Cloud Data Center. PHOTO: Cybercrime Magazine.

The World Will Store 200 Zettabytes Of Data By 2025

50 percent of all data to be stored in the cloud Sponsored by Cyera

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Feb. 1, 2024 / Press Release

The 2024 Data Attack Surface Report predicts the total amount of data that the world will need to protect over the next two years.

Cybersecurity Ventures predicts that the total amount of data stored in the cloud — which includes public clouds operated by vendors and social media companies (think Apple, Facebook, Google, Microsoft, Twitter, etc.), government-owned clouds that are accessible to citizens and businesses, private clouds owned by mid-to-large-sized corporations, and cloud storage providers — will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, up from approximately 25 percent stored in the cloud in 2015.

Total global data storage is projected to exceed 200 zettabytes by 2025. This includes data stored on private and public IT infrastructures, on utility infrastructures, on private and public cloud data centers, on personal computing devices — PCs, laptops, tablets, and smartphones — and on IoT (Internet-of-Things) devices.

With this exponential data growth the opportunities — for innovation, and for cybercrime — are incalculable because data is the building block of the digitized economy.


The internet is a pivotal technology that, through time, has and will change the lives of people across the globe. The availability of dial-up, broadband, fiber, and 4G/5G cellular connectivity has given rise to new businesses, jobs, and changes to how we communicate.

According to Cybersecurity Ventures, there were six billion internet users in 2022. It is predicted that this figure will increase to 7.5 billion internet users by 2030 (or 90 percent of the projected world population of 8.5 billion, aged six years or older).

As each new individual joins the online community, the attack surface expands.

Every person connecting to the web brings with them a valuable commodity: data. This can include Personally Identifiable Information (PII) such as names and physical addresses, gender, age, medical records, and financial information; online activity logs, online search records, app usage data, and more.

Data is one of the most valuable commodities organizations collect, store, trade, and sell today. User information can provide the insight required for improved customer relationship management, retention, and service, alongside the data necessary for business analysis and future projections.

As custodians of this information, companies have a responsibility to protect it and adhere to data security standards.

Unfortunately, this wealth of information is also a goldmine for cybercriminals, who are taking advantage of the data explosion to engage in activities including identity theft, credit card cloning, financial fraud, corporate information theft, and extorting custodian organizations through ransomware.


When we consider internet connectivity, it is crucial to consider mobility as an independent market and an area of extreme growth.

In the days of dial-up, internet connections were limited to phone lines, single connections, and desktop PCs. Now, broadband and fiber, wireless connectivity, smartphones, tablets, and Internet of Things (IoT) devices all contribute to an expanding attack surface.

In 2023, there were nearly 7 billion smartphone users worldwide, or over 85 percent of the world’s population. In regards to IoT devices as a whole, estimates suggest that more than 15 billion IoT devices are in active circulation this year.

Cisco estimated that in 2020, wireless and mobile device traffic accounted for two-thirds of total global IP traffic. Cybersecurity Ventures predicts that Wi-Fi and mobile devices will account for nearly 80 percent of IP traffic by 2025, with smartphones alone accounting for more than 55 percent of total IP traffic in the same year. 

Our telecommunications infrastructure is constantly improving and with enhanced speeds, additional spectrum, and lower latency on the table, technology giants are further encouraged to innovate and bring new mobile and IoT devices to market.

The expansion of 5G, for example, has benefits beyond smartphone users. 5G also provides new opportunities in remote and hybrid work, smart cities, industrial solutions, education, healthcare, and next-generation technologies such as artificial intelligence (AI) and machine learning (ML).

In 2023, Ericsson estimated that total 5G subscriptions reached 1.1 billion. By 2028, 5G subscriptions are anticipated to reach 4.6 billion, accounting for over half of all mobile subscriptions.

5G has also had an effect on the widespread adoption of Enterprise Connected Devices (ECDs). ECDs, described as devices that interact with, hold, or process an organization’s data, include business-related mobile devices, IoT products, and devices primarily designed for the enterprise.

ECDs must be backed by strong cellular or Wi-Fi connectivity to function, but as soon as they join the global network, they become a “hugely attractive target for different types of threat actors,” as noted by the UK’s National Cyber Security Centre (NCSC). 

According to the security agency, ECDs expand the attack surface due to many ECD categories — in particular, IoT devices — providing multiple endpoints for cyberattacks. Furthermore, they tend to possess less computing power, which can make the deployment of security applications, patches, and fixes a challenge.

“It is highly likely that the growing number of ECDs being adopted by enterprises presents an expanding attack surface, with many of these devices being accessible over the public internet, and with cybersecurity often being an afterthought,” NCSC informs. “Following initial compromise, it is highly likely that ECDs will be used as an attack vector or pivot point to enable cyber actors to gain access to an enterprise’s corporate network for espionage purposes, disruption, or financial gain.”


Several decades ago, the idea of internet-connected fridges and lights could have been seen as preposterous. But as the recent explosion in connectivity and data generation has taught us, technology can be developed at an astonishing rate, and only our imagination limits us.

We now have smart kitchen appliances, intelligent security cameras and doorbells, internet-connected voice assistants, and robot vacuums as standard household items. While convenient, each of these devices produces data and requires protection.

The problem is that for many years, B2C IoT product developers did not introduce cybersecurity within the design and manufacturing process. This has created a legacy technology problem, with countless consumer IoT devices vulnerable to cyberattacks conducted through automatic scanning, brute-force credential attacks, and more.

For example, the Mirai botnet, and variants thereof, enslaves vulnerable IoT devices to create vast networks of devices able to perform Distributed Denial-of-Service (DDoS) attacks. At its peak, Mirai launched a 1TB/s attack with over 100,000 enslaved devices to take down Domain Name System (DNS) provider Dyn.

The IoT data security challenge is only going to become more complex in the future with the arrival of smart cities, shifting IoT adoption from individual homes to blanket communities.

With the emergence and deployment of smart city technologies, it isn’t only household devices at risk of exposure, compromise, and data theft.

Smart city IoT includes traffic light systems, automotive vehicles, water monitoring systems, building maintenance sensors, electricity meters, and even energy grids.

Data flows from each component in the smart city supply chain, and with it, internet connectivity paves a path for cyberattackers to launch campaigns that can have a substantial impact on citizens.

While data theft and destruction are two objectives for cybercriminals should they elect to attack these devices and networks, attacks may also stem from political purposes — as we observed in a recent assault on Ukraine’s energy grid from the Russian hacking group Sandworm.

Another area to underscore is the smart factory, also known as Industry 4.0. Industrial equipment and components used to be ‘dumb’ — that is, without any form of internet or Bluetooth connectivity — but now, many factories and agricultural centers make use of IoT on the factory floor and beyond.

Smart factories include internet-connected equipment monitoring, predictive analytics, supply chain data collection and analysis, robotics, automation, digital sensors, and both AI and augmented reality (AR) tools to enhance productivity and efficiency in the workplace.

“In the conversations I have with business leaders it’s clear they see the need to invest in Industry 4.0 principles and AI to increase supply chain resilience, but many are still in the piloting stage,” said Thomas Saueressig, an SAP SE Executive Board member.

A SAP-commissioned 2023 survey of supply chain executives across 15 industries in multiple countries found that the smart factory is still in the beginner stages across the majority of organizations.

There is still time to ensure that the wealth of new industrial-connected devices does not further increase the overall attack surface. We may have missed our opportunity in regards to consumer IoT, but with data breaches occurring every day, we can ensure that security isn’t an afterthought in our future industrial systems.


The data attack surface has also been immeasurably changed by how we work.

The COVID-19 pandemic forced organizations to rapidly rethink existing business processes and, with staff furloughed or under stay-at-home orders, many turned to digital solutions to remain operational.

Digital transformation typically requires time and effort in planning, analyzing, testing, and deploying new technologies. However, in a matter of weeks, many organizations shifted their operations to the cloud, relying on remote solutions for everything from project management to sales.

Employees often used their own mobile devices and PCs to access corporate resources during the pandemic, a practice we call Bring Your Own Device (BYOD). In the aftermath of COVID-19, BYOD has become far more common, as are hybrid and remote job roles, despite many companies calling for a return to the office.

According to a survey conducted by Dell, which details responses from 1,000 IT decision-makers, 70 percent of those surveyed believe that their organization has increased exposure to data loss from cyberthreats with the growth of employees working from home.

Now with remote technologies and mobile devices firmly entrenched in work culture, our defenders are responsible for an increased data attack surface. Remote devices must be able to access corporate resources and data securely and effectively, but unless organizations supply the right equipment, securing data falls into the hands — and responsibility — of employees.

It only takes one device that hasn’t been patched, or one malicious app, to potentially compromise an entire corporate network and the data stored within.

As the attack surface continues to evolve and expand, leadership is not standing idly by, with the creation of continuous threat exposure management (CTEM) programs becoming a requirement for the modern enterprise. Gartner predicts that by 2026, organizations prioritizing CTEM security investments will experience two-thirds fewer breaches.


We are in what is known as the Zettabyte Era, a period of time beginning in 2010 in which internet traffic has surpassed a zettabyte. As described by Cisco, a zettabyte is “2 to the 70th power bytes, also expressed as 1021 (1,000,000,000,000,000,000,000 bytes) or 1 sextillion bytes.”

Or, to put it in other words, “a billion terabytes, or a trillion gigabytes.”

Cybersecurity Ventures predicts that the amount of data stored in the cloud alone will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, up from approximately 25 percent stored in the cloud in 2015.

For every jump in connectivity, computing, and mobile technology, skilled help is required to develop and manage the firmware and software required to operate them — and, hopefully, ensure that new code is inherently secure.

Research suggests there were close to 27 million software developers worldwide at last count, which is expected to grow to around 29 million in 2024. Developer Nation estimates that there will be 45 million developers worldwide by 2030.

The world will need to secure 338 billion lines of new software code in 2025, up from 111 billion lines of new code in 2017, based on 15 percent year-over-year growth in new code.

“Security is not an add-on,” according to a McKinsey & Company Insights report. “It has to be a part of the discussion when a product is in the creation stage, all the way to when it is in working mode. Everyone on the development team should think about making sure the product is secure — and know it will be ready to help the customer, whether banking, manufacturing industrial, or medical, ward off an attack.” 


As the data attack surface expands at an exponential rate with no signs of slowing down, cyberattackers have more opportunities than ever to compromise our devices and networks.

Cybersecurity Ventures predicts that cybercrime will cost the world $8 trillion USD in 2023 and $10.5 trillion USD by 2025, growing at a rate of 15 percent per year. As a result, cybercrime will eventually be more profitable than the global trade of all major illegal drugs, combined.

Cybercriminal activities can include system damage or destruction, the theft of intellectual property, and the exposure or theft of personal and private data. Organizations may be extorted to pay a blackmail demand to prevent stolen data from becoming public. Threat actors can also use stolen data to conduct financial fraud and identity theft.

Data is central to the damage cyberattackers can cause to enterprise firms, and many organizations are concerned that their existing data protection measures are not sufficient to handle modern-day threats.

We have provided an overview of the most common cybercriminal tactics below:

  • Social engineering: Social engineering is aimed at convincing victims to hand over sensitive or personal information. This information may then be used to impersonate high-value targets to gain access to services or networks. Initial attack vectors can include phishing emails, malicious links, and telephone calls.
  • Credential theft: Brute-force attacks are typically automated and rely on victims using weak credentials to protect their accounts. Threat actors will often try combinations commonly used and may also perform dictionary-based attacks if the target system does not adequately protect against them. Credentials may also be stolen via social engineering.
  • Data dumps: Existing data leaks, published online, can include working credentials. There are cases of high-profile breaches taking place after cyberattackers utilized credentials leaked by third parties that were used across different services.
  • Vulnerabilities: Cyberattackers can use known and zero-day vulnerabilities to infiltrate networks, steal data, and deploy malware. Exploits for vulnerabilities are often added to exploit kits and malware deployed in drive-by downloads or distributed through malicious links and phishing emails.
  • Initial access traders: To streamline the attack process, some cybercriminals now specialize in finding weak and compromised initial access points in target networks. These initial access vectors are then sold online.
  • Insider threats: Insiders, including employees and contractors, can become malicious or accidental insider threats. A malicious actor could delete, steal, or damage their employer’s records, for example, whereas an accidental insider could fall prey to a phishing attack and expose their organization’s networks to attack, or they may unintentionally leak valuable information.
  • Malware: Different forms of malware are used for information theft and surveillance. The most damaging strains may delete and destroy information or encrypt files and networks.
  • Ransomware: By utilizing ransomware, criminals can steal data, move laterally across networks, and encrypt an organization’s systems.


Ransomware is a huge threat to businesses and their data today.

Ransomware is a vicious family of malware which is able to encrypt files and storage systems. Advanced strains may include modules to scan an infiltrated network first in order to exfiltrate data.

Known variants include Ryuk, LockBit, Petya, NotPetya, Cerber, and CryptoLocker.

Many organizations feel the sting after a successful ransomware attack. Indeed, this criminal enterprise, which has expanded due to Ransomware-as-a-Service (RaaS) offerings, can cost victims millions of dollars in business disruption and post-attack recovery.

Victims tend to receive a ransom demand following encryption, and in cases of double extortion, their data will be stolen prior to the cybercriminals making themselves known. If they refuse to pay up, this information will be posted on leak sites.

Cybersecurity Ventures predicts that ransomware damage costs will exceed $265 billion USD annually by 2031, with a ransomware attack launched against governments, businesses, consumers, and devices every two seconds by 2031.


“The way we build regulations for cybersecurity is centralized,” says Hoda Al Khzaimi, director, Center for Cybersecurity at New York University. “The regulations that this system creates are valuable, but the process takes time. It can take two years for a regulation to be developed. Standardization can take 18 months. A cyberattack takes seconds.”

With so much information at stake and the threat of a cyberattack a persistent shadow, business leaders are taking notice.

Emerging technologies and the expanding data attack surface can outpace the defenses of today’s organizations, as well as existing data regulations.

According to the World Economic Forum’s 2023 Global Cybersecurity Outlook Report, 29 percent of cyber executives see data privacy laws and cybersecurity regulations as effective tools for reducing cyber risks. While this figure is still arguably low, it is an improvement compared to a year prior, when only 17 percent agreed.

While data protection standards including the EU’s GDPR and the US HIPAA bill can guide organizations in how to establish basic data security standards, leaders must go beyond just compliance if they are going to be resilient against today’s cyberthreats.

Data is the new currency in business and in crime. As custodians of vast troves of information and in the face of an ever-increasing data attack surface, it is crucial that organizations consider how best to protect their data, networks, and their future.


The data explosion, and some of the numbers around it:

  • The total amount of data stored in the cloud will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, according to Cybersecurity Ventures.
  • Total global data storage is projected to exceed 200 zettabytes by 2025.
  • There were six billion internet users in 2022, a figure set to increase to 7.5 billion by 2030.
  • 43 percent of organizational leaders think it is likely a cyberattack will materially affect their own organization in the next two years, according to WEF.
  • A Deloitte survey of over 500 executives revealed that 21 percent of respondents involved in their organizations’ digital trust programs lack confidence in program effectiveness, but close to 49 percent added that their organization plans to improve these programs over time.
  • Approximately 15.14 billion IoT devices are in active use in 2023.
  • In 2023, smart city projects resulted in $89.49 billion USD in revenue.
  • Cybersecurity Ventures predicts that cybercrime will cost the world $10.5 trillion USD annually by 2025.
  • In total, 77 percent of chief executive officers surveyed by KPMG view information security as a strategic function.
  • On average, organizations will take 277 days to detect and contain a data breach, according to IBM.
  • Dell research suggests that 70 percent of decision-makers believe remote workers increase the risk of cyber threats.
  • A Cyera & Forrester survey found that 39 percent of organizations believe their legacy technologies are insufficient for current data security requirements.
  • Javelin Strategy & Research estimates that identity fraud losses accounted for $24 billion USD in losses in 2021.

What will come next? It will be yottabytes, which IEEE Spectrum suggests we could see within a decade.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.


Cyera is the data security company that gives businesses deep context on their data, applying proper, continuous controls to assure cyber-resilience and compliance.

Cyera takes a data-centric approach to security across your data landscape, empowering security teams to know where their data is, what exposes it to risk, and take immediate action to remediate exposures.

Backed by leading investors, including Sequoia, Accel, Cyberstarts and Redpoint Ventures, Cyera is redefining how companies secure data in the cloud.