Cyber Security Statistics That You Should Be Aware Of In 2025

Cyber threats aren’t slowing down; they’re getting smarter, faster, and harder to spot. For businesses, that means the pressure is on to stay ahead of the curve. These days, it’s not a matter of if you’ll face a cyber attack, but when.

To stay protected, companies need more than just antivirus software. Robust security policies and a well-rehearsed incident response plan are key, not only to keep operations running smoothly and data safe, but also to stay on the right side of regulations like GDPR.

In this blog, we’re diving into some eye-opening cyber security stats that highlight just how important it is to be prepared.

Cyber Attacks

With cyber attacks increasing rapidly, any business that relies on technology is at risk. Did you know that… 

  • Cyber attacks occur more than 2,200 times per day, and someone falls victim every 39 seconds. (Senhasegura)
  • Over 30,000 vulnerabilities were disclosed last year, a 17% increase from previous figures, reflecting the steady rise in cyber risks. (SentinelOne)
  • Half of businesses (50%) report having experienced some form of cyber security breach or attack in the last 12 months. (GovStats)
  • There has been a 71% increase year over year in the volume of attacks using valid credentials. For the first time ever, abusing valid accounts became cybercriminals’ most common entry point into victim environments. It represented 30% of all incidents X-Force responded to in 2023. (IBM)
  • A 2024 report showed that nearly one-third of incidents that X-Force (cloud-based, threat intelligence sharing platform) responded to were cases where legitimate tools were used for malicious purposes, such as credential theft, reconnaissance, remote access or data exfiltration. (IBM)

Phishing Attacks

A phishing attack is when a scammer tries to trick you into giving them your personal information, like passwords, credit card numbers, or other sensitive details. They often do this by pretending to be someone you trust, like a bank, a company, or even a friend. The key is that these scams are designed to look trustworthy and you should be suspicious if personal information is ever demanded from you on an urgent basis.

  • Phishing attacks account for more than 80% of reported security incidents. (CSO)
  • $17,700 / £14,162 is lost every minute due to a phishing attack. (CSO)
  • A new phishing website is created once every 20 seconds on average. (DataProt)
  • In 2024, there was a sharp increase in phishing and social engineering attacks, with 42% of organisations reporting such incidents. (WF)
  • 76% of all phishing attacks targeted specific individuals. These attacks, known as spear phishing, involve careful research and are therefore more likely to succeed. (Slashnet)
  • Astra Security learned that 61% of respondents to its study could not differentiate between Amazon’s real login page and a phishing site designed to imitate it. (Astra Security)

Malware and Ransomware

Malware refers to any software specifically designed to disrupt, damage, or gain unauthorised access to a computer system. Malware can steal sensitive information, corrupt files, or render systems inoperable.

Ransomware is a specific type of malware that locks or encrypts a victim’s files or system and demands payment (ransom) in exchange for restoring access.

Both pose serious cyber security risks that can cause significant financial and data loss if not prevented or addressed promptly, and here are some stats to prove it…

  • Ransomware was a top threat across 92% of industries. (Verizon)
  • Only eight percent of businesses that pay ransom to hackers receive all of their data in return. (Sophos)
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet. (Tech Jury)
  • 72% of organizations report an increase in cyber risks, with ransomware remaining a top concern. (WF)

Human Element

The human element is one of the biggest risks to a company’s security because employees, contractors, and even trusted partners can inadvertently or intentionally compromise security measures. Whether they fall victim to social engineering, use weak or reused passwords, lack security awareness, maliciously or accidentally leak confidential information, or follow inconsistent security practices, the human element can often be the weakest link in a company’s security chain.

  • When asked ‘What are the common types of information security/cyber security mistakes made by your employees?’:
    • 28% answered not properly securing sensitive information.
    • 35% answered using personal devices for work purposes without proper security measures. (ISMS)
  • 68% of breaches involved a human element in 2024. (Verizon)
  • 19% of data breaches involve internal actors. (Verizon)
  • 78% say employees use their personal devices at work even when it’s forbidden. (Ivanti) 
  • Over 24 billion passwords were exposed by hackers in 2022, and 64 percent of passwords only contain eight to 11 characters. (Norton)

AI, Video Cloning and Deepfakes

AI can be used to automate and scale cyber attacks, targeting specific individuals to identify vulnerabilities and crack passwords. Cybercriminals can clone voices, e-mails, and other personal data so convincingly that employees share sensitive information, or make critical decisions based on fraudulent requests. Similarly, deepfake technology uses AI to create hyper-realistic but fabricated video and audio content that impersonates executives, stakeholders and employees in order to trick people into disclosing confidential information.

  • Nearly 47% of organisations cite adversarial advances powered by generative AI as their primary concern, enabling more sophisticated and scalable attacks. (WEF)
  • Businesses are increasingly deploying generative AI models without proper governance, leading to significant data security risks. (SI)
  • Attacks featuring deepfakes are cited by 30% of respondents. It appears that voice and video cloning tech is already becoming cheap and convincing enough for threat actors to try it. (ISMS)

Damage Potential

Cyber attacks can have devastating consequences and repercussions for organisations. Ultimately the potential damage of a cyber attack goes far beyond financial loss and feeds into the disruption of operations and loss of customer trust.

  • The average lifecycle of a breach is 292 days from identification to containment. (IBM)
  • Operational outages that reduced productivity affected more than half (55%) of organisations. (Fortinet)
  • 73% of organisations experienced an intrusion that impacted either OT systems only or both IT and OT systems. (Fortinet)

Financial Penalties

Financial penalties are a significant consequence of failing to maintain strong cyber security practices and comply with relevant laws and regulations such as GDPR. This can also be felt in industry-specific penalties and fines for the failure to report a breach.

  • The average cost of a data breach was $4.88 million in 2024, the highest average on record. (IBM)
  • 70% of businesses have received fines for data breaches in excess of £100,000 in the last 12 months. (ISMS)
  • The average fine amount businesses are reporting has increased 3.5% in just one year to £258,000. (ISMS)
  • Spotify were fined over $5 million for breaching GDPR regulations in 2023. (Medium)
  • Meta was fined $1.3 billion for GDPR violations in 2023. (NYTimes)

The Cost Of A Data Breach

On top of expenses related to incident response, forensic investigations, restoring systems and data, and regulatory fines, the potential loss of customers following a data breach can prove detrimental to customer retention and therefore revenue.

  • The global average cost of a data breach in 2024 is $4.88 million (£3.9 million), a 10 percent increase over last year. (IBM)
  • Organisations with a zero-trust approach saw average breach costs $1.76 million (£1.4 million) less than organisations without. (IBM)
  • Worldwide cybercrime costs are estimated to hit $10.5 trillion (£8.42 trillion) annually by 2025. (Cybersecurity Ventures)
  • The average cost of a data breach is expected to rise, with organizations facing significant financial impacts from such incidents. (TT)

Scale and Historic Attacks

The scale of a data breach can vary greatly depending on the target, the method of attack, and the organisation involved; however, it almost always results in long-lasting effects on both businesses and consumers. Even some of the largest global organisations have suffered attacks and endangered the security of their users and consumers.

  • In 2023, X (formerly Twitter) was targeted by a criminal hacker who leaked more than 220 million users’ email addresses. (IT Governance)
  • Personal data belonging to more than 100 million Android users was exposed in a 2021 data leak due to misconfigured cloud services. (Check Point)
  • A 2021 LinkedIn data breach exposed the personal information of 700 million users (about 93 percent of all LinkedIn members). (RestorePrivacy)
  • An attack on Microsoft in March 2021 affected more than 30,000 organisations in the U.S., including businesses and government agencies. (Microsoft)

Preventative Measures

The increasing scale of data breaches highlights the need for stronger cyber security measures and proactive threat management.

So what can you do to avoid being a victim, mitigate the risk of a cyber attack and minimise recovery time?

Educate and Train Your Employees: Regular training on identifying phishing e-mails, safeguarding data, safe browsing and credential creation can greatly reduce the likelihood of human error.

Implementation and Preparation: It is essential to implement proactive cyber security practices and prepare a robust response plan. Implement firewalls, antivirus software, and intrusion detection systems (IDS) to detect and block potential threats.

Regular Software Updates: Keep all software, operating systems, and applications up to date with the latest security patches to reduce vulnerabilities. Cybercriminals often exploit unpatched software to carry out attacks.

Backup Data Regularly: Regular backups ensure that, in the event of a ransomware attack or data breach, you can quickly restore your systems and minimise downtime. Ensure backups are stored securely and tested for integrity.

Limit Access Privileges: Apply the principle of least privilege, where employees have access only to the data and systems necessary for their roles. This limits potential damage in case of an insider threat or compromised account.

How 3B Data Security secure your organisation – Get your free Threat Assessment

Our specialist team have real-life experience and knowledge of how to prevent, manage and forensically investigate cyber security incidents. This comprehensive experience enables us to help organisations mitigate the risks of cyber threats, recover from and prevent future incidents, and maintain compliance with various security standards and best practice.

We offer a FREE Open-Source Threat Assessment, which gives you a top-level review of your website’s security and any leaked credentials available on the surface and dark web.

Find out more and request your assessment today.

Think you’ve fallen victim to a cyber incident?

Our team of senior consultants are on hand 24x7x365 to help you contain the incident, recover your systems, and make sure you have measures in place to ensure you don’t fall victim again.
