Cyber security stats you should know for 2020

Written by Joseph Poppy on 17/12/2019

Beginning of a new era?

A turbulent decade is now behind us. In the last ten years, hackers attempted to break into business networks every 39 seconds[1]. Global spending on cyber security has rocketed up from $3.5 billion in 2004 to a staggering $120 billion in 2017. This is not going to go down, with an estimated $170.4 billion expected to be the figure by 2022.

With this rise in spend, it’s safe to say we’re all cyber secure and those hackers haven’t had any luck in years. Except throughout the decade roughly four billion records were stolen and there were approximately 10.52 billion malware attacks[2] recorded in 2018 alone. So, maybe not. The fact is, businesses are as vulnerable as ever, and getting the right security strategy in place is still a challenge with numerous shifting factors. With this in mind, here are 15 top cyber security statistics to consider as we take our first tentative steps into an uncharted decade.

  1. 1 in 5 Bulletproof penetration tests revealed a critical flaw

    Throughout the year, we have conducted hundreds of penetration tests. 20% of all tests contained a critical to high flaw. We define a critical issue as a flaw which poses an immediate and direct risk to a business. Having a critical flaw in an app or network will leave you vulnerable to a costly, reputation-damaging data breach. Among these flaws, default or poor passwords and access control issues make up a large portion, with outdated software being the worst offender.

  2. 50% of critical to high flaws involved outdated components

    Best practices dictate that businesses have an effective update schedule in place. With 50% of all critical and high rated flaws found in our tests relating to out-of-date components or software, it’s clear that a lot of companies are not sticking to best practices. Whilst there are some rare instances where out-of-date components are deliberately left unpatched, on the whole it comes down to oversight, negligence and lack of resources. If you have outdated software in play, it’ll be found and exploited.

  3. 20% of high risks involved weak cryptography

    A hacker with enough time and resources can decrypt traffic that has been encrypted with outdated cryptography. This can be particularly dangerous if customers are inputting sensitive information. A business working to best practices will use the most recent cryptography by default.

  4. 500,000 DPOs are currently working in Europe[3]

    GDPR proved to be the biggest shake-up in data protection law in years, and this has had an impact on the number of data protection officers working across Europe, with a recent figure being quoted as high as 500,000.

  5. Public-facing hosts are discovered in 32ms

    Our honeypot investigations have shown that public-facing services are discovered in as little as 32ms, demonstrating that everything is a target the moment it goes live. This busts the widely held myth that a company can be ‘too small to be a target.’

  6. 74% of businesses lack the staff to deal with security[4]

    The vast majority of businesses are underprepared to deal with cyber security issues, with 74% admitting that they don’t have the right staff to deal with a security event. Even if protected by the best technology, without knowledgeable people to take action on events, businesses are left vulnerable to attack.

  7. 53% of suspicious activity comes from users

    Our analysts, armed with our S.W.A.T. Defence® platform, recorded thousands of events throughout the year that required investigation, 53% of which involved user activity. Users are the biggest weakness to cyber security, able to undo all security controls. This can involve compromised user accounts, users accessing what they should not, user accounts being used as service accounts, accounts holding administrator privileges they should not have, and so on.

  8. In Q3 of 2019 cyber attacks were up 243%[5]

    A sharp jump from previous quarters, attacks in Q3 of 2019 rose by 243%, showing the threat landscape is as volatile as ever. Companies should never get complacent: attacks come in thick and fast from everywhere.

  9. Average dwell time for SMEs is between 43 and 895 days[6]

    Dwell time, the time it takes for a business to become aware of a breach, sits between 43 and 895 days for SMBs. This is a wide range hinting at a variety of different security strategies. The longer it takes to discover a breach, the more time a hacker has to gather information and profit from their exploits.

  10. The education sector at biggest risk

    Whilst it shared similar percentages with other industries (even tying with the automotive industry), education contained the most critical risks throughout Bulletproof’s penetration tests in 2019.

  11. Worldwide spending on cyber security to reach £96.3 billion[7] in 2019

    £96.3 billion is a lot of money, which means cyber security is a big business. As threats continue to evolve, this figure is likely to grow even further. This is a 141% increase from 2010.

  12. 80% of outdated software relates to Microsoft patches

    According to our penetration testers, most outdated software relates to Microsoft patches. As these are often released to patch glaring security holes, not installing them can be dangerous.

  13. Average cost of a phishing attack £1.3 million[8]

    For a mid-sized company, a successful phishing attack could cost up to £1.3 million. For these sorts of companies, that can equate to a large portion of a company’s annual turnover, which makes for an uncertain future.

  14. 88% of UK companies affected by a data breach in last 12 months[9]

    Whilst what constitutes a data breach can vary in severity, this is an alarming statistic. The 88% includes big, small and medium-sized companies, all of whom will have different levels of security in place. No one is safe.

  15. 33% of businesses lost customers due to a breach[10]

    Losing customers further adds to the cost of a data breach. Reputational damage can be the hardest to recover from, particularly if you lose financial or other important data belonging to your customers.


Startling statistics to inform your strategy

Things don’t look like they’ll be getting any better on the security front in the coming years. If anything, the stats show that there’s no predicting what will come next. Companies have a responsibility to protect their customer data, and failing to do so could cost a lot of money. As we progress into 2020, it’s more important than ever to invest in cyber security or you’re likely to be among next year’s stats.



