Cybersecurity Statistics You Should Know For 2021

Share on linkedin
Share on facebook
Share on twitter

Table of Contents

2020 was marked by a rapid and unprecedented digital transformation for many organizations, as many adapted their operations to allow remote work. This transformation has also resulted in a drastic increase in cybersecurity risks for many organizations and a significant growth in the amount of cyberattacks.

In order to prepare for the upcoming year and the risks that will continue to be on the rise, here are many relevant statistics that you should know for 2021:

Application Cybersecurity Statistics for 2021

More than half of web application vulnerabilities are classified high-severity or critical – Web applications have become essential in everyone’s day-to-day life, whether for making banking transactions, ordering from a restaurant, or collaborating in a workplace setting, it’s undeniable that they now hold an important place in our lives. In order to maintain a competitive edge, companies are constantly adding new features and new integrations which increases the complexity of these applications. For this reason, critical and high-severity vulnerabilities often unknown to development teams are introduced into the app and can have serious repercussions when exploited by an attacker.

2/3 of all attacks on web applications involve an SQL injection – SQL injection attacks, one of the predominant security controls addressed in the OWASP standard, targets the application’s database and attempts to gain access to any stored data. Vulnerabilities that involve SQL injections are often critical, as they are generally accessible without requiring any specific access.

Cyberattacks on web applications increased by 52% in 2019 according to a report published in mid-2020 – Hackers are becoming well aware of the risks associated with the growing use of web applications. The have become one of the primary vectors of attack prioritized by attackers due to the amount of sensitive data they process.

More than 20% of all cyberattacks in 2020 were against web applications – Nearly 1 in 4 cyberattacks in 2020 targeted a web application.

COVID-19 Cybersecurity Statistics for 2021

During COVID-19, phishing attacks increased by 667% in only one month – Hackers are taking advantage of the pandemic to create convincing scenarios, leveraging a combination of fear and a sense of urgency to persuade individuals to download malicious attachments or submit their credentials in a malicious web page. For example, some phishing emails sent in March 2020 impersonated governments and claimed to invite users to a vaccine trial, asking that they fill out a form attached to the email.

Over 30% of Canadian organizations have seen a noticeable spike of cyberattacks during the pandemic – According to a survey conducted by the Canadian Internet Registration Authority (CIRA), more than 30% of Canadian organizations faced a significant increase in cyberattacks during the COVID-19 pandemic.

The majority of Canadian companies implemented new cybersecurity protections directly in response to COVID-19 – With the rise of cyberattacks in 2020, most organizations in Canada were forced to put new cybersecurity measures in place. Furthermore, the adoption of remote work has resulted in unexpected cyber risks that led companies to implement new protections.

Cyberattacks against banks rose by 238% due to COVID-19 – Banks were a primary target for hackers in 2020 as millions of consumers shifted their banking and shopping habits due to stay-at-home orders, notably with a 50% increase in online transactions during the pandemic. The primary goal of attackers is to steal banking credentials or sensitive information they can use to access and divert funds.

Ransomware attacks increased by 148% at the peak of the pandemic – Considering the rise in phishing, it’s no surprise that ransomware attacks have also increased drastically during the pandemic. Cryptographic malware is generally delivered through infected email attachments, allowing hackers to infect workstations. The latter is designed to ultimately exploit vulnerabilities for spreading itself across an entire network and infecting as many devices as possible.

According to CIRA, Canadian governments saw a 20% increase in cybersecurity incidents in May 2020 – Many Canadian government agencies faced an increase in ransomware and phishing attacks in May 2020, as many opted for remote work, resulting in various cybersecurity incidents. This same trend has been seen on the other side of the border, with many local US governments declaring a state of emergency due to ransomware attacks.

Want to know how Vumetric has helped 1,000+ organizations improve their cybersecurity?

No matter the size of your business or your industry, our experts understand the most intricate risks you face on a daily basis that could potentially be disastrous if a hacker exploited them.

Canada’s Cybersecurity Statistics For 2021

80% of companies in Canada were hit by a cyberattack between 2019 and 2020 – According to a survey conducted by CIRA, only 20% of Canadian companies did not record a cyberattack between 2019 and 2020.

30% of all Canadian organizations hit by a cyberattack saw their day-to-day work interrupted – From denial of service (DDoS) to encrypted workstations due to ransomware, nearly a third (1/3) of companies suffered a loss in productivity and saw their daily operations affected by an attack, causing delays for their customers, revenue losses, and skyrocketing technical recovery costs.

45% of companies in Canada performed a penetration test in 2020 to prevent future cyberattacks – Penetration tests or pentests remain the most effective way to secure an organization from cyberattacks, as it allows them to replicate a cyberattack following the same steps a hacker is using to identify vulnerabilities that can be exploited. Additionally, it prioritizes their security gaps based on their risk level and provides recommendations to help them effectively allocate their resources on measures that protect them from cyberattacks.

41% of Canadian organizations plan to conduct penetration testing to mitigate their cyber risks in 2020 and 2021 – Nearly half of companies plan to incorporate penetration tests into their risk management strategy for the upcoming year. Many of them face roadblocks or have a hard time justifying the return on investment that it provides to their company, but the benefits are clear. For example, startups have limited resources and investing on a pentest might seem counter-intuitive, but it will allow them to meet various requirements to unlock business partnership and in turn, get more resources.

66% of organizations in Canada hold sensitive data from their customers, employees, suppliers, vendors, or partners – This explains why so many organizations are investing into cybersecurity measures, such as penetration tests. Whether it’s for meeting requirements from their clients, securing sensitive assets, or preventing financial losses due to customer turnover following a data breach, implementing strong cybersecurity protections is essential in today’s digital world.

Data Breach Statistics For 2021

71% of all data breaches are financially motivated – An entire market on the dark web is dedicated to the reselling and purchase of leaked data after a data breach. This data is often used by attackers to connect into a company’s critical system by attempting to use the credentials of every employee they manage to find. This is not surprising for most experts in the industry, as statistics have shown that cybercrime is more profitable than the combined operations of drug trafficking worldwide.

20% of data breaches are motivated by cyber espionage – According to Verizon’s yearly report, 20% of data breaches are motivated by cyber espionage, such as corporate espionage.

43% of data breaches in 2020 occurred through cloud-based web applications – With the large amount of sensitive data stored on web applications, the risks associated with the large flexibility of configurations on cloud infrastructures (often misconfigured) and the critical vulnerabilities on these apps, they are becoming a primary target for attackers.

25% of data breaches in 2020 involved phishing as a vector of attack – No matter how strong a company’s cybersecurity measures are, phishing can circumvent a lot of these protections and render them ineffective.

Healthcare Cybersecurity Statistics For 2021

Medical devices have 6 vulnerabilities on average that cannot be patched – A majority of medical equipment relies on obsolete operating systems with many vulnerabilities that cannot be mitigated, although these risks can be alleviated with proper network segmentation and strong procedures.

62% of hospital administrators feel unprepared to deal with cyber risks – Considering the fact that hospitals spend 50% to 75% less on cybersecurity compared to other industries, administrators lack the necessary resources to protect their infrastructure against cyberattacks.

24% of healthcare employees have never received cybersecurity awareness training – A majority of incidents in the healthcare industry were caused by a lack of awareness regarding cybersecurity risks. Cyberattacks on hospitals are so frequent that many US government agencies, such as the FBI and CISA, recently issued a joint warning regarding the imminent threat they pose. These attacks generally result from phishing emails on which an employee clicked, as one in seven hospital employees are said to open phishing emails. A recent ransomware attack that targeted a hospital in the US forced them to divert ambulances to nearby hospitals and to delay surgeries after an employee clicked on a malicious attachment in an email. Thorough cybersecurity awareness is the most effective way to prevent these incidents and reduces the risk of a cyberattack drastically in an organization.

A penetration test is a simulated hacking attempt that identifies opportunities for real hackers to break through your defences and perform various malicious acts. It generally leverages tools used by hackers and various professional methodologies to replicate the steps that modern hackers would take to intrude into your IT systems.

A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. They provide a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.

These services allow your organization to answer the following questions, among several others:

  • Can a hacker gain access to any sensitive information?
  • Can a hacker hijack my technologies for any malicious acts?
  • Could a malware infection spread through the network?
  • Can an attacker escalate access to an administrative user?

Learn more about penetration testing →

There are many contexts in which a penetration test should be performed.

Here are some common use cases for a pentest:

  • As part of the development cycle of an application. (To test the security of a new feature/app)
  • To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
  • To secure sensitive data from exfiltration.
  • To prevent infections by malware. (Ransomware, spyware, etc.)
  • To prevent disruptive cyberattacks. (Such as denial of service)
  • As part of a cybersecurity risk management strategy.

All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that quarterly tests are performed.

Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.

For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified, for which  corrective measures need to be implemented quickly.

While we use a simple 4 levels risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when  assessing the risk level of each vulnerability:

  • Potential impact: The potential impact of an attack based on a vulnerability, combined with its  potential effect on the availability of the system, as well as the confidentiality and integrity of  the data.
  • Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to  exploit increases the number of potential attackers and thus the likelihood of an attack.  Different factors are considered when evaluating the exploitability potential of a vulnerability  (e.g.: access vector, authentication, operational complexity, etc.)

Related Vumetric Blog Posts

Cyberattack impact

How Cyberattacks Impact Your Organization

A cyberattack is a malicious assault by cybercriminals aiming to damage a computer network or …

Read The Article
penetration test vs bug bounty

Penetration Testing vs Bug Bounty

Due to the recent spate of ransomware incidents, organizations and nervous IT administrators are wondering …

Read The Article
How Wordpress Gets Hacked and How to Prevent

How WordPress Sites Get Hacked And Fixes to Prevent it

WordPress sites get hacked on a regular basis, as it is by far the most …

Read The Article


We've Earned Internationally-Recognized Certifications

Contact a Certified Expert

Talk with a real expert. No engagement. We answer within 24h.
penetration testing provider

Stay Updated on Cyber Risks!

Subscribe to the Vumetric Monthly Bulletin to keep up with breaking news in the cybersecurity industry.

Want to Uncover Your
Cyber Risks?

or give us a call directly at: