35 cybersecurity statistics to lose sleep over in 2026

Cybercrime and cybersecurity statistics

By 2028, humanity's collective data will reach 394 zettabytes -- that's the number 394 followed by 21 zeros. This data includes everything from streaming video and dating apps to healthcare databases. Securing all this data is vital.

The main goal for cybercriminals is to acquire information -- names, passwords and financial records, for example -- that can be sold on the dark web. As explained below, attacks can happen at any time, and both individuals and organizations are victims.

1. Perhaps no cybersecurity trend has been more troublesome in the last several years than the scourge of attacks related to the supply chain. The 2025 Salesloft Drift attack, which followed earlier incidents, such as the 2019/2020 SolarWinds breach and the 2021 Log4j vulnerability in the open source world, put organizations around the globe at risk. Cybersecurity Ventures predicted that supply chain attacks will cost $138 billion globally by 2031, up from $60 billion in 2025.
2. The volume of reported vulnerabilities continues to rise. According to Recorded Future's "H1 2025 Malware and Vulnerability Trends" report, more than 23,600 new vulnerabilities were disclosed in the first half of 2025 -- a 16% increase over the same period in 2024.
3. According to the World Economic Forum's "Global Cybersecurity Outlook 2025" report, security remains a premier global threat, with 72% of cybersecurity leaders reporting a rise in organizational risk over the past year.
4. The annual average cost of cybercrime is predicted to hit more than $23 trillion in 2027, up from $8.4 trillion in 2022, according to data cited in 2023 by Anne Neuberger, former U.S. deputy national security advisor for cyber and emerging technologies.
5. While businesses try to protect their sensitive files from attack, customer information is stored in vulnerable databases all over the world. Identity-fraud losses tallied $27.2 billion in 2024, up 19% from 2023, according to data in the "2025 Identity Fraud Study" from Javelin.
6. It takes an average of 241 days for security teams to identify and contain a data breach, according to the "Cost of a Data Breach Report 2025," released by IBM and Ponemon Institute.
7. According to the same report, data breaches involving lost or stolen credentials take 246 days to identify and contain.
8. The IBM report also found that organizations that extensively used security AI and automation contained and resolved breaches 80 days faster than those that did not.
9. According to SonicWall's "2025 Cyber Threat Report," global IoT malware attacks increased by 124% year-over-year.
10. In the first nine months of 2025, the Identity Theft Resource Center tracked more than 2,500 data compromises, which resulted in a cumulative total of nearly 202 million affected individuals.
11. The FBI's Internet Crime Complaint Center reported 859,532 complaints in 2024 from the U.S. public. Potential losses from those complaints exceeded $16 billion -- a 33% increase from the prior year.

Cybersecurity issues and threats

There are many types of security threats. Unlike a breach, a security incident doesn't necessarily mean information has been compromised, it only means information was threatened. The most common types of security threats are malware, ransomware, social engineering, phishing, credential theft and DDoS attacks.

12. According to Verizon's "2025 Data Breach Investigations Report," the human element is the most common threat vector, with 60% of breaches involving a nonmalicious human element. This includes human error, social engineering scams and privilege misuse.
13. Mobile malware is on the rise, with Kaspersky Lab reporting that its products blocked 47 million mobile attacks in the third quarter of 2025 alone.
14. Ransomware attacks pose a year-after-year threat to all sectors. Ransomware affected 59% of respondents' organizations, according to "The State of Ransomware 2025" report from Sophos.
15. Thanks in part to generative AI, phishing attacks increased between June and November 2025 by 202%, according to the "State of Phishing Report" from Varonis. The Anti-Phishing Working Group (APWG) reported more than 892,000 phishing attacks in the third quarter of 2025 alone.
16. Social media platforms are frequently attacked, accounting for 14.6% of all phishing attacks, according to the APWG.
17. Netscout reported more than 8 million DDoS attacks in the first half of 2025.
18. One of the largest and most sophisticated DDoS attacks in 2025, reported by Cloudflare, was linked to the Aisuru botnet, which, at its peak, hit a record bandwidth of 29.7 Tbps.

The cost of cybercrime

Cybercrime can affect a business for years after the initial attack. The costs associated with cyberattacks -- lawsuits, insurance rate hikes, criminal investigations and bad press -- can, in the worst cases, put a company out of business.

19. The Accenture State of Cybersecurity Resilience 2025 report found that companies are not prepared to meet the AI challenge. In fact, 36% of technology leaders said their security capabilities are unable to keep pace with AI.
20. A single attack can have significant unexpected effects. The "Hiscox Cyber Readiness Report 2025" found that 33% of organizations faced a regulatory fine following a cyberattack.
21. The average total cost of a data breach in 2025 was $4.44 million, according to the IBM report. Breaches in the healthcare industry were the costliest, averaging $7.42 million, compared with $5.56 million in financial services.
22. While 46% of all SMBs experienced a cyberattack in 2025, only 14% said they are adequately prepared to defend against them. Seventy-five percent said they lack regular cybersecurity training programs, according to Total Assure's "Cyber Attacks on Small Businesses Statistics 2025."
23. The U.S. government budgeted an estimated $13 billion on cybersecurity spending for fiscal year 2025, excluding the Department of Defense.
24. Approximately 9.9 billion accounts have been breached globally since the beginning of 2020 through the second quarter of 2025, according to Surfshark's data breach statistics.
25. By 2033, global spending on cybersecurity will reach $663 billion, according to Grand View Research.

Headlines from the cybersecurity industry

Cybercrime isn't the only news item security experts should be thinking about. Here's a look at some of the major industry trends related to GenAI, incident response, attacks and testing:

26. GenAI has become a growing cybersecurity concern. According to HackerOne's 2025 "Hacker-Powered Security Report," GenAI is a top IT-related risk for 78% of organizations, up from 48% in 2024.
27. GenAI is making phishing more dangerous by enabling attackers to more easily construct clever lures to reel in potential victims.
28. Beyond phishing, there are multiple security risks associated with GenAI, including sensitive data leakage and data poisoning.
29. The FBI's Cyber Crimes Most Wanted list features more than 100 individuals and groups that conspired to commit the damaging crimes against the U.S. These crimes include computer intrusions, wire fraud, identity theft, espionage, trade-secret theft and other offenses.
30. Approximately 64% of applications had first-party code flaws, and 70% had flaws in third-party code, according to Veracode's "State of Software Security 2025" report.
31. Managing mobile device security is another challenge. Devices that have been rooted or jailbroken, along with devices that likely have malware installed on them, are one form of risk. Additional mobile risk comes from the growing volume of text messaging-based business email compromise.

The skills shortage

The cybersecurity industry has had an employee and skills shortage for years. Joseph Blankenship, a research director for security and risk at Forrester, suggested organizations look inward for current employees who might be well-suited for security careers, and then recruit and train them for those new roles. There might be plenty of individuals out there -- such as networking admins, developers, systems engineers and even security analysts -- with the chops needed for the job.

The U.S. government is also working to improve the recruitment process. CISA is among the most active government agencies recruiting IT talent.

32. The 2025 ISC2 Cybersecurity Workforce study found that 95% of cybersecurity teams have at least one critical skill shortage and 59% face critical or significant skills deficiencies.
33. The ISC2 study reported that Asia-Pacific, the Middle East and Africa, and North America have the biggest demands for cybersecurity workers.
34. The "State of Cybersecurity 2025" report from ISACA found that 52% of organizations have unfilled cybersecurity positions, and 55% of teams are understaffed.
35. That ISACA study also reported that 46% of organizations manage teams where more than half of staff transitioned from nonsecurity roles. ISACA also reported that the top reasons security employees leave their jobs are high work stress levels (47%), limited promotion opportunities (46%), recruitment by other companies (45%) and poor financial incentives (44%).

Editor's note: This article was updated in 2026 to include cybersecurity news events and data from recent research and surveys.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and has been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.