Cybersecurity Predictions. PHOTO: Cybercrime Magazine.

2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics

The past, present, and future of cybercrime. Sponsored by Cisco

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Jan. 19, 2022

If it were measured as a country, then cybercrime — which was predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world’s third-largest economy after the U.S. and China, Chuck Robbins, Chair and CEO at Cisco, informed, citing research from Cybersecurity Ventures, when he delivered a keynote at last year’s RSA Conference.

Cybersecurity Ventures is excited to release this special second annual edition of the Cybersecurity Almanac, a handbook containing the most pertinent statistics and information for understanding cybercrime and the cybersecurity market.

We have something for everyone including students, parents, academia, government, law enforcement, small-to-midsized businesses, Fortune 500 and Global 2000 companies,  IT workers, cybersecurity experts, chief security officers, boardroom and C-suite executives.

Read on to learn about important dates in history, statistical information, cyberattacks, data breaches, hacks and hackers, criminals, and much more.

CYBERCRIME DAMAGE

  • Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
  • Digital ad fraud is rising sharply. The ad industry loses approximately $51 million per day due to ad fraud and by 2023 that number will skyrocket to $100 billion annually, according to an estimate featured in Bloomberg Law.
  • Cybercrimes are vastly undercounted because they aren’t reported — due to embarrassment, fear of reputational harm, and the notion that law enforcement can’t help (amongst other reasons). Some estimates suggest as few as 10 percent of the total number of cybercrimes committed each year are actually reported.
  • Organized cybercrime entities are joining forces, and their likelihood of detection and prosecution is estimated to be as low as 0.05 percent in the U.S., according to the World Economic Forum’s 2020 Global Risk Report.

RANSOMWARE

  • A report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion (USD) in 2017, up from $325 million in 2015 — a 15X increase in just two years. The damages for 2018 were predicted to reach $8 billion, for 2019 the figure was $11.5 billion, and in 2021 it was $20 billion — which is 57X more than it was in 2015.
  • Ransomware will cost its victims more around $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, as perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over the next 10 years.
  • It is estimated that an organization suffered a ransomware attack every 11 seconds in 2021, according to Cybersecurity Ventures, and it is expected there will be a new attack on a consumer or business every two seconds by 2031.
  • Ransomware attacks on healthcare organizations were predicted by Cybersecurity Ventures to quadruple from 2017 to 2021 and 2022 is expected to continue trending up.
  • Every week, an aviation actor suffers a ransomware attack somewhere in the world.
  • CNA Financial, one of the largest insurance companies in the U.S., reportedly paid hackers $40 million, the largest ransom ever, after a ransomware attack blocked access to the company’s network and stole its data, according to a report from Bloomberg.


CRYPTOCRIME

  • Cryptocrime, or crimes having to do with cryptocurrencies, are predicted to cost the world $30 billion in 2025, up from an estimated $17.5 billion in 2021, according to Cybersecurity Ventures.
  • Cryptocurrency worth some $86 billion (over €76 billion) is currently stored on DeFi platforms, versus $12 billion a year ago, according to sector tracker DeFi Pulse. Users globally have suffered over $12 billion in losses through crime at DeFi apps, crypto lending platforms, and exchanges since 2020, with the majority of losses coming in 2021 alone, according to London-based blockchain analytics firm Elliptic.
  • Crypto scam revenue in 2021 topped $7.7 billion, up 81 percent compared to 2020, according to the blockchain data platform Chainalysis.
  • CryptoSlate reports that in 2021, rug pulls plagued the DeFi ecosystem, and netted over $2.8 billion worth of crypto from victims. Rug pull is a fairly new type of exit scam — typically orchestrated by project insiders, who drain the funds from the liquidity pool — causing the token’s price crash. They accounted for 37 percent of all cryptocurrency scam revenue in 2021, versus just 1 percent in 2020.

BIG HACKS

  • Meris broke the record for the largest volumetric DDoS attack twice, reports The Record. It did it the first time in Jun. 2021, when it was behind a large 17.2 million RPS (request-per-second) DDoS attack that hit a U.S. financial company, according to Cloudflare, which had the unpleasant task of mitigating this particular attack. In Sep. 2021, Qrator Labs said Meris outdid itself again during an attack that hit even a bigger milestone at 21.8 million RPS.
  • The attack on governmental organizations and businesses using the SolarWinds software is the largest and “most sophisticated” (cyber) attack ever, the president of U.S. software giant Microsoft said. “From a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Brad Smith told U.S. broadcaster CBS’ “60 Minutes” program in Feb. 2021. Politico reports the hack exploited business software firm SolarWinds’ Orion product to send malware to about 18,000 public and private organizations, in what is known as a “supply chain” cyberattack.
  • The Yahoo hack in 2016 is still widely considered the world’s largest data breach ever.  In Sep. 2016, Yahoo said that data associated with at least 500 million accounts had been stolen. Three months later, it disclosed a second breach — the one that’s been revealed to have affected all three billion customer accounts that existed at the time.

CYBERSECURITY SPENDING



CYBERINSURANCE

  • Cybersecurity Ventures predicts the cyberinsurance market will grow from approximately $8.5 billion in 2021 to $14.8 billion in 2025, and exceed $34 billion by 2031, based on a CAGR (compound annual growth rate) of 15 percent over an 11-year period (2020 to 2031) calculated.
  • Cyber incidents top the Allianz Risk Barometer (44 percent of responses); Business interruption drops to a close second (42 percent); and Natural catastrophes ranks third (25 percent.). The annual survey from Allianz Global Corporate & Specialty (AGCS), a leading cyberinsurer, incorporates the views of 2,650 experts in 89 countries and territories, including CEOs, risk managers, brokers and insurance experts.
  • 71 percent of respondents (global cyber leaders) to the World Economic Forum’s Global Cybersecurity Outlook 2022 report currently have cyberinsurance, either to limit financial liability for specific cyber incidents, and/or to benefit from incident response and cyber professional services made available through an insurance carrier. Due to emerging ransomware attacks and their volume, the average 2021 cyber insurance premium increase is 180 percent.

BOARDROOM

VENTURE CAPITAL

CYBERSECURITY JOBS

  • Over an eight-year period tracked by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021. For the first time in a decade, the cybersecurity skills gap is leveling off. Looking five years ahead, we predict the same number of openings (3.5 million) in 2025.
  • The Hindu Business Line cites a report from Michael Page, a global recruiting consultancy, which states that India alone is expected to have more than 1.5 million job vacancies in cybersecurity by 2025.
  • The U.S. has a total employed cybersecurity workforce consisting of more than one million people, and there are nearly 600,000 unfilled positions, according to Cyber Seek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.
  • The U.S. Bureau of Labor Statistics projects “information security analyst” will be the 10th fastest growing occupation over the next decade, with an employment growth rate of 31 percent compared to the 4 percent average growth rate for all occupations.
  • The U.S. Bureau of Labor Statistics reports African Americans make up a scant 3 percent of infosec analysts in the U.S. today.
  • A recent survey of over 120 global cyber leaders conducted by the World Economic Forum (WEF) found that 59 percent of all respondents would find it challenging to respond to a cybersecurity incident due to the shortage of skills within their team. While the majority of respondents ranked talent recruitment and retention as their most challenging aspect, business executives appear less acutely aware of the gaps than their security-focused executives, who perceive their ability to respond to an attack with adequate personnel as one of their main vulnerabilities.

BIG TECH

  • Big Tech is hacking the skills shortage in the U.S. Microsoft recently launched a national campaign with U.S. community colleges to help place 250,000 people into the cybersecurity workforce by 2025, representing half of the country’s labor shortage. Microsoft is also quadrupling its cybersecurity investment to $20 billion over the next five years, up from the $1 billion per year they’ve been spending on cybersecurity since 2015.
  • Google’s CEO announced the search giant will invest more than $10 billion over the next five years in cybersecurity. The effort will include helping to secure the supply chain and strengthening open-source security. Google is also running a full-page ad in The Wall Street Journal that says they’re training 100,000 Americans for vital jobs in data privacy and security. A few months ago, the company stated in a blog post that this pledge is being made through the Google Career Certificate program.
  • A Fact Sheet published by The White House announced that IBM will train 150,000 people in cybersecurity skills over the next three years, and they will partner with more than 20 historically black colleges and universities to establish cybersecurity leadership centers to grow a more diverse cyber workforce.


WOMEN IN CYBERSECURITY

  • Women hold 25 percent of cybersecurity jobs globally in 2021, up from 20 percent in 2019, and around 10 percent in 2013, according to Cybersecurity Ventures. This research looks beyond securing corporate networks (which has seen a rise in the number of women), and includes IoT security, IIoT and ICS security, medical device security, automotive cybersecurity, aviation cybersecurity, military cyber defense technology, and other market categories. Further, it covers the cybersecurity service provider ecosystem, which also includes women-owned small businesses, and broadens to include digital forensics and other jobs.
  • Cybersecurity Ventures predicts women will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031. The latest research figure from Cybersecurity Ventures is based on in-depth discussions with numerous industry experts in cybersecurity and human talent, vetting, analyzing and synthesizing third-party reports, surveys, and media sources, and conducting their own list compilation.

TRAINING

  • Code.org joined Microsoft, Google, IBM, Apple, and Amazon at the White House in 2021 and committed to teaching cybersecurity concepts to three million students. This includes two million K-12 students across 35,000 classrooms over the next three years, and the launch of a new instructional cybersecurity video series with a goal of reaching one million students of all ages. 45 percent of Code.org students are young women, and 49 percent are from underrepresented racial and ethnic groups.
  • CISSP (Certified Information Systems Security Professional) is the world’s premier cybersecurity certification granted by the International Information System Security Certification Consortium, also known as (ISC)². As of Jan. 2022, there are 152,632 (ISC)² members holding the CISSP certification worldwide.
  • Cybercrime Magazine highlights 10 hot security certifications for IT workers in 2022 including Certified Ethical Hacker (CEH), Certified in Risk and Information Systems Control (CRISC), Certified Information Privacy Professional/US (CIPP/US), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Cisco Certified Network Associate Security (CCNA), Cisco Certified Network Professional Security (CCNP), CompTIA Security+, and Computer Hacking Forensics Investigator (C|HFI.)

CHIEF INFORMATION SECURITY OFFICERS

FINANCIAL SERVICES

  • Financial institutions (FIs), such as banks and insurance providers, are reporting significantly increased threat levels from COVID-related cybercrime according to research by BAE Systems Applied Intelligence, the cyber and intelligence arm of BAE Systems. According to their 2021 COVID Crime Index, which surveyed 902 organizations in the financial services sector, 74 percent have experienced a rise in cybercrime since the pandemic began, with 42 percent of banks and insurers revealing the remote working model has made them less secure.
  • Financial institutions seek to prevent electronic theft of money and other assets, as cyberspace disruptions, such as denial-of-service attacks, could interrupt or shut down their businesses. According to a private study, the per-company cost of cybercrime is over $18 million for financial services companies, around 40 percent higher than the average cost for other sectors.

HEALTHCARE

  • Cybersecurity Ventures predicts the global healthcare cybersecurity market will grow by 15 percent year-over-year over the next five years, and reach $125 billion cumulatively over a five-year period from 2020 to 2025.
  • Cybersecurity Ventures predicts that healthcare suffered 2-3X more cyberattacks in 2021 than the average amount for other industries. Woefully inadequate security practices, weak and shared passwords, plus vulnerabilities in code, exposes hospitals to perpetrators intent on hacking treasure troves of patient data.

INTERNET USERS



ATTACK SURFACE

  • By 2023, there will be 3X more networked devices on Earth than humans, according to a report from Cisco. And by 2022, 1 trillion networked sensors will be embedded in the world around us, with up to 45 trillion in 15 years.
  • The world will store 200 zettabytes of data by 2025, according to Cybersecurity Ventures. This includes data stored on private and public IT infrastructures, on utility infrastructures, on private and public cloud data centers, on personal computing devices — PCs, laptops, tablets, and smartphones — and on IoT (Internet-of-Things) devices.
  • It’s predicted that the total amount of data stored in the cloud — which includes public clouds operated by vendors and social media companies (think Apple, Facebook, Google, Microsoft, Twitter, etc.), government-owned clouds that are accessible to citizens and businesses, private clouds owned by mid-to-large-sized corporations, and cloud storage providers — will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, up from approximately 25 percent stored in the cloud in 2015.
  • The research team at Cybersecurity Ventures predicts the world will need to secure 338 billion lines of new software code in 2025, up from 111 billion lines of new code in 2017, based on 15 percent year-over-year growth in new code.
  • From connected cars to traffic lights, home security systems, connected toys and smart speakers, the combined B2C and B2B IoT market is due to reach 75 billion IoT devices by 2025, according to Cisco. IDC expects that number to reach 200 billion by 2031. Every “Thing” generates or stores data and poses a security risk.
  • Some estimates put the size of the deep web (which is not indexed or accessible by search engines) at as much as 500 times larger than the surface web, and growing at a rate that defies quantification. The Darknet, a subset of the darkweb, or deepweb, is a place where illegal activity thrives and criminals function in perceived anonymity, according to the U.S. Department of Homeland Security.

CARS

AUTHENTICATION

  • More than 300 billion passwords were used by humans and machines worldwide in 2021, according to Cybersecurity Ventures.
  • More than half of U.S. consumers think biometric authentication methods are faster, more convenient and more trustworthy than passwords or PINs — but less than 10 percent are using biometric authentication.
  • Multi-factor authentication (MFA) a.k.a. two-factor authentication (2FA) should be turned on 100 percent of the time, but it may only be 50 percent effective. Hackers have spent years closely studying MFA systems, poking and prodding them to understand how they work and where they may be vulnerable — and figuring out how they can be bypassed or compromised.

FEDERAL BUREAU OF INVESTIGATION 

  • The FBI’s rogue’s gallery of cybercriminals has expanded rapidly, with 105 people currently featured on the agency’s ‘Cyber’s Most Wanted’ list — up from 63 people in 2019, and 19 in 2016. They are wanted for a range of crimes including computer intrusion, wire fraud, identity theft, money laundering, theft of trade secrets, and more.
  • The FBI’s Internet Crime Complaint Center released its annual 2020 Internet Crime Report in Mar. 2021, which includes information from 791,790 complaints of suspected internet crime — an increase of more than 300,000 complaints from the year prior.
  • The FBI reported that the Business Email Compromise (BEC), aka Email Account Compromise (EAC) — a sophisticated scam targeting both businesses and individuals performing wire transfer payments — cost around $26 billion in losses globally from 2016 to 2019. Based on those figures and other estimates, Cybersecurity Ventures predicts total BEC damages from 2013 (when the FBI began tracking it) to 2021 exceed $45 billion.
  • The FBI said thousands of people had filed complaints about online romance scams that resulted in losses totaling about $133 million for 2021.

SMALL BUSINESSES

  • “There are 30 million small businesses in the U.S. that need to stay safe from phishing attacks, malware spying, ransomware, identity theft, major breaches and hackers who would compromise their security,” says Scott Schober, author of the popular books “Hacked Again” and “Cybersecurity Is Everybody’s Business.”
  • More than half of all cyberattacks are committed against small-to-midsized businesses (SMBs), and 60 percent of them go out of business within six months of falling victim to a data breach or hack.
  • 66 percent of SMBs had at least one cyber incident in the past two years, according to Mastercard.
  • A Better Business Bureau survey found that for small businesses — which make up more than 97 percent of total businesses in North America — the primary challenges for more than 55 percent of them in order to develop a cybersecurity plan are a lack of resources or knowledge.
  • A Cisco report debunks myths having to do with SMBs who have 250 to 500 employees: Less than 1 percent do not have anyone dedicated to security; 72  percent have employees dedicated to threat hunting, compared to 76 percent of large organizations; 56 percent have a daily or weekly patch routine, compared to 58 percent of large organizations; and an impressive 86 percent have clear metrics for assessing the effectiveness of their security, compared to 90 percent of large organizations.


DO YOU KNOW?

  • There are currently more than 1,900 distinct hacking groups that are active today, a number that grew from 1,800 groups recorded at the end of 2019, according to The Record.
  • The 5 most cyber-attacked industries over the past 7 years are healthcare, manufacturing, financial services, government, and transportation. Cybersecurity Ventures predicts that retail, oil and gas / energy and utilities, media and entertainment, legal, and education (K-12 and higher ed), will round out the top 10 industries for 2022.
  • ATM makers, banks, and law enforcement have been scrambling to defend the 400,000 ATMs in the U.S. against “jackpotting” since 2018. When cybercriminals take control of the machine, cash spews out of it like a Las Vegas jackpot. Jackpotting has been rising worldwide, though it’s unclear how much has been stolen because victims and police often do not disclose details.
  • Cybercrime is increasingly being directed at high net worth individuals and family offices. According to a study featured by Barclays Private Bank, more than a quarter of ultra-high-net-worth (UHNW) families, family offices and family businesses, with an average wealth of $1 billion USD, have been targeted by a cyberattack.
  • Fines for violations of the European Union’s landmark privacy law have soared nearly sevenfold in the past year, according to new research from the law firm DLA Piper. EU data protection authorities have handed out a total of $1.25 billion in fines over breaches of the bloc’s General Data Protection Regulation (GDPR) since Jan. 28, 2021. That’s up from about $180 million a year earlier.
  • There are nearly 5.3 billion unique mobile phone users in the world today, according to the latest data from GSMA Intelligence. Mobile security threats are on the rise: Mobile devices now account for more than 60 percent of digital fraud, from phishing attacks to stolen passwords.

SOME HISTORY

  • The world’s first national data network was constructed in France during the 1790s. It was a mechanical telegraph system, consisting of chains of towers, each of which had a system of movable wooden arms on top. The French telegraph system was hacked in 1834 by a pair of thieves who stole financial market information — effectively conducting the world’s first cyberattack.
  • Before computer hacking, there was phreaking. The “ph-” was for phone, and the phreaks liked to reverse engineer the system of tones that telecommunications companies used for long-distance dialing. Recreating the tones for each number, at just the right pitch, could mean making a free call rather than running up expensive charges. In 1957, Joe Engressia (Joybubbles), a blind, 7-year-old boy with perfect pitch, hears a high-pitched tone on a phone line and begins whistling along to it at a frequency of 2600Hz, enabling him to communicate with phone lines and become the U.S.’s first phone hacker or “phone phreak.”
  • The modern definition of the word “hack” was first coined at MIT in April 1955, and the first known mention of computer hacking occurred in a 1963 issue of The Tech.
  • The first computer virus, Creeper, was named after a Scooby-Doo cartoon show character. Creeper was written in 1971 by BBN computer programmer Bob Thomas. BBN, Bold, Beranek, and Newman, now Raytheon BBN Technologies, developed packet switching networks for ARPANET.
  • Brain is the industry standard name for a computer virus that was released in its first form in Jan. 1986, and is considered to be the first computer virus for the IBM Personal Computer (IBM PC) and compatibles.

ACCORDING TO CISCO

  • 39 percent of security technologies used by organizations are considered outdated, according to a report from Cisco.
  • Cisco asked over 5,100 IT and security professionals across 27 countries about staying resilient when disaster strikes. Key findings include: Organizations with board-level oversight of business continuity and disaster recovery are the most likely (11 percent above average) to report having strong programs; Organizations that regularly test their business continuity and disaster recovery capabilities in multiple ways are 2.5 times more likely to maintain business resiliency; Organizations that make chaos engineering standard practice are twice as likely to achieve high levels of resiliency.
  • Overall, cryptomining, phishing, ransomware, and trojans averaged 10x the internet activity of all other threat types, according to a 2021 report by Cisco.
  • Nearly half (46 percent) of Cisco 2021 Consumer Privacy Survey respondents feel they are unable to effectively protect their data today. This is despite having over 140 national and multinational privacy laws around the world, regulations requiring privacy notices and choice for consumers, and security technologies to help prevent unauthorized access. Respondents included 2,600 adults (over the age of 18) in 12 countries (5 Europe, 4 Asia Pacific, and 3 Americas).
  • The main reason consumers don’t feel safe is the lack of transparency and clarity with respect to business data practices. 76 percent told Cisco that it’s too hard for them to understand what’s going on and how their information is being used. What companies are actually doing with their data remains a mystery.


AS SEEN IN CYBERCRIME MAGAZINE

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.


About Cisco

The 2022 Cybersecurity Almanac is sponsored by Cisco (NASDAQ: CSCO), the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure, and empowering your teams for a global and inclusive future.

As the largest enterprise cybersecurity company in the world, we lead the way with solutions that are driving the industry in SASE, XDR, and zero trust. Integrating it all is Cisco SecureX, our security platform that provides simplicity, visibility and efficiency across your security infrastructure.

Discover more on The Network and follow us on Twitter @Cisco.