Cybersecurity Statistics 2026

The FBI recorded $20.877 billion in reported US cybercrime losses in 2025 — the first time that figure crossed $20 billion, up 26% from 2024. Globally, Cybersecurity Ventures projects total cybercrime costs at approximately $10.8 trillion for 2026. For context: if cybercrime were a country, its GDP would rank third worldwide, behind only the United States and China.

These are not projections built on assumptions. They come from the FBI’s 2025 Internet Crime Report, IBM’s Cost of a Data Breach 2025, Verizon’s Data Breach Investigations Report 2025, the World Economic Forum’s Global Cybersecurity Outlook 2026, ISC2’s Cybersecurity Workforce Study, and 30+ additional primary sources documented below. Every statistic in this article links to its origin.

This page is updated quarterly. Last reviewed: April 26, 2026.


Key facts at a glance

| Metric | Figure | Source |
| --- | --- | --- |
| Global cybercrime costs (2026 projection) | $10.8 trillion | Cybersecurity Ventures |
| US cybercrime losses reported to FBI (2025) | $20.877 billion | FBI IC3 2025 |
| Average global data breach cost | $4.44 million | IBM CODB 2025 |
| Average US data breach cost | $10.22 million | IBM CODB 2025 |
| Ransomware in all breaches | 44% | Verizon DBIR 2025 |
| Average ransomware incident total cost | $5.08 million | IBM CODB 2025 |
| Global cybersecurity spending (2026) | $308 billion | Gartner / Medha Cloud |
| Unfilled cybersecurity positions worldwide | 4.8 million | ISC2 2025 |
| Average breach detection time | 197 days | IBM CODB 2025 |
| Phishing/social engineering in all breaches | 60% involve the human element | Verizon DBIR 2025 |

1. Global cybercrime costs & frequency

Scale of the problem

  1. Global cybercrime costs are projected at approximately $10.8 trillion in 2026 (Cybersecurity Ventures). That figure includes data destruction, stolen money, lost productivity, IP theft, financial manipulation, post-attack disruption, and reputational damage.
  2. The same forecast projects cybercrime costs reaching $15.6 trillion by 2029 — growing faster than global GDP every year (Cybersecurity Ventures).
  3. For every $1 spent on cybersecurity, cybercriminals extract an estimated $49.50 in damages at current spending levels (BitsFromBytes analysis cross-referencing Gartner 2026 spending forecast and Cybersecurity Ventures damage projections).
  4. The FBI’s IC3 received more than 1 million complaints in 2025 — the first time the annual total crossed that threshold (FBI IC3 2025 Annual Report).
  5. Total reported US cybercrime losses reached $20.877 billion in 2025, a 26% increase over the $16.6 billion reported in 2024 (FBI IC3 2025).
  6. The average loss per IC3 complaint in 2025 is $20,699, heavily skewed by high-dollar fraud categories such as investment scams and BEC (FBI IC3 2025).
  7. Only 26% of people who lost money to an online scam reported the incident to law enforcement — meaning IC3 figures substantially undercount actual losses (Nationwide surveys via Parachute Cloud 2026).
  8. A cyberattack occurs every 39 seconds on average globally (Medha Cloud compilation, 2026).
  9. By 2031, ransomware will attack a business, consumer, or device every 2 seconds, up from every 11 seconds in 2021 (Cybersecurity Ventures).
  10. The frequency of cyberattacks has doubled since the COVID-19 pandemic (IMF).

Cryptocurrency crime

  1. In 2025, the FBI received over 180,000 complaints involving cryptocurrency, with reported losses exceeding $11.36 billion (FBI IC3 2025).
  2. Cryptocurrency fraud now represents the single largest category of financial loss in the IC3 dataset by dollar value, overtaking investment fraud in 2025 for the first time (FBI IC3 2025).

2. Data breach statistics

Breach costs

  1. The global average cost of a data breach dropped to $4.44 million in 2025 — the first decline in five years, down from $4.88 million in 2024 (IBM Cost of a Data Breach 2025).
  2. US breaches averaged $10.22 million per incident in 2025, a record high, and nearly 2.3× the global average (IBM CODB 2025).
  3. Mega-breaches involving 50 million or more records cost an average of $332 million — roughly 75× the global average breach cost (IBM CODB 2025).
  4. Multi-cloud breaches average $5.05 million, versus $4.01 million for purely on-premises incidents (IBM CODB 2025).
  5. When attackers reveal a breach before the organization detects it internally, average cost soars to $5.08 million — nearly 20% higher than self-detected breaches (Auxis, citing IBM 2025).
  6. The US alone recorded 3,322 data breaches in 2025 — a record (StationX / multiple breach databases).
  7. Supply-chain breaches cost an average of $4.91 million per incident (IBM CODB 2025).

Breach causes & attack vectors

  1. Stolen or compromised credentials are the most common initial attack vector, involved in approximately 22% of breaches (IBM CODB 2025).
  2. Phishing accounts for approximately 16% of initial vectors in confirmed data breaches (IBM CODB 2025).
  3. The human element is involved in 60% of all breaches — ranging from phishing clicks to credential reuse to social engineering (Verizon DBIR 2025).
  4. 98% of cyberattacks involve some form of social engineering at some stage of the kill chain (Sprinto, via StationX).
  5. 30% of breaches in 2025 involved third-party organizations — double the proportion recorded in the prior year’s DBIR (Verizon DBIR 2025).
  6. Vulnerability exploitation as an initial access vector increased substantially year-over-year in the 2025 DBIR — one of the fastest-growing initial access categories (Verizon DBIR 2025).
  7. Only 54% of perimeter-device vulnerabilities were fully remediated by organizations in the past year; nearly half remained unresolved (Verizon DBIR 2025).

Detection & containment

  1. The average time to identify a data breach is 197 days; the average time to contain it after identification adds another 69 days, for a total lifecycle of 266 days (IBM CODB 2025).
  2. Breaches involving stolen or compromised credentials take the longest to identify: 292 days from initial access to identification (IBM CODB 2025 / DeepStrike analysis).
  3. Breaches taking longer than 200 days to identify cost $1.02 million more than those detected within 200 days (IBM CODB 2025).
  4. In the healthcare sector, the average detection and containment timeline stretches to 279 days — the longest of any industry (IBM CODB 2025).
  5. Organizations with a 24/7 SOC reduce breach detection time by 70% compared to business-hours-only monitoring (Medha Cloud, 2026).

What reduces breach costs

  1. Organizations with fully deployed AI and security automation save an average of $2.22 million per breach compared to those without these tools (IBM CODB 2025 / Gartner).
  2. A separate IBM finding puts the AI/automation advantage at $3.05 million per breach for organizations with the highest level of deployment (IBM CODB 2025, via Medha Cloud).
  3. Organizations with Zero Trust architecture deployed saved $1.51 million per breach compared to those without (IBM CODB 2025).
  4. Engaging law enforcement during a ransomware incident reduces total breach cost by approximately $1 million (DeepStrike, citing IBM / law enforcement data).
  5. Organizations with staffing shortages experience breach costs $1.76 million higher than well-staffed peers (IBM CODB 2025).
  6. Organizations with high-level skills shortages incur $5.22 million in average breach costs — $1.57 million more than those with low or no shortage (Auxis 2026, citing IBM).
  7. 17% of cloud breaches resulted from lack of multi-factor authentication (IBM CODB 2025).

3. Ransomware statistics

Frequency & volume

  1. Ransomware was present in 44% of all data breaches studied by Verizon in 2025 — up from 32% the prior year and marking the sharpest single-year increase on record (Verizon DBIR 2025).
  2. Ransomware accounted for 75% of all system-intrusion breaches in the 2025 DBIR (Verizon DBIR 2025).
  3. More than 7,500 organizations appeared on dark web ransomware leak sites in 2025, up 58% from roughly 4,750 in 2024 (GuidePoint Security, via Axis Intelligence 2026).
  4. Ransomware attacks globally reached an estimated 7,419 confirmed incidents in 2025, up 32% year-over-year (DeepStrike, citing multiple sources).
  5. Ransomware attacks averaged approximately 535 confirmed victims per month on tracked dark web leak sites in H2 2025 — a figure representing disclosed extortion cases only; actual volume is substantially higher (Check Point Research Q2–Q3 2025).
  6. 72% of ransomware attacks target organizations with 1,000 or more employees — though small businesses face disproportionate survival risk when hit (Medha Cloud 2026).
  7. Annual global damage costs for ransomware multi-stage extortion attacks are forecast to reach $74 billion in 2026 (SentinelOne).

Financial impact

  1. The average total cost of a ransomware incident — including downtime, remediation, and lost revenue — reached $5.08 million in 2025 (IBM CODB 2025).
  2. The average recovery cost excluding the ransom payment is $1.53 million (Sophos 2025).
  3. Average ransom payments hit $1 million (mean), while the median payment sits at $200,000 — a small number of very large payments skews the mean significantly (Medha Cloud, citing Coalition / Sophos 2025).
  4. Only 65% of organizations that paid a ransom actually recovered their data — the remainder paid and still lost access (Medha Cloud 2026).
  5. Approximately 36% of ransomware victims paid the ransom in 2025, down from 41% in 2024, reflecting improving backup capabilities and earlier law enforcement engagement (Axis Intelligence 2026).
  6. Average downtime following a ransomware attack is 24 days (Medha Cloud, citing Coveware 2025 data).
  7. For the healthcare sector specifically, ransomware downtime costs average $1.9 million per day of operational disruption (DeepStrike, citing Comparitech Healthcare data).
  8. Between 2018 and 2024, 525 ransomware campaigns targeted US government bodies, causing over $1 billion in downtime losses alone (Axis Intelligence 2026, citing government breach databases).

Tactics evolution

  1. Double extortion — encrypt the data AND threaten to publish it — is used in 70% of ransomware cases in 2025; pure encryption-only attacks now represent only 30% of incidents (SentinelOne 2026).
  2. Ransomware-as-a-Service (RaaS) platforms have lowered the technical barrier to entry for attackers — most active ransomware groups in 2025 operated affiliate programs, not monolithic criminal organizations (CrowdStrike 2025 Global Threat Report).
  3. Government and public sector saw a 65% increase in ransomware incidents in H1 2025 year-over-year, with 208 attacks on government bodies in that window (Corvus Insurance, via Axis Intelligence).
  4. Manufacturing ranks first or second across attack volume datasets for ransomware — its reliance on operational technology and just-in-time production creates maximum pressure to pay quickly (Group-IB; Axis Intelligence 2026).
  5. 66% of K-12 districts have no specialist cybersecurity personnel, making education a high-value, low-defense target (Axis Intelligence 2026).

4. Phishing & business email compromise

Volume & frequency

  1. APWG observed approximately 3.8 million phishing attacks across 2025 — slightly above the 3.76 million recorded in 2024 (APWG 2025 Annual Report).
  2. APWG recorded 1,003,924 phishing attacks in Q1 2025 alone — its largest quarterly total since late 2023 (APWG).
  3. In Q2 2025, APWG observed 1,130,393 phishing attacks, up 13% from Q1 (APWG).
  4. Financial institutions were the most targeted sector at 18.3% of phishing attacks in mid-2025 (APWG).
  5. Phishing/spoofing was the top crime category by complaint count in the FBI IC3 2024 report, with 193,407 complaints (FBI IC3 2024).
  6. Microsoft screens approximately 5 billion emails per day for malware and phishing threats (Microsoft Digital Defense Report 2025).

Business Email Compromise (BEC)

  1. BEC accounted for $2.77 billion in US losses in 2024 (FBI IC3 2024) — the costliest category outside of investment fraud.
  2. In 2025, IC3 recorded 24,768 BEC complaints with reported losses totaling $3.046 billion — a 10% year-over-year increase (FBI IC3 2025).
  3. The FBI has documented $55.5 billion in cumulative BEC losses over the past decade, making it the most financially devastating social engineering technique on record (FBI IC3 cumulative totals, via StationX 2026).
  4. Wire-transfer BEC attempts surged 136% quarter-over-quarter in Q4 2025, with an average requested wire amount of $50,297 (Fortra/APWG Q4 2025).
  5. Gift cards remain the dominant cash-out method in BEC fraud at 59% of confirmed cases (APWG, via DeepStrike 2026).
  6. In 2025, businesses reported over $30 million in losses tied specifically to AI-assisted BEC (FBI IC3 2025 — the first year the IC3 broke out AI-assisted BEC as a distinct category).

AI-enhanced phishing

  1. AI-automated phishing emails achieve a 54% click-through rate, versus 12% for standard phishing attempts — a 4.5× improvement in attacker effectiveness (Microsoft, via BrightDefense 2026).
  2. The Tycoon 2FA phishing-as-a-service operation alone generated over 30 million phishing emails in a single month in mid-2025, accounting for approximately 62% of Microsoft-blocked phishing during that period (Microsoft Digital Defense Report 2025).
  3. AI now powers over 80% of social engineering activity observed by Abnormal Security’s platform (Abnormal Security 2025).
  4. 91% of security professionals report encountering AI-enabled email attacks in the past six months (StationX, citing industry surveys 2026).
  5. AI tools can generate convincing phishing emails at 95% lower cost than human-authored attacks (Harvard Business Review 2024 study via StationX).
  6. Voice cloning technology can replicate a person’s voice from as little as 3 seconds of audio, enabling highly convincing vishing attacks (McAfee 2024).
  7. Vishing (voice phishing) attacks surged 442% year-over-year in 2025, driven by AI voice-cloning tools reducing the cost and skill required (CrowdStrike 2025 Global Threat Report).
  8. SMS-based phishing (smishing) grew 30–40% quarter-over-quarter in Q4 2025 (APWG Q4 2025 report).

5. Identity & credential attacks

  1. Microsoft logs approximately 600 million identity attack attempts per day against its platform (Microsoft Digital Defense Report 2025).
  2. More than 99% of identity attacks remain password-based — password spraying, credential stuffing, and brute force dominate despite the availability of passwordless alternatives (Microsoft).
  3. In 2025, Constella processed over 27.9 billion identity records — a 135% year-over-year increase — pulled from breaches, data leaks, and infostealer packages across the surface, deep, and dark web (Constella 2026 Identity Breach Report).
  4. Constella’s 2026 report identified a 661% increase in breaches containing PII — a deliberate strategic shift by threat actors away from recycled credential lists toward high-fidelity data containing names, phone numbers, physical addresses, and account identifiers (Constella 2026 Identity Breach Report).
  5. Government impersonation complaints to the FBI nearly doubled: rising from 17,367 in 2024 to 32,424 in 2025, with $797.9 million in reported losses (FBI IC3 2025).
  6. The FBI received more than 22,000 complaints directly referencing AI use by cybercriminals in 2025, with adjusted losses exceeding $893 million (FBI IC3 2025 — first year this was tracked as a distinct category).
  7. About 88% of system-intrusion breaches involving stolen credentials relied on those credentials to authenticate as a legitimate user without triggering alerts (Verizon DBIR 2025).
  8. Infostealers — malware designed to harvest credentials at scale — accounted for a growing share of initial access in 2025, with multiple major RaaS groups listing them as their primary procurement method (CrowdStrike 2025 Global Threat Report).

6. AI & emerging threats

  1. 94% of respondents to the WEF Global Cybersecurity Outlook 2026 survey identified AI as the most significant driver of cybersecurity change in 2026 (WEF GCO 2026, 804 respondents across 92 countries).
  2. 87% of WEF survey respondents flagged AI-related vulnerabilities as the fastest-growing cyber risk throughout 2025 (WEF GCO 2026).
  3. Nearly 47% of organizations rank adversarial generative AI — enabling adaptive malware, hyper-realistic deception, AI model manipulation, and large-scale attack automation — as their top security concern (WEF cybersecurity survey 2025, via Auxis).
  4. Only 26% of security professionals rate their ability to detect AI-based attacks as “high”, despite 96% recognizing the importance of doing so (Auxis 2026, citing industry survey data).
  5. 53% of leaders state they are unprepared for cybersecurity risks posed by AI tools deployed inside their organizations (VikingCloud, citing ISC2 data).
  6. The AI security market is valued at $24.3 billion in 2026 and projected to reach $133.8 billion by 2030 — a 21.9% compound annual growth rate (Medha Cloud 2026).
  7. Research suggests companies adopting generative AI for hyper-personalized security awareness training could see 40% fewer employee-caused security incidents by 2026 (VikingCloud, citing research projection).

7. Industry breach costs — sector breakdown

| Industry | Average breach cost | Key driver | Consecutive years at top |
| --- | --- | --- | --- |
| Healthcare | $11.2M–$12.6M | HIPAA penalties, medical record value, patient notification | 15 years |
| Financial services | $5.97M–$6.08M | Regulatory exposure (SEC, GLBA, DORA), transaction fraud | |
| Technology | ~$4.97M | IP theft, SaaS credential abuse | |
| Education | $3.80M | Low defenses, high data volume | |
| Critical infrastructure | $4.82M | OT/IoT exposure, rising 107% YoY | |
| Government / public sector | $2.83M | Nation-state espionage, data volume | |
| Global average | $4.44M | | |

Sources: IBM Cost of a Data Breach 2025; ScienceSoft projections for 2026 healthcare figure.

  1. Healthcare has topped breach cost rankings for 15 consecutive years — at $11.2 million globally and potentially reaching $12.6 million in 2026 — reflecting HIPAA penalties, patient notification requirements, and the high dark web value of medical records (IBM CODB 2025; ScienceSoft 2026 projection).
  2. 93%+ of healthcare organizations experienced at least one cyberattack in 2024 (Ponemon Institute, via Axis Intelligence).
  3. 460 ransomware attacks and 182 data breaches hit the healthcare and public health sector in 2025 — the highest count of any critical infrastructure sector (FBI IC3 2025).
  4. Healthcare organizations hit by cyberattacks report the following effects: delays in tests and procedures (56%), increased complications from procedures (53%), longer patient stays (52%), higher transfer rates to other facilities (44%), and higher mortality rates (28%) (ScienceSoft, via Axis Intelligence 2026).
  5. Almost three in four healthcare organizations reported patient care disruption caused by a cyberattack in the past year (Ponemon Institute).
  6. Financial services firms face 300× more cyberattacks than organizations in other industries (multiple threat intelligence sources, via Medha Cloud 2026).
  7. Critical infrastructure IoT-related threats rose 107% year-over-year in 2025, with attacks targeting industrial control systems and connected operational technology (IBM CODB 2025).
  8. The education sector experienced a record 252 reported incidents in 2025 (DeepStrike, citing multiple breach databases).

8. Supply chain & third-party risk

  1. 30% of all breaches in 2025 involved a third-party organization — double the proportion recorded the prior year (Verizon DBIR 2025). This is the fastest-growing initial access category in the DBIR.
  2. Supply-chain breaches cost an average of $4.91 million per incident, above the global breach average (IBM CODB 2025).
  3. At least 29% of all data breaches involve third-party software or vendor relationships (VikingCloud, cross-referencing Verizon and IBM data).
  4. The Clop ransomware group’s MOVEit exploitation in 2023 — still used as a reference event in 2026 security planning — compromised over 2,700 organizations in a single campaign, demonstrating the amplified blast radius of supply-chain vulnerabilities (multiple incident response post-mortems).
  5. 59% of organizations say geopolitical tensions have directly affected their cybersecurity strategies in 2025–2026 (WEF Global Cybersecurity Outlook 2026).
  6. 33% of CEOs specifically cite cyber espionage as a concern for their organizations, reflecting the blurring of nation-state and criminal activity (WEF GCO 2026).
  7. 125 attacks on space assets and undersea cable infrastructure were recorded in 2025, reflecting the expansion of cyberwarfare to physical telecommunications infrastructure (Axis Intelligence, citing satellite/cable security databases).

9. Small & medium businesses

  1. The average cost of a cyberattack to a small business is $120,000 — enough to close 60% of affected SMBs within six months (Medha Cloud 2026, citing Cybersecurity Ventures).
  2. Three-quarters of small businesses say a major cyberattack would “likely” or “definitely” put them out of business (CrowdStrike 2025, via Auxis).
  3. More than a quarter of SMBs report experiencing a ransomware attack (26%), a customer data breach (27%), or a deepfake scheme (29%) in the past year (VikingCloud SMB research 2026).
  4. 25% of SMBs say their credentials have appeared on the dark web — and most were unaware until after the fact (VikingCloud 2026).
  5. 84% of business owners say they self-manage their cybersecurity, and more than half of those with a dedicated cyber expert still manage most of the program themselves (VikingCloud 2026).
  6. More than a quarter of SMB respondents (28%) admit the person managing their cybersecurity lacks sufficient training — and that person is usually the respondent (VikingCloud 2026).

10. Cybersecurity workforce & skills gap

  1. The global cybersecurity workforce gap reached 4.8 million unfilled positions in 2024, a 19% year-over-year increase (ISC2 Cybersecurity Workforce Study 2024).
  2. Despite the gap, the global cybersecurity workforce grew to 5.5 million active professionals — meaning demand is outpacing supply even as absolute headcount increases (ISC2 2025).
  3. 90% of cybersecurity teams report skills gaps that go beyond headcount shortages — including AI security, cloud security, and DevSecOps capabilities (ISACA / ISC2 2025).
  4. 71% of organizations report that the talent shortage has directly affected their security posture (Medha Cloud, citing ISC2 data).
  5. Only 15% of firms expect cybersecurity skills to significantly ramp up by 2026 (WEF, via Auxis).
  6. The WEF identifies Latin America and the Caribbean (65%) and sub-Saharan Africa (63%) as the regions facing the most severe cybersecurity talent shortages (WEF GCO 2026).
  7. Small organizations are 2.5 times more likely to report insufficient cyber resilience compared to large enterprises — driven primarily by the talent and budget gap (WEF GCO 2026).
  8. 85% of organizations with insufficient resilience also lack critical cybersecurity skills — the two deficiencies are nearly inseparable (WEF GCO 2026).
  9. Only 19% of organizations now report cyber resilience that exceeds requirements — up from 9% in 2025, but still the minority (WEF GCO 2026).
  10. AI/ML is the #1 skill need in cybersecurity for 2026, cited by 41% of security teams as their top requirement, ahead of cloud security (ISC2 2025).
  11. The US Bureau of Labor Statistics projects 32% job growth in information security analysis through 2032 — roughly 4× the average for all occupations (BLS Occupational Outlook Handbook).
  12. New roles emerging at the AI-security intersection in 2026 include: AI security engineer, ML security researcher, AI governance analyst, and prompt injection specialist (ISC2 2025 / WEF GCO 2026).

11. Cybersecurity spending

  1. Global cybersecurity spending is projected at $308 billion in 2026, a 15.1% increase from 2025 (Gartner Security & Risk Management forecast).
  2. IDC’s parallel forecast puts the 2026 growth rate at 12.2% — both forecasts represent the fifth consecutive year of double-digit growth (IDC 2025 Security Spending Guide).
  3. Gartner projects 12.5% further growth in 2027, sustaining the multi-year acceleration (Gartner, via StationX).
  4. Security software commands the largest share of the market at approximately $106 billion (50%), overtaking services — reflecting the market shift toward cloud-native, automated platforms (StationX, citing Gartner breakdown).
  5. 78% of organizations plan to increase their cybersecurity spending in 2026 (Medha Cloud, citing Forrester/ISC2 data).
  6. Cloud security is the fastest-growing security segment, expanding at 25.4% annually (Medha Cloud 2026).
  7. The average enterprise security budget as a percentage of total IT budget is 10.9% in 2026, up from 8.6% in 2022 (Medha Cloud).
  8. Personnel costs represent approximately 51% of total security spending when both internal staff and external contractors are included (NuHarbor Security, via Elisity 2026).
  9. Microsoft alone dedicates 34,000 full-time-equivalent engineers to security — a figure that illustrates the scale of investment required at the frontier (StationX, citing Microsoft Digital Defense Report 2025).
  10. Healthcare spends the least on cybersecurity at 0.3–0.5% of revenue despite facing the highest breach costs — a structural mismatch that explains the sector’s 15-year breach-cost leadership (StationX 2026).
  11. Financial services allocates 0.8–1.0% of revenue to security, and technology firms allocate 0.9%+ — the two highest-spending sectors (StationX 2026).
  12. The Identity and Access Management (IAM) market reached $24.1 billion in 2026 (Medha Cloud).
  13. The managed security services market is projected at $46.4 billion in 2026 (Medha Cloud, citing MSSP industry forecast).
  14. MDR (Managed Detection and Response) adoption grew 35% year-over-year in 2025 as organizations substitute outsourced monitoring for understaffed internal SOCs (Medha Cloud 2026).

12. Cyber insurance

  1. The global cyber insurance market will reach $22.5 billion by 2026 (Medha Cloud, citing insurance market data).
  2. 42% of insured organizations say their cyber insurance policy covers only a small portion of actual damages — a growing concern as breach costs exceed policy limits (Medha Cloud 2026).
  3. Cyber insurance premiums increased 11% on average in 2025, following 25–50% increases in 2022 and 2023 (Medha Cloud, citing market reports).
  4. 21% of cyber insurance claims are denied due to non-compliance with policy security requirements at the time of the incident (Medha Cloud 2026).
  5. Organizations without MFA are seeing premium increases of 25–40% or outright denial of coverage as underwriters tighten technical requirements (Medha Cloud 2026).
  6. The loss ratio for cyber insurers improved to 43% in 2025, down from 67% in 2022, as underwriting standards tightened — making coverage more stringent but the market more sustainable (Medha Cloud, citing Coalition 2025 Cyber Claims Report).
  7. 87% of cyber insurance applications now require evidence of endpoint detection and response (EDR) deployment before coverage is offered (Medha Cloud 2026).

13. Regulation & compliance

  1. CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) reaches full effect in May 2026, requiring 72-hour incident reporting for critical infrastructure operators — with estimated compliance infrastructure costs of $150,000 to $400,000 per organization (Elisity 2026, citing CISA CIRCIA documentation).
  2. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) has been required in defense contracts since November 2025 — but more than 50% of defense contractors struggle to implement CMMC requirements (Radicl, via Axis Intelligence 2026).
  3. NIS2, DORA, and SEC disclosure rules are making cybersecurity spending non-negotiable across European and US regulated sectors — regulatory compliance is now cited as the second driver of security budget growth after AI threats (StationX, citing Gartner and regulatory filings).
  4. NIST CSF 2.0’s new “Govern” function now requires board-level security oversight, formalizing what many organizations had treated as informal (NIST Cybersecurity Framework 2.0, February 2024).
  5. IEC 62443 compliance for manufacturing OT environments takes 18–36 months and costs $3–8 million, making supply-chain security attestation a significant operational burden for industrial firms (Elisity 2026).

14. Cybersecurity predictions: what to watch in 2026–2027

  1. 47% of organizations rank adversarial GenAI as their top security concern for 2026 — AI-generated adaptive malware that modifies itself to evade detection is the most feared emerging capability (WEF GCO 2026).
  2. Quantum computing threatens current RSA and ECC encryption standards — NIST published its first post-quantum cryptography standards in August 2024, and organizations are beginning multi-year migration programs (NIST, August 2024).
  3. Agentic AI systems introduce new attack surfaces in 2026: prompt injection, tool misuse, and cross-agent trust exploitation are emerging threat categories without mature defenses (WEF GCO 2026 / IBM Security X-Force).
  4. The cybersecurity skills shortage is projected to remain above 4 million unfilled roles through 2028 despite expanding training programs — demand is growing faster than pipeline (ISC2 / WEF joint assessment).
  5. “Shadow AI” — generative AI tools deployed by employees without IT oversight — represents a growing data-leak vector in 2026, with 59% of organizations reporting governance gaps around employee AI usage (WEF GCO 2026).

Methodology & sources

All statistics in this article are drawn from primary sources. For each statistic, the original report is named. Where figures appear in multiple aggregators, this article traces them to their origin.

Primary sources used in this article:

| Source | Type | Coverage |
| --- | --- | --- |
| FBI IC3 2025 Annual Report | Government | US cybercrime complaints and losses |
| IBM Cost of a Data Breach 2025 | Industry research | Breach costs, vectors, detection times |
| Verizon DBIR 2025 | Industry research | Breach patterns, actor types, industries |
| WEF Global Cybersecurity Outlook 2026 | International body | Executive survey, resilience gaps |
| ISC2 Cybersecurity Workforce Study 2025 | Professional body | Workforce size, skills gap, demographics |
| CrowdStrike 2025 Global Threat Report | Vendor research | Threat actor tactics, ransomware trends |
| APWG eCrime Reports 2025 | Industry coalition | Phishing volume and sector targeting |
| Sophos State of Ransomware 2025 | Vendor research | Ransomware payments, recovery costs |
| Gartner Security & Risk Management Forecast 2026 | Research firm | Spending forecasts |
| NIST Cybersecurity Framework 2.0 | Government standard | Framework, Govern function |
| Constella 2026 Identity Breach Report | Vendor research | Identity record exposure, PII trends |

A note on data quality: Not every number published in cybersecurity articles reflects a full-year 2026 actual. The most reliable enterprise metrics currently come from the latest complete 2024–2025 datasets. Figures explicitly marked as “projected” or “forecast” are based on trend extrapolation, market research modeling, or vendor projection methodologies — not confirmed actuals. Readers should distinguish between complaint data (FBI IC3), breach-cost studies (IBM), incident-response cohort data (Verizon), and vendor telemetry (CrowdStrike, Microsoft) rather than treating them as interchangeable populations.

This article separates measured outcomes from forward-looking expectations.


Frequently asked questions

What is the average cost of a data breach in 2026?

The most recent confirmed figure is $4.44 million globally, from IBM’s Cost of a Data Breach 2025 report — the first decline in five years after peaking at $4.88 million in 2024. US breaches average significantly higher at $10.22 million. The global average is expected to resume its upward trend in 2026 as ransomware involvement continues rising.

How many cyberattacks happen per day in 2026?

A cyberattack occurs every 39 seconds on average, implying roughly 2,200 attacks per day globally. Microsoft logs approximately 600 million password attack attempts per day against its platform alone. APWG observed 3.8 million phishing attacks across 2025, averaging 10,400 per day. These figures cover different attack categories and should not be added — they describe overlapping populations.

Which industry has the highest cybersecurity breach costs?

Healthcare has topped breach cost rankings for 15 consecutive years, at $11.2 million globally per IBM’s 2025 data. Financial services ranks second at approximately $6 million. Healthcare’s dominance reflects HIPAA penalties, patient notification requirements, and the high value of medical records on dark web markets.

How many cybersecurity jobs are unfilled in 2026?

ISC2’s 2024 Workforce Study documented 4.8 million unfilled positions globally — a 19% year-over-year increase. Despite this gap, the active workforce grew to 5.5 million professionals, meaning demand is growing faster than supply. The most acute shortages are in AI security, cloud security, and DevSecOps.

Is ransomware getting worse in 2026?

Yes. Ransomware appeared in 44% of all data breaches in 2025, up from 32% the prior year — the largest single-year jump on record in Verizon’s DBIR dataset. Over 7,500 organizations appeared on dark web leak sites in 2025, a 58% increase from 2024. The only positive signal: the percentage of victims paying ransom dropped from 41% to 36%, reflecting improving backup postures and law enforcement engagement.

What is cybercrime expected to cost globally in 2026?

Cybersecurity Ventures projects total global cybercrime costs at approximately $10.8 trillion in 2026, rising to $15.6 trillion by 2029. The FBI’s IC3 recorded $20.877 billion in US losses from voluntary reports alone — making the FBI figure a confirmed floor, not a ceiling.


Last updated: April 26, 2026. Statistics reflect the most recent available data from the primary sources listed. Cloud pricing, threat landscape, and workforce figures change continuously — check primary sources before using these figures in regulatory filings, board presentations, or insurance applications.

