Cybercrime isn’t just a technical issue—it’s a financial one. For businesses, the damage from cyberattacks can be devastating. From lost revenue to reputational harm, the true cost of these attacks is often far higher than what many companies expect. Below, we’ll break down 30 of the most important stats on cybercrime costs and, more importantly, explain what they mean for your business and how you can protect yourself. Let’s dive in.

1. Global cybercrime costs are projected to reach $10.5 trillion annually by 2025

That number is hard to wrap your head around, but it tells us one thing clearly: cybercrime is a booming business. Criminals are getting more advanced, and the damage they cause continues to grow every year.

For businesses, this means you must take cybersecurity seriously—no matter your size. Don’t wait until an attack happens to act. Start by performing a security audit.

Identify where you store sensitive data, who has access, and how it’s protected. From there, invest in tools like firewalls, antivirus software, and encryption.

Also, educate your employees regularly. Even the most advanced system can be undone by one careless click on a phishing email. Finally, have a response plan ready. Knowing what to do if you’re attacked can drastically reduce costs and downtime.

2. The average cost of a data breach in 2023 was $4.45 million

This number includes everything from lost sales and legal fees to PR cleanup and even customer churn. For many companies, especially small to midsize businesses, this kind of financial hit could be catastrophic.

What can you do? First, prioritize data classification. Not all data is equal—focus on securing the most sensitive information first. Use multi-factor authentication and make sure only the right people can access sensitive files.

It’s also smart to test your security regularly. Run penetration tests or hire outside experts to simulate a breach. You’ll uncover weak spots before criminals do. Don’t forget to back up your data offsite so if a breach occurs, recovery is faster and less expensive.

3. Ransomware attacks cost businesses an average of $1.85 million per incident

Ransomware locks you out of your data until you pay a fee. It’s becoming more common and expensive. Even if you pay, there’s no guarantee your data will be restored.

To avoid becoming a victim, keep your software updated. Hackers often get in through outdated systems. Backups are your best friend here—if you have a clean copy of your files, you don’t need to pay.

Train your team to recognize suspicious emails and links. Most ransomware gets in through a single click. Use endpoint protection on all devices and segment your network so the infection can’t spread easily.

4. 60% of small businesses go out of business within 6 months of a cyberattack

This is perhaps the most frightening stat on the list. Smaller companies often don’t have the resources to recover, and attackers know that.

If you’re a small business, start small but smart. Implement basic protections like strong passwords and a secure Wi-Fi network. Outsource your IT security if you don’t have an in-house team—it’s more affordable than recovering from an attack.

Consider cyber insurance as well. It won’t prevent an attack, but it can help you recover. Also, make sure your most critical business functions can keep running even if your systems go down.

5. Phishing attacks cost U.S. businesses over $14.8 million annually on average

Phishing is one of the easiest ways for criminals to get in—and it’s very effective. All it takes is one person clicking a link or opening an attachment.

To fight back, focus on awareness. Regular training goes a long way. Use real-life phishing simulations to test your team’s reactions. The more they practice, the better they’ll get at spotting fake emails.

Also, implement email filtering tools that scan for suspicious messages. They aren’t perfect but can catch many attempts before they reach your team. If you catch a phishing attempt, report it. The faster you act, the more damage you can prevent.

6. The average cost per stolen record in a data breach is $165

That number adds up fast. If 10,000 records are stolen, you’re looking at $1.65 million. And this includes legal fees, customer compensation, and loss of trust.

To reduce your risk, limit the amount of data you store. Only keep what you need. Encrypt everything—especially customer and employee data. And delete data when it’s no longer needed.

Have clear access controls. Know who can access what, and monitor for unusual activity. A data loss prevention system (DLP) can help detect if sensitive data is being moved where it shouldn’t be.

7. Business email compromise (BEC) scams cost businesses over $2.7 billion in 2022

BEC scams are sneaky. They involve tricking someone into sending money or sensitive info by pretending to be a trusted person—like the CEO.

These scams usually don’t involve malware, so they’re harder to detect. Train your team to always verify big or unusual requests, especially those involving money transfers. Pick up the phone and confirm with the person directly.

Use email authentication protocols like DMARC, DKIM, and SPF to help prevent impersonation. And limit who can approve or initiate financial transactions.

8. Downtime from cyberattacks costs businesses an average of $5,600 per minute

Every minute your systems are down costs money—whether it’s lost sales, lost productivity, or both. Multiply that by hours or days, and you get a real crisis.

Invest in business continuity planning. That means knowing how you’ll continue operations during a tech outage. Have backups ready to go and systems you can switch to quickly.

Consider setting up failover systems for key applications. Also, run tabletop exercises where your team practices responding to a cyberattack scenario. The faster you respond, the less downtime you’ll face.

9. Cyber insurance claims increased by over 75% between 2020 and 2022

More businesses are realizing that insurance is an essential part of cybersecurity. But insurers are also getting stricter—if your defenses are weak, they may not cover you.

If you’re shopping for cyber insurance, read the fine print. Understand what’s covered and what’s not. Work with a broker who understands cyber risk.

Before applying, make sure your security practices are solid. Insurers will want to see that you’re managing risk. That means firewalls, antivirus, access controls, and incident response plans.

10. 43% of cyberattacks target small and medium-sized businesses

Hackers love smaller businesses because they often lack strong defenses. Many assume they won’t be targeted—but they’re actually a top target.

If you’re a smaller business, focus on covering the basics. Use strong passwords, enable two-factor authentication, and train employees regularly.

Don’t ignore updates. Software patches fix vulnerabilities hackers love to exploit. And if you don’t have internal IT support, partner with a managed service provider who can help you stay protected.

11. The average time to identify and contain a breach is 277 days

That’s a long time for an attacker to be inside your system. The longer they stay, the more damage they can do.

Speed is key. Invest in tools that monitor your systems and alert you to suspicious activity. Security information and event management (SIEM) systems can help with this.

Also, review logs regularly. Look for failed logins, unusual file transfers, or access from odd locations. Don’t ignore small signs—early detection makes a big difference.
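
The log review described above can be partly automated. The following added example (not from the original article) scans OpenSSH-style authentication log lines for a burst of failed logins, a successful login that follows such a burst, and a login from a source address not seen before for that user. The log lines, host name, thresholds and the assumed year are constructed for illustration.

```python
# Added example: flag failed-login bursts and logins from new sources.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample log (documentation IP ranges, hypothetical host web01).
SAMPLE_LOG = (
    ["Jan 10 08:00:00 web01 sshd[811]: Accepted publickey for alice "
     "from 192.0.2.10 port 50122 ssh2"]
    + [f"Jan 10 09:00:{s:02d} web01 sshd[902]: Failed password for alice "
       "from 203.0.113.7 port 41000 ssh2" for s in (1, 11, 21, 31, 41)]
    + ["Jan 10 09:01:00 web01 sshd[902]: Accepted password for alice "
       "from 203.0.113.7 port 41000 ssh2",
       "Jan 10 09:05:00 web01 sshd[950]: Failed password for invalid user admin "
       "from 198.51.100.4 port 39000 ssh2"]
)

def review_auth_log(lines, threshold=5, window=timedelta(minutes=10), year=2024):
    """Return (alert, source_ip, user) tuples in the order they were raised."""
    failures = defaultdict(deque)   # source IP -> recent failure timestamps
    sources = defaultdict(set)      # user -> source IPs with a past success
    alerts = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue                # not an sshd login result line
        stamp, outcome, user, ip = match.groups()
        # Syslog timestamps omit the year, so one is assumed here.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("failed-login burst", ip, user))
        else:
            if len(recent) >= threshold:
                alerts.append(("success after failed-login burst", ip, user))
            if sources[user] and ip not in sources[user]:
                alerts.append(("login from new source", ip, user))
            sources[user].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)
```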

12. Insider threats cost organizations an average of $15.38 million annually

Insiders don’t always act maliciously. Sometimes they just make mistakes. But the result is the same: exposed data and financial loss.

Control access carefully. Not everyone needs access to everything. Use the principle of least privilege—only give people what they need to do their job.

Monitor insider activity, especially for those handling sensitive data. If someone suddenly downloads thousands of files, that should raise a red flag. And when employees leave, revoke their access immediately.

13. The cost of cybercrime for the healthcare industry averages $10.93 million per breach

Healthcare data is incredibly valuable to criminals. It includes personal, financial, and insurance info—all in one place.

If you’re in healthcare, encryption is a must. Patient data should never be stored or sent in plain text. Also, regularly audit your systems to ensure compliance with HIPAA and other regulations.

Educate staff on privacy practices and phishing threats. Healthcare workers are often targeted due to high stress and limited tech training. Use access controls to keep sensitive records locked down.

14. 95% of cybersecurity breaches are due to human error

That’s nearly all of them. The best tech in the world can’t protect your business if people don’t use it correctly.

Clicking the wrong link, reusing passwords, or leaving devices unlocked can open the door to an attack.

So what’s the fix? Start with training. Make it regular, make it practical, and make it relevant. Teach employees how to recognize phishing, why password hygiene matters, and how to report suspicious activity.

Also, simplify things. Use password managers so people don’t have to remember complex logins. Set systems to lock automatically after inactivity.

And make security part of the company culture—not something scary or annoying, but something important that everyone takes part in.

15. The global cybersecurity market is projected to exceed $300 billion by 2027, largely due to rising costs of cybercrime

This means companies everywhere are investing more in cybersecurity—and for good reason. If you’re not, you risk falling behind and becoming an easy target.

You don’t have to spend a fortune to improve. Start by allocating a portion of your IT budget specifically for security. Use it to get basic protections in place, like antivirus software, firewalls, and backup systems.

As your company grows, invest in more advanced solutions like threat detection, endpoint security, and vulnerability scanning. Even more importantly, invest in your people. Security tools help, but a well-trained team is your best defense.

16. Malware-related attacks cost businesses an average of $2.6 million per incident

Malware can sneak in through websites, email attachments, or even USB drives. Once inside, it can steal data, crash systems, or spread through your entire network.

To fight malware, make sure all devices have updated antivirus software. Set it to scan automatically and keep it current. Don’t allow users to install their own software without approval—it could contain malware.

Also, monitor your network for unusual activity. If a machine starts behaving oddly, investigate. And if malware is found, isolate the infected systems immediately before it spreads.

17. Supply chain attacks increased by over 78% in 2022, with an average cost of $4.46 million per incident

You may have great security—but what about your vendors and partners? If they’re compromised, it can affect you too.

Start by vetting all third-party vendors. Ask about their cybersecurity practices. Require them to follow the same standards you do. If they access your systems, limit what they can see and do.

Regularly review and update contracts to include security requirements. And monitor vendor access just like you would your own employees. If something seems off, investigate fast.

18. DDoS attacks cause an average of $218,000 in damages per attack

DDoS (Distributed Denial of Service) attacks flood your systems with traffic, crashing websites and services. Even a short disruption can cost thousands.

To reduce your risk, work with your hosting provider or ISP to set up DDoS protection. Many offer traffic filtering to block malicious traffic.

Also, create a response plan. Know who to call and what to do if your site is attacked. Communicate with customers during downtime, and have a backup platform ready if needed.

19. The financial services industry spends more on cybersecurity than any other sector, averaging $2,300 per employee

This sector is a prime target, so it’s no surprise they invest heavily. But the lesson for everyone else is that serious security requires serious investment.

If you’re in finance—or handle sensitive financial data—make cybersecurity part of your operating costs. Invest in regular audits, endpoint security, and secure communication tools.

Train staff on how to detect fraud and social engineering scams. And adopt zero-trust principles: never assume anyone or anything inside your network is safe without verification.

20. Cybercrime damages are predicted to grow by 15% per year through 2025

That’s a steep rise. It means the threat is getting worse, not better. More attacks. More tools for hackers. More risk for businesses.

You can’t afford to stand still. Review your security posture every six months. Threats evolve, and so should your defenses. Keep an eye on trends, new types of attacks, and updates in compliance rules.

Don’t be reactive—be proactive. Build security into every part of your business, from onboarding employees to launching new products.

21. Cloud misconfigurations cost businesses an average of $3.18 million per incident

The cloud is powerful, but it’s also easy to get wrong. Misconfigured settings can leave your data open to the world.

When setting up cloud systems, always use the principle of least privilege. Only give access to those who need it. Enable multi-factor authentication and use logging to monitor all activity.

Work with experts or certified partners to review your setup. Misconfigurations often go unnoticed until it’s too late. Regular audits and automated compliance tools can catch issues before they become disasters.

22. Credential theft incidents cost businesses $2.62 million on average

Passwords are a top target. Once stolen, they give attackers a direct route into your systems.

Use strong, unique passwords and require two-factor authentication for all accounts. Don’t allow password reuse across systems.

Consider using identity and access management (IAM) tools to control and monitor who accesses what. If credentials are stolen, respond quickly—revoke access, reset passwords, and investigate how it happened.

23. Companies with an incident response team and testing saved $1.49 million per breach

Having a plan makes a huge difference. When everyone knows what to do, you can act fast, contain the damage, and recover quicker.

Build an incident response plan and test it regularly. Include steps for detecting the breach, containing it, notifying stakeholders, and recovering data.

Assign clear roles and responsibilities. Practice through simulations or tabletop exercises. The more you practice, the more confident and effective your team will be when the real thing happens.

24. 70% of organizations believe cyber risks are increasing due to remote work

Remote work isn’t going away—but it does increase risk. Employees are working from home networks, using personal devices, and sometimes skipping security steps.

To reduce that risk, set clear remote work policies. Require VPNs, use device encryption, and restrict access to sensitive data on personal devices.

Provide secure tools for communication and file sharing. And make sure remote workers are trained on best practices. Security doesn’t stop at the office.

25. The average cost of a breach for organizations without security automation is $6.71 million

Automation can detect threats faster, reduce human error, and save money. Without it, breaches are more costly and harder to manage.

Start with automated patching, vulnerability scanning, and threat detection tools. These tools run 24/7 and catch problems humans might miss.

As your business grows, expand automation to include incident response and access control. The initial investment pays off in lower breach costs and better protection overall.

26. Cyberattacks cost U.S. businesses over $6.9 billion in 2021 alone

That figure shows how widespread and serious cybercrime has become, even in a single year. And that’s just the reported cases—many businesses don’t report attacks at all.

This cost includes ransomware payouts, stolen data, regulatory fines, legal fees, and lost customer trust. It’s a huge burden for any company.

To minimize your exposure, track your cyber risk just like you track financial risk. Perform regular security audits, assess your risk tolerance, and plan your defenses accordingly. Document your controls and policies so you’re ready for compliance checks or insurance applications.

And never ignore the value of cyber hygiene—simple habits like strong passwords, software updates, and data backups are incredibly effective when done consistently.

27. Financial losses from cybercrime are 7x higher in companies with outdated security systems

Old systems are easy targets. Hackers know where the weaknesses are, and those gaps don’t close themselves. If you’re running outdated software or hardware, you’re taking a big gamble.

Start with a full inventory of your tech stack. Know what you have, what’s supported, and what’s vulnerable. Replace or upgrade end-of-life systems. Apply patches and updates as soon as they’re released.

Outdated systems often lack modern security features like encryption or multifactor authentication. If you can’t upgrade yet, put extra protections around those systems—such as isolating them from the internet and limiting user access.

It’s not just about protecting data—it’s about protecting your reputation, your customers, and your business’s future.

28. 30% of breaches involved internal actors, causing higher remediation costs

When the threat comes from inside—whether by accident or on purpose—it’s harder to detect and can cause more damage. Internal actors already have access to systems, making it easier for them to bypass security controls.

To protect against this, build strong access control policies. Employees should only have access to what they need. Monitor behavior and set alerts for unusual activity, like downloading large files or accessing systems at odd hours.

Also, build a culture of trust but verify. Background checks for new hires, ongoing training, and clear reporting channels can all reduce risk. And when someone leaves the company, remove their access immediately—no exceptions.

29. Data breaches in organizations using AI and automation cost $1.76 million less on average

AI isn’t just a buzzword—it can truly lower the cost of a breach by catching threats early and automating responses. It reduces the time hackers can spend inside your system.

If you haven’t already, explore tools that use AI for threat detection, fraud monitoring, and behavior analysis. These tools learn over time and improve your security posture without requiring constant manual input.

Just remember, AI is a tool—not a full solution. It works best when paired with human oversight, strong policies, and employee awareness. Think of it as another layer of defense, not your only one.

30. The cost of lost business after a cyberattack averages $1.59 million per incident

Even if you fix everything after an attack, you might still lose customers. Trust takes years to build and only moments to lose. People want to know their data is safe, and one breach can change that.

To keep customer confidence, transparency is key. If something happens, communicate openly. Share what you’re doing to fix it, how it happened, and how you’re preventing future incidents.

Also, build trust before anything happens. Show that you take security seriously. Display security certifications, use secure checkout methods, and educate your customers about how you protect their information.

Being prepared, responding quickly, and being transparent can help reduce the long-term impact on your brand.

Wrapping It Up

The cost of cybercrime is no longer just a line item on a spreadsheet—it’s a core business issue that affects companies of all sizes. Whether you’re running a small startup or a large corporation, the risks are real, and the consequences are serious.