48+ cybersecurity statistics you can cite

Global average cost of a data breach in 2024, the highest figure ever recorded.

Up 10% year-over-year. The report aggregates 604 organisations across 17 countries and 17 industries.

Healthcare remains the costliest sector for breaches — fourteenth consecutive year on top.

Average breach cost in India — approximately ₹19.5 crore (US$2.35M), up 28% since 2020.

Average time to identify AND contain a breach worldwide. 194 days to identify, 64 to contain.

Stolen or compromised credentials remain the costliest initial-attack vector — and the slowest to detect.

Breaches that originate in the supply chain cost on average 11.8% more than internally-caused breaches.

Organisations that deployed security AI and automation extensively saved an average $2.22M per breach versus those that didn't.

Confirmed data disclosures analysed in Verizon's 2024 DBIR — across 30,458 real-world security incidents.

Of surveyed organisations were hit by ransomware in the past year.

Average ransom payment in 2024 — five times the 2023 figure of $400K.

Average cost to recover from a ransomware attack (excluding ransom paid), up 50% YoY.

Of ransomware attacks started with an exploited vulnerability — the most common initial vector.

Average eCrime adversary breakout time — how fast attackers move from initial access to lateral compromise.

Year-over-year increase in cloud-based intrusions tracked by CrowdStrike threat-intelligence telemetry.

Of ransomware victims paid the ransom in Q4 2024 — historic low, down from 85% in 2019.

Of breaches in 2024 involved a non-malicious human element — error, mis-routing, or social-engineering victim.

Of breaches involved stolen credentials, making them the most common entry tactic for the third consecutive year.

Pretexting incidents (business email compromise) doubled year-over-year, with median loss of $50,000.

Median time from receipt of a phishing email to the first click by a user.

Baseline phish-prone percentage across untrained employees — one in three clicks on a simulated phishing email.

Phish-prone rate drops to ~4.6% after 12 months of consistent security-awareness training and simulations.

Identity attacks blocked daily by Microsoft Entra ID across the global Microsoft cloud — a 10× year-over-year increase.

Of cloud security failures through 2025 will be the customer's fault — primarily misconfiguration.

Of organisations have experienced a cyber incident from an internet-facing asset they didn't know they owned.

Critical services (databases, RDP, exposed admin panels) found on the public internet in routine scans.

Secrets (API keys, passwords, tokens) discovered in public GitHub repositories in a single year.

Of an enterprise's external attack surface is, on average, undocumented in the CMDB at the start of an EASM engagement.

Multi-cloud environments take 13 days longer to identify and contain a breach than single-cloud environments.

Vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog — actively exploited in the wild.

Reduction in account-compromise risk when multi-factor authentication is enabled on user accounts.

Of all web-application attacks involve credential stuffing — automated reuse of leaked username/password pairs.

Year-over-year increase in MFA-bypass attempts using social engineering, push-fatigue, and adversary-in-the-middle phishing.

Of red-team engagements end with domain-admin compromise via Active Directory weaknesses — Kerberoasting, ACL abuse, GPO misconfiguration.

Unique credentials known to have been exposed in public data breaches indexed by Have I Been Pwned.

Median ratio of non-human identities (service accounts, automation, machine credentials) to human users in enterprise cloud estates.

Typical time from kickoff to first ISO/IEC 27001 certification for a mid-sized organisation.

Total first-year cost for a SOC 2 Type 2 attestation — audit fees, tooling, and internal effort combined.

Cumulative GDPR fines issued since May 2018 — Meta, Amazon, TikTok, and Instagram top the list.

Year India's Digital Personal Data Protection (DPDP) Act became law. Rules and enforcement are rolling out through 2025-2026.

Year the RBI Cyber Security Framework became mandatory for all scheduled commercial banks operating in India.

EU Digital Operational Resilience Act (DORA) enforcement date — applies to all financial entities and their ICT third-party providers.

Control overlap between ISO/IEC 27001 Annex A and SOC 2 Trust Services Criteria — most evidence is reusable across both audits.

Cyber incidents reported to CERT-In in 2023 — a 27% increase over 2022, driven by ransomware, phishing, and supply-chain attacks.

Of Indian organisations experienced at least one ransomware attack in the last 12 months.

Co-operative banks in India subject to RBI cyber-security framework — a sector consistently ranked the most targeted by financial fraud.

Average breach cost across ASEAN — lower than the global $4.88M average but climbing fastest in the world.

Compliance frameworks in India that explicitly mandate periodic VAPT — RBI, SEBI, IRDAI, NPCI, and CERT-In Empanelment.

Indian co-operative banks securing their digital channels with Infilux AppSec's VAPT, GRC, and SOC services.