Stats & Trends
Jonathan Crowe
Dec 2016

Cyber Attack Statistics: Majority of Victims Aren't Changing Their Security in 2017


Photo by Thomas Hawk

In a year dominated by the accelerating rise of ransomware, the biggest threat of all may be ¯\_(ツ)_/¯.

With the year winding down we surveyed IT pros at over 100 organizations to find out how many had been impacted by cyber attacks in 2016, and how that was affecting their budgets and planning for 2017. What we found was surprising.

Despite significant concerns over both new threats (ransomware, specifically) and age-old, persistent ones (users unknowingly triggering attacks), for the majority of organizations, next year’s security plan essentially boils down to more of the same.

Before we dig into the responses around 2017 security budgeting and planning, however, let's look at how often our respondents were attacked and infected in 2016:

Cyber Attack Statistics 2016

Click on the charts below to sort and get more details on the responses.

One third of the IT pros we surveyed reported their security had been bypassed by a cyber attack in 2016.

Nearly 6 out of 10 respondents reported being aware that their organization was the target of one or multiple cyber attacks during 2016. For more than half of the IT pros who reported experiencing attacks, the security they had in place unfortunately wasn’t enough to stop all of them. 54 percent of those who were targeted suffered one or more successful attacks.

Over half the organizations targeted by cyber attacks in 2016 fell victim to one or more of them.

The numbers are even worse for organizations that were targets of ransomware attacks (57% of organizations that experienced attacks, overall).

71% of organizations targeted with ransomware attacks were infected.

Yet when asked what adjustments they were planning on making to their security stack to better protect themselves from cyber attacks in 2017, nearly two-thirds of IT pros reported no changes were planned.

Standing pat: Over half the organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017.

Despite the fact that their security had been bypassed and compromised, only a slightly larger percentage of attack victims indicated they were making changes and improvements next year (31 percent compared to 23 percent of respondents, overall).

Even fewer organizations have plans to change or augment their antivirus solution:

That's in spite of additional responses indicating antivirus performance was clearly a mixed bag. Of the organizations that acknowledged experiencing attacks, more than half reported their antivirus had been bypassed by one or more of them.

To recap, the majority of organizations out there are getting attacked. More than half of those organizations are getting infected. The protection they have in place is getting bypassed. Yet the majority aren't making any adjustments to change that.


For some, the simple answer might be that they can't — they don't have the budget or support. Nearly 60 percent of the IT pros we surveyed expect their 2017 IT security budget to decrease or stay the same. Only a third are planning to have more budget to work with.

That stands in contrast to a variety of frothy forecasts predicting a steep, steady rise in cybersecurity spending, some to the tune of budgets topping $170 billion worldwide by 2020. It could even hint at a potential deepening divide between security budget haves and have nots (for every example of a J.P. Morgan Chase & Co. doubling its annual budget from $250 million to $500 million, how many small businesses are holding steady or cutting back?).

When asked whether they thought their 2017 security budget was adequate, responses from IT pros were evenly split. Respondents who reported suffering a successful cyber attack in 2016 were slightly more disapproving and looking for more.

That said, pointing to a lack of new budget assumes IT pros want to make changes and additions to their security stacks, they just lack the means to do so. The next set of data indicates that may not be the case...

Despite the successful attacks and infections, it actually appears the majority of IT pros are happily confident in their protection. Half the respondents rated their confidence in their current security stack 4 out of 5. Another 12 percent rated their confidence a perfect 5 out of 5.

IT pros at organizations that had suffered a successful cyber attack were predictably less bullish. Both groups reported having higher confidence in their security heading into 2017.

More doubt crept in when we asked IT pros about their confidence in terms of being equipped to prevent and handle ransomware attacks and other infections triggered by user mistakes (their top two security concerns).

IT pros are essentially thinking, “We’ve got this… unless we get hit with ransomware and/or a user does something dumb. Then maybe we’ve got this (fingers crossed).”

Major Disconnect Between Confidence, Concerns, and Gaps

One of the most surprising takeaways from these survey responses is the persisting confidence in security solutions that are actively getting bypassed.

For example, ransomware attacks, the top security concern respondents cited, resulted in one or more successful infections for 71 percent of the organizations that were aware of being targeted. That means less than three out of 10 security stacks reliably held up against all the attacks they faced. Yet less than a third of ransomware victims are planning to make any adjustments to improve their protection in 2017. The majority are confident their stack will protect them from future attacks, even though they've been burned before.

The easy conclusion to draw is that there's a lot of misplaced confidence out there. But could it also be confidence is high because expectations are low?

Another way to interpret confidence in flawed protection is that it may be masking something else — an acceptance of infections as inevitable, and in the case of ransomware, even tolerable.

Are Companies Content to Clean Up After Ransomware Infections?

As Barkly co-founder and CTO Jack Danahy explains:

"The ability of companies to recover encrypted data from backup has been widely viewed as taking the sting out of ransomware attacks. But it's dangerous to think of backup as a ransomware solution."

"It's true that backup may be able to help you avoid paying the ransom, but the fact remains criminals have successfully gained access to your system. This time around, they encrypted your data. But they can just as easily choose to steal it, publish it publicly, or take future infections in another damaging direction."

In fact, some criminals are already experimenting with ways of packaging together ransomware with credential-stealing malware to create multi-stage ransomware attacks.

"For many reasons, tolerating infections and assuming they can be easily remedied with backup is extremely risky," Danahy advises.

Quick wins for improving your security in 2017 — no new budget required

Whether you already have changes planned for your security stack or not, there are plenty of things you can be doing to better secure your organization. Make sure you have your bases covered with a free copy of our Open Source Cybersecurity Playbook and 2017 Cybersecurity Checklist.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


2017 Cybersecurity Checklist

Are you focusing on the right things to protect your company against the latest threats? Find out now.

Get my checklist


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.