124+ Cybersecurity Statistics IT Leaders Need to Know

The cybersecurity space is brimming with thousands of statistics on cyber-related threats and trends.

But which are the most important ones to know about?

Below you’ll find a comprehensive collection of the most impactful cybersecurity statistics we believe IT leaders need to know to understand the threat landscape 2023.

---

---

Cybersecurity Statistics 2023

Password Security Statistics

Facts showing how passwords are often the weak spot in cybersecurity:

• 80% of data breaches are linked to the exploitation of passwords (Verizon, 2022)
• 30% of internet users have experienced a data breach due to a weak password (GoodFirms, 2021)
• 2 out of 3 Americans use the same password across multiple accounts (Google, Harris Poll, 2019).
• The most commonly used password is “123456” (CyberNews, 2023)
• The average password is 8 characters or less (Dataprot, 2023)
• 50% of people use the same password for all their logins (LastPass, 2021)
• More than 60% of workers use the same passwords for their job and personal apps (LastPass, 2021)
• 40% of people have had their identities hacked, passwords compromised or information breached because of passwords (Google, Harris Poll, 2019)
• 59% of US adults use birthdays or names in their passwords (Google, Harris Poll, 2019).
• Only 1 out of 3 people update their passwords once or twice a year (Digital Guardian, 2020).
• The average adult created 15 new online accounts during the COVID-19 Pandemic, with 82% reusing passwords across accounts (IBM, 2021)
• 53% of IT professionals use email to share passwords with colleagues (Exploding Topics, 2023)
• Only 27% of US adults use a password generator when creating new passwords (Security.org, 2023)
• 1 in 3 Americans are more interested in having a password that is easy to remember versus being secure (Businesswire, 2021).
• 36% of people engage in bad password habits because they believe their accounts are not valuable enough for hackers (Secureframe, 2023)
• 62.9% of online users change their passwords only when prompted (GoodFirms, 2021).
• 15% of people use their own first name in their password (Security.org)
• 37% of respondents have used their employer’s name in a work-related password (Keeper Security, 2023).
• 88% of passwords used in successful attacks consisted of 12 characters or less (Specops Software, 2023).

Quick Takeaways:

• Weak, reused passwords are a major factor in data breaches.
• Users often underestimate the value of their accounts to potential hackers.
• Tools to create complex passwords, such as password generators, are underutilized.

Detailed Takeaway:

Our statistics reveal that weak, reused passwords are linked to a majority of data breaches. Users frequently underestimate the value of their accounts to potential hackers, resulting in lax security practices. Password generators and complex passwords, while essential for securing accounts, are underused.

Password Management Statistics

Numbers on how people are handling and organizing their passwords:

• 57% of employees find password management a nuisance that stop them from doing their jobs (DataProt, 2023)
• 69% of people share passwords with co-workers (Ponemon Institute, 2019)
• Employees reuse a password an average of 13 times (LastPass, 2023)
• IT professionals reuse passwords more than average users (Ponemon Institute, 2020)
• 8 out of 10 individuals struggle with password management (Nordpass)
• 41% of internet users manage passwords across 10 to 25 websites and apps (Bitwarden, 2022)
• 62% of employees say they store login credentials in a notebook or journal (Keeper Security, 2023)

Quick Takeaways

• Password management is often viewed as a nuisance by employees.
• Risky practices like password sharing are common in the workplace.
• Managing multiple passwords across different platforms is challenging for many users.

Detailed Takeaway:

Password management is perceived as an obstruction to work by many employees, leading to unsafe practices such as password sharing. Furthermore, managing passwords across different platforms is a widespread issue, reflecting the need for more effective solutions.

Shadow IT Statistics

Info about people using software without approval and the problems it causes:

• 80% of workers admit to using SaaS applications at work without getting approval from IT (G2, 2020)
• Shadow IT cloud usages estimated to be 10x the size of known cloud usage (G2, 2020)
• The average company have 975 unknown cloud services (G2, 2020)
• Most companies have over 108 known cloud services (Perimeter 81, 2023)
• 37% of IT leaders say security policies are the biggest challenge to an effective employee digital experience (Google, 2022)
• 8% of software licenses are only used once a month (10duke, 2018)
• 30% of software licenses go completely unused (Techrepublic, 2016)
• Only 28% of IT leaders are using some kind of SaaS management tool to get visibility into shadow IT
• 20 – 40% of enterprise technology funding is spent outside IT’s purview (NetEnrich, 2019)
• Shadow IT accounts for 30-40% of IT spending in large enterprises (Gartner, 2017)
• 82% of IT leaders say users push back when management tried to dictate which tools should be used (Nextplane, 2023)
• 67% of workers have introduced their own tools into their organization (Nextplane, 2023).
• 1 out of 3 employees at Fortune 1000 companies use cloud services that haven’t been approved by IT (IBM, 2022)
• 53% of teams refuse to only use IT-approved tools (Nextplane, 2019)
• 65% of experienced remote workers use shadow IT (Beezy, 2021)

Quick Takeaways

• Unapproved SaaS applications and services are frequently used, contributing to Shadow IT.
• Many companies have poor visibility into their IT ecosystems.
• Inefficient software license management results in significant wastage.

Detailed Takeaway:

The use of unapproved SaaS applications is widespread, significantly contributing to Shadow IT. This situation is further exacerbated by many companies’ poor visibility into their IT ecosystems. Inefficient software license management leads to significant wastage, highlighting the need for improved processes.

Identity and Access Management Statistics

Data on who has too much access to systems and how it causes problems:

• 49% of businesses have at least one employee with access rights that go beyond what is required for their job responsibilities (Cybersecurity Insiders, 2020).
• 75% of enterprise security managers plan to increase spending on multifactor-authentication (BusinessWire, 2021).
• 50% of organizations don’t have a policy on the security requirements for their remote workers (Keeper Security, 2020).
• Over 80% of global IT leaders have implemented or intend to implement or expand cloud-based identity and access management in the next two years​ (Vsecurelabs, 2023).
• 74% of data breaches begin with the misusing of privileged credentials (Vsecurelabs, 2023).

Quick Takeaways

• Employee over-access is a common problem, indicating a need for tighter controls.
• Multifactor-authentication is increasingly recognized as a vital security measure.
• Data breaches often begin with the misuse of privileged credentials.

Detailed Takeaway:

Over-access by employees is a common issue, demonstrating a need for improved access controls and regular audits. The significance of multifactor-authentication is increasingly recognized, with many companies planning to expand their investments in it. It’s also crucial to note that data breaches often start with the misuse of privileged credentials.

Artificial Intelligence (AI) in Cybersecurity Statistics

Numbers on how AI is helping in the fight against cyberattacks.

• Organizations using AI are able to detect and contain data breaches 27% faster (Varonis, 2023)
• A survey revealed that 51% of IT decisions makers believe there will be a successful cyberattacked credited to AI (specifically language models like ChatGPT) within 2023 (Blackberry, 2023)
• Organizations with a fully deployed AI and automation program can identify and contain a breach 28 days faster than those without such a program (Varonis, 2023)
• The global artificial intelligence (AI) in cybersecurity market size was evaluated at $17.4 billion in 2022 and is expected to hit around $102.78 billion by 2032, growing at a CAGR of 19.43% between 2023 and 2032 (precedenceresearch, 2023)
• 75% of enterprises are relying on AI-based platforms and solutions for network security today, making it the most common use case (Statista, 2022)

Quick Takeaways:

• AI helps organizations detect and contain data breaches faster.
• IT decision-makers are concerned about potential AI-powered cyberattacks.
• AI and automation greatly reduce the time taken to identify and contain a breach.
• The AI in cybersecurity market is expected to see significant growth in the coming decade.
• AI-based platforms and solutions are a common choice for network security in enterprises.

Detailed Takeaway:

AI has become a crucial asset in cybersecurity, accelerating breach detection and containment. There’s growing concern among IT professionals about the potential for AI-powered cyberattacks. With AI and automation, businesses can further speed up breach responses. Reflecting its value, the AI in cybersecurity market is expected to grow significantly, reaching around $102.78 billion by 2032. Today, three-quarters of enterprises rely on AI for network security, highlighting its widespread adoption.

Cloud Security Statistics

Stats on how safe or risky cloud services are:

• 45% of breaches are cloud-based (IBM, 2022)
• 80% of companies have experienced at least one cloud security incident in the last year (Snyk, 2022)
• 72% of organizations are defaulting to cloud-based services when upgrading or purchasing new software (Foundry, 2022)
• Only 20% of organizations assess their cloud security posture in real-time (Tripwire, 2020)
• The top security-related cloud threat is misconfigurations (Snyk, 2022)
• 83% of organization report that at least one of the cloud data breaches they’ve experienced have been related to access (Ermetic, 2021)

Quick Takeaways:

• A significant portion of data breaches are cloud-based.
• Cloud security incidents are common, with the majority of companies experiencing at least one in the past year.
• Cloud-based services are the preferred choice for many organizations upgrading or purchasing new software.
• Real-time assessment of cloud security posture is not commonly practiced.
• Misconfigurations are the top cloud security threat.
• Access-related issues are a significant factor in cloud data breaches.

Detailed Takeaway:

Cloud-based breaches account for a large proportion of all data breaches, with the majority of companies reporting at least one cloud security incident in the past year. As many organizations default to cloud-based services for new software or upgrades, maintaining robust cloud security becomes critical. Despite this, only a fraction assess their cloud security posture in real-time. Misconfigurations pose the top cloud security threat, and access-related issues contribute significantly to cloud data breaches.

IoT Security Statistics

Statistics reflecting the current state of security in the Internet of Things devices sector:

• 69% of enterprises have networks that are made up of more IoT devices than computers (Armis, 2023)
• 67% of enterprises have experienced an IoT security incident (Armis, 2023).

Cybersecurity Spending Statistics

Facts about how much money is going into cybersecurity:

• 65% of organizations plan to increase cybersecurity spending in 2023 (CSOonline, 2023).
• 40% of survey respondents claim that improving cybersecurity is the most important justification for IT investments in 2023 (Reg4Tech, 2023).
• Global security spending will reach $219 billion in 2023 and is expected to grow to nearly $300 billion in 2026 (IDC, 2023).
• Cybersecurity spend is now more than 20% of the average IT budget (Hiscox, 2022).

Quick Takeaways:

• Most organizations plan to increase cybersecurity spending.
• Enhancing cybersecurity is a top priority when justifying IT investments.
• Global security spending is set to grow significantly in the coming years.
• Cybersecurity now constitutes a substantial portion of the average IT budget.

Detailed Takeaway:

The importance of cybersecurity is being reflected in budget allocations, with most organizations planning to increase their cybersecurity spending. It’s become a top priority for justifying IT investments. The global trend also points to a steady increase in security spending, expected to reach nearly $300 billion in 2026. In terms of proportions, cybersecurity now makes up more than a fifth of the average IT budget.

Cyberattacks Statistics 2023

Ransomware Attacks Statistics

Info on the increase of ransomware attacks and what they cost:

• There has been an 85% increase in ransomware attacks since 2020 (Palo Alto Networks, 2021).
• There are an estimated 4,000 ransomware attacks per day (Theiia, 2022).
• Ransomware accounted for 10% of all cyberattacks in 2021 (Verizon, 2021).
• 80% of previous ransomware targets got hit with a second ransomware attack (Cybereason, 2022).
• 70% of businesses were predicted to be hit by one or more ransomware attacks in 2022 (Statista, 2022).
• Only 4% of ransomware victims get retrieve all their data (Fortinet, 2023).

Quick Takeaways:

• Ransomware attacks have seen a significant surge since 2020.
• Ransomware contributed to a tenth of all cyberattacks in 2021.
• Few ransomware victims manage to retrieve all their data.

Detailed Takeaway:

Ransomware attacks have soared, with an 85% increase since 2020 and approximately 4,000 attacks occurring daily. They constituted 10% of all cyberattacks in 2021, and the risk remains high as most previous targets face subsequent attacks. The forecast isn’t bright, with 70% of businesses predicted to fall victim to one or more attacks in 2022. Moreover, the aftermath of these attacks is grim, as only a small fraction of victims manage to retrieve all their data.

DDoS Attacks Statistics

Numbers on the rise of DDoS attacks and the money lost:

• Reports predict the total number of DDoS attacks will reach 15 million by 2023 (MazeBolt, 2023).
• There’s been a 67% increase in ransom DDoS attacks in 2022 (Cloudflare, 2022).
• The US is the most targeted country for DDoS attacks, followed by mainland China, Germany, and France (Cloudflare, 2022)
• The Aviation and Aerospace industry experienced the highest number of DDoS attacks, followed by the Events Services industry (Cloudflare, 2022)
• The longest attack in Q3 2022 lasted 18 days and 19 hours (Securelist, 2022)
• Ransom DDoS attacks increased by 11% QoQ (Cloudflare, 2022),
• 43% of organizations experience an average revenue loss of $250,000 per hour due to DDoS attacks, with 51% taking at least three hours to detect and 40% taking at least three hours to respond (Technative, 2017).

Quick Takeaways:

• DDoS attacks are predicted to reach 15 million by 2023.
• There has been a notable increase in ransom DDoS attacks.
• The Aviation and Aerospace industry has experienced the highest number of DDoS attacks.

Detailed Takeaway:

DDoS attacks continue to surge, with predictions indicating a total of 15 million attacks by 2023. This includes a significant increase in ransom DDoS attacks. The U.S., followed by mainland China, Germany, and France, faces the brunt of these attacks. Among industries, the Aviation and Aerospace sector experiences the most DDoS attacks, with even the Events Services industry being heavily targeted. These attacks pose serious financial risks, causing significant revenue loss and requiring considerable time for detection and response.

Malware Attacks Statistics

Figures on the number, types, and targets of malware attacks:

• In 2022, 75% of organizations experienced malware activity that spread from one employee to another, the highest rate since the survey began in 2016​ (Mimecast, 2022)
• 300,000 new malware are created every day, 92% of which are delivered via email and have a detection period of 49 days​ (Getastra, 2023)
• In the first six months of 2022, there were 2.8 billion malware attacks and 255 million phishing attacks reported​ (Getastra, 2023)
• More than 1 billion malware programs are circulating as of 2023 (Dataprot, 2023)
• Over 92% of all malware is delivered by email (Legaljobs, 2023)
• Over 18 million websites are infected with malware at a given time each week (Purplesec, 2023)

Quick Takeaways:

• A large majority of organizations have experienced internal spread of malware.
• New malware creation is rampant, with most delivered via email.
• There are over a billion malware programs in circulation.
• A considerable number of websites are infected with malware each week.

Detailed Takeaway:

Malware attacks continue to plague organizations, with three-quarters experiencing internal spread of malware in 2022. This aligns with the rapid pace of new malware creation – an alarming 300,000 per day, of which the majority is delivered via email. This has contributed to the staggering number of reported malware attacks in just the first half of 2022. Furthermore, there’s a vast pool of malware programs in circulation, amounting to over a billion. This has significant implications for website security, with a significant number infected with malware at any given time each week.

Social Engineering Attacks Statistics

Info on tricks used to manipulate people into giving away sensitive data:

• Cybercriminals use social engineering in 98% of attacks. (Purplesec, 2021)
• Over 70% of all data breaches are due to social engineering. (GlobalSign, 2020)
• The average organization faces 700 social engineering threats per year. (AttackSimulator, 2021)
• Only 27% of companies provide social engineering awareness training. (Firewall Times, 2022)
• 43% of IT workers were victims of social engineering attacks in 2020. (ZDNet, 2021)
• Darktrace has seen an 136% increase in attacks that leverage social engineering in Q2 2023 (Theregister, 2023)

Quick Takeaways:

• A vast majority of cyberattacks involve social engineering.
• Over 70% of all data breaches are due to social engineering tactics.
• Training against social engineering is not widely provided in companies.

Detailed Takeaway:

Social engineering is a dominant technique used in cyberattacks, playing a part in 98% of them, and is responsible for over 70% of all data breaches. The average organization is not spared, facing around 700 social engineering threats per year. Despite the prevalent risk, only 27% of companies provide social engineering awareness training. This leaves employees, including those in IT roles, vulnerable. In fact, nearly half of IT workers were victims of such attacks in 2020.

Phishing Attacks Statistics

Figures on the use of deceptive emails or websites to steal personal info:

• 45% of millennial employees don’t know what phishing is. (Proofpoint, 2020)
• There are more than 2 million phishing websites. (IDAGENT, 2021)
• About 43% of phishing attackers impersonate Microsoft. (Spamtitan, 2021)
• About 30% of employees fail a phishing test. (KnowBe4, 2022)

Cost of Cybercrime

How much cybercrime is costing businesses:

• Victims paid $350 million in ransom in 2020 (Security and Technology, 2020)
• It costs a business $1.85 million on average to recover from a ransomware attack (Sophos, 2022)
• The highest ransom demanded from a victim reached $70 million in 2021 (Blackblaze, 2021)
• Ransomware is predicted to cost victims $265 billion annually in 2031 (Cybersecurity Ventures, 2023)

Cybersecurity Statistics by Industry

Finance

• In 2021, there were 2527 reported cyber incidents in the financial industry worldwide (Statista, 2023)
• The biggest financial data breach happened in 2019 and resulted in the leakage of 885 million financial and personal records (Statista, 2022)
• 19% of cyberattacks happened in the finance sector (Statista, 2023)

Manufacturing

• 24.8% of cyberattacks happened in the manufacturing sector (Statista, 2023)
• Manufacturers pay $2 million on average to restore operational systems after a successful ransomware attack (Globenewswire, 2022)
• Manufacturing companies are targeted by 23% of corporate ransomware attacks (IBM, 2022)
• 61% of manufacturing and production organizations reported an increase in cyberattacks since 2021.
• Only 24% of manufacturing firms have completed OT security projects and upgrades (Barracuda, 2022)
• 56.8% of all IoT traffic comes from the manufacturing industry (Zscaler, 2020)
• 73% of OT devices are completely unmanaged (Armis, 2023)
• 75% of industrial organizations experience no major breaches after completing a cybersecurity project (Barracuda, 2022)

Quick Takeaways:

• Manufacturing is a prime target for cyberattacks, with high recovery costs.
• OT devices are largely unmanaged, heightening risks.
• Investments in cybersecurity projects significantly reduce breaches.

Detailed Takeaway:

The manufacturing sector, targeted in nearly a quarter of all cyberattacks, faces significant recovery costs, with manufacturers paying $2 million on average after successful ransomware attacks. The risk is amplified by the fact that 73% of OT devices are unmanaged. However, these risks can be significantly reduced through investment in cybersecurity, with 75% of industrial organizations not experiencing any major breaches after completing a cybersecurity project.

Healthcare

• 93% of healthcare organization have experienced a data breach in the last 3 years (SafetyDetectives, 2023)
• Hospitals account for 30% of all large-scale data security incidents (SafetyDetectives, 2023)
• 6% of cyberattacks happened in the healthcare sector (Statista, 2023)

Energy

• Commodities, energy, and resources assets in the United States have been targeted more than any other nation, accounting for almost a quarter of all cyberattacks since 2017 (Power&Beyond, 2023).
• In 2022, 10.7% of observed cyberattacks targeted the energy industry (Security Intelligence, 2022).
• The biggest threat to energy organizations in 2022 was the exploitation of public-facing applications, accounting for 40% of all infections (Security Intelligence, 2022).
• Of the 45 cybersecurity incidents that have targeted the energy industry since 2017, 13 of them had taken place by July 2022, the highest annual level over the last six years (Power&Beyond, 2023).

Transport

• Between June 2020 and June 2021, the transportation industry saw a 186% increase in weekly ransomware attacks (Security Intelligence, 2022)
• Malicious insiders made up 29% of attacks on the transportation industry in 2021 (Security Intelligence, 2022).

Cybersecurity Statistics by Business Size

Small Business Cybersecurity Stats

Statistics demonstrating the frequency and impact of cyber threats encountered by small businesses:

• Employees at small businesses have an average of 85 passwords to manage (LastPass, 2022)
• 47% of businesses with less than 50 employee do not have a dedicated cybersecurity budget (SmallBusinessTrends, 2023)
• 46% of all breaches impact businesses with fewer than 1,000 employees (SmallBusinessTrends, 2023)
• 75% of SMBs cannot operate if hit with ransomware (SmallBusinessTrends, 2023)
• SMBs are most vulnerable to supply chain attacks (Cybereason, 2023)
• 54% of small businesses believe they’re too small for a cyberattack (Uprise Partners, 2023)
• 52% of small businesses expect their IT team to manage cybersecurity (Electric, 2022)

Quick Takeaways:

• Employees at small businesses manage a significant number of passwords.
• Almost half of small businesses lack a dedicated cybersecurity budget.
• Small businesses are significantly impacted by breaches and are vulnerable to supply chain attacks.
• Over half of small businesses incorrectly believe they are too small to be a target for cyberattacks.

Detailed Takeaway:

Cybersecurity is a critical issue for small businesses, with employees having to manage an average of 85 passwords. Despite this, almost half of such businesses do not have a dedicated cybersecurity budget. This could be a contributing factor to the fact that nearly half of all breaches impact businesses with fewer than 1,000 employees. These businesses also face a significant threat from ransomware, with three-quarters unable to operate if hit. Despite their vulnerability, particularly to supply chain attacks, over half of small businesses underestimate their risk, believing they are too small to be targeted.

Enterprise Cybersecurity Statistics

Figures illuminating the cybersecurity challenges faced by large corporations:

• 50% of large enterprises spend $1 million on security annualy (Secureworks, 2021)

Conclusion

Analyzing these 2023 cybersecurity stats makes it clear that our digital world is full of risk. From rampant ransomware to shadow IT, and from the vulnerabilities of small businesses to the rising threats in the finance and energy sector, the need for robust cybersecurity solutions and practices is high as ever. We urge you to use these figures and statistics to inform your security decisions, and hope that they offer a much-needed insight into our current threat landscape.

Frequently Asked Questions by IT Professionals

What is the most common cybersecurity threat in 2023?

Poor password security accounts for 81% of all breaches. In addition, ransomware attacks, DDoS attacks, and malware are some of the most common cybersecurity threats based on our industry findings.

Are small businesses at risk of cyberattacks?

Yes, small businesses are not only at risk of cyberattacks but are often considered easy targets due to their generally weaker cybersecurity infrastructure.

What role does AI play in cybersecurity?

AI can significantly enhance cybersecurity measures, from detecting and containing data breaches faster to predicting potential cyber threats. However, it’s also anticipated to be used for launching sophisticated cyberattacks.

How widespread is shadow IT? and why is it a problem?

Shadow IT is prevalent in many organizations. It poses a problem as it often doesn’t comply with an organization’s security policies, hence it can expose the organization to security risks.

Why is password management critical?

Proper password management can help prevent unauthorized access, thereby reducing the risk of data breaches. According to statistics, improper password usage and sharing is a factor in almost all cyberattacks.