 2022, according to data cited by Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technologies, in 2023.
5. While businesses try to protect their own sensitive files from attack, customer information is stored in vulnerable databases all over the world. Identity fraud losses tallied a total of $23 billion in  2023, according to data in the "2024 Identity Fraud Study" from Javelin Strategy & Research.
6. It takes an average of 258 days for security teams to identify and contain a data breach, according to "Cost of a Data Breach Report 2024," released by IBM and Ponemon Institute.
7. According to the same report, data breaches involving lost or stolen credentials are more troublesome, taking 292 days to identify and contain.
8. Cryptojacking remains incredibly prevalent, increasing by 659% over 2022's threats to 1.06 billion cryptojacking attacks in 2023, according to the "2024 SonicWall Cyber Threat Report."
9. The mid-year update to the "2024 SonicWall Cyber Threat Report" identified a year-to-date increase of 107% in IoT malware attacks.
10. An Apple-sponsored independent study found that breaches reached an all-time high for the first nine months of 2023, coming in at 20% more than any other year for the same period.
11. The FBI's Internet Crime Complaint Center reported the volume of complaints in 2023 from the U.S. public at 880,418, which is a 10% increase from 2022. Potential losses from those complaints exceeded $12.5 billion.

Cybersecurity issues and threats

There are many types of security threats. Unlike a breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. The biggest types of security threats are malware, ransomware, social engineering, phishing, credential theft and DDoS attacks.

12. According to Verizon's "2024 Data Breach Investigations Report," the human element is the most common threat vector, with 68% of breaches involving a non-malicious human element. People are tricked by social engineering attacks, for example, clicking a link or providing information that can lead to exploitation.
13. Mobile malware is on the rise, with Kaspersky Lab reporting that its products blocked 6.7 million mobile attacks in the third quarter of 2024 alone.
14. Ransomware attacks are a constant threat affecting all sectors, and it's only getting worse. Ransomware affected 59% of respondents' organizations, according to "The State of Ransomware 2024" report from Sophos.
15. Thanks in part to the growth of generative AI (GenAI), phishing attacks increased by a whopping 4,151% since ChatGPT's public debut in late 2022 according to "The State of Phishing 2024" report from SlashNext. The Anti-Phishing Working Group (APWG) reported 932,923 phishing attacks in the third quarter of 2024 alone.
16. Social media platforms are frequently attacked, accounting for 30.5% of all phishing attacks, according to the APWG.
17. DDoS attacks spiked in  2024, with Netscout reporting approximately 8 million DDoS attacks in the first half of 2024 up by 13% over the previous six months. The maximum attack bandwidth for a DDoS attack was 960 Gbps.
18. One of the largest and most sophisticated DDoS attacks in 2024 was an attack reported by Cloudflare that, at its peak, hit a record bandwidth of 3.8 Tbps.

The cost of cybercrime

Cybercrime can affect a business for years after the initial attack occurs. The costs associated with cyberattacks -- lawsuits, insurance rate hikes, criminal investigations and bad press -- can put a company out of business.

19. Part of maintaining a high level of security is ensuring that every employee knows how security affects their day-to-day activities. Building a security awareness training program is a necessary part of any company's security strategy, as employees ranging from associates to CEOs are constantly inundated with phishing emails. When you have mobile and IoT devices in your environment, creating a mobile incident response plan is a must. The Accenture "State of Cybersecurity Resilience 2023" report identified the impact of organizations that align cybersecurity with business objectives as being very beneficial. The group that Accenture identifies as "cyber transformers" reported 26% lower costs from breaches than other respondent organizations and are 18% more likely to increase revenue growth.
20. A single attack -- be it a data breach, malware, ransomware or DDoS attack -- can have significant effects. The "Hiscox Cyber Readiness Report 2024" showed that 43% of organizations lost existing customers because of cyberattacks.
21. The average total cost of data breaches in 2024 was $4.88 million, according to the IBM/Ponemon Institute report. Breaches in the healthcare industry were the costliest at $9.77 million, on average, versus $6.08 million for financial services.
22. While 48% of all SMBs have experienced a cyberattack, 43% of them struggle to understand what security is actually required, according to the "Cyber security for SMBs: Navigating Complexity and Building Resilience" report from Sage Group.
23. Excluding the Department of Defense, the U.S. government budgeted $12.72 billion on cybersecurity spending for fiscal 2024.
24. Over the course of 2021 and 2022, Apple's sponsored security report found that a staggering 2.6 billion personal records had been stolen in data breaches.
25. By 2030, global spending on cybersecurity will reach $538.3 billion, according to Statista.

Headlines from the cybersecurity industry

Plenty of security news broke in 2024. Hackers and cybercriminals ruthlessly attacked businesses and individuals alike. But cybercrimes aren't the only news items security experts should consider from 2024. Here's a look at some of the major industry trends related to GenAI, incident response, attacks and testing:

26. GenAI has become a growing cybersecurity concern. According to the HackerOne 2024 "Hacker-Powered Security Report," GenAI is a top IT-related risk for 48% of organizations.
27. GenAI is making phishing more dangerous by enabling attackers to more easily construct articulate lures to reel in potential victims.
28. Beyond phishing, there are multiple security risks associated with GenAI that began to be exposed in 2023, including sensitive data leakage and data poisoning.
29. The FBI's Cyber Crimes Most Wanted list features more than 100 individuals and groups that conspired to commit the most damaging crimes against the U.S. These crimes include computer intrusions, wire fraud, identity theft, espionage, trade secret theft and many other offenses.
30. In 2023, approximately 63% of applications had first-party code flaws and 70% had flaws in third-party code, according to the Veracode "State of Software Security 2024" report.
31. Managing mobile device security is another challenge. Devices that have been rooted or jailbroken, along with devices that likely had malware installed, are one form of risk. Additional mobile risk comes from the growing volume of text messaging-based business email compromise.

The skills shortage

The cybersecurity industry has an employee and skills shortage. But don't lose heart, faithful security pros: Joseph Blankenship, a research director for security and risk at Forrester Research, suggested organizations look inward for current employees who might be well suited for security careers, and then recruit and train them for those new roles. There might be plenty of individuals out there -- such as networking admins, developers, systems engineers and even security analysts -- with the chops needed for the job.

The U.S. government is also working to improve the recruitment process. The Cybersecurity and Infrastructure Security Agency (CISA) is among the most active government agencies recruiting IT talent.

32. An estimated 5.5 million people are globally employed in the cybersecurity industry, according to the "2024 ISC2 Cybersecurity Workforce Study," but approximately 5 million cybersecurity employees are still needed globally.
33. The "State of Cybersecurity 2024" report from ISACA found that 46% of organizations have unfilled non-entry-level cybersecurity positions.
34. Adding insult to injury, that same study reported that 44% of organizations are managing staff with less than three years of cybersecurity experience. An inexperienced workforce can result from talented cybersecurity staff being recruited by other companies and poor salary incentives. Other top reasons employees leave, the survey said, are limited opportunities for promotion and high work stress.
35. The "2024 ISC2 Cybersecurity Workforce Study" found Asia-Pacific, the Middle East and Africa, and North America had the biggest demands for a cybersecurity workforce.

If the previous statistics have you lying awake in the middle of the night, here's a statistic to help you sleep: According to Gartner's 2025 worldwide IT forecast, global IT spending is set to grow by 9.3% to $5.74 trillion.

Editor's note: This article was updated to include cybersecurity news events and data from recent research and surveys.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.