How much does a data breach cost in 2026?

IBM's 2024 Cost of a Data Breach Report — the most-cited number in the industry — put the global average at $4.88 million per breach, a record. US breaches average $9.36 million, the highest of any country. Healthcare is the most-expensive industry at $9.77 million average.

How long does it take to detect a breach?

IBM reports the global average time to identify a breach is 194 days, plus another 64 days to contain it — so roughly 258 days from first compromise to remediation. The detection time has been gradually decreasing year-over-year as detection tools improve.

How much do ransomware attacks cost?

Chainalysis tracked about $1.1 billion in ransomware payments in 2023 — a record year. The 2024 figure is expected to be similar or higher. Total economic damage (downtime, recovery costs, lost revenue) is multiples of the ransom payment itself.

How big is the cybersecurity industry?

Gartner forecasts global cybersecurity spending to exceed $215 billion in 2024. The cybersecurity vendor market (products + services) is estimated by Statista and IDC at $185-220 billion. Major segments: identity, endpoint protection, cloud security, and managed security services.

Is there a cybersecurity worker shortage?

Yes. ISC2's 2024 workforce study estimates the global cybersecurity workforce at 5.5 million people, with a gap of about 3.5 million unfilled positions globally and 700,000 in the US. The gap has actually widened in 2024 despite hiring growth.

How common are cyberattacks?

The FBI's 2023 Internet Crime Report logged about 880,000 individual complaints reporting $12.5 billion in losses — an undercount because most cyber incidents aren't reported to the FBI. The Identity Theft Resource Center tracked 3,205 publicly disclosed data compromises in 2023, the highest year on record.

Cybersecurity Statistics 2026

The cost of a breach

The single most-cited cybersecurity statistic of the past decade is IBM's average cost of a data breach. The 2024 figure: $4.88 million globally, a record and a 10% increase over 2023. The US figure is much higher at $9.36 million — the highest of any country and roughly 2× the global average.

The cost components, roughly:

Detection & escalation: ~$1.6M
Notification: ~$370K
Post-breach response: ~$1.4M
Lost business: ~$1.5M

By industry, the most expensive sectors in IBM's 2024 report:

Healthcare — $9.77M average
Financial services — $6.08M
Industrial — $5.56M
Technology — $5.45M
Energy — $5.29M

Time to detect and respond

IBM tracks two metrics that matter:

Mean time to identify (MTTI): how long from initial compromise to first detection. 2024 average: 194 days.
Mean time to contain (MTTC): how long from detection to containment. 2024 average: 64 days.

Combined, the average breach is unresolved for roughly 258 days from first compromise to full remediation. The trend has been gradually improving (these times were over 300 days in 2017), driven mostly by better detection tooling. AI-enabled SIEM and SOAR systems are the main reason for the improvement.

Ransomware

Chainalysis tracks ransomware payments via blockchain analysis. Their figures:

Year	Tracked ransomware payments
2020	$905M
2021	$983M
2022	$567M (drop after sanctions)
2023	$1.1B (record)
2024 (preliminary)	~$1.0–1.2B (estimate)

Important context: ransom payment is a tiny share of total ransomware cost. Verizon's 2024 DBIR found ransomware/extortion was a factor in roughly 32% of all confirmed breaches. The total economic damage — downtime, recovery, lost data, lost revenue, reputational cost — typically runs 7–10× the ransom payment.

Notable 2023–2024 incidents

Change Healthcare (Feb 2024) — disrupted US prescription processing for weeks; UnitedHealth disclosed paying $22M ransom; estimated total cost $2.45B
MOVEit Transfer mass exploitation (May 2023) — Cl0p ransomware group breached thousands of organizations via MOVEit zero-day
MGM Resorts (Sept 2023) — Scattered Spider intrusion, ~$100M operational impact
Caesars (Sept 2023) — same threat actor, reportedly paid $15M ransom

How much cybercrime happens

The FBI's Internet Crime Complaint Center (IC3) 2023 report:

880,418 complaints filed
$12.5 billion in reported losses (a 22% increase year-over-year)
Top categories by loss: investment fraud ($4.6B), business email compromise ($2.9B), tech support scams ($925M), confidence/romance scams ($653M)
Top categories by victim count: phishing/spoofing, personal data breach, non-payment/non-delivery

These are reported losses only. Total US cybercrime is widely estimated to be 4–10× higher than what IC3 captures.

The Identity Theft Resource Center tracked 3,205 publicly disclosed data compromises in the US in 2023 — the highest year on record. The 2024 figure was expected to be similar or higher.

The workforce gap

ISC2's 2024 Cybersecurity Workforce Study estimates:

5.5 million cybersecurity professionals globally
3.5 million additional positions needed but unfilled globally
700,000 additional positions needed in the US specifically
The gap widened in 2024 despite hiring growth — demand grew faster than supply

Two structural problems beneath the headline number:

The "gap" includes positions employers want to hire but haven't budgeted for. Actual budgeted-and-open positions are a smaller subset.
Specific skill areas have much bigger gaps than the headline number: cloud security, application security, AI security, OT/ICS security.

Vulnerabilities keep climbing

NIST's National Vulnerability Database (NVD) recorded:

2019: ~17,300 CVEs published
2020: ~18,400
2021: ~20,200
2022: ~25,100
2023: ~28,900 (38% increase over 2022)
2024: ~40,000 (provisional, NVD has had backlog issues)

The 2024 NVD backlog itself was a story — NIST publicly acknowledged it was behind on vulnerability enrichment, with CVE assignment continuing but the analysis/scoring layer slowed dramatically. Several private alternatives (the CVE Numbering Authorities themselves, plus services like First.org's EPSS) have stepped in.

How attackers actually get in

Verizon's 2024 Data Breach Investigations Report — the most respected annual breach-pattern report — found these initial-access categories dominate:

Credential abuse (stolen passwords, password reuse, password spraying) — about 24% of breaches
Vulnerability exploitation (especially MOVEit-class mass exploits) — about 14%, tripled from 2023
Phishing — about 12%
Misconfiguration / cloud security errors — about 11%
Other (insider threat, physical, etc.) — remainder

The 3× jump in vulnerability-exploitation-as-initial-access was the defining trend of 2023–2024. Edge-device vulnerabilities (firewalls, VPN appliances, file-transfer software) drove most of it.

Spending and market size

Gartner forecast global cybersecurity spending to reach $215 billion in 2024, growing roughly 14% per year. Major segments by spend:

Security services (consulting, managed services) — about 45% of total
Security software — about 35%
Network security — about 14%
Consumer security — about 6%

What to expect 2026–2028

AI in cybersecurity — both directions. Defenders are deploying AI-driven detection (with mixed efficacy claims); attackers are using AI for spear-phishing, voice cloning for vishing, and large-scale credential-stuffing automation.
Post-quantum cryptography — NIST published final standards in August 2024. Migration will take a decade or more; "harvest-now-decrypt-later" attacks are the active concern.
Regulatory pressure — SEC cybersecurity disclosure rules in effect since Dec 2023; EU's NIS2 directive transposition continuing through 2024–2025.
Supply-chain attacks — SolarWinds-style and dependency-confusion attacks remain a top concern; SBOM (software bill of materials) requirements expanding.

Related explainers

What Is Cybersecurity? — the canonical definition
AI Statistics 2026 — relevant to AI-in-cybersecurity context
Cryptocurrency Statistics 2026 — relevant to ransomware payment trends