Cybersecurity statistics for 2026

Phishing & social engineering

AI-generated phishing emails achieve click-through rates 4x higher than traditional human-written campaigns (multiple industry reports 2025-2026).

73% of organizations reported being affected by cyber-enabled fraud in 2025 (World Economic Forum, Global Cybersecurity Outlook 2026).

Voice deepfake fraud increased 194% across Asia-Pacific from 2024 to 2025 (Group-IB, High-Tech Crime Trends Report 2026).

Phishing remains the initial access vector in 36% of breaches (Verizon DBIR 2024).

Data breaches

Average global cost of a data breach reached $4.88M in 2024, the highest on record (IBM Cost of a Data Breach Report 2024).

The average time to identify and contain a breach was 258 days globally (IBM 2024).

Customer PII appeared in 53% of breaches; intellectual property in 18% (IBM 2024).

Healthcare remains the costliest sector, averaging $9.77M per breach for 14 consecutive years (IBM 2024).

Ransomware

Ransomware payments fell to $813M in 2024 from $1.25B in 2023 — the first decline in 5 years (Chainalysis 2025).

About 36% of ransomware victims paid in 2024, down from 76% in 2019 (Coveware 2025).

Average ransomware downtime is 24 days (Coveware 2025).

65% of US schools experienced a ransomware attack in 2024 (Sophos State of Ransomware in Education 2024).

Identity theft & fraud

Consumers reported losing $12.5B to fraud in 2024 — 25% increase year-over-year (FTC Sentinel 2025).

Investment fraud accounted for the largest losses ($5.7B), followed by imposter scams ($2.7B).

Pig-butchering scams alone account for an estimated $75B+ globally over the last 4 years (US Institute of Peace estimate, 2024).

276 individuals were arrested in a coordinated April 2026 international operation against pig-butchering operations (FBI/Dubai joint statement, April 2026).

Vulnerabilities & patching

68,000+ CVEs were published in 2024, the highest annual count on record (CVE.org).

Critical vulnerabilities (CVSS 9.0+) made up about 12% of disclosures.

Average time from CVE publication to active exploitation continues to shorten — 30% are exploited within 1 day (Cyentia/Kenna 2024).

60% of breaches involve unpatched vulnerabilities for which patches were available (Ponemon 2024).

AI in security

63% of organizations report deploying AI in security operations in 2025 (Gartner 2025).

AI-augmented attackers also increased: 45% of detected attacks in 2025 used AI in some phase (CrowdStrike 2025 Threat Report).

Prompt injection became OWASP's #1 ranked LLM-application risk in the 2025 Top 10.

Consumer behavior gaps

Only 13% of users have unique passwords for every account (LastPass Psychology of Passwords 2024).

53% of users still use SMS as primary 2FA where stronger options are available (Okta 2024).

1 in 3 users have never installed a password manager (Bitwarden 2024 Survey).

65% of users say they update their phone OS but only 38% verify their router firmware annually (Sentrly editorial estimate).

The good news

Phishing-resistant 2FA adoption increased from 8% to 21% in two years (Cisco Duo 2024).

Passkey availability now covers 87% of top-100 web services (FIDO Alliance 2025).

Major banks reduced SMS-2FA fraud by 50%+ after rolling out app-based push or hardware-key options (multiple bank reports 2024-2025).

Public key infrastructure migration to post-quantum cryptography is on schedule per NIST IR 8547.

Frequently asked questions

Where can I see the original sources?

Each statistic above identifies its primary source. We link directly where possible. The annual reports (IBM, Verizon DBIR, FTC Sentinel, FBI IC3, ENISA Threat Landscape) are publicly downloadable.

Why do statistics in 'cybersecurity' articles vary so much?

Because they cover different scopes (consumer vs enterprise), different time periods, and different methodologies. We try to use the most recent reputable single source per claim rather than averaging across vendor reports.

Why no statistics about specific companies' breach counts?

Per-company breach numbers are lagging indicators and easily cherry-picked. We focus on aggregate industry data from research bodies, government agencies, and primary surveys.

How often do you update this page?

Quarterly, when the major reports refresh. The 'Updated' date at the top reflects the most recent source check.

Are some of these numbers contested?

Yes — methodologies vary. We note ranges where they exist (e.g., 'pig-butchering losses estimated at $75B+ globally' — different sources estimate $40B-$100B). When there's no consensus number, we say so.

Sources & further reading

We cite primary sources whenever possible. Below is the reference list relevant to this category. Specific facts in this article are checked against vendor documentation and the sources we link to inline.

• CISA — Cybersecurity & Infrastructure Security Agency ↗
• OWASP — Open Worldwide Application Security Project ↗
• NIST Cybersecurity Framework ↗
• Have I Been Pwned ↗

How we research: see our Source Policy and Review Methodology. If you spot an inaccuracy, please tell us — we publish corrections at the top of the affected article.

Related guides