Cybersecurity Ventures is excited to release this special third annual edition of the Cybersecurity Almanac, a handbook containing the most pertinent statistics and information for understanding cybercrime and the cybersecurity market.
We have something for everyone, including students, parents, academia, government, law enforcement, small-to-midsized businesses, Fortune 500 and Global 2000 companies, IT workers, cybersecurity experts, chief security officers, the boardroom, and C-suite executives.
The latest edition of the Cybersecurity Almanac provides an enlightening journey into noteworthy security incidents and the hackers behind them, as well as a comprehensive overview of critical historical dates, insightful statistical information, the cyberdefense landscape, cybersecurity investment trends, and more.
- Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next three years, reaching $8 trillion USD globally this year and $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
- Cybercrime and cyber insecurity are new entrants into the Top 10 rankings of the most severe global risks over the next decade, according to the World Economic Forum. Taking the 8th spot, cybercrime now stands side-by-side with threats including climate change and involuntary migration.
- In 2018, the U.S. Department of Justice stated that less than one in seven cybercrimes were reported. In some countries, the reported rate was even lower. Cybersecurity Ventures believes that reporting practices concerning illegal cyber activity are improving, but in 2023, we are still faced with a situation where less than 25 percent of cybercrimes committed globally are reported to law enforcement.
- According to IBM, the average cost of a data breach, including lost business, detection and escalation, notification, and post-breach response, was $4.35 million USD in 2022, representing a 2.6 percent increase from 2021 ($4.24 million USD). This figure was reached by averaging out the activity-based costing related to 550 organizations suffering data breaches across 17 countries (including the U.S., Canada, Japan, and Australia) and 17 industries, such as healthcare, finance, and energy.
- The global cost of ransomware was predicted to reach $20 billion USD in 2021, up from $325 million USD in 2015. Cybersecurity Ventures expects ransomware damage costs to exceed $265 billion USD annually by 2031.
- Cybersecurity Ventures predicted that a business fell victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019. The frequency of ransomware attacks on governments, businesses, consumers, and devices will continue to rise over the next five years and is expected to rise to every two seconds by 2031.
- CNA Financial made the biggest ransomware payout on record. The Chicago-based company paid $40 million USD to the Phoenix cybercriminal group, believed to come from Russia.
- Cybersecurity Ventures profiled 42 ransomware gangs in the latest edition of its “Who’s Who In Ransomware” quarterly report.
- Cryptocrime, including exit scams, rug pulls, and theft, will cost the world $30 billion USD in 2025 alone, Cybersecurity Ventures predicts, rising at a rate of 15 percent annually. This is nearly twice the $17.5 billion USD lost in 2021.
- The FBI’s Internet Crime Complaint Center (IC3) says that in 2022, investment scams were the costliest criminal schemes reported. Reported losses increased from $1.45 billion USD in 2021 to $3.31 billion USD in 2022. Among investment scams, cryptocurrency fraud rose from $907 million USD in 2021 to $2.57 billion USD in 2022, an increase of 183 percent.
- The FBI receives the most cryptocurrency fraud complaints from victims aged 30 to 49, who experience everything from liquidity mining to social media scams and fake employment offers. Most turn out to be cryptocurrency investment scams.
- Criminals have used decentralized exchanges (DEXs), cross-chain bridges, and coin swap services to obfuscate at least $4 billion USD in illicit crypto proceeds in recent years.
- According to Elliptic analysis, over 22 million crypto addresses have been directly linked to Russia. Many of these wallets are associated with criminal activity related to the Ukraine-Russia war, including addresses being used to solicit donations for the Russian military and mercenaries.
- In 2022, illicit cryptocurrency transaction volumes rose for the second consecutive year, hitting a record high of $20.6 billion USD, which Chainalysis calls a lower bound estimate. Furthermore, the share of all cryptocurrency activity associated with illicit activity rose for the first time since 2019, from 0.12 percent in 2021 to 0.24 percent in 2022.
- One of the most significant data breaches recorded so far in 2023 belongs to T-Mobile. In January, the telecoms giant disclosed the theft of personal information belonging to 37 million current postpaid and prepaid customer accounts, made possible by API exploitation. A second breach occurred in May.
- In February 2023, Cloudflare detected and mitigated the largest distributed denial-of-service (DDoS) attack ever recorded. The 71 million request-per-second (rps) DDoS attack, dubbed “hyper-volumetric,” is 54 percent higher than the previously reported attack, of 46 million rps in strength, in June 2022.
- One of the largest data breaches ever was suffered by Yahoo. A security incident dating back to 2013, disclosed in December 2016, was later found to have impacted all of the firm’s three billion user accounts. Only three months before that disclosure, the tech giant had revealed a separate breach impacting at least 500 million accounts.
- Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $1.75 trillion USD cumulatively for the five-year period from 2021 to 2025, growing 15 percent year-over-year.
- Global spending on security awareness training for employees (previously one of the most underspent cybersecurity budget items) is predicted to exceed $10 billion USD annually by 2027, according to Cybersecurity Ventures, up from around $5.6 billion USD in 2023, based on 15 percent year-over-year growth.
- Spending on information security and risk management products and services is predicted to grow 11.3 percent to reach more than $188.3 billion USD in 2023. Gartner says that remote and hybrid work, zero trust network access (ZTNA), and the deployment of cloud-based delivery models are influencing increased expenditure.
- Cybersecurity Ventures predicts the cyberinsurance market will grow to $14.8 billion USD in 2025 and will exceed $34 billion USD by 2031, based on a compound annual growth rate (CAGR) of 15 percent calculated over an 11-year period (2020 to 2031).
- Between 2017 and 2021, 98 percent of cyberinsurance claims monitored by NetDiligence were made by SMEs with less than $2 billion USD in annual revenue. The majority of claims were made in relation to ransomware incidents and Business Email Compromise (BEC).
- Marsh’s U.S. Cyber Purchasing Trends report indicates that the cost of cyberinsurance is still on the rise, although it is showing signs of moderating. Cyberinsurance pricing increased on average by 11 percent in the U.S. during the first quarter of 2023, compared to 28 percent in Q1 2022.
- After slowing in 2022, ransomware-related claims rose 77 percent in the first quarter of 2023 in the U.S., compared to the fourth quarter of 2022.
- In the World Economic Forum’s Global Cybersecurity Outlook 2023 report, small businesses were found to be less likely to have cyberinsurance compared to larger organizations. Specifically, 48 percent of small organizations reported not having cyberinsurance, whereas only 16 percent of larger organizations indicated the same. Furthermore, 57 percent of organizations with 100,001+ employees would not disclose whether they had made a claim within the past two years. Of the companies that admitted claiming (21 percent), 14 percent were successful, whereas 7 percent were unsuccessful.
- In a recent KPMG survey of 1,325 CEOs, 77 percent see information security as a strategic function and a potential competitive advantage. Geopolitical uncertainty is increasing concerns over corporate cyberattacks for 73 percent of executives.
- Risk management and insurance professionals branded cyber incidents as the top global business risk in the 2023 Allianz Risk Barometer, followed by business interruption and macroeconomic challenges, such as inflation and deflation. The annual survey incorporated views from experts in 23 industry sectors in 94 countries and territories.
- The consequences of cyberattacks have entered the boardroom, with Gartner predicting 75 percent of CEOs will be held personally liable for attacks against cyber-physical systems (CPSs) — incidents leading to physical and environmental harm, or the destruction of property — by 2024.
- Formal interactions between defenders and business leaders are becoming more frequent, with 56 percent of security leaders meeting monthly or more often with their board, according to the World Economic Forum.
- Cybersecurity Ventures tracked over $15.7 billion in venture capital devoted to cybersecurity companies in 2022.
- According to PitchBook, some of the most active global investors involved in cybersecurity venture capital since 2017 are Evolution Equity Partners, Insight Partners, Plug and Play Tech Center, Accel, and Sequoia Capital.
- An exhaustive list of venture capital firms globally can be found in Cybersecurity Ventures’ daily VC Report. These investors lead and participate in all levels of funding rounds for fledgling companies, emerging players and highfliers. 15 of these firms have been identified by Cybercrime Magazine in its first annual “Who’s Who Of Venture Capital Firms in Cybersecurity.”
- There will be 3.5 million unfilled cybersecurity jobs globally in 2023, according to Cybersecurity Ventures. This is enough empty seats to fill 50 NFL stadiums. We predict the same number of openings in 2025 as the disparity between demand and supply continues.
- The cybersecurity unemployment rate for the most experienced positions is at zero percent, and will likely remain so for years to come.
- India alone is expected to create 1.5 million new cybersecurity jobs by 2025. According to NASSCOM, the Indian cybersecurity market will be close to a valuation of $500 billion USD by 2030.
- The U.S. has a total employed cybersecurity workforce consisting of more than 1.1 million people, and there are over 755,000 unfilled positions, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.
- The U.S. Bureau of Labor Statistics projects the employment of “information security analysts” will grow 35 percent from 2021 to 2031, compared to the 5 percent average growth rate for all occupations. The median annual wage was recorded as $102,600 in May 2021.
- According to the World Economic Forum’s Global Cybersecurity Outlook 2023, 10 percent of business leaders and 13 percent of cyber leaders believe they lack the personnel and skills for critical roles, while 32 percent of business leaders and 34 percent of cyber leaders said training and skills gaps exist in some areas.
- Microsoft launched a national campaign with U.S. community colleges to help place 250,000 people into the cybersecurity workforce by 2025, representing half of the country’s labor shortage. Microsoft is also increasing its cybersecurity investment to $20 billion over the next five years, up from the $1 billion per year they’ve been spending on cybersecurity since 2015.
- Citing Cybersecurity Ventures skills shortage data, the Redmond giant also recently announced a new partnership under its Ready4Cybersecurity program in Asia to improve access to cybersecurity skills and careers for underrepresented groups. The program aims to certify 100,000 young women and underrepresented youth in cybersecurity by 2025.
- In 2021, Google announced an investment of more than $10 billion through 2025 in cybersecurity. The effort will include helping to secure the supply chain and strengthening open-source security. Google also says they’re training 100,000 Americans for vital data privacy and security jobs.
- Amazon said in May 2023 that the company was pouring more investment into the Open Source Security Foundation (OpenSSF) by committing an additional $10 million over the next three years.
- IBM has committed to providing 30 million people with learning opportunities to plug skills gaps in the technology sector, cybersecurity included, by 2030. Partnerships extend to NGOs focusing on underserved youth, women, and military veterans.
WOMEN IN CYBERSECURITY
- Women held 25 percent of cybersecurity jobs globally in 2022, up from 20 percent in 2019 and around 10 percent in 2013. Cybersecurity Ventures predicts that women will represent 30 percent of the global cybersecurity workforce by 2025, increasing to 35 percent by 2031.
- A BCG survey of female STEM graduates reveals 68 percent took a cybersecurity-related course during their studies. However, 37 percent of respondents regarded cybersecurity as a field where achieving a balance between salary, contributing to society, and maintaining a work-life balance is difficult.
- It is widely assumed that most cybercriminals are male. A recent report from Trend Micro dispels this myth and finds that approximately 30 percent of cybercriminal forum participants are women.
- CISSP (Certified Information Systems Security Professional) is the world’s premier cybersecurity certification, granted by the International Information System Security Certification Consortium, also known as (ISC)². As of July 2022, there were 156,054 (ISC)² members holding the CISSP certification worldwide.
- Cybercrime Magazine highlights 12 hot security certifications for IT workers in 2023 that are valuable to employers. These include CompTIA Network+, OffSec Certified Professional (OSCP), CREST Registered Penetration Tester (CRT), EC-Council Certified Ethical Hacker (CEH), and TCM Security Practical Network Penetration Tester (PNPT).
CHIEF INFORMATION SECURITY OFFICERS (CISOs)
- The world’s first CISO was anointed in 1994, when financial services giant Citigroup (then Citicorp) set up a specialized cybersecurity office after suffering a series of cyberattacks from Russian hackers.
- 100 percent of Fortune 500 companies employed a CISO or equivalent in 2022, up from 70 percent in 2018.
- According to Cisco, security leaders report their top three areas of responsibility as CISO or security leadership (35 percent), risk assessment and management (44 percent), and data privacy and governance (33 percent).
- In a survey of 125 cybersecurity and incident response (IR) professionals, VMware found that security teams are under strain. In total, 65 percent of respondents said cyberattacks have increased since the start of the Russia-Ukraine war; 47 percent have experienced burnout or extreme stress in the past 12 months, and 69 percent said that these conditions have made them consider leaving their roles.
- Gartner estimates that by 2025, nearly half of cybersecurity leaders will change roles — and 25 percent for different roles entirely — due to stress, psychological pressure, and burnout, among other factors.
- The gender gap remains a chasm when we consider the top roles in cybersecurity. For example, women only hold 17 percent of chief information security officer (CISO) roles at Fortune 500 companies.
- In 60 percent of cases where an organization experienced a security breach, the resulting financial strain led to price increases for customers.
- The annual impact of global fraud now exceeds $1 trillion, according to LexisNexis. Every dollar lost to fraud resulted in a loss of $4.23 to U.S. financial services firms in 2022.
- According to a private study cited by the Congressional Research Service, 25 percent of malware attacks target financial services companies. The per-company cost of cybercrime is over $18 million USD for financial services, around 40 percent higher than the average cost for other sectors.
- 60 percent of cybersecurity leaders responding to questions posed in Cisco’s Cybersecurity Readiness Index said they had a cybersecurity incident in the last 12 months — and 41 percent of those affected said it cost their organizations at least $500,000 USD.
- Cybersecurity Ventures predicts the global healthcare cybersecurity market will grow by 15 percent year-over-year over the next five years, reaching $125 billion USD by 2025.
- Furthermore, IBM claims the average cost of a data breach in healthcare (comprising hospitals and clinics) increased by nearly $1 million USD to $10.10 million USD in 2022. Healthcare is considered critical infrastructure by the U.S. government.
- Ransomware attacks against healthcare organizations doubled in the last five years, with the most common victim being health clinics, according to a JAMA Health Forum study.
- Roughly one million more people join the Internet every day. Cybersecurity Ventures estimates that six billion people were connected to the Internet in 2022, and we predict that there will be 7.5 billion Internet users in 2030, including 90 percent of the human population aged six years or older.
- There are more than 5 billion unique mobile phone users in the world today, according to the latest data from GSMA Intelligence. Mobile security and the risks associated with a hybrid workforce are a top concern for technology leaders, alongside data center and cloud vulnerabilities.
- Cybersecurity Ventures predicts that global data storage will exceed 200 zettabytes by 2025. This includes data stored on private, public, and utility infrastructures, private and public cloud data centers, personal devices, and IoT (Internet-of-Things) devices.
- We estimate that the world will need to secure 338 billion lines of new software code in 2025, up from 111 billion lines of new code in 2017. Our estimate is based on 15 percent year-over-year growth in new code.
- Citi predicts the metaverse market could be worth between $8 and $13 trillion USD by 2030 as metaverse applications expand. Research suggested that in 2021, metaverse businesses faced 80 percent more bot attacks and 40 percent more human attacks than many other online businesses.
- Mobile devices continue to replace laptops and desktop systems for many functions, including productivity, banking, payments, entertainment, and socializing. BlackBerry estimates that mobile devices generated 59.54 percent of all Internet traffic in 2022.
- Over 70 percent of mobile devices worldwide ran on the Android operating system.
- Continuous threat exposure management (CTEM) programs for managing the attack surface will become crucial. Gartner predicts that by 2026, organizations prioritizing CTEM security investments will experience two-thirds fewer breaches.
- Research cited by BlackBerry estimates there will be 775 million connected cars on the road by 2023, increasing the potential attack surface of an industry already beset with data breaches, ransomware, and hardware-related attacks.
- According to Upstream, the number of automotive API attacks increased by 380 percent in 2022, accounting for 12 percent of total incidents. Additionally, 63 percent of incidents were carried out by black hat actors, whereas white hat researchers conducted the rest.
- LV= General Insurance analysis of claims data shows that 48 percent of car thefts were vehicles equipped with keyless technology.
- Current estimates put the number of microchips in the average car at 1,000 to 3,000, according to the National Center for Manufacturing Sciences.
- Gartner estimates that by 2025, 60 percent of supply chain organizations, and their chief supply chain officers, will consider cybersecurity risk a significant determinant in conducting third-party transactions and business engagements.
- World Economic Forum research claims that over a third of organizations have become “collateral damage” in a third-party cyber incident. 9 out of 10 IT leaders are concerned about the cyber resilience of such third parties.
- The software supply chain has become a primary target for threat actors. Over the past three years, an average 742 percent annual increase in attacks has been recorded, according to Sonatype.
- In a recent KPMG survey of 1,325 CEOs, 76 percent of CEOs now believe protecting their partner ecosystem and supply chain is just as important as building their own organization’s cyber defenses.
- More than 300 billion passwords were used by humans and machines worldwide in 2021, according to the last tally by Cybersecurity Ventures.
- Only 1 percent to 3 percent of card transactions in the U.S. are submitted through 3-D Secure (3DS), the payment-card protocol designed to authenticate the cardholder during an online purchase.
- In 2022, Microsoft tracked 1,287 password attacks every second, equating to over 111 million attacks daily.
- Ponemon Institute research estimates the average business losses across all types of authentication weaknesses ranged from $39 million USD to $42 million USD in 2022. Furthermore, 66 percent of IT security staff respondents say it is difficult, or very difficult, to distinguish employees and customers from cybercriminal imposters utilizing stolen credentials.
FEDERAL BUREAU OF INVESTIGATION
- The FBI’s rogue’s gallery of cybercriminals has expanded rapidly, with 120 people currently featured on the agency’s ‘Cyber’s Most Wanted’ list — up from 105 people in 2022 and only 63 individuals in 2019. They are wanted for crimes including computer intrusion, wire fraud, identity theft, money laundering, extortion through ransomware, and more.
- The FBI’s Internet Crime Complaint Center (IC3) reports that in 2022, 800,944 cybercrime and cyberfraud-related complaints were received — a 5 percent decrease from 2021 (847,376 complaints). However, the number of complaints that the IC3 has received annually has more than doubled since 2018.
- Over 7.3 million complaints have been reported since the IC3’s inception, 3.6 million of which have been received in the past 5 years, equating to total losses of $27.6 billion USD.
- According to the IC3, phishing is the number one reported crime, with 300,497 complaints in 2022 and an estimated loss of $52 million USD. However, investment schemes reported the highest financial loss to victims for the first time, with an associated dollar loss of $3.3 billion USD — increasing by 127 percent year-over-year.
- “There are 30 million small businesses in the U.S. that need to stay safe from phishing attacks, malware spying, ransomware, identity theft, major breaches, and hackers who would compromise their security,” says Scott Schober, author of the popular books “Hacked Again” and “Cybersecurity Is Everybody’s Business.”
- 43 percent of cyber attacks target small businesses, of which 60 percent of victims go out of business within six months.
- The smaller the company, the fewer resources to dedicate to security — or is this a myth? A Cisco report examining the practices of SMBs (250 to 500 employees) says that less than 1 percent do not have anyone dedicated to security; 72 percent have employees dedicated to threat hunting, compared to 76 percent of larger organizations; and 56 percent have a daily or weekly patch routine. In total, 86 percent have clear metrics for assessing security process effectiveness, compared to 90 percent of larger counterparts.
DO YOU KNOW?
- There are currently more than 3,500 active threat groups, including over 900 newly tracked in 2022 by Mandiant.
- Organizations are notified of breaches by external entities in over 60 percent of incidents, researchers say, with the global median dwell time for internally detected incidents in 2022 being 13 days. The global median dwell time was 18 days in 2021.
- The five most cyber-attacked industries over the past seven years are healthcare, manufacturing, financial services, government, and transportation. Cybersecurity Ventures predicts that retail, oil and gas, energy and utilities, media and entertainment, legal, and education (K-12 and higher education) will round out the top 10 industries for 2023.
- Cybercrime is increasingly being directed at high-net-worth individuals and family offices. According to a study featured by Barclays Private Bank, more than a quarter of ultra-high-net-worth (UHNW) families, family offices, and family businesses with an average wealth of $1.1 billion USD have been targeted by a cyberattack.
- Fines for violations of the European Union’s landmark privacy law continue to soar. According to research from law firm DLA Piper, EU data protection authorities have handed out a total of $1.74 billion USD in fines over breaches of the bloc’s General Data Protection Regulation (GDPR) since January 2022. That’s up from about $1.25 billion USD a year earlier.
- The world’s first national data network was constructed in France during the 1790s. It was a mechanical telegraph system, consisting of chains of towers, each of which had a system of movable wooden arms on top. The French telegraph system was hacked in 1834 by a pair of thieves who stole financial market information — effectively conducting the world’s first cyberattack.
- Before computer hacking, there was phreaking. The “ph-” was for phone, and the phreaks liked to reverse engineer the system of tones that telecommunications companies used for long-distance dialing. Recreating the tones for each number, at just the right pitch, could mean making a free call rather than running up expensive charges. In 1957, Joe Engressia (Joybubbles), a blind seven-year-old boy with perfect pitch, heard a high-pitched tone on a phone line and began whistling along to it at a frequency of 2600 Hz, enabling him to control phone lines and become the U.S.’s first phone hacker or “phone phreak.”
- The modern definition of the word “hack” was first coined at MIT in April 1955, and the first known mention of computer hacking occurred in a 1963 issue of The Tech.
- The first computer virus, Creeper, was named after a Scooby-Doo cartoon show character. Creeper was written in 1971 by BBN computer programmer Bob Thomas as an experiment in self-duplicating code.
- The first notable ransomware incident was caused by the AIDS Trojan. Malicious floppy disks containing the Trojan were handed out to roughly 20,000 attendees of the World Health Organization’s AIDS conference by “the father of ransomware,” Joseph Popp. Victims were told to send $189 to PC Cyborg Corporation at a PO box in Panama. Because the malware was simple, decryption tools were made available quickly.
- Brain is the industry standard name for a computer virus that was released in its first form in January 1986, and is considered to be the first computer virus for the IBM Personal Computer (IBM PC) and compatibles.
AS SEEN IN CYBERCRIME MAGAZINE
- More than 250 hacker and cybersecurity movies from 1956 to 2022 are featured in the latest edition of the “Hackers Movie Guide” published by Cybercrime Magazine.
- Kevin Mitnick was the most elusive cyber invader in history, dubbed by CNN, Fox News and other prestigious networks “The World’s Most Famous Hacker.” Cybercrime Magazine calls Mitnick “Cybersecurity’s Greatest Showman On Earth” and produced five original short films about him.
- There are over 90 cybersecurity industry associations globally on a list published in Cybercrime Magazine.
- As featured on CNN, Forbes, and Inc. Magazine — BookAuthority compiles a list of the “100 Best Cybersecurity Books of All Time,” based on recommendations by thought leaders and experts. The book “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime,” published by Cybersecurity Ventures, features on that list and it inspired a documentary produced by Cybercrime Magazine.
- Cybercrime Magazine publishes the world’s largest list of women in cybersecurity on Twitter @WomenKnowCyber. The list features more than 7,000 girls and women, and more are added every day.
- Every year Cybersecurity Ventures publishes its Pure Cyber 100 list of cybersecurity startups with $100 million or more in VC funding over the past two years.
- The world’s first and only 7x24x365 Internet radio station devoted to cybercrime and cybersecurity, WCYB Cybercrime Radio, launched live from Long Island (Northport, N.Y.) on Jul. 15, 2021, to a worldwide audience. All of the facts, figures, predictions, and statistics from the Cybersecurity Almanac will be aired on WCYB in 2023. Stay tuned!