Enterprise organizations have a lot to deal with these days on the cybersecurity front.

The adoption of cloud and mobile technologies has significantly expanded the attack surface, even as the threat landscape itself has kept evolving constantly. IT organizations are under tremendous pressure to respond to business requirements while ensuring the security of corporate data. And regulations such as California's Consumer Privacy Act, scheduled to go into effect next January, and the already-in-force GDPR in Europe have considerably raised the stakes for companies that experience data breaches.

Situational awareness has become key to security for most organizations. Managing cyber risk is no longer just about applying the right controls for detecting, preventing, and mitigating internal threats. To get the full picture, security teams also need to stay on top of the latest developments in the threat landscape, understand their own exposure to those threats, know who is behind them, and learn how it is impacting their peers.

Here are statistics culled from multiple well-known and respected sources on some of the most important cybersecurity trends. (Note that registration is required to download some of the reports the data came from.)

Data breaches and cyberattacks

4: Average number of attacks IT security leaders said their organization had experienced in a year

Some 20% said their organizations got hit six or more times annually, and 80% said they had experienced at least one cybersecurity incident over the last 12 months that was so severe it required a board-level meeting.

Source: Collective Offense Calls for Collective Defense (IronNet)

65%: Security pros who expect to be responding to a major breach in the next year

Nearly two-thirds of security professionals in a survey of attendees at Black Hat USA 2019 that believe their organization will have to respond to at least one major cybersecurity breach over the next 12 months. Last year, the figure was 59%.

Source: Consumers in the Crosshairs (Black Hat USA)

77%: Security leaders anticipating a critical infrastructure breach

More than three quarters of IT security leaders anticipate a major breach involving a critical infrastructure organization in the near future. Just over one in five (21%) believe the government is prepared to respond to such a critical infrastructure breach.

Source: Consumers in the Crosshairs (Black Hat USA)

52%: Share of data breaches caused by external hacks

More than half of the 2,013 confirmed data breaches that Verizon investigated in 2018 were caused by external hacking. Some 33% of these external attacks included a social media vector, and 28% involved malware.

Source: 2019 Data Breach Investigations Report (Verizon)

34%: Proportion of breaches involving an insider

More than a third of breaches in 2018 involved an internal actor. Organized crime groups were involved in 39% of breaches last year.

Source: 2019 Data Breach Investigations Report (Verizon)

94%: Malware delivered by email last year

More than nine in 10 malware infections were delivered to victims via email last year. The most commonly used file type for concealing malware was Microsoft Office documents (45%), followed by Windows apps (26%).

Source: 2019 Data Breach Investigations Report (Verizon)

20,373: Number of complaints the FBI received last year involving business email compromise (BEC) attacks

BEC fraud resulted in losses of over $1.2 billion last year and continues to remain one of the most prolific and fastest-growing crime categories.

Source: 2018 Internet Crime Report (FBI)

45%: Proportion of organizations with comprehensive encryption protection

Less than half of companies have a consistent encryption plan implemented across the entire enterprise. Some 42% have implemented encryption in a somewhat more limited fashion, for specific applications and data types, for example.

Source: 2019 Global Encryption Trends Study (nCipher Security)

Cybersecurity skills shortage

80%: Number of security pros who find it harder in 2019 to find people with security skills

Eight in 10 respondents in a survey of over 336 security professionals said finding security skills had become harder this year than it was in 2017. Some 47% said they already were experiencing a cybersecurity skills gap.

Source: Cybersecurity Skills Gap Survey 2019 (Tripwire)

68%: Share of pros who said skills shortages were impacting their security operations

More than two-thirds of security professionals in a survey said a cybersecurity skills shortage was impacting their ability to stay on top of vulnerabilities. Some 60% said it had a negative impact on incident detection and response, 53% said it resulted in insecure configurations, and 42% said they were unable to translate security data into intelligence because of a lack of skills.

Source: Cybersecurity Skills Gap Survey 2019 (Tripwire)

Privacy

90%: Share of security pros who believe their personal data is at risk

Nine in 10 respondents in a survey of over 2,000 security professionals believe their personal data is available to criminals at any time, no matter how careful they are. Less than one-third (30%) of them think that consumers will be able to protect their security and identities in the future.

Source: Innovate MR for Nixplay

55%: Americans who believe their mobile conversations are being monitored

More than half of respondents in a survey of 2,003 Americans think their mobile device conversations are being secretly monitored for targeted advertising purposes. Some 43% said they had often seen advertising on their mobile devices that was related to a recent conversation.

Source: Innovate MR for Nixplay

Security operations

20%: Percentage of practitioners who say their SecOps practices are mature

Only one in five respondents to a survey of over 250 security operations practitioners described their organizations as having a mature security operations capability. The remaining 80% reported that they are just getting started on their maturity journey or are only midway through it.

Source: 2019 Security Operations Maturity Report (Cyentia Research for Siemplify)

3.5: Average number of major functions a SecOps staff member handles

Some staff handle as many as 12. Only a quarter of staff in organizations with immature SecOps practices possess coding skills, compared to 40% in organizations with a mature SecOps program.

Source: 2019 Security Operations Maturity Report (Cyentia Research for Siemplify)

94%: Security decision makers who take part in collective defense

More than nine in 10 of 200 IT security decision makers surveyed claimed their organizations currently invest in or subscribe to some form of collective defense. This includes sharing IPs, file hashes, domain names, and other types of threat information. The same proportion (94%) said they'd be willing to increase threat-intelligence sharing if it provided demonstrable benefits.

Source: Collective Offense Calls for Collective Defense (Vanson Bourne for IronNet)

Cybersecurity in the C-suite

82%: Share of CEOs who say they have a high level of cybersecurity knowledge

Eight in 10 CEOs in a study of 263 senior executives at companies around the world claimed to have a high level of knowledge about cybersecurity-related issues. Similarly, 84% of CIOs and CTOs in the same survey reported that same level of cybersecurity awareness.

Source: 2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security Into a Competitive Advantage (Merrill Research for Radware)

31%: Percentage of security leaders who say lack of visibility of sensitive data is a compliance concern

Nearly one-third of security leaders say a lack of visibility of sensitive data could impact their ability to comply with regulatory requirements. Nearly 90% say they don't have adequate visibility of the data that they are required to protect.

Source: 2019 Security Leader’s Peer Report (Censuswide for Panaseer)

$4.6 million: Average cost to recover from a cyberattack for organizations with more than $1 billion in revenue

The number marked a sharp increase from the average of $3 million reported in 2018.

Source: 2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security Into a Competitive Advantage (Merrill Research for Radware)

Third-party/supply-chain risk

97%: Percentage of financial services pros who worry about third-party risk

Nearly all of the respondents in a survey of 126 financial services professionals expressed major concern over third-party cyber risk. Nearly eight in 10 said they had already terminated or would decline a business relationship because of a vendor's cybersecurity performance.

Source: Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices (BitSight and CeFPro)

Ransomware

20%: Percentage decline in overall number of ransomware infections in 2018

Last year was the first since 2013 that ransomware volume declined.

Source: Internet Security Threat Report 2019 (Symantec)

81%: Percentage of all ransomware infections accounted for by enterprises

While overall ransomware numbers declined, enterprise infections went up by 12% in 2018.

Source: Internet Security Threat Report 2019 (Symantec)

Web application security

4,800: Average number of websites infected per month with formjacking code

Formjacking malware is designed to steal credit card data, bank account information, and other sensitive data that individuals enter into web forms.

Source: Internet Security Threat Report 2019 (Symantec)

67%: Share of web attacks that could be used for targeted attacks

More than two-thirds of web application attacks targeted at vulnerabilities or weaknesses reveal technical, configuration, environmental, or other information that could be used to launch targeted attacks. Information leakage attacks doubled in 2018 compared to the year before.

Source: Attacks on Web Applications: 2018 in Review (Positive Technologies)

20.4%: Share of web traffic carrying malicious bots

A fifth of web traffic in 2018 had bad or malicious bots designed to create automated attacks on websites, web application programming interfaces (APIs), and mobile applications. Nearly 74% of the bad bots were of the advanced and persistent variety.

Source: 2019 Bad Bot Report (Distil Networks)

GDPR compliance

34%: Percentage of IT pros who questioned disclosing accidental data breaches

More than a third of respondents in a survey of 298 IT professionals at Infosecurity Europe 2019 said they would not disclose, or are not sure if they would disclose, an accidental data breach if there was no evidence of an attacker having access to the data. Some 32% felt the same way about a ransomware attack where there was no evidence of data theft.

Source: State of Security Report (Tripwire)

22%: Share of a companies' folders accessible to every employee

One in five folders is open to all employees. At over half of all organizations (53%), employees have access to over 1,000 sensitive files.

Source: 2019 Varonis Global Data Risk Report

71%: Percentage of companies with 5,000 stale files protected under GDPR

Nearly three quarters of companies have more than 5,000 stale files containing data protected under GDPR. On average, companies have over 3,440 exposed files containing sensitive data per terabyte.

Source: 2019 Varonis Global Data Risk Report

Cybersecurity spending

$103.1 billion: Worldwide spending on security hardware, software, and services

Analyst firm IDC expects organizations' worldwide spending on security hardware, software, and services in 2019 to increase 9.4% increase over last year. Spending will continue to grow at a compound annual growth rate of 9.2%, IDC said, and will top $133 billion in 2022.

Source: Worldwide Semiannual Security Spending Guide (IDC)

$21 billion: Amount organizations will spend on managed security service providers in 2019

Enterprises will use managed security service providers (MSSPs) for functions such as round-the-clock security monitoring and managing security operations centers.

Source: Worldwide Semiannual Security Spending Guide (IDC)

Incident response

22%: Percentage of organizations with limited resources available to respond to a security incident

One in five respondents to this survey said they have only temporary resources, or no resources at all, to respond to a security incident. This is despite the fact that two-thirds of all organizations experience between one and 25 breaches every single month.

Source: 2019 Incident Response Report (BAE Systems)

30%: Percentage of attacks handled by incident response teams that are targeted attacks

Besides healthcare and government agencies, a growing number of financial organizations and small and medium-size businesses are being affected by targeted attacks as well.

Source: 2019 Incident Response Report (BAE Systems)

Keeping on top of cybersecurity trends is a challenge. This list is a good starting point. Add the cybersecurity stats that matter to your team in the comments below.

Keep learning