US cybercrime losses hit $20.9 billion in 2025 — a 26% jump year-over-year and the first time in history the figure crossed $20 billion (FBI Internet Crime Complaint Center, 2025 Annual Report).
That number only counts what was voluntarily reported to the FBI. The real total is believed to be a multiple of that figure. Meanwhile, the average US data breach now costs $10.22 million, an all-time high for any country; ransomware appeared in 44% of all confirmed breaches; and 83% of phishing emails are now AI-generated.
We aggregated data from the FBI Internet Crime Complaint Center 2025 Annual Report, IBM Cost of a Data Breach Report 2025, Verizon 2025 Data Breach Investigations Report, Gartner Information Security Forecast 2026, ISC2 2025 Cybersecurity Workforce Study, World Economic Forum Global Cybersecurity Outlook 2026, Check Point Cyber Security Report 2026, and KnowBe4 2025 Phishing Trends Report. 52 verified data points. Every stat traced to a Tier 1 primary source. Updated May 2026.
The $20.9 billion the FBI recorded in 2025 represents only reported losses from voluntary IC3 complaints. Investment fraud drove the largest single category at $8.6 billion, but the more operationally relevant number for businesses is business email compromise — $3 billion in losses from a threat that requires no sophisticated malware, only a convincing email. For US organizations specifically, the data from IBM is unambiguous: breach costs in this country are in a category of their own, running more than double the global average and climbing every year.

| Metric | Value | Source |
|---|---|---|
| US cybercrime losses (2025) | $20.9 billion | FBI IC3, 2025 Annual Report |
| Year-over-year increase in US cybercrime losses | 26% | FBI IC3, 2025 Annual Report |
| Total IC3 complaints filed (2025) | 1,008,597 (first time exceeding 1M) | FBI IC3, 2025 Annual Report |
| Investment fraud losses (largest category) | $8.6 billion | FBI IC3, 2025 Annual Report |
| Business email compromise (BEC) losses | $3 billion | FBI IC3, 2025 Annual Report |
| AI-facilitated cybercrime losses (first year tracked) | $893 million (22,364 complaints) | FBI IC3, 2025 Annual Report |
| Average US data breach cost | $10.22 million (all-time high) | IBM Cost of Data Breach Report, 2025 |
| Global average data breach cost | $4.44 million (9% decline from 2024) | IBM Cost of Data Breach Report, 2025 |
The gap between US breach costs and the global average is driven by regulatory fines, higher detection and escalation expenses, and legal exposure. Organizations that reduce detection time through managed security services consistently land below that average.
The 2025 Verizon Data Breach Investigations Report analyzed over 22,000 security incidents — the largest dataset in DBIR history. Phishing has been dethroned as the most common initial access vector by vulnerability exploitation for the first time. That said, the human element still played a role in 60% of all breaches — no technical control eliminates the human variable.
[Chart: Known initial access vectors in breaches (Verizon DBIR 2025). Third-party involvement doubled year-over-year. Source: Verizon DBIR 2025]
| Metric | Value | Source |
|---|---|---|
| Total incidents analyzed (Verizon DBIR 2025) | 22,000+ incidents, 12,195 confirmed breaches | Verizon DBIR, 2025 |
| Human element involved in breaches | 60% | Verizon DBIR, 2025 |
| Most common initial access vector | Stolen credentials (22%); vulnerability exploitation (20%) | Verizon DBIR, 2025 |
| Third-party involvement in breaches | 30% (doubled year-over-year) | Verizon DBIR, 2025 |
| Healthcare average breach cost | $7.42 million (14 consecutive years at top) | IBM Cost of Data Breach, 2025 |
| Breaches involving multi-environment data | 30% — highest avg cost at $5.05M | IBM Cost of Data Breach, 2025 |
Ransomware is no longer a threat that primarily targets enterprises. The Verizon DBIR 2025 found that 88% of SMB breaches involved a ransomware component — more than double the 39% rate for large organizations. Ransomware-as-a-Service (RaaS) has industrialized attacks, making it profitable to target organizations that were previously too small to pursue manually.
[Chart: Ransomware presence in breaches: SMBs vs. large organizations (Verizon DBIR 2025). SMBs face ransomware in breaches at 2.3× the rate of large organizations. Source: Verizon DBIR 2025]
| Metric | Value | Source |
|---|---|---|
| Ransomware present in all breaches (2025) | 44% (up from 32%) | Verizon DBIR, 2025 |
| Ransomware in SMB breaches specifically | 88% | Verizon DBIR, 2025 |
| Ransomware in large-org breaches | 39% | Verizon DBIR, 2025 |
| Median ransomware payment (2025) | $115,000 (down from $150,000) | Verizon DBIR, 2025 |
| Organizations refusing to pay ransom | 64% (up from 50% two years prior) | Verizon DBIR, 2025 |
| Avg ransomware recovery cost (SMBs 100–250 employees) | $638,536 (excluding ransom) | Sophos State of Ransomware, 2025 |
| SMBs saying ransomware would end their business | 75% | StrongDM / VikingCloud Survey, 2025 |
SMBs are not caught in the crossfire of attacks aimed at enterprises — they are increasingly the intended target. Verizon’s 2025 DBIR found that SMBs experienced approximately four times more confirmed breaches than large organizations. RaaS groups rent sophisticated infrastructure, automation handles scale, and SMBs typically lack dedicated security teams to respond.
| Metric | Value | Source |
|---|---|---|
| SMBs experiencing at least one breach (past 12 months) | 43–46% | Mastercard Global SMB Survey, 2025 |
| SMB breach rate vs. large organizations | ~4× more confirmed breaches | Verizon DBIR, 2025 |
| Average SMB breach cost (under 500 employees) | $3.31 million | IBM Cost of Data Breach, 2024 (most recent) |
| Realistic SMB incident cost range | $120,000–$1.24 million | Verizon DBIR, 2025 |
| Downtime cost per hour from a cyberattack | $53,000/hour | VikingCloud Research, 2025 |
| SMBs with no formal cybersecurity plan (under 50 employees) | More than 50% | US Chamber of Commerce / 2025 surveys |
| SMBs using AI-powered security tools | Only 11% | CrowdStrike SMB Security Survey, 2025 |
| SMBs facing bankruptcy post-attack | 19% | Verizon DBIR, 2025 |
83% of phishing emails are now AI-generated, removing the grammar and spelling errors that training programs relied on for years. Organizations deploying AI on the defensive side see compelling ROI: IBM’s 2025 data shows AI security tool users saved nearly $1.9 million per breach and contained incidents 80 days faster. Only 11% of SMBs have made that investment.

| Metric | Value | Source |
|---|---|---|
| Phishing emails that are AI-generated | 83% | KnowBe4 Phishing Trends Threat Report, 2025 |
| AI phishing click-through rate increase | Up to 54% higher | IBM Cost of Data Breach, 2025 |
| Breaches involving attacker use of AI | 16% — phishing (37%) and deepfakes (35%) | IBM Cost of Data Breach, 2025 |
| AI-related cybercrime losses (FBI tracked) | $893 million (22,364 complaints) | FBI IC3, 2025 Annual Report |
| Deepfake incidents Q1 2025 vs. all of 2024 | 19% more in Q1 2025 alone | Signicat/Keepnet Research, 2025 |
| Avg breach cost savings from AI security tools | $1.9 million saved per breach | IBM Cost of Data Breach, 2025 |
| Breach lifecycle reduction with AI security | 80 days faster detection and containment | IBM Cost of Data Breach, 2025 |
Global cybersecurity spending is projected to grow 13.3% in 2026, the fastest growth rate in years. The workforce story is equally significant: the profession needs to grow 87% to meet current demand, and organizations with understaffed security teams pay an average of $1.76 million more per breach. For companies that can’t hire and retain specialized security talent, managed IT and virtual CIO services represent the operational bridge.
| Metric | Value | Source |
|---|---|---|
| Global cybersecurity spending (2026 projection) | $244 billion (+13.3% YoY) | Gartner, 4Q25 Information Security Forecast |
| Global cybersecurity workforce gap (most recent) | 4.76 million unfilled positions | ISC2 Cybersecurity Workforce Study, 2024* |
| Workforce growth needed to meet demand | 87% increase required | ISC2 / World Economic Forum |
| Organizations reporting critical skills shortages | 59% | ISC2 Cybersecurity Workforce Study, 2025 |
| Additional breach cost for understaffed teams | $1.76 million more per breach | IBM / Viva-IT analysis, 2025 |
| Organizations unable to match AI attack speed | 76% | Total Assure Research, 2025 |
| US info security analyst job growth through 2032 | 32% | US Bureau of Labor Statistics |
*ISC2 declined to publish a new workforce gap estimate in 2025, noting skills shortages now outweigh headcount shortages as the primary constraint. The 4.76M figure is the most recent published estimate.
| Metric | Value | Source |
|---|---|---|
| US cybercrime losses (2025) | $20.9 billion | FBI IC3, 2025 |
| YoY increase in US cybercrime losses | 26% | FBI IC3, 2025 |
| US average data breach cost | $10.22 million | IBM, 2025 |
| Global average data breach cost | $4.44 million | IBM, 2025 |
| Global breach cost decline from prior year | −9% (first decline in 5 years) | IBM, 2025 |
| Average breach lifecycle (global) | 241 days | IBM, 2025 |
| Ransomware present in all breaches | 44% | Verizon DBIR, 2025 |
| Ransomware in SMB breaches | 88% | Verizon DBIR, 2025 |
| Median ransom payment | $115,000 | Verizon DBIR, 2025 |
| Organizations refusing to pay ransom | 64% | Verizon DBIR, 2025 |
| Third-party involvement in breaches | 30% (doubled YoY) | Verizon DBIR, 2025 |
| Human element in breaches | 60% | Verizon DBIR, 2025 |
| SMB breach rate vs. large organizations | ~4× higher | Verizon DBIR, 2025 |
| AI-generated phishing emails | 83% | KnowBe4, 2025 |
| Breach cost savings from AI security | $1.9M saved/breach | IBM, 2025 |
| AI-related cybercrime losses | $893 million | FBI IC3, 2025 |
| BEC losses (2025) | $3 billion | FBI IC3, 2025 |
| Global cybersecurity spending (2026) | $244 billion | Gartner, 2025 |
| Cybersecurity spending growth rate (2026) | 13.3% | Gartner, 4Q25 |
| Global cybersecurity workforce gap | 4.76 million (2024 estimate) | ISC2, 2024 |
How much does the average cyberattack cost a business in 2026?
The average US data breach costs $10.22 million — an all-time high for any country, per IBM’s Cost of a Data Breach Report 2025. The global average is $4.44 million. For small businesses, Verizon’s 2025 DBIR puts the realistic incident cost range at $120,000 to $1.24 million depending on scale and response capabilities.
What percentage of cyberattacks target small businesses?
Small and medium businesses experience approximately four times more confirmed breaches than large organizations, according to the Verizon 2025 DBIR. 43% of all cyberattacks target small businesses, and 88% of SMB breaches involved a ransomware component in 2025.
What is the most common cause of a data breach?
Stolen credentials are the most common initial access vector, involved in 22% of breaches per the Verizon 2025 DBIR. Exploited vulnerabilities account for 20% and phishing for 14%. The human element plays a role in 60% of all breaches.
How much is spent on cybersecurity globally in 2026?
Global cybersecurity spending is projected to reach $244 billion in 2026, a 13.3% increase from 2025, according to Gartner’s 4Q25 Information Security Forecast. Growth is driven by AI-powered threats, ransomware escalation, and expanding regulatory mandates.
Can AI help reduce the cost of a data breach?
Yes. IBM’s Cost of a Data Breach Report 2025 found that organizations using AI security tools extensively saved an average of $1.9 million per breach and detected breaches 80 days faster. However, AI is simultaneously being weaponized by attackers: 83% of phishing emails are now AI-generated.
All statistics are traced to primary or verified Tier 2 sources. We do not cite aggregator blogs quoting other blogs. Where sources report conflicting figures for the same metric, both are presented with scope clearly distinguished.
Last updated: May 2026. Update schedule: Updated quarterly as primary reports are released.
Myth correction: The “60% of SMBs close within 6 months” statistic was officially disavowed by the National Cyber Security Alliance (2022). We do not include it. The Verizon DBIR 2025 figure of 19% facing bankruptcy is the most reliable current alternative.