Looking for an edge against cybercrime? Today’s cybercriminals are unleashing havoc on businesses around the globe, through complex, socially engineered attacks that have just one goal in mind: stealing your data. They’re getting very good at it too; data breach numbers have been rising steadily. New data breaches are happening daily, and they’re not just profitable for the bad actors who sell that stolen data. They’re also gateways to future attacks by adding to the massive pool of information including billions of passwords on the dark web that fuels operations like ransomware, business email compromise, spear phishing, and more hacking. If you’re worried about protecting your company’s credentials and data, these 10 cybersecurity statistics paired with 10 important facts about data breaches pulled from Verizon’s Data Breach Investigations Report 2021 can give you an edge in planning an effective strategy to keep your data safely inside your business and away from cybercriminals.


These 10 Cybersecurity Statistics Can Help You Understand Your Data Breach Risk

Cybersecurity Statistics About the Primary Causes of Cloud Data Breaches

The IT professionals surveyed in The State of Cloud Security 2021 named plenty of factors as causes of cloud data breaches. Spoiler alert: none of them are cybercriminal hackers.

  • 32% say too many APIs and interfaces to govern
  • 31% cite lack of adequate controls and database oversight
  • 27% point to lack of policy awareness around data security
  • 23% blamed old-fashioned negligence
  • 21% said they are not checking Infrastructure as Code (IaC) prior to deployment
  • 20% admitted that their IT team oversight is at fault

Cybersecurity Statistics Show: A Data Breach is Punishingly Expensive

It’s not just the initial hit in a cyberattack that’s driving companies into the red. An expert breakdown of the cost of a data breach shows how the impact can linger for years, affecting a company’s brand reputation and its bottom line. Around 61% of the cost of a data breach is paid in the first year after impact, an estimated 24% comes due in the next 12 to 24 months, and the bills for the final 15% can arrive more than two years later. Altogether, IBM reports that data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the 17-year history of their reporting.

A study by economists and technology experts at Yeshiva University in New York City and Hong Kong Polytechnic University shows how a data breach can damage a company’s financial future too. Companies that suffer a data breach face a 22% higher loan spread and a 40-basis-point increase in borrowing costs on average. The negative lending cost impact of a breach is worse for companies in “vulnerable industries”, including healthcare, business services, and transportation. Breached firms can look forward to paying 40 basis points, or about 0.4 percentage points, substantially higher interest rates than the average of 28 points for non-breached companies. Only financial restatement carried a higher penalty at 65 basis points. Breached companies also tend to face a roughly 25% increase in loan covenants.


Cybersecurity Statistics Show: No Company is Safe from Greedy Malicious Insiders

The dark web economy is booming, and cash-strapped staffers may be tempted to make easy money by selling their credentials or your data on the dark web. The cybercrime-as-a-service trend on the dark web provides ample opportunity for profit. The DBIR breaks down the reasoning behind incidents that resulted from the actions of malicious employees, and the top motivation never changes: it’s overwhelmingly money. An estimated 70% of malicious insider breaches were financially motivated, chiefly through employees selling credentials or access to systems and data on the dark web. In economically challenging times like these, that fact needs to be top of mind for anyone who is working on defensive strategies to combat insider threat risks. Another 25% of the malicious insider incidents surveyed were motivated by espionage, like selling formulas, sensitive data, or company secrets. The remainder, around 4% of malicious insider incidents, were caused by angry employees who just wanted to damage the company.


Cybersecurity Statistics Show: Data is Currency on the Dark Web

Data is the fuel of cybercrime, enabling hackers and cybercriminals to conduct cybercrime operations like phishing, ransomware, business email compromise, brute force hacking, and other devastating gambits against businesses. Buyers are hungry for databases, creating opportunities for enterprising hackers. Those enterprising hackers are having a field day snatching up data from companies that haven’t addressed vulnerabilities. Sometimes, hackers don’t even wait for a buyer; they’ll sell pre-hacked, freshly unlocked databases that can be priced as high as $20,000, or up to $50 per 1,000 entries. Typically, each entry includes some personally identifying information (PII) like username, email address, full name, phone number, home address, date of birth, and occasionally social security and identification numbers. Boutique hacking, like accessing a custom database, sometimes involving assistance from malicious insiders, is available at a premium price: between $100 and $20,000, or between $5 and $50 per 1,000 entries. That is definitely not chump change. Storing your data in the cloud does not reduce your organization’s chance of a data breach either: 36% of organizations suffered a cloud data breach in the past 12 months.


Cybersecurity Statistics Show: Bad, Recycled or Compromised Passwords Are a Data Breach Risk

Reused, recycled and weak passwords are a fast path to a data breach. About 60% of the data that was already on the dark web at the start of 2020 could harm businesses. Then that generous pool of passwords for sale in dark web markets was augmented by an estimated 22 billion new records that landed in dark web data markets and dumps in 2020. In 2021, record-breaking data dumps like the massive RockYou2021 leak added an estimated 8.4 billion passwords to the mix. Add in gigantic new breaches including the 2021 LinkedIn breach that exposed records including passwords for 92% of LinkedIn’s estimated total of 756M users to danger on the dark web, and it’s easy to see how even one recycled password can spell disaster. Big companies are at just as much risk as small ones too. Over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were available, making it easy for bad actors to conduct impersonation and fraud operations as well as answer the “secret questions” that are so popular in many applications. Researchers also noted a pattern: a 60% password reuse rate among email addresses in surveyed databases exposed in more than one breach in 2020.

1. 85% of breaches involved a human element.

This is important because it illustrates that the top cause of data breaches is still human beings, specifically errors made by employees. Diving deeper, the top error that spawns data breaches is a misconfiguration. In second place, misdelivery is still riding high on the chart. That includes accidentally sending someone information that they’re not authorized to have or sending the wrong information outside the organization.

2. 3-time champion phishing remained the top threat action that resulted in a breach.

To no one’s surprise, phishing remains the top data breach threat for the third year in a row. It actually increased by 10%, which tracks with the tremendous increase in email volume and record-breaking cybercrime rates that started in March 2020. This category does not include ransomware, which has become such a behemoth that it has its own category these days. This reinforces how crucial phishing defense is for every business.

3. The number of breaches that involved ransomware doubled.

The villain of the year in 2020 was ransomware, and that’s reflected in this report. The number of breaches studied that included ransomware doubled, a confirmation of just how dangerous this phishing-related threat is for every organization. Ransomware is already up by more than 100% in 2021 over record numbers in 2020 and it’s still climbing, making this the top security concern for 2021. Eliminating ransomware threats starts with eliminating phishing incidents.

4. 61% of breaches involved credentials.

Everyone wants to do things the easy way, even cybercriminals. The easy way for them to snatch up data is to obtain credentials through phishing, making strong access control a necessity. But beyond just phishing a credential from an employee, huge quantities of dark web records, including 22 billion more added in 2020, provide ample resources for password cracking. Taking the power out of stolen or cracked passwords is one of the prime benefits of multifactor authentication (MFA), and every company needs to be using it now.

5. 85% of social engineering actions that lead to a data breach are done via email.

Once again, there’s no surprise here but there is a strong illustration of why phishing resistance training is absolutely vital. Cybercriminals are using many different lures to entice employees into action through social engineering and they can be difficult to unmask. Phishing resistance training that teaches employees to spot and reject social engineering tricks, especially sophisticated social engineering attempts, is critical to keeping cybercriminals away from data.

6. 23% of monitored organizations experienced brute force or credential stuffing attacks.

Remember credential stuffing? It seems like all that the security world has been talking about is ransomware, but credential stuffing is just as dangerous. Almost a quarter of breaches last year were the fruit of credential stuffing, with 95% of them getting hit with between 637 and 3.3 billion credentials in order to force entry. This is an important reason why single sign-on (SSO) is a must-have for access control. In case of trouble, SSO enables techs to quickly isolate a compromised user account and prevent further intrusion.

7. Over 80% of breaches were discovered by external parties.

This should be a troubling number for anyone securing data. More breaches are discovered by researchers than internal teams, a strong indication that lax cybersecurity practices can create big problems. Increasing security awareness training and building a strong cybersecurity culture are the prescription for increasing vigilance to make sure that breach risks are caught sooner rather than later.

8. Credentials remain the most sought-after data type and personal data is the second most sought-after data type.

Continuing their winning streak, credentials are the most desirable data for cybercriminals to snatch. It’s not a surprise that gaining access to the heart of a business is at the top of the cybercriminal wishlist. Credentials make it easy for them to conduct multiple operations quickly. Personal data remains in second place, valued for its usefulness in both identity theft and spear phishing.

9. The majority of known data breaches involve the loss of personal data, quickly followed by medical data.

Bad actors want personal data to power all sorts of cybercrime operations, and they’re working hard to get it. Thanks to the hot market for COVID-19 data in 2020, medical data is in second place. A record number of breaches at hospitals, laboratories, pharmaceutical companies, and even medical data processors bears out that conclusion. Anyone who handles data like this needs to be maintaining strong access controls and phishing resistance training to keep cybercriminals out of it.

10. Business Email Compromise (BEC) is the second most common vector for social engineering.

Although the primary reason that cybercriminals chose to conduct sophisticated social engineering attacks in 2020 was phishing for credentials, BEC scams took their turn in the spotlight. These fraud attempts were also buoyed by high email volumes and uncertainty as many inexperienced remote workers created a bumper crop of targets ripe for the picking. Reliance on doing business remotely also made 2020 the perfect year for BEC. Companies will benefit from stepping up security awareness training around BEC to avoid trouble from this constant threat.

