The cybersecurity situation in the US is among the worst, or among the best, in the world – depending on whom you ask. Some reports show terrifying data breach statistics, while others like to point out the tremendous amounts of energy and resources that the country invests to fight cybercrime.
In the meantime, the National Cyber Security Index ranked the United States as the 41st best-prepared country in the world based on its overall readiness to prevent cyber threats and manage cyber incidents. We can all agree that this is quite a low ranking for such an economic giant. But is it a realistic representation of the actual cybersecurity state in which the country is, and what can the latest data and statistics tell us more about the subject? Let's find out!
Cybersecurity and cybercrime in the US – numbers and facts
We went over different US and international sources to gather the most impartial and up-to-date statistics. We hope these numbers and facts will help you get a clearer image of the current US cybersecurity and cybercrime landscape.
1. Cybercrime affected over 53 million individuals in the first half of 2023
According to the Latest 2023 Cyber Crime Statistics by AAG, approximately 53.35 million US citizens became victims of cybercrime in H1 of 2023. Not long before that, from July 2020 to June 2021, the US accounted for 46% of all cyber attacks in the world and became the most targeted country overall.
Statista released similar findings, supported by a graph below. On the graph, we can also see that a total of 817 data compromises were reported across the States during that period.
2. The number of data compromises reached record heights in 2021
Statista also found that there were a total of 1,862 reported data compromises in the US in 2021 – the biggest amount in the last 16 years, since 2005. Luckily, after this cybercrime peak in 2021, the numbers started dropping in 2023. However, it's still too early to tell whether the year 2023 will be better or worse than the year before, as the data seen on the graph (817 compromises) represents only the reports from the first half of the year.
3. Almost 90% of US organizations have experienced at least one successful cyber attack within a year
The Cyberthreat Defense Report (CDR) by Cyber Edge ranked the US as the sixth most exposed country in 2021. Nearly 89.7% of US organizations experienced at least one successful attack 12 months prior to the report getting released.
The only countries which had bigger percentages of cyber attacks during the same period were Columbia (93.9%), China (91.5%), Germany (91.5%), Mexico (90.6%), and Spain (89.8%). The UK showed the best level of preparedness, with almost 20% fewer cyber attacks than the US – or 71.1%.
4. Companies in the US allocate 13.7% of their IT budget to security
When it comes to investing in cybersecurity, the US organizations were again sixth according to CDR. On average, they invested 13.7% of their IT budget to secure their systems. Interestingly, this is nearly 3% more than the UK, which reported the lowest rate of cyber attacks in 2021.
Columbia, which was hit the hardest, invested even more in cybersecurity – 14.7% of its IT budget. This just proves that investing money in the cybersecurity field isn't the only important factor in preventing breaches.
5. The US was the second most affected country by ransomware
Ransomware continues to be one of the main cybersecurity threats worldwide. With 78.5% of organizations hit by ransomware (within 12 months prior to 2021 CDR), the US was the second most ransomware-affected country in the world. Australia was first, with 79.6% of companies facing this online threat. Japan was at the bottom of the list, with just a little over half of their organizations (56%) having to deal with ransomware between 2020 and 2021.
6. Phishing emails remain the main entry point for ransomware in the US
A great interactive tool by the Hiscox Group shows various useful regional cyber attack data. Among other useful findings, we can see that 61% of all ransomware in the US reaches businesses through phishing emails. Credential theft is the second most common point of entry, responsible for 51% of all ransomware attacks in the US, and third parties account for 41% of these incidents. It's worth mentioning that the attack vectors often overlap, which is why the combined percentage of these entry points exceeds 100%.
7. 34% of US businesses have a standalone cyber insurance policy
Of all US businesses included in Hiscox statistics, 34% have a standalone cyber insurance policy in 2023. This is almost the same (1% more) as the average of all the countries involved in the study (33%). In the meantime, 12% of US companies do not have nor plan to purchase a cyber insurance policy, while 12% don't have it but intend to get it in the future.
As the main reason for purchasing a cyber insurance policy, most correspondents ticked the box which said: "I am concerned about the security of my organization."
8. Only 6% of US companies have reached the Cyber Expert maturity level in cyber readiness
According to the same report, only 6% of US companies can be classified as cyber experts according to their readiness maturity level. Again, this is slightly higher than the average of all the countries involved in the report (4%).
Most businesses show an intermediate level of preparedness, both internationally (68%) and in the US (72%). Surprisingly, the size of the business doesn't change these percentages significantly, although, as expected, large businesses tend to score better in this aspect.
9. Almost one-third of organizations in the US faced difficulties in attracting new customers after an attack
The Hiscox Cyber Readiness Report 2023, among other things, showed the impact that cyber attacks had on businesses. It found that nearly one-third of US companies (29%) have struggled to find new customers in the aftermath of an attack. It also revealed that the companies which experienced a substantial fine from a breach have more than doubled over a course of 12 months.
10. Most American companies trust machine learning and AI security products
Companies around the world have different preferences for security products, with some among them more inclined towards advanced technologies, including AI and machine learning. CDR found that 89% of the companies in the US had a moderate to strong preference for such products. This placed the US somewhere in the middle of the list of all the countries that participated in the study. Saudi firms showed the strongest interest (98%) in AI and machine learning technologies, while German companies (71.6%) turned out to be the least interested.
11. The United States has the highest average total cost of a data breach
IBM Security released its annual Cost of a Data Breach Report 2023, comparing the costs of cyber attacks across different regions and industries. According to it, the US had the costliest data breaches for the 12th consecutive year – $9.44 million on average per incident. The report also showed a significant increase compared to 2021, when an average data breach in the US was worth 0.39 million less, or $9.05 in total.
The second highest cost region was the Middle East, with a considerably smaller average cost of a data breach – $7.46 million to be precise. Canada was again third, with $5.64 million lost per breach. Among 17 surveyed countries, Turkey reported the lowest average cost of a data breach, $1.11 million, which is nearly 10 times less compared to the US.
12. Over 84% of US organizations said training reduces phishing failure rates
The 2023 State of the Phish report by Proofpoint considered the most important phishing statistics and trends throughout the year before. As part of their survey, approximately 84% of organizations in the US said security awareness training had reduced phishing failure rates in 2021. This is the highest rate of positive feedback on cybersecurity training, all participating regions considered.
13. 80% of US employees use their own electronic devices for work
The BYOD or "bring your own device" trend has been on the rise all over the world since the beginning of the Covid-19 pandemic, and the US is not an exception to it. According to the same Proofpoint report, as much as 80% of US employees use their own mobile devices for work-related tasks. Of these, 64% use personal phones, and 30% use their own tablets. Again, this was the highest percentage of all the regions surveyed.
However, this statistic is not as worrying as the one showing that almost one-third (33%) of workers in the States save their login credentials in their web browser. This is also higher than the global average, which was around 24% in 2021.
We have to remind our readers that this is not a particularly safe strategy, as web browsing companies are as prone to cyber attacks as any other large businesses. It's much safer to remember your own password and change it regularly. The second best option is using a password manager. They are convenient and apply important security measures to protect your data.
14. 42% of US employees believe all emails with familiar logos are safe
Even more concerning is the Proofpoint finding that 42% of American workers trust emails with familiar logos. In this high-tech era, when almost everything is susceptible to plagiarism, especially documents and images, it's really important to triple-check each email for irregularities and not rely on a single identifier, such as a logo.
15. Over half of the workers in the US admitted they take risks
While we're on the bad news – 55% of US workers reported they took at least one risky action in 2021. For example, 26% clicked on a suspicious link, and 17% compromised their credentials by mistake or accident.
16. 7.11% of users living in the US opened a phishing link
Studies by Kaspersky bring us somewhat more optimistic findings from this sphere of cybersecurity in the US. Comparing its two latest reports, we can see that the percentage of users who attempted to open a phishing link has dropped from 11.82% in 2020 to 7.11% in 2023. Raising cybersecurity awareness in the States meant that the US didn’t make it in the top 10 targeted countries – as opposed to Brazil, France, and Portugal, who led the list with 12.39%, 12.21%, and 11.40% of users opening a phishing link, respectively.
17. The States were the third most significant source of spam in 2021
The same study by Kaspersky, called Spam and phishing in 2021, revealed that 10.46% of all spam originated from the US, making it one of the three biggest sources of spam in the world for the second consecutive year. Russia (24.77%) remained the absolute spam leader, with its share rising by 3.5 percentage points since 2020. Germany, whose share increased by 3.15 percentage points (to 14.12%) also kept its second place.
18. The US is also one of the top three countries most affected by stalkerware
With 2,319 victims of stalkerware in 2020, The State of Stalkerware 2021 ranks the United States of America as the third most affected country in the world by this growing cybersecurity threat. Brazil, which was the second on the list, had more than twice as many stalkerware incidents (4,807), and the Russian Federation was by far the worst, with 7,541 affected users.
In Europe, the countries most affected by stalkerware were Germany (1,012 cases), Italy (611 cases), and the UK (430 cases). Cerberus and Reptilicus were the most popular stalkerware apps worldwide, with 5,575 and 4,417 affected users, respectively.
19. Over half of US businesses trust the cloud
Between the two latest CDR reports, the one in 2020 and the one in 2021, the percentage of cloud usage for security jumped from 35.7% to 40.6% across businesses worldwide, a solid 4.9% increase. What's more, 50.1% of companies in the US reported they had their security applications and systems delivered via the cloud in the past year. The only country that showed a bigger trust in cloud services was Brazil, with 50.3% of companies relying on the cloud for securing their systems.
20. The US Department of Homeland Security spends the most on cybersecurity
According to the Statista graph below, the US department that invested the most in online security is the US Department of Homeland Security. The department invested more than $2.4 billion so far in 2023. Next was the Department of Justice, which spent over $1.2 billion on cybersecurity solutions, and the third was the Department of the Treasury, with $829 million spent on cybersecurity investments.
21. Companies in the US took 237 days on average to identify and contain a data breach
The Cost of a Data Breach Report 2020 by IBM showed that companies in the US took 186 days on average to identify a data breach, and another 51 days to contain it – or 237 days in total. This was considerably less than the global average, which was 280 days that year, and much less than countries like Brazil (380 days) and regions like the Middle East (369 days).
22. 24% of data breaches in the US happen due to human error
The above report broke down the principal causes of data breaches around the globe and concluded that human error still generated around 24% of all data breaches in the US. As expected, malicious attacks were the root cause of the majority of data breaches, or 54% of them, and system glitches were behind 22% of breaches.
The results were fairly similar in other countries involved in the study as well. However, ASEAN countries suffered by far the most because of human error, with almost one-third of data breaches (30%) involving this factor. The Middle East had the smallest percentage of human error incidents, 17%.
23. Cybercrime increased by over 300% since the Covid-19 pandemic
Major work environment changes (most companies switching to remote or hybrid working) along with fear and anticipation inevitably led to an increase in cybercrime worldwide, including in the US. The FBI’s Internet Crime Complaint Center (IC3) revealed that cybersecurity complaints went from 1,000 to over 3,000 complaints a day since the beginning of the Covid-19 pandemic.
In the meantime, Google reported blocking over 18 million fake coronavirus emails per day and an over 600% increase in phishing scams during the first months of the pandemic.
24. There are over 110 high-profile cyber criminals on the most wanted FBI list
FBI’s cyber's most-wanted list is publicly available and currently includes over 110 dangerous cyber criminals and groups in 2023. FBI is seeking information about them in an exchange for hefty, millions-of-dollars-worth rewards. Their crimes range from espionage and identity theft to mass computer intrusions, ransomware extortions, government infrastructure damages, and more.
25. The US was the hardest hit country by ransomware Trojans in 2020
Year after year, the United States has the biggest share of users attacked by Trojan ransomware – and there were 2.25% of users affected in 2020. The next hardest-hit country was Kazakhstan, with 0.77% of affected users. Third and fourth were Iran (0.35%) and China (0.21%).
26. North America accounted for 17% of all DDoS Attacks in H1 2023
Netscout’s 2023 Threat Intelligence Report shows that, on average, 5,755 DDoS attacks happened every day in the US in the first half of 2023. At the time, the global average was 33,260 attacks per day. So, in other words, the US accounted for 17% of all DDoS attacks in the world.
Despite the relatively small increase in attack volume in H1 of 2023 (around 2% since H1 2021), it's clear that DDOS attacks in the US still have upward trends. This isn’t surprising considering global cybercrime trends and constant innovations by perpetrators worldwide, including in the US.
27. American company Meta was issued the second-largest GDPR fine ever
GDPR Fines Tracker & Statistics shows that of over €2 billion-worth GDPR fines issued so far, almost one-fifth (€405 million) was paid by the tech conglomerate Meta, based in the US. Before that, for over two years, the highest GDPR fine was the one issued to Google in January 2019 – worth €50 million.
Amazon Europe Core S.a.r.l. set the all-time record in July 2021, which it still holds, with a €746 million fine. Meta Platforms, Inc. (Facebook) is currently second on the list of companies paying the all-time highest GDPR fines, with the above-mentioned sum.
28. California suffered the highest losses of all US states in 2021
If you ever wondered which US state suffers the biggest financial damages caused by cyber crime – it's California. In 2021, this state reported a loss of over $1.2 billion on cyber attacks, almost twice as much as second-placed Texas, which reported a little over $606 million in damage. The third was the state of New York, with nearly $560 million in cybercrime losses.
29. Only around half of Americans know what malware is
Proofpoint conducted another interesting study, which included a knowledge check of various cybersecurity terms, such as phishing, ransomware, malware, and similar. Disappointingly, the US respondents heavily underperformed in defining the term malware, with only 54% of them answering correctly.
That was more than 10% less than the global average (65%) at the time of the study taking place, in 2021. According to Proofpoint's latest report from 2023, the global average of recognizing the term dropped to 63%, and we can only hope that this is not the case in the US as well.
30. 56% of Americans don't know how to respond to a breach
According to a Varonis survey, Americans still don't show satisfactory levels of cybersecurity literacy, with most of them not knowing what to do in case of a data breach. Over 56% of 1,000 US respondents admitted they wouldn't know what steps to take if they were affected. The study also points out that, although US users spend nearly three hours on their mobile devices each day (half of the time on social media), 64% of them never took a moment to check if they have been involved in a breach.
Checking if your email or phone number is in a data breach is very important, but also very easy, and it can be done for free on haveibeenpwned.com. So don't skimp on your own online security.
Data breach prevention – what to do to avoid becoming a victim of a cyber attack in the US?
With its benefits and great possibilities, the internet is making everyone's life easier. Unfortunately, cybercriminals and various threat actors have also learned how to make the best of it. While some threats are almost unavoidable and nearly impossible to identify, you can still avoid most of them by following these steps.
- Use only unique and strong passwords across all your accounts. Password managers and multi-factor authentication (MFA) can help you stay safe online.
- Get proper antivirus protection. There are many excellent options out there, and they are easy to install.
- Perform routine device/app scans and keep your systems and apps up to date. Delete the software you're not using.
- Stay alert. Most banks nowadays offer alert services to inform you of any irregular or suspicious activities on your account – so use them! Learn about the latest scams and threats. Knowledge will keep you one step ahead of perpetrators.
- Whenever you can, stick with secure networks. If you must use a less secure (public) network, make sure you secure your connections with a VPN.
Data breach mitigation – what to do to minimize the damage of a cyber attack in the US?
If you suspect that you've been a part of a data breach, there's no time for hesitation! You must act fast to prevent the situation from worsening. Here's what you can do.
- Contact the institution, company, or bank that you suspect has suffered a breach (in which you may be involved) to verify your suspicion and seek advice.
- Change all your passwords and update your sensitive credentials and apps.
- Freeze all compromised accounts, credit, or debit cards.
- Keep your alert systems on and monitor apps for money or identity theft.
- Notify relevant institutions and agencies. Don't be afraid to ask for help.
Data breaches are a harsh reality of the digital age, and it's going to stay that way for the foreseeable future. Organizations and consumers in the US are not less prone to cyber attacks, due to advanced levels of systems modernizations and the strong presence of the internet in almost everyone's work and leisure activities.
What's important, however, is to not leave anything to chance – build up your defences and act quickly in moments of crisis. Believe it or not, it can make a big difference in reducing the damage.
Although, in most cases, the responsibility of securing accounts should fall on the shoulders of the organizations storing and working with your data, they don't always act timely or adequately. So be proactive in securing your accounts and data. After all, once the damage is done, no one will be more affected by your loss than yourself.