Examining key cyber security statistics from leading industry reports provides insight into attack trends, vulnerabilities, and best practices and illustrates why it is crucial for small businesses to prioritize cybersecurity awareness in 2024.
Looking across reports from the FBI, Mandiant, Microsoft, Verizon, and CrowdStrike reveals useful patterns. I have used the most recent of each of the reports; however, the time period covered by each is different. Please check the sources section for further details.
Threat Landscape and Cyber Attacks
Cyber threats continue to increase in frequency, complexity, and impact. Key metrics point to ongoing growth in attack volume, techniques focused on evasion and targeting of critical infrastructure.
In 2022, the FBI’s IC3 received 800,944 complaints, a 5% decrease from 2021, but with total losses growing from $6.9 billion to over $10 billion. 1
Phishing attacks decreased slightly to just over 300,000 in 2022 but remain the top cybercrime type. 1
Over the last five years, the IC3 has received an average of 652,000 complaints per year. 1
Ransomware accounts for 24% of breaches.5
In 2022, the IC3 received over 2,000 complaints identified as ransomware with adjusted losses of more than $34.3 million.1
Social engineering incidents increased largely due to a rise in pretexting, doubling since last year.5
The number of interactive intrusion campaigns increased by 50% in 2022.8
Cloud exploitation cases grew 95% in 2022.8
Attacks targeting open-source software grew 742% since 2019.7
Detection and Response
Trends show that security teams continue to struggle to detect threats quickly, with external notifications common. However, some metrics indicate modest improvements in response times.
In 55% of incidents, organizations were notified by an external entity, up from 40% last year.6
External notifications detected 70% of ransomware incidents.6
Median dwell time decreased to 10 days in the Americas, down from 17 days.6
Dwell time is calculated as the number of days an attacker is present in a victim environment before they are detected. The median represents a value at the midpoint of a data set sorted by magnitude.
64% of intrusions in the Americas were detected within 30 days.6
Ransomware attacks had an average dwell time of 5 days.6
Non-ransomware attacks had a 12-day dwell time in 2022, down from 17 days in 2021.6
The FBI’s Recovery Asset Team successfully froze 73% ($433m) of funds targeted in BEC scams.1
The FBI’s Recovery Asset Team saw a 64% increase in Financial Fraud Kill Chain (FFKC) initiations in 2022.1
Breakout time for eCrime intrusions declined from 98 to 84 minutes.8
Microsoft blocked 4,000 identity attacks per second.7
Industries and Targets
Certain industry verticals face disproportionate targeting from cyber adversaries, including finance, healthcare, retail, and education. Attack patterns also reveal trends in technologies, assets, and data targeted.
Outside of government investigations, the top three global industries targeted in 2022 were Business and Professional (14%), Financial (12%) and High Tech (9%).6
The top sectors hit by ransomware in 2022 were Healthcare, Critical Manufacturing, and Government.1
In Retail, 70% of payment card breaches originated from web apps.5
Ransomware caused 1/3 of breaches in Education.5
Financial and Insurance – Basic Web Application Attacks, Miscellaneous Errors, and System Intrusion represent 77% of breaches.5
System Intrusion, Basic Web Application Attacks, and Social Engineering represent 77% of breaches in the Information sector.5
System intrusion (42%) remains the top breach in Manufacturing.5
Mining, Quarrying, and Oil and Gas Extraction and Utilities saw 1/3 of breaches stem from ransomware.5
Cost of data breaches
The monetary damages from cyber attacks are massive and increasing, with losses now measured in the billions annually across scams, ransomware, and breach recovery costs.
In 2022, total losses reported to the FBI’s IC3 grew to over $10.3 billion.1
Investment fraud losses reported to the IC3 rose 127% to $3.31 billion.1
Cryptocurrency investment fraud rose 183% to $2.57 billion.1
The median loss in business email compromise scams increased to $50,000.5
The FBI reported $2.7 billion in losses just from business email compromise.1
The cost of cybercrime is projected to reach $10.5 trillion annually by 2025.7
Initial Access Vectors
Cybercriminals rely on common fundamental techniques for initial compromise such as phishing, exploiting remote access tools, abusing stolen credentials, and more recently MFA compromises.
44.7% of breaches involve stolen credentials, up from 41.6%.5
17% of intrusions use known RATs and RMM tools.7
80-90% of ransomware comes through unmanaged devices.7
The exploitation of vulnerabilities enables initial access in 32% of intrusions.6
Stolen credentials are leveraged in 14% of intrusions.6
Attacks initially using phishing increased from 12% to 22% of intrusions.6
Microsoft Entra data shows attempted password attacks increased more than tenfold in 2023, from around 3 billion per month to over 30 billion.7
Approximately 6,000 MFA fatigue attempts were observed per day by the end of June 2023.7
Almost half of VPN accounts lacked adequate MFA.7
Pretexting and Phishing Attacks
Pretexting and phishing remain dominant attack vectors with potentially devastating impacts. Both techniques exploit human vulnerabilities rather than technical weaknesses, using psychological manipulation and deceit to trick users into handing over access, information, or funds.
Pretexting scams are present in nearly 60% of social engineering incidents, overtaking phishing.5
Email makes up 98% of the phishing attack vector.5
Persuading someone to change the bank account for the claimed recipient, for example, is found in 56% of incidents.5
The frequency of BEC attacks has skyrocketed to 156,000 daily.7
Microsoft removed over 100,000 domains used by cybercriminals including over 600 employed by nation-state threat actors.7
Ransomware Trends
Ransomware has exploded as a top threat, accounting for a large portion of attacks across industries with new technical and extortion tactics.
The top vectors for ransomware attacks are Email (35%), Desktop sharing software, e.g. RDP (30%), and Web applications (27%).5
Ransomware is present in 62% of all incidents by organized crime actors.5
The three top ransomware variants reported to the IC3 that victimized a member of a critical infrastructure sector were LockBit, ALPHV/BlackCat, and Hive.1
31% of Microsoft’s incident response engagements involved ransomware.7
Human-operated ransomware attacks are up more than 200% since September 2022.7
13% of human-operated ransomware attacks include some form of data exfiltration.7
The top human-operated ransomware variants that achieved breaches were LockBit 3.0 (16%), BlackBasta (14%), BlackCat (14%), and Royal (12%).7
40% of ransomware encounters detected by Microsoft in June 2022 were human-driven.7
LockBit listed over 800 victim organizations on their Data Leak Site in 2022.8
40.9% of LockBit victims in 2023 H1 were in North America.9
LockBit accounted for 26% of total victim organizations in the first half of 2023.9
The number of ransomware-as-a-service affiliates grew 12% in 2022.7
Malware Trends
Adversaries continuously evolve stealthy malware, with an increasing focus on living-off-the-land techniques, supply chain insertion, and evading detection.
49 new malware families were identified monthly in 2022.6
93% of malware runs on Windows.6
15% of malware in 2022 could run on Linux, down from 18%.6
The top malware families are Beacon, SystemBC, and HiveLocker.6
Of the 588 newly tracked malware families, the top five categories consisted of backdoors (34%), downloaders (14%), droppers (11%), ransomware (7%), and launchers (5%). 6
Distributed Denial of Service (DDoS)
Cybercriminals are leveraging the cybercrime-as-a-service ecosystem to launch phishing, identity, and distributed denial of service (DDoS) attacks at scale. DDoS-for-hire services can be purchased for as little as $5 USD and are increasingly being used as a cyberweapon in human-operated ransomware attacks to exploit vulnerabilities in internet resources.
US entities experienced 54% of DDoS attacks.7
In 2023, Microsoft’s global DDoS mitigation operations combatted an average of 1,700 DDoS attacks daily.7
The number of DDoS-for-hire platforms continues to rise, with 20 percent having emerged in the past year alone.7
Transmission Control Protocol (TCP) has become the dominant attack vector, encompassing 59 percent of all DDoS attacks.7
The median bits per second of DDoS attacks grew a whopping 57% from 1.4 gigabits per second (Gbps) last year to 2.2 Gbps now, and the 97.5th percentile grew 25% from 99 Gbps to 124 Gbps.5
Talent Shortage
Organizations already struggle to staff cybersecurity roles, with shortages projected to worsen rapidly at the same time threats are accelerating.
3.5 million cybersecurity job shortages globally.7
Less than 15% of NGOs have cyber staff.7
35% annual increase in cyber job demand.7
Shortage increased 350% over 8 years.7
Small and Medium Businesses
Small and medium-sized businesses face disproportionate cybersecurity risks, with limited resources to defend against financially motivated threat actors exploiting common attack vectors like phishing, stolen credentials, and web app vulnerabilities. Security awareness training, access control, and data recovery capabilities are critical controls for SMBs to prevent breaches.
Ransomware impacted 70% of organizations under 500 employees.7
System Intrusion, Social Engineering, and Basic Web Application Attacks represent 92% of breaches.5
94% of threat actors are external.5
98% of motives are financial.5
54% of data compromised is credentials.5
57.3% of LockBit ransomware victims in the first half of 2023 were small businesses (<200 employees).9
CIS Critical Security Controls Navigator shows which controls would have helped the SMEs – Security and Awareness Training (89%), Data Recovery (80%), and Access Control Management (67%).5
Importance of Cyber Awareness Training
Despite advanced security tools, humans represent the weakest link in the cyber chain; ongoing, tailored cybersecurity awareness training focused on behavior change rather than info delivery is essential for managing human risk factors like phishing, poor password hygiene, and security misconfigurations that contribute to nearly three-quarters of breaches. Properly training end users to recognize threats, follow procedures, and report incidents enables organizations to rapidly detect and contain the majority of attacks.
74% of breaches involve the human element.5
Only 11.3% of phishing email recipients report them.7
Annual standard video-based phishing training only reduces clicks by ~3% at best. Personalized training is needed to prioritize behavior change and improve security behavior.7
MFA reduces the risk of cyber attack compromise by 99.2%.7
In June 2023 alone, Microsoft detected 158 million instances of password reuse across sites.7
Report the breach! More than 50% of victims were able to recover at least 82% of their stolen money.5
The error vector of Carelessness appeared in 98% of cases.5
99% of attacks could be prevented by the 5 fundamental security hygiene best practices – MFA, Zero Trust, XDR and Anti-Malware, Keeping up to date, and Protecting your data.7
Wrapping Up
Wow, those are some eye-opening stats! As I witness daily in my role with the FBI, it’s clear we need to take cybersecurity seriously. The threats are increasing rapidly, but many of us don’t have the resources or staff to implement complex security controls.
The good news is that most attacks can be prevented by focusing on the basics – things like using strong passwords, enabling multi-factor authentication, training employees to spot phishing attempts, and keeping software updated. Doing those simple things makes a huge difference!
I know it’s not easy when you’re focused on customers and growing the business. But cyber attacks can literally put you out of business if you’re not careful.
Investing a little time upfront to boost security can save you a massive headache down the road. Don’t wait until it’s too late! Take action now to protect your livelihood before the bad guys target your business. Your future self will thank you.
Want to use some of our Cyber security stats?
No problem. All that we ask is that you reference (link to) this CyberVillagers page. Thank you!
Sources
1. 2022 IC3 Annual Report – Federal Bureau of Investigation – Internet Crime Complaint Center
2. 2022 IC3 Elder Fraud Report – Federal Bureau of Investigation – Internet Crime Complaint Center
3. 2022 State Reports – Federal Bureau of Investigation – Internet Crime Complaint Center
4. 2022 Elder Fraud State Reports – Federal Bureau of Investigation – Internet Crime Complaint Center
5. 2023 Data Breach Investigation Report – Verizon
6. M-Trends 2023 – Mandiant
7. Microsoft Digital Defense Report 2023 – Microsoft
8. CrowdStrike 2023 Global Threat Report – CrowdStrike
9. Trend Micro Ransomware in 2023 H1 – Trend Micro