Reports and Statistics

2005 - Bureau of Justice Statistics

The National Computer Security Survey (NCSS) documents the nature, prevalence, and impact of cyber intrusions against businesses in the United States. It examines three general types of cybercrime:

  • Cyber attacks are crimes in which the computer system is the target. Cyber attacks consist of computer viruses (including worms and Trojan horses), denial of service attacks, and electronic vandalism or sabotage.
  • Cyber theft comprises crimes in which a computer is used to steal money or other things of value. Cyber theft includes embezzlement, fraud, theft of intellectual property, and theft of personal or financial data.
  • Other computer security incidents encompass spyware, adware, hacking, phishing, spoofing, pinging, port scanning, and theft of other information, regardless of whether the breach was successful.

Summary Findings

In 2005, among 7,818 businesses –

  • 67% detected at least one cybercrime.
  • Nearly 60% detected one or more types of cyber attack.
  • 11% detected cyber theft.
  • 24% detected other computer security incidents.
  • Most businesses did not report cyber attacks to law enforcement authorities.
  • The majority of victimized businesses (86%) detected multiple incidents, with half of these (43%) detecting 10 or more incidents during the year.
  • Approximately 68% of the victims of cyber theft sustained monetary loss of $10,000 or more. By comparison, 34% of the businesses detecting cyber attacks and 31% of businesses detecting other computer security incidents lost more than $10,000.
  • System downtime lasted between 1 and 24 hours for half of the businesses and more than 24 hours for a third of businesses detecting cyber attacks or other computer security incidents.


2010 Ponemon Statistics (Research funded by HP)

2011 Ponemon Statistics (Research funded by HP)

The costs of 5 high profile data breaches

Here are some interesting statistics regarding the costs associated with some high-profile data breaches. These include notifying customers and penalties for non-compliance, among other things. For instance, the RSA costs include replacing SecurID tokens. None of these numbers are final at this point, and probably won't be for years.


RSA: $400,000,000
CitiGroup: $2,700,000
Sony: potentially $24,000,000,000 (yikes!)
Epsilon: up to $4,000,000,000
Heartland Payment Systems: $140,000,000

Businesses: 90% suffered a data breach during the last year

Average cost of one breached customer record: $318 and climbing
Average total cost of a data breach: $7,200,000

So, what can organizations do to lower these costs once the barn door has been left open and the horses are running free? One approach that seems counter-intuitive to many companies is simply to take the time to do proper forensics and notify only the customers whose data was actually accessed, rather than every customer on file. Ultimately, getting it right the first time is both cheaper and more effective.
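The scoping step described above, as an added example that is not from the original page or from any of the reports it cites. It assumes a hypothetical database audit log (one line per read: ISO timestamp, client IP, database user, customer record ID), an attacker IP and an intrusion window that incident response has already established from other evidence, and uses them to work out which records were actually read. It also handles the two cases where narrowing is unsafe: the log does not cover the whole window, or the attacker shows activity outside the window you assumed.

```python
from datetime import datetime

# Constructed sample of a database audit log (hypothetical format):
# <ISO timestamp> <client IP> <db user> <customer record id>
SAMPLE_AUDIT_LOG = """\
2011-06-01T02:14:05 10.0.0.8 app_ro 1001
2011-06-01T02:14:06 10.0.0.8 app_ro 1002
2011-06-01T03:02:11 198.51.100.7 app_ro 2001
2011-06-01T03:02:12 198.51.100.7 app_ro 2002
2011-06-01T03:02:12 198.51.100.7 app_ro 2001
2011-06-01T03:05:00 10.0.0.9 app_ro 1003
2011-06-01T03:40:59 198.51.100.7 app_ro 2003
2011-06-02T09:00:00 198.51.100.7 app_ro 3001
"""


def parse_audit_log(text):
    """Yield (timestamp, client_ip, db_user, record_id) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, rec = line.split()
        yield datetime.fromisoformat(ts), ip, user, int(rec)


def log_covers_window(text, window_start, window_end):
    """True if the log has entries at or before window_start and at or after
    window_end. Without that coverage the log cannot prove what was NOT read,
    so narrowing the notification list from it would be unsafe."""
    stamps = [ts for ts, _, _, _ in parse_audit_log(text)]
    if not stamps:
        return False
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    return min(stamps) <= start and max(stamps) >= end


def records_accessed_by(text, attacker_ips, window_start, window_end):
    """Set of record IDs read from any attacker IP inside [window_start, window_end].
    Reads by other clients or outside the window are ignored; repeats count once."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    return {
        rec
        for ts, ip, _, rec in parse_audit_log(text)
        if ip in attacker_ips and start <= ts <= end
    }


def attacker_activity_outside(text, attacker_ips, window_start, window_end):
    """ISO timestamps of attacker-IP reads outside the window. Anything here means
    the assumed window is too narrow and must be widened before scoping."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    return sorted(
        ts.isoformat()
        for ts, ip, _, _ in parse_audit_log(text)
        if ip in attacker_ips and not (start <= ts <= end)
    )


def notification_scope(text, attacker_ips, window_start, window_end, all_record_ids):
    """Decide whom to notify. With full log coverage, only the records the
    attacker actually read; without it, fall back to every record on file."""
    if not log_covers_window(text, window_start, window_end):
        return set(all_record_ids), "log does not cover the window; notifying all"
    return (
        records_accessed_by(text, attacker_ips, window_start, window_end),
        "scoped by audit log",
    )


if __name__ == "__main__":
    attacker = {"198.51.100.7"}
    window = ("2011-06-01T03:00:00", "2011-06-01T04:00:00")
    stray = attacker_activity_outside(SAMPLE_AUDIT_LOG, attacker, *window)
    if stray:
        print("attacker activity outside window, widen it:", stray)
    scope, reason = notification_scope(SAMPLE_AUDIT_LOG, attacker, *window, range(1000, 4000))
    print(len(scope), "records to notify:", sorted(scope), "-", reason)
```

Run as-is, the script first flags the attacker's read on 2011-06-02 as evidence that the one-hour window is wrong; in a real case you would widen the window and re-run rather than notify only the three records the narrow window yields. The fallback to notifying everyone when the log does not cover the window is deliberate: the cost argument above only holds when the forensics can actually prove which records were untouched.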

Akamai - State of the Internet. Report detailing the most common attacks and where they originate from for the 1st quarter of 2012.

Symantec Reports Jump in Malicious Sites in July. The number of malicious websites identified by Symantec has inched upward in the past month to 2,189 websites per day, according to the company's latest intelligence report.

Incapsula - What Google doesn't show you: 31% of website traffic can harm your business. Google Analytics doesn't show you the 51% of website traffic that is non-human, including hackers, spammers and other automated visitors; the two figures differ because not all of that automated traffic is malicious.

Additional Statistics to Consider

Hacking has become so common that in November 2011 it became the #1 way businesses lose data.
You are 22 times more likely to lose data to a hacker than to a virus.
60% of companies that lose their data for 10 days or longer file for bankruptcy.



Data Loss Statistics - From datalossdb.org