24 Jun 2024 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics

The past, present, and future of cybercrime. Brought to you by Cybersecurity Ventures and Evolution Equity Partners

– Steve Morgan, Editor-In-Chief

Sausalito, Calif. – Jun. 24, 2024

If it were measured as a country, then cybercrime — which is predicted to inflict damages totaling $9.5 trillion USD globally in 2024, according to Cybersecurity Ventures — would be the world’s third-largest economy after the U.S. and China, surpassing the wealth of entire nations.

Cybersecurity Ventures is excited to release this special fourth annual edition of the Cybersecurity Almanac, a handbook containing the most pertinent statistics and information for understanding cybercrime and the cybersecurity market.

We have something for everyone, including students, parents, academia, government, law enforcement, small-to-midsized businesses, Fortune 500 and Global 2000 companies, IT workers, cybersecurity experts, chief security officers, the boardroom, and C-suite executives.

The latest edition of the Cybersecurity Almanac provides an enlightening journey into noteworthy security incidents and the hackers behind them, as well as a comprehensive overview of critical historical dates, insightful statistical information, the cyberdefense landscape, cybersecurity investment trends, and more.

CYBERCRIME DAMAGE

• Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next two years, reaching $9.5 trillion USD globally this year and $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.
• The average cost of a data breach (at larger organizations) reached an all-time high in 2023 of $4.45 million USD, based on data analyzed from over 553 breaches in 16 different countries, according to IBM’s Cost of a Data Breach Report. This represents a 2.3 percent increase from the 2022 cost of $4.35 million USD. Taking a long-term view, the average cost has increased 15.3 percent from $3.86 million USD in 2020.
• Following three years of intensive research, an international team of researchers has compiled the first ever “World Cybercrime Index,” which identifies the globe’s key cybercrime hotspots by ranking the most significant sources of cybercrime at a national level. The index, published in Apr. 2024, shows that a relatively small number of countries house the greatest cybercriminal threat. Russia tops the list, followed by Ukraine, China, the U.S., Nigeria, and Romania. The U.K. comes in at number eight.
• Reporting practices concerning illegal cyber activity have improved, but in 2024, we are still faced with a situation where Cybersecurity Ventures predicts that less than 25 percent of cybercrimes committed globally are reported to law enforcement, up from less than one in seven cybercrimes that were reported in 2018, according to the U.S. Department of Justice.

---

---

WHAT’S AT RISK

• Cybersecurity Ventures estimates that around half of all cyberattacks globally strike small businesses, and it’s been reported in various media outlets over the past decade that 60 percent of small companies go out of business within six months of falling victim to a data breach or cyberattack.
• 60 percent of small businesses say that cybersecurity threats, including phishing, malware, and ransomware, are a top concern, according to the MetLife & U.S. Chamber of Commerce Small Business Index for Q1 2024. Less than half of small businesses say they are concerned about theft (42 percent), natural disasters (39 percent), or an act of terrorism (37 percent).
• Roughly one million more people join the internet every day. There were around 6 billion people connected to the internet interacting with data in 2022, up from 5 billion in 2020 — and we predict there will be more than 5 billion internet users in 2030. If street crime grows in relation to population growth, so will cybercrime.
• Total global data storage is projected to exceed 200 zettabytes by 2025. This includes data stored on private and public IT infrastructures, on utility infrastructures, on private and public cloud data centers, on personal computing devices — PCs, laptops, tablets, and smartphones — and on IoT (Internet-of-Things) devices. Cybersecurity Ventures predicts that the total amount of data stored in the cloud — which includes public clouds operated by vendors and social media companies (think Apple, Facebook, Google, Microsoft, X, etc.), government-owned clouds that are accessible to citizens and businesses, private clouds owned by mid-to-large-sized corporations, and cloud storage providers — will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, up from approximately 25 percent stored in the cloud in 2015. 

RANSOMWARE

• The global cost of ransomware was predicted to reach $20 billion USD in 2021, up from $325 million USD in 2015. Cybersecurity Ventures expects ransomware damage costs to exceed $265 billion USD annually by 2031.
• Cybersecurity Ventures predicted that a business fell victim to a ransomware attack every 11 seconds in 2021, up from every 14 seconds in 2019. The frequency of ransomware attacks on governments, businesses, consumers, and devices will continue to rise over the next seven years and hit every two seconds by 2031.
• CNA Financial made the biggest ransomware payout on record. The Chicago-based company paid $40 million USD to the Phoenix cybercriminal group, believed to come from Russia.
• Verizon’s 2024 Data Breach Investigation Report (DBIR) found that 32 percent of all data breaches involved ransomware or other extortion techniques, with a median loss of $46,000 per breach. Pure extortion increased to 9 percent of all breaches.
• Health care and public health organizations made up the highest number of ransomware attacks in the U.S. with 249 reported last year, according to the FBI’s Internet Crime Report 2023. Hackers view hospitals, clinics and other health care organizations as lucrative targets because operators tend to pay a ransom to keep critical services running, Axios reports.

---

---

CRYPTOCRIME

• Cryptocrime, including exit scams, rug pulls, and theft is predicted to cost the world $30 billion USD in 2025, Cybersecurity Ventures predicts, rising at a rate of around 15 percent annually. This is more than twice the record-setting (at the time) $14 billion USD lost in 2021, according to a report from blockchain research firm Chainalysis.
• The largest cryptocurrency hack to date was conducted in Mar. 2022 and targeted the network that supports the popular Axie Infinity blockchain gaming platform. Hackers breached the Ronin Network and made off with around $625 million worth of Ethereum and the USDC stablecoin. U.S. officials said that a North Korean state-backed hacking collective, Lazarus Group, was linked to the theft.
• Over 20,000 crypto tokens have been manipulated via decentralized exchange (DEX) wash trading in the last three years, according to market surveillance firm Solidus Labs. In its “2023 Crypto Market Manipulation Report” released in Sep. 2023, they state that among a sample of 30,000 Ethereum-based DEX liquidity pools, nearly 70 percent were found to have executed wash trades since Sep. 2020 — making up for around $2 billion worth of crypto. Wash trading is a form of market manipulation where an entity buys and sells the same asset giving the false impression of market activity.
• Scams and frauds accounted for approximately a third of all cryptocrime in 2023, according to TRM Labs data. While some crime categories, such as darknet drugs sales, remained buoyant, the volumes of hacked and sanctions-exposed funds posted significant declines due in part to increased pressure from governments and law enforcement bodies.
• In Jan. 2024, hackers stole around $112 million of the Ripple-focused cryptocurrency XRP from a crypto wallet, Ripple’s co-founder and executive chairman had disclosed. Ripple’s Chris Larsen said at the time that the stolen crypto was his. He wrote on X that “there was unauthorized access to a few of my personal XRP accounts (not Ripple) — we were quickly able to catch the problem and notify exchanges to freeze the affected addresses. Law enforcement is already involved.”

RECENT MAJOR HACKS

• In May 2023, a ransomware gang called Clop began abusing a zero-day exploit of Progress Software’s MOVEit Transfer enterprise file transfer tool. Clop’s widespread attack saw it steal data from government, public, and business organizations worldwide, including New York City’s public school system, a UK-based HR solutions and payroll company with clients including British Airways and BBC, and others. More than 2,600 organizations and 77 million people had been impacted by the MOVEit hack as of Nov. 2023.
• In Oct. 2023, MGM Resorts International said that a cyberattack in Sep. 2023 disrupted its operations and would cause a $100 million hit to its third-quarter results, as it worked to restore its systems. One of the world’s largest gambling firms, MGM shut down its systems after detecting the attack to contain damage. The situation became so dire that federal authorities and the White House became involved in the recovery effort.
• In Dec. 2023, genetic testing company 23andMe announced that hackers accessed the personal data of 0.1 percent of customers, or about 14,000 individuals. The company also said that by accessing those accounts, hackers were also able to access “a significant number of files containing profile information about other users’ ancestry.” But 23andMe would not say how many “other users” were impacted by the breach that the company initially disclosed in early Oct. 2023. As it turns out, there were a lot of “other users” who were victims of this data breach: 9 million affected individuals in total.
• Change Healthcare, a subsidiary of healthcare giant UnitedHealth, was hit by a massive cyberattack in Feb. 2024. For several weeks, healthcare staff in practices across the U.S. were not able to receive payments from patients. CBS News called it the “biggest ever cybersecurity attack on the American healthcare system.” UnitedHealth’s Apr. 2024 earnings report noted that $872 million were spent on “unfavorable cyberattacks effects,” and the corporation’s CEO later confirmed that an additional $22 million ransom was paid to the hacker group. The company expects the cyberattack to cost $2.3 billion or more this year.

---

---

• A cyberattack on U.S. pharmaceutical solutions company Cencora in Feb. 2024 led to nearly a dozen pharma firms that partner with Cencora to disclose data breaches. Notifications published by the California Attorney General’s office from these companies indicated that the Cencora incident was the catalyst for their breaches. The companies are Bayer, Novartis, Regeneron, AbbVie, Incyte, Genentech, Sumitomo Pharma America, GlaxoSmithKline, Acadia, Endo, and Dendreon. This underscores the interconnected nature of data security within the pharmaceutical industry and highlights the ripple effect a single cyberattack can have on multiple organizations.
• In Mar. 2024, several French state services were targeted by a denial-of-service (DDoS) attack, that Prime Minister Gabriel Attal’s office described as a breach of “unprecedented intensity.” During almost an entire day, over 300 web domains and 177,000 IP addresses associated with the government were impacted, including severe disruptions to major public service websites.
• Roku said hackers gained unauthorized access to 576,000 accounts, the company’s second data-breach incident this year, prompting the streaming-hardware maker to institute additional security measures for users. In an Apr. 2024 blog post, Roku said the hackers likely gained access to the accounts by using usernames and passwords from other sites where customers may have used the same login credentials. This type of automated cyberattack is known as credential stuffing. San Jose, Calif.-based Roku has a user base of 80 million.
• Major London hospitals had to cancel operations and blood transfusions after being hit by a cyberattack that led to them declaring it a “critical incident” in Jun. 2024. Seven hospitals suffered serious disruption to their services as a result of a ransomware attack targeting a private company that analyses blood tests for them. More than 800 planned operations and 700 outpatient appointments were rearranged in the first week after the attack. The cyber assault also prompted an urgent call for blood donations.
• In Jun. 2024, as many as 165 customers of cloud storage provider Snowflake have been compromised by a group that obtained login credentials through information-stealing malware, researchers from Mandiant, a Google-owned security firm, said. Live Nation confirmed that data from its TicketMaster group stored on Snowflake had been stolen following a posting offering the sale of the full names, addresses, phone numbers, and partial credit card numbers for 560 million Ticketmaster customers. Mandiant said that all the compromises it has tracked so far were the result of login credentials for Snowflake accounts being stolen by infostealer malware and stored in vast logs, sometimes for years at a time.
• Roughly 15,000 car dealerships across the U.S. and Canada suffered without software systems crucial to running their business, following multiple cyberattacks on CDK Global in Jun. 2024. The company is one of just a handful of dealer management system providers that underpin auto retailers’ ability to access customer records, schedule appointments, handle car-repair orders and complete transactions. Bloomberg reported that the company was planning to pay the tens of millions of dollars that the group behind the hacks had demanded in order to restore service. Direct losses to the auto dealerships impacted by the outages could reach a collective $1 billion, according to Michigan-based Anderson Economic Group (AEG), whose analysts said the first two weeks cost dealers $600 million.

BIGGEST HACKS EVER

• The credit card payment processor Heartland Payment Systems was compromised in 2008, and an estimated 130 million customer accounts were accessed, making it one of the largest credit card hacks in history. Albert Gonzalez and two Russian hackers placed sniffer programs within the Heartland system. These sniffers intercepted credit card credentials in real time and relayed the data back to them. He was found guilty in 2010 and sentenced to an unprecedented 20 years in prison.
• The Stuxnet worm, uncovered in 2010, was a sophisticated cyber weapon used to target and damage Iran’s nuclear enrichment facilities. Stuxnet temporarily crippled Iran’s capacity to develop nuclear material and caused about one-fifth of centrifuges to be destroyed. The virus is widely attributed as a joint effort by U.S. and Israeli intelligence agencies.
• The 2013 Cryptlocker malware attacked upwards of 250,000 machines by encrypting their files. It displayed a red ransom note with a payment window. The virus’ creators used a worm called the Gameover Zeus botnet to make and send copies of the CryptoLocker virus. Although CryptoLocker itself was easily removed, the affected files remained encrypted in a way that researchers considered unfeasible to break. Many said that the ransom should not be paid, but did not offer any way to recover files; others said that paying the ransom was the only way to recover files that had not been backed up. Some victims claimed that paying the ransom did not always lead to the files being decrypted.
• In what is considered the largest data breach in history, all 3 billion Yahoo user accounts were compromised by a 2013 breach that went undetected for three years. The attackers, believed to be state-sponsored hackers from Russia, stole names, email addresses, phone numbers, birthdates, and encrypted passwords from Yahoo’s user database. A separate 2014 intrusion also allowed hackers to gain the account keys needed to access the private information of over 500 million accounts.
• In Nov. 2014, a hacker group calling itself the “Guardians of Peace” carried out a devastating cyberattack against Sony Pictures in retaliation for the planned release of the comedy film The Interview. The hackers stole and released over 100 terabytes of confidential data including upcoming film scripts, employee salaries, financial records, and thousands of private emails. They also wiped over half of Sony Pictures’ global network.
• In May 2017, a massive ransomware attack known as WannaCry spread to over 200,000 computer systems across 150 countries. The attack encrypted files on infected systems and demanded ransom payments in Bitcoin to decrypt them. Total financial losses from the WannaCry attack were estimated to exceed $4 billion.
• In Jun. 2017, organizations around the world were hit by another destructive ransomware attack known as NotPetya. It is considered one of the most damaging cyber attacks to date, causing over $10 billion in damages. Major multinational companies were severely impacted, including shipping company Maersk, pharmaceutical giant Merck, and the French construction company Saint-Gobain. The attack also crippled computer systems across Ukraine where it is believed to have originated.
• The credit reporting agency Equifax announced in Sep. 2017 that the personal information of over 145 million Americans had been exposed in a massive data breach. The attackers exploited a security flaw to gain access to Equifax systems and stole sensitive customer information including Social Security numbers, birthdates, addresses, and some driver’s license numbers.
• In 2020, state-backed hackers exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the U.S., U.K., Israel and Canada. The cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud. The bombshell revelations sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it. The sprawling operation targeted some of the U.S. government’s most sensitive data.
• Global meat supplier JBS was hit by a massive attack during the 2021 Memorial Day weekend. This was one of the biggest hacks in history to affect a player in food production. This ransomware attack brought its beef and pork slaughterhouses in North America and Australia to a standstill. The company obliged the attackers’ demand and paid an $11 million USD ransom to resume its operations.

---

---

HISTORIC VIRUSES

• For computer buffs visiting Pakistan’s historic city of Lahore, it seemed too good a bargain to pass up. A shop called Brain Computer Services was selling brand-name computer programs, such as Lotus 1-2-3 and WordStar, for as little as $1.50 each, according to TIME. From early 1986 to late 1987, scores of Americans — most of them students and backpackers — snapped up cut-rate disks for use on their computers back home. Hidden in nearly every disk was an extra program not supplied by any manufacturer: a snippet of computer code many considered to be the world’s most sophisticated computer virus. Every time an unsuspecting user lent his new disk to a friend or colleague, and every time the disk was run on a machine shared by other users, the code spread from one computer to another. The so-called Brain virus had found its way onto at least 100,000 floppy disks, sometimes with data-destroying impact. In each case the illicit program left behind a calling card for those savvy enough to find it: a message that began with the words WELCOME TO THE DUNGEON, and was signed by brothers Amjad Farooq Alvi, 26, and Basit Farooq Alvi, 19, the owners of Brain Computer Services.
• At around 8:30 p.m. EST on Nov. 2, 1988, a malicious program developed by 23-year-old Robert Morris was unleashed on the internet from a computer at the Massachusetts Institute of Technology (MIT), according to the FBI. The Morris Worm was soon propagating at remarkable speed and grinding computers to a halt. Within 24 hours, an estimated 6,000 of the approximately 60,000 computers that were then connected to the internet had been hit. The rogue program had infected systems at a number of the prestigious colleges and public and private research centers that made up the early national electronic network. This was a year before the invention of the World Wide Web. The Morris Worm inspired a new generation of hackers and a wave of internet-driven assaults that continue to plague our digital systems to this day.
• ILOVEYOU, sometimes referred to as the Love Bug or Loveletter, was a computer worm that infected over ten million Windows personal computers on and after May 5, 2000. It started spreading as an email message with the subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.TXT.vbs.” Onel de Guzman, a then-24-year-old computer science student at AMA Computer College and resident of Manila, Philippines, created the malware.
• With nearly $20 billion in estimated damages, The Klez Worm infected about 7.2 percent of all computers in 2001, or 7 million PCs. Klez sent fake emails, spoofed recognized senders and, among other things, attempted to deactivate other viruses. As with other viruses and worms, Klez was released in several variants. It infected files, copied itself, and spread throughout each victim’s network. It hung around for years, with each version more destructive than the last.
• Code Red was a computer worm observed on the internet on Jul. 15, 2001. It attacked computers running Microsoft’s IIS web server. It was the first large-scale, mixed-threat attack to successfully target enterprise networks. The Code Red computer virus was yet another worm that penetrated 975,000 hosts. It displayed the words “Hacked by Chinese!” across infected web pages, and it ran entirely in each machine’s memory. In most cases it left no trace in hard drives or other storage. Financial costs are pegged at $2.4 billion. The virus attacked websites of infected computers and delivered a distributed denial of service (DDoS) attack on the U.S. White House’s website.
• The Sobig Worm was a computer worm that infected millions of internet-connected, Microsoft Windows computers in Aug. 2003. As of 2018, Sobig is the second fastest computer worm to have ever entered the wild, being surpassed only by Mydoom. Sobig was not only a computer worm in the sense that it replicates by itself, but also a Trojan horse in that it masquerades as something other than malware.
• 20 years ago, the internet came as close to a total meltdown as we’ve seen since its commercialization in the 1990s. A UDP network worm payload of just 376 bytes, targeting UDP destination port 1434, aggressively propagated to all vulnerable, internet-connected Microsoft SQL Server hosts worldwide within a matter of minutes. Popularly known as the SQL Slammer (though the name Sapphire was suggested within the academic community, it didn’t catch on) worm, it infected around 75,000 vulnerable servers worldwide. The significant disruption it caused made international news. It was enough to bring many networks to a screeching halt, and disrupted retail credit card point-of-sale systems and ATMs worldwide.
• The worst computer virus outbreak in history, according to HP, Mydoom caused estimated damage of $38 billion in 2004. Also known as Novarg, this malware is technically a “worm,” spread by mass emailing. At one point, the Mydoom virus was responsible for 25 percent of all emails sent. Though a $250,000 reward was offered, the developer of this dangerous computer worm was never caught. Mydoom scraped addresses from infected machines, and then sent copies of itself to those addresses. It also roped those infected machines into a web of computers called a botnet that performed distributed denial of service (DDoS) attacks. These attacks were intended to shut down a target website or server.
• The Zeus computer virus is an online theft tool that hit the web in 2007. A whitepaper by Unisys three years later estimated that it was behind 44 percent of all banking malware attacks. By then, it had breached 88 percent of all Fortune 500 companies, 2,500 organizations total, and 76,000 computers in 196 countries. The Zeus botnet was a group of programs that worked together to take over machines for a remote “bot master.” It originated in Eastern Europe and was used to transfer money to secret bank accounts. More than 100 members of the crime ring behind the virus, mostly in the U.S., were arrested in 2010.
• Neel Mehta of Google’s security team privately reported Heartbleed to the OpenSSL team on Apr. 1, 2014. Codenomicon discovered it independently at approximately the same time, and reported HeartBleed on Apr. 3, 2014. At the time of disclosure, some 17 percent (around half a million) of the internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. Journalists deemed the Heartbleed bug “catastrophic.”

---

---

ARTIFICIAL INTELLIGENCE (AI)

• 63 percent of security professionals believe in AI’s potential to enhance security measures, especially in improving threat detection and response capabilities, according to a Cloud Security Alliance survey commissioned by Google. Only 12 percent of the security professional respondents believe that AI will completely replace their role.
• 80 percent of AI decision-makers are worried about data privacy and security and only 10 percent of organizations have a reliable system in place to measure bias and privacy risk in large language models (LLMs), according to a study sponsored by SAS that surveyed 300 U.S. GenAI strategy or data analytics decision-makers to pulse check major areas of investment and the hurdles organizations are facing. The same study found 93 percent of U.S. businesses lack a comprehensive governance framework for GenAI, and the majority are at risk of noncompliance when it comes to regulation.
• In Apr. 2024, Google announced a major Gmail AI security update for its three billion users. The results: 20 percent more spam is blocked in Gmail using large language models (LLMs); 1,000 percent more user-reported Gmail spam is reviewed each day; 90 percent faster response time dealing with new spam and phishing attacks in Google Drive.
• Threat actors aren’t attacking generative AI (GenAI) at scale yet, but AI security threats are coming. That prediction comes from IBM’s 2024 X-Force Threat Intelligence Index. Increased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cybercriminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned in more than 800,000 posts on dark web forums and illicit markets. That high level of activity provides an accurate gauge of interest. These attacks may not be happening now, but this interest indicates groundwork and planning phases.
• Gartner predicts that by 2026, enterprises that combine GenAI with an integrated platforms-based architecture in security behavior and culture programs (SBCP) will experience 40 percent fewer employee-driven security incidents.
• In an Apr. 2024 survey of 600 fraud-management officials at banks and financial institutions by banking software company Biocatch, 70 percent said the criminals were more skilled at using AI for financial crime than banks are at using it for prevention.
• With AI as an accomplice, fraudsters are reaping more money from victims of all ages. People reported losing a record $10 billion to scams in 2023, up from $9 billion a year prior, according to the Federal Trade Commission. Since the FTC estimates only 5 percent of fraud victims report their losses, the actual number could be closer to $200 billion.

CYBERSECURITY MARKET

• Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $1.75 trillion USD cumulatively for the five-year period from 2021 to 2025, growing 15 percent year-over-year.
• According to McKinsey & Company, the corporate sector is poised to spend $213 billion on cybersecurity software in 2024. However, that isn’t nearly enough to defend against what Cybersecurity Ventures estimates will be $9.5 trillion worth of damage caused by cybercrime throughout the year. McKinsey believes companies should be collectively spending $2 trillion each year instead, which leaves a gap of $1.8 trillion.
• Gartner predicts that by 2028, enterprise spend on battling malinformation will surpass $500 billion, cannibalizing 50 percent of marketing and cybersecurity budgets.
• Evolution Equity Partners, based in New York City, Palo Alto, Calif., London, and Zurich, raised $1.1 billion for its Evolution Technology Fund III, the world’s largest-ever cybersecurity investment fund. Evolution plans to use roughly 75 percent of the new fund for growth investments, Richard Seewald, the firm’s founder and managing partner, told The Wall Street Journal. Another 15 percent of committed capital will go to later-stage companies and 10 percent for newer startups.

---

---

• AI is reshaping nearly every industry — and cybersecurity is no exception. A recent research report estimated the global market for AI-based cybersecurity products was about $15 billion in 2021 and will surge to roughly $135 billion by 2030.
• Gartner forecasts that spending on data privacy and cloud security are projected to record the highest growth rates in our industry for 2024, with each segment increasing more than 24 percent year-over-year. Privacy remains a top organizational priority as regulations that impact the processing of personal data continue to emerge, including those related to the use of AI. Gartner predicts that by 2025, 75 percent of the world’s population will have its personal data covered by modern privacy regulations.
• Global spending on security awareness training for employees (previously one of the most underspent cybersecurity budget items) is predicted to exceed $10 billion USD by 2027, according to Cybersecurity Ventures, up from around $5.6 billion USD in 2023.
• Spending on security services — consulting, IT outsourcing, implementation and hardware support — is forecast by Gartner to total $90 billion in 2024, an increase of 11 percent from 2023. Security services is expected to represent 42 percent of total security and risk management end-user spending in 2024, and to remain the largest area of security and risk management spending in 2024.
• Deltek forecasts the demand for vendor-supplied cybersecurity products and services by the U.S. federal government will increase from $15.8 billion in FY 2023 to $20.1 billion in FY 2027.

CYBERINSURANCE

• Cybersecurity Ventures predicts the cyberinsurance market will grow to $14.8 billion USD in 2025 and will exceed $34 billion USD by 2031, based on a compound annual growth rate (CAGR) of 15 percent calculated over an 11-year period (2020 to 2031).
• Despite a growing number of cyber incidents and heightened privacy regulation, the U.S. market showcased expansion of a buyer-friendly cyber (insurance) market. Throughout 2023, cyberinsurance premium rates decreased by an average of 17 percent, according to AON.
• Analysis of 1,800+ cyber claims submitted to cyberinsurer Marsh in the U.S. and Canada in 2023 reveals that 21 percent of clients that purchased a cyber policy reported an event in 2023. The number of reported ransomware events is under 20 percent of total reported cyber claims from Marsh clients for the past two years. Ransomware attacks remain central to most cyber risk discussions as they continue to increase in frequency, sophistication, and severity and remain the dominant cyber threat to many organizations’ daily operations, long-term finances, reputation, and more.
• According to cyberinsurance provider Coalition, 56 percent of all claims last year (they handled) were either business email compromise (BEC) or funds transfer fraud (FTF), while ransomware accounted for 19 percent.
• Woodruff Sawyer’s annual survey of cyberinsurance carriers found more than half — 56 percent — of underwriters surveyed said they believe cyber risk will increase greatly in 2024. While the survey found 2024 is bringing a shift in concern for underwriters, with privacy violations and data breaches drawing more concern than last year, ransomware remains the most significant threat as 63 percent ranked it their number one threat for 2024.
• A survey of more than 100 brokers and insurers who shared their insights on U.S. cyberinsurance trends highlighted the challenges facing insurers in assessing a client’s cyber risk. The top three issues were the lack of accurate, real-time cyber exposure insight (35 percent), clients not being transparent about their cybersecurity practices (21 percent), and accurately estimating systemic loss through modeling (21 percent).

BIG TECH

• Microsoft launched a national campaign with U.S. community colleges to help place 250,000 people into the cybersecurity workforce from 2021 to 2025, representing half of the country’s labor shortage. Microsoft also increased its planned cybersecurity investment to $20 billion over five years, up from the $1 billion per year it had been spending on cybersecurity since 2015. Last year, Microsoft CEO Satya Nadella announced that Microsoft Security has surpassed $20 billion USD in revenue.
• Citing Cybersecurity Ventures skills shortage data, the Redmond giant announced last year a new partnership under its Ready4Cybersecurity program in Asia to improve access to cybersecurity skills and careers for underrepresented groups. The program aims to certify 100,000 young women and underrepresented youth in cybersecurity by 2025.

---

---

• In 2021, Google announced an investment of more than $10 billion through 2025 in cybersecurity. The effort will include helping to secure the supply chain and strengthening open-source security. Google also said they’re training 100,000 Americans for vital data privacy and security jobs. They are providing $15 million to create 15 new cybersecurity clinics at universities across the country, the company informed in Jun. 2024. The tech giant has also funded 2,000 students to earn a Career Certificate in Cybersecurity in Africa. Last year, Google started offering a Cybersecurity Professional Certificate training program for anyone, including those with no background in coding or computer science. The program, created by cybersecurity experts at Google, is designed to provide people with job-ready skills in under 6 months to jumpstart their career.
• IBM has committed to providing 30 million people in more than 30 countries across the Americas, Asia Pacific, Europe, Middle East and Africa, with learning opportunities to plug skills gaps in the technology sector, cybersecurity included, by 2030. Partnerships extend to NGOs focusing on underserved youth, women, and military veterans.
• In Jun. 2024, Cisco Investments, the global corporate venture investment arm of Cisco, launched a $1B AI investment fund to bolster the startup ecosystem and expand the development of secure, reliable, and trustworthy AI solutions. Cisco has already committed nearly $200M of the $1B investment fund to date.

BOARDROOM

• Cybersecurity Ventures predicts that by 2025, 35 percent of Fortune 500 companies will have board members with cybersecurity experience, and by 2031 that will climb to more than 50 percent. This is up from a Heidrick & Struggles estimate of 17 percent in 2021.
• Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75 percent of CEOs by 2024, according to Gartner, Inc. Due to the nature of cyber-physical systems (CPSs), incidents can quickly lead to physical harm to people, destruction of property or environmental disasters. Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.
• Research from Trend Micro reveals that 79 percent of global cybersecurity leaders have felt boardroom pressure to downplay the severity of cyber risks facing their organization. Of those security leaders who came under pressure from their board, 42 percent say it is because they are seen as being overly negative.
• Harvard Business Review surveyed 600 board members about their attitudes and activities around cybersecurity. Their research shows that despite investments of time and money, most directors (65 percent) still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost half believe they are unprepared to cope with a targeted attack. Just 69 percent of responding board members see eye-to-eye with their CISOs.

WOMEN IN CYBER

• There’s a shortage of women in the cybersecurity industry. A Cybersecurity Ventures report found that women accounted for 25 percent of cybersecurity jobs worldwide in 2022. The organization predicted that women “will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031.”
• Black women are a vastly underrepresented group in technology and cybersecurity. The National Center for Women & Information Technology (NCWIT) has stated that of the 25 percent of women working in tech, just 3 percent of them are black. And only an undetermined fraction of those women are in cybersecurity.
• It is widely assumed that most cybercriminals are male. A recent report from Trend Micro sheds light on the numbers and finds that approximately 30 percent of cybercriminal forum participants are women.
• In 2018, Girl Scouts of the USA (GSUSA) partnered with Palo Alto Networks to add cybersecurity badges to Girl Scout programming. As of 2023, more than 315,00 cybersecurity badges have been earned by Girl Scouts.
• In Mar. 2024, Cisco signed an agreement with the Karnataka government in India under which it will train 40,000 people in cybersecurity skills and awareness. Out of that, 50 percent will be women to help meet the growing need for cyber talent as organizations look to bolster defenses against an evolving and complex threat landscape.

---

---

CHIEF INFORMATION SECURITY OFFICERS

• The world’s first CISO was anointed in 1994, when financial services giant Citigroup (then Citicorp) set up a specialized cybersecurity office after suffering a series of cyberattacks from Russian hackers.
• Cybersecurity Ventures estimates there are now at least 32,000 CISOs employed worldwide. Zippia, established through a database of 30 million profiles and verified against Census Bureau data, estimates over 7,523 chief security officers (an interchangeable term with CISOs) are “currently employed” in the U.S.
• According to Cybersecurity Ventures, 100 percent of Fortune 500 companies and the majority of Global 2000 organizations employ a CISO or an equivalent role in 2024, up from 70 percent in 2018.
• Only 5 percent of CISOs reported directly to the CEO in 2023, down from 8 percent in 2022 and 11 percent in 2021, according to a Heidrick & Struggles survey of 262 CISOs in the U.S., Europe, and Asia Pacific.
• Gartner estimates that by 2025, nearly half of cybersecurity leaders will change roles — and 25 percent for different roles entirely — due to stress, psychological pressure, and burnout, among other factors.
• The gender gap remains a chasm when we consider the top roles in cybersecurity. For example, women only hold 17 percent of chief information security officer (CISO) roles at Fortune 500 companies, according to research from Cybersecurity Ventures.

CYBERSECURITY JOBS

• Global cybersecurity job vacancies grew by 350 percent, from one million openings in 2013 to 3.5 million in 2021, enough to fill 50 NFL stadiums, according to Cybersecurity Ventures.
• The number of unfilled jobs leveled off in 2022, and remains at 3.5 million in 2024, with around a half-million of those positions in the U.S., according to CyberSeek. Industry efforts to source new talent and tackle burnout continues, but we predict that the disparity between demand and supply will remain through at least 2025.
• Employment of information security analysts is projected to grow 32 percent from 2022 to 2032, much faster than the average for all occupations, according to the U.S. Bureau of Labor Statistics (BLS). The median annual wage for information security analysts was more than $120,000 as of May 2023.
• India alone is expected to create one million new cybersecurity jobs by 2025. According to NASSCOM, the Indian cybersecurity market will be close to a valuation of $500 billion USD by 2030.
• The cybersecurity unemployment rate for the most experienced positions hovers at around zero percent, and will likely remain so for years to come.
• Forbes’ 2024 Cybersecurity Job Outlook looks at entry-level, mid-level, and advanced salaries in our field, including Cybercrime Analyst @ $101,000, Penetration Tester (aka Ethical Hackers) @ $125,000, Cybersecurity Architect @ $147,000, Incident and Intrusion Analyst @ $98,000, IT Auditor @ $99,000, and Cybersecurity Engineer @ $132,000.
• The average Chief Information Security Officer salary in the U.S. is $243,943, according to Salary.com, with some CISO pay packages exceeding $500,000 and even $1 million, according to Fortune Magazine.

---

---

SOME HISTORY

• The world’s first national data network was constructed in France during the 1790s. It was a mechanical telegraph system, consisting of chains of towers, each of which had a system of movable wooden arms on top. The French telegraph system was hacked in 1834 by a pair of thieves who stole financial market information — effectively conducting the world’s first cyberattack.
• Before computer hacking, there was phreaking. The “ph-” was for phone, and the phreaks liked to reverse engineer the system of tones that telecommunications companies used for long-distance dialing. Recreating the tones for each number, at just the right pitch, could mean making a free call rather than running up expensive charges. In 1957, Joe Engressia (Joybubbles), a blind, 7-year-old boy with perfect pitch, hears a high-pitched tone on a phone line and begins whistling along to it at a frequency of 2600Hz, enabling him to communicate with phone lines and become the U.S.’s first phone hacker or “phone phreak.”
• The modern definition of the word “hack” was first coined at MIT in April 1955, and the first known mention of computer hacking occurred in a 1963 issue of The Tech.
• The first computer virus, Creeper, was named after a Scooby-Doo cartoon show character. Creeper was written in 1971 by BBN computer programmer Bob Thomas as an experiment in self-duplicating code.
• The first notable ransomware incident was caused by the AIDS Trojan in 1989. Malicious floppy disks containing the Trojan were handed out to roughly 20,000 attendees of the World Health Organization’s AIDS conference by “the father of ransomware,” Joseph Popp. Victims were told to send $189 to PC Cyborg Corporation at a PO box in Panama. Although, as it was simple malware, decryption tools were made available quickly.

– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Venture

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback, and suggestions.

---