Cybersecurity Facts and Statistics: Essential Data [2026]
Your Social Security Number sells for $1 on the dark web. A casino was hacked through a fish tank thermometer. The first ransomware ever demanded $189 by postal mail. And the world’s most common password has been exposed in millions of data breaches — yet people keep using it.
You’ll find 100+ cybersecurity facts and statistics across 17 categories below — from password habits and dark web pricing to IoT attacks, AI threats, and historical firsts. Every fact is sourced from authoritative reports by IBM, Verizon, CrowdStrike, the FBI, ISC2, and 50+ other publishers. Each section includes original analysis cross-referencing multiple sources to surface insights you won’t find elsewhere.
Key Cybersecurity Facts at a Glance
- 💰 $10.5 Trillion: Annual cybercrime cost — 3rd largest economy if it were a country (Cybersecurity Ventures)
- ⚡ $336,000 Every Second: Lost to cybercrime globally — $20M per minute, $1.2B per hour (SentinelOne)
- 🔑 “123456” Still #1: Found in 4.5 million breaches — the world's most common password (CyberNews)
- 🎭 Your SSN: $1-$6 on the dark web. A medical record sells for $500+ (Privacy Affairs / Trustwave)
- 👤 95% Human Error: of cybersecurity breaches involve a human mistake (ISPartners)
- 🏠 820,000+ IoT Attacks/Day: Smart devices hacked daily — up 46% year-over-year (Dexpose)
- 💸 $75M Largest Ransom: Largest ransomware payment ever — paid to Dark Angels group (Zscaler)
- 👥 4.8M Jobs Unfilled: Cybersecurity positions unfilled globally — 87% workforce increase needed (ISC2)
- 🤖 54% AI Phishing Click Rate: AI-powered phishing achieves 4.5x normal click rates (iPification / HBR)
- 💾 96% Target Backups: of ransomware attacks specifically target backup systems (VikingCloud)
Last updated: March 2026
📊 Cybersecurity Facts: The Headlines
These are the cybersecurity facts that stop you mid-scroll. Each one is sourced, verified, and — in many cases — far stranger than fiction. From a $1 Social Security Number to a fish tank that brought down a casino’s network, these are the numbers that define the current threat landscape.
1. Cybercrime is the world’s fastest-growing criminal enterprise — generating more revenue than the entire global illegal drug trade. (Cybersecurity Ventures)
2. A cyberattack occurs approximately every 39 seconds. The average organisation faces 1,968 attacks per week. (Cobalt.io)
3. The world’s most common password has appeared in millions of data breaches — and people keep using it. (CyberNews)
4. Your Social Security Number sells for just $1-$6 on the dark web. A full medical record? $500+. (DeepStrike / Experian)
5. Hackers breached a casino through its internet-connected fish tank thermometer in 2017. (CSO Online)
6. The first ransomware (1989) demanded $189 by postal mail. Today, ransom demands have escalated by over 397,000x. (Wikipedia / Zscaler)
7. The vast majority of data breaches involve a human mistake — yet training reduces phishing risk by 86% after one year. (ISPartners / Keepnet Labs)
8. IoT devices face hundreds of thousands of hacking attempts daily. Routers account for 75% of all IoT attacks. (Dexpose)
9. AI-powered phishing emails achieve a 54% click-through rate — 4.5x more effective than human-crafted phishing. (iPification)
10. The cybersecurity workforce gap requires an 87% increase to meet current global demand. (ISC2)
| Finding | Value | Source |
|---|---|---|
| Global cybercrime cost annually | $10.5T | Cybersecurity Ventures |
| Average data breach cost | $4.44M | IBM Cost of a Data Breach Report 2025 |
| Breaches involving ransomware | 44% | Verizon DBIR 2025 |
| Lost to cybercrime every second | $336,000 | SentinelOne / Cybersecurity Ventures |
| '123456' found in data breaches | 4.5 million | CyberNews |
| Social Security Number price on dark web | $1-$6 | DeepStrike |
| Largest ransomware payment ever | $75 million | Zscaler ThreatLabZ |
| Unfilled cybersecurity jobs globally | 4.8 million | ISC2 Cybersecurity Workforce Study 2025 |
| Breaches involving human error | 95% | ISPartners / Multiple Sources |
| Daily IoT hacking attempts | 820,000+ | Dexpose |
| Records in largest single-company breach (Yahoo) | 3 billion | Verizon / Yahoo Disclosure |
| Time between cyberattacks | 39 seconds | Cobalt / University of Maryland |
| AI phishing email click-through rate | 54% | iPification |
| Ransomware targeting backup systems | 96% | VikingCloud |
Cybersecurity: Fact or Fiction?
Common beliefs about cybersecurity — tested against the data
“Most breaches are caused by human error”
True. The vast majority of breaches involve human error (ISPartners / Stanford). This includes clicking phishing links, misdirecting emails, and poor security practices.
“Paying ransom guarantees data recovery”
Fiction. 67% of organisations that paid a ransom were attacked again within 12 months (Fortinet). 96% of attacks also target backup systems. Paying does not guarantee recovery.
“Only large companies get hacked”
Fiction. 46% of cyberattacks target businesses with fewer than 1,000 employees. 88% of SMB breaches involve ransomware vs 39% at large organisations. A small business is attacked every 11 seconds.
“Strong passwords are enough to protect you”
Fiction. 24 billion credentials are available on the dark web. Even strong passwords can be stolen via phishing (54% AI click rate), infostealers, or data breaches. Multi-factor authentication is essential.
“IoT devices are too small to be targets”
Fiction. Hundreds of thousands of IoT hacking attempts occur daily. A casino was hacked through a fish tank thermometer. The average IoT device is attacked within 5 minutes of going online. 98% of IoT traffic is unencrypted.
“Cybersecurity training doesn’t work”
Fiction. Security awareness training reduces phishing risk by 40% after 90 days and 86% after a full year (Keepnet Labs). The ROI on training is one of the highest in cybersecurity.
If Cybercrime Were a Country
If cybercrime were a nation, its GDP would rank third globally -- behind only the United States and China. It generates more revenue than the entire illegal drug trade combined, and its growth trajectory outpaces every legitimate economy on earth. (Cybersecurity Ventures)
💰 Cost of Cybercrime Facts
Cybercrime is the fastest-growing criminal enterprise in history. At $10.5 trillion annually, it generates more revenue than the global illegal drug trade. The costs span direct financial losses, recovery expenses, ransomware payments, regulatory fines, lost productivity, and reputational damage. And it is accelerating: projected to reach $15.63 trillion by 2029. These facts quantify the economic scale of the cyber threat.
1. Global cybercrime costs $10.5 trillion annually, projected to reach $15.63 trillion by 2029. (Cybersecurity Ventures)
2. $336,000 is lost every second, $20 million every minute, $1.2 billion every hour, $28.8 billion every day. (SentinelOne)
3. The average data breach costs $4.88 million globally (IBM 2024). In the US, breaches cost a record $10.22 million. (IBM)
4. Global cybersecurity spending hit $213 billion in 2025, projected to reach $240 billion in 2026. (VikingCloud / Cobalt.io)
5. Ransomware costs $2,400 per second globally — $4.8 billion monthly. (Cobalt.io)
6. FBI IC3 reported $16.6 billion in losses for 2024, a 33% jump from $12.5 billion in 2023. (FBI IC3)
7. It takes an average of 277 days to detect and contain a data breach. Stolen credential breaches take 328 days. (IBM)
8. Organizations using AI/automation save $1.9 million per breach ($3.62M vs $5.52M without). (IBM 2025)
9. A small business is attacked every 11 seconds. 46% of cyberattacks target businesses with fewer than 1,000 employees. (University of San Diego)
10. Insider-caused breaches cost $4.99 million on average — 12% more than the global average. (IBM)
11. Incident response costs $200-$500 per hour for breach handling. (GammaTek Solutions)
12. The probability of detecting and prosecuting a cybercrime entity in the US is just 0.05%. (WEF 2025)
Cybercrime Cost by the Clock
| Finding | Value | Source |
|---|---|---|
| Global cybercrime cost (annual) | $10.5T | Cybersecurity Ventures |
| Projected cybercrime cost by 2029 | $15.63T | Cybersecurity Ventures |
| Lost to cybercrime per second | $336,000 | SentinelOne / Cybersecurity Ventures |
| Average data breach cost (2025) | $4.44M | IBM Cost of a Data Breach Report 2025 |
| Average data breach cost (2024) | $4.88M | IBM Cost of a Data Breach Report 2024 |
| US average breach cost (record high) | $10.22M | IBM Cost of a Data Breach Report 2025 |
| FBI IC3 reported losses (2024) | $16.6B | FBI Internet Crime Report 2024 |
| FBI IC3 reported losses (2023) | $12.5B | FBI Internet Crime Report 2023 |
| Average days to detect + contain a breach | 241 days | IBM Cost of a Data Breach Report 2025 |
| Ransomware breach cost | $5.08M | IBM Cost of a Data Breach Report 2025 |
| Stolen credential breach cost | $4.81M | IBM Cost of a Data Breach Report 2025 |
| Savings from security AI/automation | $1.9M | IBM Cost of a Data Breach Report 2025 |
| Global ransomware cost (2025) | $57 billion | Programs.com |
| Global cybersecurity spending | $212B | Gartner |
Cybercrime by the Clock
At $10.5 trillion annually, cybercrime costs approximately $20.0M per minute, or $333K per second. Global cybercrime generates $28.8 billion per day, $1.2 billion per hour. For context, that is more than the GDP of most countries -- every single day. (Cybersecurity Ventures)
🔓 Password Facts
1. “123456” has been found in over 4.5 million breaches and remains the #1 most common password globally. (CyberNews)
2. 7 of the top 10 most common passwords are consecutive number sequences — all crackable in under 1 second. (CyberNews)
3. The average person manages 255 passwords: 168 personal and 87 business. (PasswordManager.com)
4. 80-94% of users reuse passwords across multiple accounts. 12-15% use the exact same password everywhere. (Heimdal Security)
5. Only 3% of passwords meet recommended complexity standards. 42% are just 8-10 characters long. (CyberNews)
6. Gen Z reuses passwords at the highest rate of any generation: 72%. (Heimdal Security)
7. Only 36% of Americans use a password manager. (MyNewITGuys)
8. 60% of people capitalize the first letter and add a number or symbol at the end — a pattern hackers exploit first. (DeepStrike)
9. 67% of Americans include names or birthdays in their passwords. (DeepStrike)
10. The year “2010” appears in over 10 million passwords. Curse words appear in 7% of unique passwords. (DeepStrike / CyberNews)
11. 37% of cyberattacks use brute force on weak passwords. Microsoft processes 600 million+ password attacks per day. (DeepStrike / Microsoft)
12. When one account is breached, credential stuffing typically compromises 3-5 other accounts from the same person. (Heimdal Security)
Password Crack Times by Length & Complexity
How long it takes to brute-force a password based on character set (Source: Hive Systems)
| Length | Numbers Only | + Lowercase | + Upper + Symbols |
|---|---|---|---|
| 6 chars | Instant | Instant | Instant |
| 8 chars | Instant | 28 secs | 7 mins |
| 10 chars | Instant | 1 hour | 5 days |
| 12 chars | 6 secs | 6 months | 226 years |
| 16 chars | 1 hour | 10M years | 5Tn years |
Based on bcrypt hashing, modern GPU hardware. Actual times vary by algorithm and hardware.
| Finding | Value | Source |
|---|---|---|
| '123456' found in breaches | 4.5 million | CyberNews |
| Passwords per person (avg) | 255 | PasswordManager.com |
| Users who reuse passwords | 80-94% | Heimdal Security |
| Passwords meeting complexity standards | 3% | CyberNews |
| Gen Z password reuse rate (highest) | 72% | Heimdal Security |
| Attacks using brute force on weak passwords | 37% | DeepStrike |
| Americans using a password manager | 36% | MyNewITGuys |
| Microsoft: password attacks per day | 600 million+ | Microsoft Digital Defense Report 2024 |
| Passwords reused or duplicated (from 19B analyzed) | 94% | CinchOps / Password Leak Study |
The Password Problem in Numbers
The average person manages 255 passwords. 80-94% reuse them. Only 3% meet complexity standards. And "123456" has appeared in 4.5 million breaches but remains the #1 most common password. Password-based authentication is fundamentally broken at scale. (CyberNews / Heimdal / PasswordManager.com)
🎣 Phishing & Social Engineering Facts
1. AI-powered phishing emails achieve a 54% click-through rate — 4.5x more effective than standard phishing at 12%. (iPification)
2. AI reduces the cost of crafting phishing campaigns by 95% compared to manual creation. (HBR 2024)
3. 3.4 billion phishing emails are sent daily. The median time from delivery to click is just 21 seconds. (Multiple sources / Verizon DBIR)
4. 49% of businesses were hit by phishing last year — more than viruses (32%) or email compromise (27%). (Cobalt.io)
5. Mobile users are 3x more likely to click malicious links sent via SMS compared to desktop. (SentinelOne)
6. 90% of organizations report AI deepfakes are making phishing far more convincing. (Cobalt.io)
7. 40% of BEC emails in Q2 2024 were identified as AI-generated. (VIPRE)
8. Business Email Compromise losses hit $2.9 billion in 2024. (FBI IC3)
9. SIM-swapping cases in the UK surged 1,055% — from 289 to nearly 3,000 cases. (iPification)
10. Security awareness training reduces phishing risk by 40% after 90 days and by 86% after a full year. (Keepnet Labs)
11. 26% of employees fell for phishing emails at work. (Keepnet Labs)
12. Voice phishing (vishing) surged in 2025, driven by AI voice cloning from just 3 seconds of audio. (CrowdStrike / McAfee)
Phishing: The Attack Timeline
From email delivery to credential theft — how fast phishing works
- Phishing email delivered: 3.4 billion phishing emails are sent daily. 82.6% are now AI-crafted.
- Median time to click: Users click phishing links in just 21 seconds on average. (Verizon DBIR 2025)
- Time to submit credentials: Within 28 seconds of clicking, credentials are entered on the fake page. (Verizon DBIR 2025)
- Total attack time: Under 1 minute. From delivery to credential theft in under 60 seconds. AI phishing achieves 54% click rate vs 12% standard.
| Finding | Value | Source |
|---|---|---|
| Phishing emails sent daily | 3.4 billion | AAG IT / industry data |
| AI phishing click-through rate (vs 12% standard) | 54% | iPification |
| Median time to click phishing link | 21 seconds | Verizon DBIR 2025 |
| Phishing in data breaches | 36% | Verizon DBIR 2025 |
| Phishing as initial breach vector | 16% | IBM Cost of a Data Breach Report 2025 |
| AI phishing cost reduction vs manual | 95%+ | Harvard Business Review / Heiding, Schneier et al. |
| BEC emails that were AI-generated | 40% | VIPRE Security Group Q2 2024 |
| FBI BEC losses (2024) | $2.77B | FBI Internet Crime Report 2024 |
| FBI phishing complaints (2024) | 193,407 | FBI Internet Crime Report 2024 |
| Mobile users click rate vs desktop | 3x | SentinelOne |
| Smishing share of mobile attacks | 35% | SentinelOne / Industry Reports |
| Voice phishing increase YoY | 442% | CrowdStrike 2025 Global Threat Report |
| Phishing risk reduction after 1yr training | 86% | Keepnet Labs |
| AI phishing success rate vs human | 82.6% | Keepnet Labs / VIPRE Security Group |
AI Makes Phishing 4.5x More Effective at 95% Lower Cost
AI-powered phishing emails achieve a 54% click-through rate versus 12% for standard phishing -- 4.5x more effective. Meanwhile, AI reduces the cost of crafting phishing campaigns by 95% (HBR 2024). The economics are devastating: attacks that once required skilled operators can now be launched by anyone with access to an AI model. (iPification / HBR)
🔒 Ransomware Facts
Ransomware has evolved from a nuisance into a multi-billion dollar criminal industry. The largest single payment hit $75 million in 2024 — nearly double the previous record. 44% of all breaches now involve ransomware, up from 32% the prior year. And the business model has industrialised: Ransomware-as-a-Service kits start at $40/month, with developers taking 20-40% of payments. Most organisations now refuse to pay (64%), but attackers are adapting with “no-encryption” extortion and backup targeting.
1. The largest ransomware payment ever was $75 million, paid to the Dark Angels group in 2024 — nearly double the previous record. (Zscaler)
2. Ransomware is present in 44% of all data breaches, up from 32% the prior year. (Verizon DBIR 2025)
3. 96% of ransomware attacks specifically target backup systems to prevent recovery. (VikingCloud)
4. 54% of ransomware is deployed within just 7 days of initial access. (VikingCloud)
5. 64% of organizations now refuse to pay ransom demands, up from 41% two years ago. (Verizon DBIR 2025)
6. Colonial Pipeline paid $4.4 million in ransom (2021) after a single compromised VPN password shut down fuel to the US East Coast. (Multiple sources)
7. CNA Financial paid $40 million in ransom (2021). JBS paid $11 million to protect its meat processing operations. (DeepStrike)
8. 67% of organizations that paid a ransom were targeted again within 12 months. (Fortinet 2024)
9. Ransomware-as-a-Service operates on affiliate models where developers take 20-40% of payments. (Varonis / Quorum Cyber)
10. Global ransomware damages: $57 billion annually, $4.8 billion monthly, $6.5 million per hour. (Programs.com)
11. Mean recovery cost (excluding ransom) is $2.73 million. Median recovery time exceeds 100 days. (Sophos 2025)
12. “No-encryption” extortion is rising — attackers steal data and threaten to leak it without ever deploying ransomware. (Darktrace)
Ransomware Payment Escalation
From $189 in 1989 to $75 million in 2024 — a 397,000x increase in 35 years
| Finding | Value | Source |
|---|---|---|
| Ransomware in breaches | 44% | Verizon DBIR 2025 |
| Largest single ransom payment (Dark Angels) | $75 million | Zscaler ThreatLabZ |
| Attacks targeting backup systems | 96% | VikingCloud |
| Deployed within 7 days of access | 54% | VikingCloud |
| Global ransomware cost (2025) | $57 billion | Programs.com |
| Colonial Pipeline ransom payment | $4.4M | Insurance Journal |
| Total crypto ransom payments (2024) | $813M | Chainalysis |
| Organizations refusing to pay | 64% | Verizon DBIR 2025 |
| Median ransom payment | $115,000 | Verizon DBIR 2025 |
| Largest payment (2024) | $75M | Mandiant M-Trends 2024 |
| Mean recovery cost (excl. ransom) | $2.73M | Sophos State of Ransomware 2024 |
| Median recovery time | 100+ days | Sophos State of Ransomware 2024 |
| Backup repositories targeted | 96% | Veeam Ransomware Trends Report 2024 |
| Attacked again after paying | 80% | Fortinet State of Ransomware 2024 |
| RaaS developer cut (affiliate model) | 20-40% | Varonis / Quorum Cyber |
| Ransomware attack increase (2025) | 58% | HIPAA Journal |
From $189 to Record-Breaking Ransoms: The Evolution of Ransomware
The first ransomware (1989) demanded $189 by postal mail. In 35 years, ransom demands escalated by a factor of 397,000. The first computer virus (1971) was a curiosity. Now IoT devices face constant attack and AI-generated phishing achieves 54% click-through rates. The trajectory is exponential, and defences have not kept pace with offence. (Wikipedia / Zscaler / iPification)
💥 Biggest Data Breaches in History
The scale of modern data breaches is staggering. Yahoo lost all 3 billion accounts and it took 3 years to notice. The Syniverse breach went undetected for 5 years, exposing billions of text messages. National Public Data leaked 2.9 billion records in 2024. And the US alone saw breaches grow from 614 to 3,205 per year over a decade. These aren’t just statistics — they represent real people whose personal data is now circulating on dark web marketplaces.
1. Yahoo (2013): 3 billion accounts. Undetected 3 years. (Huntress)
2. Chinese Surveillance (2025): 4 billion records, 631 GB database. (Huntress)
3. National Public Data (2024): 2.9 billion records, 1.3 billion individuals. (UpGuard)
4. NotPetya (2017): $10B+ damage. Maersk replaced 45,000 PCs. (CSO Online)
5. Syniverse (2021): 5 years undetected, 500M telecom records. (UpGuard)
6. US breaches: 614 to 3,205 per year over a decade. (VikingCloud)
7. 2.9M stolen financial credentials sold on dark web (2025). (Cobalt.io)
8. Stolen credential breaches: 328 days to detect (51 days longer). (IBM)
Largest Data Breaches: Records Exposed
Ranked by number of records compromised
Detection gap: The average breach takes 277 days to detect and contain. Stolen credential breaches take even longer: 328 days. Yahoo went 3 years undetected. Syniverse went 5 years.
| Finding | Value | Source |
|---|---|---|
| Yahoo breach (2013) -- 3 years undetected | 3 billion | Verizon / Yahoo Disclosure |
| Chinese Surveillance Network (2025) | 4 billion | Huntress |
| National Public Data breach (2024) | 2.9 billion | UpGuard |
| NotPetya damage (2017) -- most expensive attack ever | $10 billion | CSO Online / Netwrix |
| Change Healthcare breach (2024) | 190M+ | US Department of Health and Human Services |
| Syniverse -- 5 years undetected | 5 years | UpGuard |
| US breaches: decade growth (614 to 3,205) | 614 to 3,205 | VikingCloud |
| US data breaches (record high) | 3,322 | Barracuda Networks / ITRC |
| Financial credentials on dark web (2025) | 2.9 million | Cobalt.io |
| Globally breached accounts (2025) | 425.7 million | Surfshark |
👤 Human Error & Insider Threat Facts
1. 95% of breaches involve human error. (ISPartners)
2. 51% made mistakes when tired. 50% when distracted. (Keepnet Labs)
3. 17% emailed wrong party. 29% lost a customer. (UpGuard)
4. 21% lost jobs after misdirected email. (UpGuard)
5. Insider threats: 43% of all breaches. (ISPartners)
6. 31% of cloud breaches: misconfiguration/human error. (UpGuard)
7. Top drivers: poor practices 30%, deficient training 29%. (UpGuard)
8. Training cuts phishing risk 86% after one year. (Keepnet Labs)
Human Error Breakdown: What Goes Wrong
The bottom line: Human error is the #1 cause of breaches, but training works. The gap between the problem and the solution (86% risk reduction after one year) represents one of the highest-ROI investments in cybersecurity.
| Finding | Value | Source |
|---|---|---|
| Breaches involving human error | 95% | ISPartners / Multiple Sources |
| Stanford: breaches from human error | 88% | Stanford University |
| Verizon: human element in breaches | 68% | Verizon DBIR 2025 |
| Employees making mistakes when tired | 51% | Keepnet Labs / UpGuard |
| Phishing risk cut after 1yr training | 86% | Keepnet Labs |
| Negligent insider share of incidents | 55% | Ponemon Institute / DTEX 2025 Cost of Insider Risks Report |
| Non-malicious insider share | 75% | Ponemon / DTEX 2025 |
| Insider-involved breaches | 30% | Verizon DBIR 2025 |
| Malicious insider breach cost | $4.92M | IBM Cost of a Data Breach Report 2025 |
| Insider threat containment time | 81 days | Ponemon Institute / DTEX 2025 Cost of Insider Risks Report |
| Average cost per insider incident | $676,517 | Ponemon / DTEX 2025 |
| Orgs with frequent insider attacks | 48% | Cybersecurity Insiders |
95% of Breaches Involve People, Not Just Technology
Human error drives the vast majority of breaches, yet security awareness training reduces phishing risk by 86% after one year. The gap between the problem (95% human involvement) and the solution (86% reduction with training) suggests massive underinvestment in people-focused security. (ISPartners / Keepnet Labs)
📱 Mobile Security Facts
Mobile devices have become the primary attack surface for cybercriminals. With 70% of online fraud originating on mobile devices and users 3x more likely to click malicious SMS links than email links, the smartphone in your pocket represents one of the biggest security risks in your digital life.
1. AI-powered phishing achieves a 54% click rate versus just 12% for standard phishing — 4.5x more effective, and mobile users are the primary targets. (HBR / iPification)
2. SIM-swap attacks increased 1,055% in the UK, from 289 to nearly 3,000 cases. (Action Fraud)
3. 90.4% of free Android apps contain trackers, with a median of 10 trackers per app. (Exodus Privacy)
4. Mobile users are 3x more likely to click malicious links sent via SMS compared to email on desktop. (Lookout)
5. 70% of online fraud now originates on mobile devices. (RSA)
6. Mobile malware variants grew 37% in 2024. (Kaspersky)
7. 43% of compromised mobile devices had no screen lock enabled. (Verizon)
8. The average smartphone has 80 apps installed, but only 30 are used regularly — the rest expand the attack surface without providing value. (BuildFire)
9. Kaspersky blocked 33.3 million smartphone attacks in 2024, including 1.1 million mobile banking trojans. (Kaspersky)
10. Smishing (SMS phishing) now accounts for the majority of mobile social engineering attacks, surpassing email-based phishing on mobile devices. (SentinelOne)
| Finding | Value | Source |
|---|---|---|
| Free Android apps with trackers | 90.4% | Oxford Internet Institute |
| Median trackers per app | 10 | Oxford Internet Institute |
| SIM-swap surge in UK | 1,055% | iPification |
| Mobile click rate vs desktop | 3x | SentinelOne |
| AI phishing click rate on mobile | 54% | iPification |
| Infostealer malware surge (vs 2023) | 180% | IBM X-Force |
| Attacker breakout time | 29 minutes | CrowdStrike GTR |
| Attacks that are malware-free | 79% | CrowdStrike 2025 Global Threat Report |
| Smartphone attacks blocked (2024) | 33.3 million | Kaspersky Mobile Threat Report 2024 |
| Mobile banking trojans (2024) | 247,949 | Kaspersky Financial Cyberthreats Report 2024 |
| Smishing share of mobile attacks | 35% | SentinelOne / Industry Reports |
| SIM swap fraud surge (2024) | 1,055% | Infisign |
Mobile: The Weakest Link
70% of fraud originates on mobile devices, yet mobile security receives a fraction of the investment that desktop and network security do. The combination of smaller screens (harder to verify URLs), always-on connectivity, and personal use mixing with corporate data creates a perfect storm. SIM-swap surging 1,055% shows attackers have found a lucrative attack vector that bypasses traditional security controls entirely. (RSA / Action Fraud / iPification)
🏠 IoT & Smart Device Facts
The Internet of Things is expanding the attack surface at an unprecedented rate. With 29.7 billion endpoints expected by 2027 and 98% of IoT traffic traveling unencrypted, connected devices represent one of the most underprotected frontiers in cybersecurity. From smart TVs pre-loaded with malware to hospital equipment running obsolete operating systems, these facts reveal the scale of the IoT security crisis.
1. 820,000+ IoT hacking attempts occur every day globally. (Kaspersky / Dexpose)
2. BadBox 2.0 came pre-installed on 10 million+ smart TVs and streaming devices, turning them into botnets before buyers even opened the box. (Google)
3. 77% of hospital systems have known exploitable vulnerabilities in their connected medical devices. (Claroty)
4. 1 in 5 medical devices runs on an unsupported operating system that no longer receives security patches. (Claroty)
5. 29.7 billion IoT endpoints are expected to be connected by 2027. (IoT Analytics)
6. 98% of IoT device traffic is unencrypted, meaning data travels in plaintext across the network. (Palo Alto Networks)
7. A casino was hacked through an internet-connected fish tank thermometer — attackers used it as a pivot point to access the casino’s high-roller database. (Darktrace)
8. The average IoT device is attacked within 5 minutes of connecting to the internet. (NETSCOUT)
9. Routers account for 75% of all IoT attacks, with command injection as the primary exploit vector. (Dexpose)
10. IoT malware surged 46% year-over-year, with baby monitors and cameras rising to 19% of all IoT exploits. (Dexpose / Vectra AI)
11. The Aisuru botnet, built entirely from compromised IoT devices, achieved a peak DDoS attack volume of 6.3 Tbps. (Cloudflare)
12. OT (operational technology) protocol abuse increased significantly, with ransomware targeting industrial control systems surging in 2025. (Nozomi Networks)
| Finding | Value | Source |
|---|---|---|
| Daily IoT hacking attempts worldwide | 820,000+ | Dexpose |
| IoT malware surge year-over-year | 124% | Dexpose |
| IoT attacks targeting routers | 75% | Dexpose |
| Exploits targeting baby monitors/cameras | 19% | Dexpose |
| BadBox 2.0 pre-infected devices | 10 million+ | Google / Trend Micro |
| Casino hacked via fish tank thermometer | 1 fish tank | CSO Online |
| Average IoT incident cost | $330,000 | Vectra AI |
| Hospital systems with exploitable vulns | 77% | Vectra AI |
| Government IoT malware increase | 370% | Dexpose |
| OT protocol abuse increase | 84% | Xcitium |
| IoT traffic unencrypted | 98% | Palo Alto Networks Unit 42 |
| Connected IoT endpoints by 2027 | 29.7 billion | Statista |
| IoT attack surge (2024) | 107% | SonicWall 2024 Mid-Year Cyber Threat Report |
| Aisuru botnet DDoS peak (IoT-powered) | 29.7 Tbps | Dexpose / Vectra AI |
| OT ransomware surge (2025) | 46% | Nozomi Networks |
820,000 IoT Attacks Per Day -- And Growing
820,000+ daily IoT hacking attempts, up 46% from 2024. Routers account for 75% of attacks. Baby monitors and cameras rose to 19% of exploits. BadBox 2.0 pre-infected 10 million+ smart TVs. And a casino was hacked through a fish tank thermometer. The IoT attack surface is vast, unmanaged, and largely unmonitored. (Dexpose / Vectra AI)
🌑 Dark Web Facts
The dark web operates as an underground marketplace where stolen data, hacking tools, and criminal services are bought and sold openly. Prices are driven by supply and demand: Social Security Numbers are cheap ($1-$6) because of massive oversupply from years of breaches, while medical records command $500+ because they enable fraud that is harder to detect.
1. A Social Security Number sells for just $1-$6 on the dark web — less than a coffee. (Privacy Affairs)
2. A US passport sells for approximately $50 on underground marketplaces. (Privacy Affairs)
3. A hacked Gmail account sells for $60 — valuable because of the connected services it unlocks. (Privacy Affairs)
4. Stolen credit cards sell for $5-$25 depending on balance and type. Cards with $5K+ limits: $110-$120. (Privacy Affairs)
5. Medical records sell for $500+ each — 50-100x more valuable than a credit card because they enable insurance fraud, blackmail, and identity theft that is harder to detect. (Trustwave)
6. Complete identity packages (“fullz”) sell for $30-$100 and include name, SSN, DOB, address, and financial data. (Privacy Affairs)
7. Ransomware-as-a-Service kits start at $40/month on dark web marketplaces, lowering the barrier to entry for cybercrime. (Fortinet)
8. 24 billion stolen credentials are available on the dark web, offering attackers a vast supply for credential-stuffing attacks. (Digital Shadows)
9. Access broker advertisements — selling entry points into corporate networks — surged on dark web forums, with prices ranging from $500 to $10,000+ per target. (CrowdStrike)
10. AI prompt playbooks are now sold on dark web marketplaces, providing copy-paste frameworks for misusing AI models for malicious purposes. (Multiple sources)
11. 54 billion authentication cookies have been leaked, allowing attackers to bypass passwords entirely using session hijacking. (NordVPN)
12. Japanese credit cards are the most expensive at $22-$35 each due to low supply. US cards sell for $10-$40 due to oversupply from frequent breaches. (Privacy Affairs)
Dark Web Price Explorer
See what your stolen data sells for on underground marketplaces.
Sources: DeepStrike, NordVPN, Experian, Varonis (2025 pricing data)
Most Expensive on Dark Web
- Bank login -- $200-$1,000+
- Medical record -- $500+
- Coinbase account -- $120-$1,170
- US passport -- $50
Cheapest on Dark Web
- Social Security Number -- $1-$6
- Credit card (CVV) -- $10-$40
- Gmail account -- $60-$65
- Facebook account -- $45-$50
| Finding | Value | Source |
|---|---|---|
| Social Security Number | $1-$6 | DeepStrike |
| Credit card with CVV | $10-$40 | DeepStrike |
| Full medical record | $500+ | DeepStrike |
| US passport | $50 | Experian |
| Bank account login | $200-$1,000+ | DeepStrike |
| Hacked Gmail account | $60-$65 | DeepStrike |
| Stolen financial credentials (2025) | 2.9 million | Cobalt.io |
| RaaS developer cut | 20-40% | Varonis / Quorum Cyber |
| Access broker ads on dark web | 50% | CrowdStrike 2025 Global Threat Report |
| AI prompt playbooks for sale | Available for purchase | ZeroFox |
| Leaked authentication cookies | 94 billion | NordVPN Research |
Your Identity Is Worth Less Than a Pizza
A Social Security Number sells for $1-$6 on the dark web -- less than a coffee. A full medical record ($500+) is worth 50-100x more because it enables insurance fraud, blackmail, and identity theft that is harder to detect. Credit cards ($10-$40) fall in between, kept cheap by oversupply. (DeepStrike / Experian)
🤖 AI & Cybersecurity Facts
Artificial intelligence is the most disruptive force in cybersecurity today, supercharging both attackers and defenders. On the offensive side, AI slashes phishing costs by 95% while boosting effectiveness 4.5x. A single deepfake video call stole $25.6 million. On defence, AI and automation save organisations $1.9 million per breach. The arms race is intensifying — and the organisations that deploy AI with proper governance will have a decisive advantage.
1. AI-generated phishing costs 95% less than manual campaigns while matching their effectiveness. (HBR)
2. 82.6% of phishing emails are now AI-crafted, making them harder to distinguish from legitimate correspondence. (Abnormal Security)
3. The largest deepfake scam netted $25.6 million via a faked CFO video call — the entire meeting was AI-generated. (CrowdStrike)
4. 87% of leaders identify AI vulnerabilities as the fastest-growing risk in their organisation. (WEF)
5. Shadow AI adds $670,000 to the average data breach cost when employees use unauthorised AI tools. (IBM)
6. 57% of employees use personal GenAI tools for work; 33% input sensitive corporate data into them. (Gartner)
7. AI-powered attacks increased 89% year-over-year, outpacing defensive AI adoption. (CrowdStrike)
8. By 2027, 17% of all cyberattacks will involve generative AI in some capacity. (Gartner)
9. Deepfake fraud increased 3,000% year-over-year, with AI voice cloning now possible from just 3 seconds of audio. (Onfido / McAfee)
10. Organisations using security AI and automation pay $3.62M per breach, versus $5.52M without — a $1.9M saving. (IBM 2025)
11. 66% of organisations expect AI to have the most significant impact on cybersecurity in 2026. (WEF)
12. Only 37% of organisations have processes to assess AI tool security before deployment, creating widespread “shadow AI” risks. (WEF)
| Finding | Value | Source |
|---|---|---|
| AI as top cybersecurity concern (2026) | 87% | WEF Global Cybersecurity Outlook 2026 |
| AI phishing click-through rate | 54% | iPification |
| AI phishing 95% cheaper than manual | 95%+ | Harvard Business Review / Heiding, Schneier et al. |
| Shadow AI extra breach cost | $670,000 | GitProtect.io |
| Shadow AI PII exposure incidents | 65% | IBM Cost of a Data Breach Report 2025 |
| AI/automation savings per breach | $1.9M | IBM Cost of a Data Breach Report 2025 |
| Breach cost with AI/automation | $3.62M | IBM Cost of a Data Breach Report 2025 |
| Breach cost without AI/automation | $5.52M | IBM Cost of a Data Breach Report 2025 |
| Largest deepfake CFO scam ($25M) | $25.6M | CrowdStrike 2025 Global Threat Report |
| Audio needed to clone a voice | 3 seconds | McAfee |
| Deepfake fraud increase | 3,000% | Onfido 2024 Identity Fraud Report |
| AI used by attackers in breaches | 16% | IBM Cost of a Data Breach Report 2025 |
| Security teams adopting AI tools | 77% | IBM Cost of a Data Breach Report 2025 |
| GenAI share of cyberattacks by 2027 | 17% | Gartner |
AI Makes Phishing 4.5x More Effective at 95% Lower Cost
AI-powered phishing emails achieve a 54% click-through rate versus 12% for standard phishing -- 4.5x more effective. Meanwhile, AI reduces the cost of crafting phishing campaigns by 95% (HBR 2024). The economics are devastating: attacks that once required skilled operators can now be launched by anyone with access to an AI model. (iPification / HBR)
🌍 Cybersecurity Facts by Country
Cybercrime is a global phenomenon, but its impact varies dramatically by geography. The United States is both the largest target and a major source of attacks. Russia leads in attack origin volume. Israel faces the most concentrated hacktivist activity. North Korea has industrialised cryptocurrency theft. These country-specific facts reveal the geopolitical dimension of cybersecurity.
1. The US experienced 31,020 cyber incidents — the most of any country globally. (FBI IC3)
2. Russia is the top origin country for cyberattacks, leading globally in attack volume. (CloudSEK)
3. 23.5 billion US records have been leaked since 2004, more than any other country. (UpGuard)
4. Israel faced 12,563 hacktivist incidents in 2024 — the highest concentration of politically-motivated cyberattacks. (CloudSEK)
5. India suffered 265 million+ cyberattacks in 2025, with weekly attack volumes among the highest globally. (CERT-In)
6. North Korea stole $1.46 billion in cryptocurrency in a single heist in 2024, the largest crypto theft ever. (CrowdStrike)
7. China-nexus intrusions increased 38% year-over-year, with 40% targeting edge devices for espionage. (CrowdStrike)
8. Africa faces the highest weekly attack volume per organisation — averaging 3,286 attacks per week — yet only 5% of African organisations express confidence in their national cyber resilience. (Check Point Research / WEF)
9. 54% of global IoT attacks target the United States. (Dexpose)
10. Russia leads the world in data breaches per capita, with 8.8 billion records exposed. (VoronoiApp)
11. Ukraine experienced thousands of cyber incidents in 2024, with Russian state actors targeting critical infrastructure. (CERT-UA)
12. Taiwan faces thousands of daily cyberattacks, primarily from China-nexus threat actors targeting government and technology sectors. (CSIS)
| Finding | Value | Source |
|---|---|---|
| US cyber incidents (2025) | 31,020 | CloudSEK |
| US ransomware cases (most globally) | 3,229 | CloudSEK |
| US share of global IoT attacks | 54% | Dexpose |
| US average breach cost (record) | $10.22M | IBM Cost of a Data Breach Report 2025 |
| Israel hacktivist incidents | 12,563 | CloudSEK |
| Russia data breaches per capita | 8.8 billion | VoronoiApp |
| Ukraine cyber incidents (2024) | 4,315 | CERT-UA / Ukraine State Service |
| Germany breach cost | $4.03M | IBM Cost of a Data Breach Report 2025 |
| India breach cost | $2.51M | IBM Cost of a Data Breach Report 2025 |
| India weekly attacks (projected) | 3,195 | SentinelOne / Check Point Research |
| Taiwan daily cyberattacks | 2.4 million | CSIS |
| Africa: weekly attacks per org | 2,372 | Check Point Research |
| Africa cyber confidence level | 36% | WEF Global Cybersecurity Outlook 2025 |
| Latin America cyber confidence | 13% | WEF Global Cybersecurity Outlook 2026 |
The US Is Both the Biggest Target and a Major Source
The United States reported 31,020 cyber incidents in 2025 and 3,229 ransomware cases -- both the highest globally. 54% of IoT attacks target the US. But the US is also a significant source of cyberattacks, not just a victim. Russia leads in data breaches per capita (8.8 billion records), while Israel faces the highest concentration of hacktivist attacks (12,563 incidents). (CloudSEK / Dexpose / VoronoiApp)
👥 Cybersecurity Workforce & Career Facts
The cybersecurity industry faces a paradox: an extraordinary skills shortage alongside accelerating demand. With millions of unfilled positions and an active workforce of just 5.5 million, the industry needs to nearly double its talent pool. The diversity gap compounds the problem — women represent only 25% of the workforce. These facts paint a picture of both crisis and opportunity for aspiring cybersecurity professionals.
1. 4.8 million cybersecurity positions remain unfilled globally. (ISC2)
2. The industry needs an 87% workforce increase to meet current demand. (ISC2)
3. Women represent approximately 25% of the cybersecurity workforce, projected to reach 1 in 3 by 2031. (ISC2)
4. Women receive 450% less recognition than male peers in cybersecurity roles. (SheLeadsTech)
5. 14% of security teams have zero women on staff. (ISC2)
6. The youngest convicted hacker was 15 — Jonathan James breached NASA and the Pentagon in 1999. (DOJ)
7. 79% of cybersecurity job postings offer remote work options. (Security Magazine)
8. The average cybersecurity professional manages 255 passwords across personal and professional accounts. (NordPass)
9. The cybersecurity job growth rate is 33% from 2023 to 2033 — much faster than the average for all occupations. (BLS)
10. The median US infosec analyst salary is $120,360 per year. CISOs can earn $280,000-$420,000+. (BLS / SentinelOne)
11. 66% of cybersecurity professionals report burnout symptoms, and the industry attrition rate exceeds most technology sectors. (Sophos / BCG)
12. AI/ML is now the #1 most in-demand cybersecurity skill, followed by cloud security and zero trust architecture. (ISC2)
Cybersecurity Workforce: The Gap
| Finding | Value | Source |
|---|---|---|
| Global cybersecurity workforce gap | 4.02 million | ISC2 Cybersecurity Workforce Study 2024 |
| Unfilled cybersecurity positions | 4.8 million | ISC2 Cybersecurity Workforce Study 2025 |
| Active cybersecurity workforce | 5.5 million | ISC2 Cybersecurity Workforce Study 2024 |
| Women in cybersecurity (projected 1 in 3 by 2031) | 1 in 4 | Programs.com / ISC2 |
| Youngest person jailed for cybercrime | 15 | ABC News / Wikipedia |
| Cybersecurity job growth rate | 33% | BLS Occupational Outlook Handbook |
| US median infosec analyst salary | $120,360 | BLS Occupational Outlook Handbook |
| CISO salary range | $220,000-$420,000 | SentinelOne / Industry Reports |
| AI as top needed cyber skill | 41% | ISC2 Workforce Study 2025 |
| Cloud security as needed skill | 36% | ISC2 Workforce Study 2025 |
| Cybersecurity pros with burnout | 76% | Sophos Addressing Cybersecurity Burnout 2025 |
| Cybersecurity attrition rate | 17% | BCG / ISC2 |
| Women in cybersecurity workforce | 22% | ISC2 Cybersecurity Workforce Study 2024 |
| Unfilled US cybersecurity roles | 570,000 | National Science Foundation |
4.8 Million Jobs Nobody Can Fill
The cybersecurity workforce stands at 5.5 million, but there are 4.8 million unfilled positions -- an 87% gap. Meanwhile, only 1 in 4 cybersecurity professionals are women, and the youngest person ever convicted of cybercrime hacked NASA at age 15. The industry needs a broader talent pipeline. (ISC2 / Programs.com)
📜 Historical Cybersecurity Facts
The history of cybersecurity is a story of exponential escalation. The first computer virus was a curiosity. The first ransomware demanded $189 by postal mail. Today, ransom demands have escalated by a factor of 397,000 and cybercrime has become the world’s fastest-growing criminal enterprise. These historical milestones reveal how we arrived at the current threat landscape — and why the trajectory shows no signs of slowing.
1. The first computer virus (Creeper) appeared in 1971. It displayed: “I’m the creeper, catch me if you can!” (History of Computing)
2. The first antivirus (Reaper) was created specifically to delete Creeper — making it the first cybersecurity tool ever built. (History of Computing)
3. Elk Cloner (1982) was the first virus to spread in the wild — written by a 15-year-old high schooler, it infected Apple II floppy disks. (Wikipedia)
4. The AIDS Trojan (1989) was the first ransomware — it demanded $189 sent by postal mail to a PO box in Panama. (Wikipedia)
5. The Morris Worm (1988) infected 6,000 machines — 10% of the entire internet at the time — and caused an estimated $10 million in damage. (FBI / Wikipedia)
6. Stuxnet (2010) was the first cyberweapon — it used 4 zero-days simultaneously and destroyed 1,000 Iranian nuclear centrifuges. (Wired / Wikipedia)
7. Yahoo’s 2013-2014 breach affected all 3 billion user accounts — and went undetected for 3 years. (Huntress)
8. NotPetya (2017) caused $10 billion in global damage — the most destructive cyberattack in history. Maersk alone replaced 45,000 PCs. (CSO Online)
9. The Syniverse breach went undetected for 5 years (2016-2021), exposing billions of text messages from hundreds of telecoms. (UpGuard)
| Finding | Value | Source |
|---|---|---|
| First computer virus (Creeper, ARPANET) | 1971 | Wikipedia |
| Elk Cloner author age (first wild PC virus) | 15 | Wikipedia |
| Year 'computer virus' formally defined | 1983 | Infoplease |
| First IBM PC virus (Brain) | 1986 | Kaspersky |
| Computers disabled by Morris Worm | 6,000+ | MAPCON |
| First ransomware demand (AIDS Trojan) | $189 | Wikipedia |
| Slammer worm: 75K computers in 10 min | 10 minutes | Infoplease |
| Centrifuges destroyed by Stuxnet | 1,000 | CSO Online / Wikipedia |
| Zero-days used by Stuxnet simultaneously | 4 | CSO Online / Kaspersky |
| NotPetya total global damage | $10 billion | CSO Online / Netwrix |
| Colonial Pipeline ransom (2021) | $4.4M | Insurance Journal |
Cybersecurity Timeline: Key Milestones
Creeper Virus
First computer virus appears on ARPANET. Displays “I’m the creeper, catch me if you can!”
Reaper — First Antivirus
Created specifically to delete Creeper. The first cybersecurity tool ever built.
Elk Cloner
First virus to spread in the wild. Written by a 15-year-old. Infected Apple II floppy disks.
Brain Virus
First IBM PC virus. Created by two Pakistani brothers to protect their medical software from piracy.
Morris Worm
Infected 6,000 machines — 10% of the internet. $10M in damage. Led to creation of CERT.
AIDS Trojan — First Ransomware
Demanded $189 by postal mail to a PO box in Panama. Distributed via floppy disks at a WHO conference.
Jonathan James — Youngest Hacker
At 15, breached NASA and Pentagon systems. Sentenced to juvenile detention. Youngest person convicted of cybercrime in the US.
SQL Slammer
Infected 75,000 computers in 10 minutes. Doubled in size every 8.5 seconds. Disrupted ATMs, airlines, and 911 services.
Stuxnet — First Cyberweapon
Used 4 zero-days simultaneously. Destroyed 1,000 Iranian nuclear centrifuges. Changed warfare forever.
Yahoo Breach
All 3 billion accounts compromised. Went undetected for 3 years. Largest single-company breach in history.
NotPetya
$10 billion in global damage. Most destructive cyberattack in history. Maersk replaced 45,000 PCs in 10 days.
Casino Fish Tank Hack
Attackers breached a casino through its internet-connected fish tank thermometer to access the high-roller database.
Colonial Pipeline
Single compromised VPN password shut down fuel supply to the US East Coast. $4.4M ransom paid. Exposed critical infrastructure vulnerability.
Syniverse Breach Discovered
Undetected for 5 years (2016-2021). Exposed billions of text messages from hundreds of telecoms worldwide.
$75 Million Ransom
Dark Angels group receives the largest ransomware payment in history — nearly double the previous record.
$25.6M Deepfake Scam
Largest deepfake fraud: AI-generated video call impersonated a CFO, convincing a finance employee to transfer $25.6 million.
North Korea $1.46B Crypto Theft
DPRK-nexus actors steal $1.46 billion in cryptocurrency in a single heist — the largest crypto theft in history.
From $189 to Record-Breaking Ransoms: The Evolution of Ransomware
The first ransomware (1989) demanded $189 by postal mail. In 35 years, ransom demands escalated by a factor of 397,000. The first computer virus (1971) was a curiosity. Now IoT devices face constant attack and AI-generated phishing achieves 54% click-through rates. The trajectory is exponential, and defences have not kept pace with offence. (Wikipedia / Zscaler / iPification)
🏢 Industry-Specific Cybersecurity Facts
Cybersecurity risk varies dramatically by industry. Healthcare suffers the highest breach costs ($10.93M per incident) but manufacturing is the #1 ransomware target. Financial services faces 300x the attack frequency of other sectors. And small businesses — which often have zero cybersecurity budget — bear a disproportionate burden, with 88% of SMB breaches involving ransomware versus 39% at large organisations.
1. Healthcare breaches cost $10.93 million per incident — the highest of any industry for 14 consecutive years. (IBM)
2. Financial services is the #1 most targeted industry for cyberattacks, facing 300x the attack frequency of other sectors. (Verizon)
3. Manufacturing accounts for 27.7% of all cyber incidents, making it the top ransomware target globally. (IBM X-Force)
4. 88% of small business breaches include ransomware, compared to 39% at large organisations. (Verizon)
5. 47% of businesses with fewer than 50 employees have zero cybersecurity budget. (StrongDM)
6. Colonial Pipeline was breached through a single compromised VPN password — no multi-factor authentication was in place. (Bloomberg)
7. The education sector has the highest email exposure rate at 1 in 212 emails containing a malicious payload. (Verizon)
8. 67% of healthcare organisations hit by ransomware report increased patient mortality rates as a direct consequence. (Ponemon Institute)
9. 60% of small and mid-sized businesses that suffer a major cyberattack go out of business within 6 months. (NCSA)
10. A small business is attacked every 11 seconds. 46% of cyberattacks target businesses with fewer than 1,000 employees. (University of San Diego)
11. Financial services organisations face 300x the attack frequency of companies in other sectors. (KnowBe4)
12. Critical infrastructure breach cost averages $4.82 million per incident, with energy and utilities sectors particularly vulnerable. (IBM)
Data Breach Cost by Industry
Source: IBM Cost of a Data Breach Report 2025
Most Expensive Industries
- Healthcare -- $11.2M per breach
- Financial Services -- $6.08M per breach
- Critical Infrastructure -- $4.82M per breach
Most Targeted
- Manufacturing -- #1 ransomware target
- Financial services -- 300x attack frequency
- Small business -- attacked every 11 seconds
| Finding | Value | Source |
|---|---|---|
| Healthcare breach cost (most expensive) | $11.2M | IBM Cost of a Data Breach Report 2025 |
| Financial services breach cost | $6.08M | IBM Cost of a Data Breach Report 2025 |
| Education sector breach cost | $3.80M | IBM Cost of a Data Breach Report 2025 |
| Critical infrastructure breach cost | $4.82M | IBM Cost of a Data Breach Report 2025 |
| Healthcare orgs hit by ransomware | 67% | Sophos State of Ransomware in Healthcare 2024 |
| Cyberattacks linked to patient mortality | 28% | Ponemon Institute / Proofpoint 2024 Healthcare Study |
| Hospital systems with exploitable vulns | 77% | Vectra AI |
| Financial attack frequency vs others | 300x | KnowBe4 Financial Sector Threats Report 2025 |
| SMBs targeted by cyberattacks | 43% | Cybersecurity Magazine / Verizon |
| SMBs failing within 6 months of attack | 60% | National Cyber Security Alliance |
| Small business attacked every... | every 11 seconds | University of San Diego |
| Manufacturing: top ransomware target | 660 attacks | Group-IB |
Small Businesses: Disproportionate Targets, Zero Budget
47% of businesses with fewer than 50 employees have zero cybersecurity budget. Yet 88% of SMB breaches involve ransomware (vs 39% for large organisations), and 60% of SMBs that suffer a major attack fail within 6 months. The economics are brutal: attackers target SMBs precisely because they lack defences, and the cost of a single breach can be existential. (StrongDM / Verizon / NCSA)
📋 Key Takeaways
- Cybercrime is the world’s fastest-growing criminal enterprise, projected to reach $15.63 trillion annually by 2029 — see the cost section for the full economic breakdown.
- Human error dominates breaches, yet security awareness training reduces phishing risk by 86% after one year. The ROI on people-focused security is massive and underinvested.
- AI is transforming both offence and defence. AI phishing achieves 54% click rates at 95% lower cost. Meanwhile, AI/automation saves $1.9 million per breach for defenders who deploy it.
- Passwords are fundamentally broken. 80-94% of users reuse passwords, only 3% meet complexity standards, and the same weak sequences top breach lists year after year.
- Your SSN is worth less than a coffee on the dark web ($1-$6). Medical records ($500+) are 50-100x more valuable than credit cards.
- Ransomware is in 44% of all breaches, with record-breaking payment demands. 96% of attacks specifically target backup systems.
- IoT devices face constant attack. 98% of IoT traffic is unencrypted, and a casino was hacked through a fish tank thermometer — see the IoT section for the full scale.
- The cybersecurity workforce gap requires an 87% increase to meet demand. Women represent only 25% of the workforce and receive 450% less recognition.
- Nation-state attacks are accelerating. China-nexus intrusions rose 38%, North Korea stole $1.46 billion in crypto, and Russia leads as the top attack origin country.
- The historical trajectory is exponential. From a $189 ransom sent by postal mail in 1989 to a 397,000x escalation in demands over 35 years.
❓ Cybersecurity Facts FAQ
These answers are based on data from IBM Cost of a Data Breach 2025, Verizon DBIR 2025, CrowdStrike Global Threat Report, ISC2 Cybersecurity Workforce Study, FBI IC3, and 50+ other authoritative sources cited throughout this article.
How many cyberattacks happen per day?
A cyberattack occurs approximately every 39 seconds. The average organisation faces around 1,968 attacks per week. Microsoft alone detects over 600 million attacks per day targeting its customers. IoT devices face hundreds of thousands of hacking attempts daily — see the IoT section for the full breakdown. (Cobalt.io / Microsoft / Dexpose)
What is the most common password?
“123456” is the most common password, found in over 4.5 million data breaches. Seven of the top 10 most common passwords are consecutive number sequences, all crackable in under one second. Despite years of awareness campaigns, it remains #1 globally. (CyberNews)
How much does a data breach cost?
The global average cost of a data breach is $4.88 million (IBM 2024). In the US, breaches cost a record $10.22 million. Healthcare breaches are the most expensive at $10.93 million per incident. Organisations using AI and automation save $1.9 million per breach compared to those without. (IBM)
What sells for the most on the dark web?
Full medical records ($500+) are the most valuable per-item commodity, worth 50-100x more than credit cards. Bank account logins sell for $200-$1,000+ depending on balance. Coinbase accounts sell for $120-$1,170. By contrast, a Social Security Number sells for just $1-$6, and credit cards go for $5-$25. (Privacy Affairs / Trustwave / Experian)
What was the first computer virus?
The Creeper virus appeared in 1971 on ARPANET, displaying the message “I’m the creeper, catch me if you can!” It was followed by Reaper — the first antivirus — created specifically to delete it. The first virus to spread in the wild was Elk Cloner (1982), written by a 15-year-old.
How many cybersecurity jobs are unfilled?
4.8 million cybersecurity positions remain unfilled globally (ISC2 2024). The current active workforce is 5.5 million, meaning the industry needs an 87% increase to meet demand. Women represent approximately 25% of the workforce. The US alone has over 750,000 unfilled cybersecurity roles. (ISC2 / NIST)
What percentage of breaches involve human error?
95% of all data breaches involve human error (ISPartners / Stanford). The Verizon DBIR confirms the “human element” is present in the majority of breaches. Common mistakes include clicking phishing links (21-second median response time), misdirecting emails, and poor security practices. Training reduces phishing risk by 86% after one year. (ISPartners / Verizon / Keepnet Labs)
Is cybercrime really the 3rd largest economy?
Yes. At $10.5 trillion annually (Cybersecurity Ventures), cybercrime’s economic impact exceeds every national economy except the United States ($27T GDP) and China ($18T GDP). It generates more revenue than the entire global illegal drug trade combined. This figure encompasses direct losses, recovery costs, ransomware payments, intellectual property theft, and business disruption.
About This Data
This article draws from 1472 statistics aggregated from 50+ authoritative sources including IBM Cost of a Data Breach, Verizon DBIR, CrowdStrike Global Threat Report, WEF Global Cybersecurity Outlook, FBI IC3, ISC2 Cybersecurity Workforce Study, Sophos, Gartner, Mandiant M-Trends, and Ponemon Institute reports.
Derived statistics (marked "Nathan House's Analysis") are computed by cross-referencing data from multiple sources — for example, comparing breach costs across industries using IBM data, or validating ransomware trends across Verizon, Sophos, and HIPAA Journal findings.
All statistics include inline source citations with links to primary sources. Data spans 2023-2026, with preference given to the most recent available figures. Last updated: March 2026.
How to Use This Data
Security professionals can use these cybersecurity facts and statistics to build business cases for cybersecurity investment, benchmark risk profiles against industry averages, justify budget requests with hard data, and inform security awareness training programmes. Use the contrast boxes and interactive tools to highlight cost differentials that resonate with executive decision-makers.
For CISOs building board presentations: The data points most relevant to executive audiences are the global cybercrime cost trajectory (Section 2), the human error dominance (Section 7), the breach cost differentials by industry (healthcare at $10.93M, IBM), and the AI impact ($1.9M savings with AI/automation, IBM). The dark web pricing data is particularly effective for making abstract threats tangible to non-technical stakeholders.
For security teams building awareness training: The password facts (Section 3), phishing data (Section 4), human error statistics (Section 7), and mobile security facts (Section 8) provide concrete, memorable data points for employee training. The password and dark web pricing data — such as your SSN selling for less than a coffee — resonates far more than abstract policy statements.
For cybersecurity students and career changers: The workforce section (Section 13) provides the market context — millions of unfilled positions, 33% job growth, and median salaries of $120,360. Combined with the historical section (Section 14), these facts demonstrate both the scale of the opportunity and the trajectory of the field.
This page is updated as new data emerges. Sources include IBM Cost of a Data Breach Report, Verizon DBIR, CrowdStrike Global Threat Report, ISC2 Cybersecurity Workforce Study, FBI IC3 Annual Report, and 50+ other authoritative publishers. All source citations are provided inline. If you spot an outdated statistic or want to suggest a source, contact us.
About the Author
Nathan House, StationX
Nathan House is a cybersecurity expert with 30 years of hands-on experience. He holds OSCP, CISSP, and CEH certifications, has secured £71 billion in UK mobile banking transactions, and has worked with clients including Microsoft, Cisco, BP, Vodafone, and VISA. Named Cyber Security Educator of the Year 2020 and a UK Top 25 Security Influencer 2025, Nathan is a featured expert on CNN, Fox News, and NBC. He founded StationX, which has trained over 500,000 students in cybersecurity.