10 Cybersecurity Statistics That Every Business Should Know [New Research]

Oct 16, 2019

GetApp's cybersecurity statistics provide insight into the tools and practices businesses use—and don't use.

Gitanjali Maria and Zach Capers Content Analyst

GetApp’s 2019 cybersecurity statistics identify numerous insights into the tools and practices that businesses use-or don’t use-to shape their IT security posture.

We recently conducted a comprehensive data security survey to better understand how businesses in the U.S. are contending with various facets of IT security such as the use of security software, deployment of data classification, preparation for privacy regulations, and the administration of employee security training. The following are some of the most interesting cybersecurity statistics we pulled from the results.

1. Only 69% of companies use a data backup system

Imagine losing all of your most important files, application data, and intellectual property. It might mean the end of your business. Unfortunately, countless businesses are taking that chance. A data backup system is the only way to guarantee recovery from a devastating ransomware attack, network failure, or natural disaster. Every company should have one.

Have you ever wondered about the most common IT security tools used across businesses? Our survey results answer that question.

2. 48% of companies allow more data access than necessary

Nearly half of all businesses allow employees to access to more data than needed to perform their jobs. This jeopardizes data security, makes compliance efforts more difficult, and provides unnecessary opportunities for insider threats.

Restrict employee access to data using controls such as identity management and privileged access management. You can also make sensitive data easier to protect by developing a data classification policy.

Discover more of our security survey results and download a free template in our report:How to Select Data Classification Levels for Your Business

3. Only 64% of businesses use 2-factor authentication

Authentication tools verify the identity of persons seeking access to your business resources. Two factor authentication requires two methods of identification and prevents many of the most common cyber attacks and data breaches. Unfortunately, less than two thirds of companies in our survey use two factor authentication.

Biometric authentication is the use of a physical trait, such as a fingerprint or iris scan, to access a secure facility. The technology is a costly investment and often considered an invasion of privacy-issues that likely factor into biometric authentication’s relatively low adoption rate. Our survey found that 27% of companies report the use biometric authentication.

Read our recent report: Evolved risks demand newer authentication methods

4. Only 27% of businesses provide social engineering training for employees

Social engineering is at the root of numerous criminal schemes including phishing, business email compromise, pretexting, baiting, and piggybacking. Increased awareness of the methods used to manipulate employees will sharply reduce these risks.

Read our recent report: Social Engineering Techniques that Hack Your Employees

The IT security landscape is complicated and requires an array of training on many topics. Unfortunately, businesses often provide security training only on a portion of these concerns while leaving employees in the dark on others. Our 2019 security survey asked employees about the types of security training provided by their employer.

In addition to social engineering training, the responses for social media guidelines, acceptable use policy, and bring your own device (BYOD) were all less than 50%. If your business has overlooked any of these policies, use our resources to get started:

5. 43% of employees do not receive security training on a regular basis

Your employees are the weakest link in your security chain if not trained adequately. The easiest way for hackers to reach your data and systems is by manipulating employees to reveal login credentials. Despite this, 43% businesses do not provide employees with regular security training. In fact, 8% report never receiving security training.

We recommend that employees be trained in basic security measures every six months.

6. 43% of employees admit that they or their colleagues have opened phishing emails

Phishing is a type of social engineering attack that tricks individuals into downloading malware or revealing sensitive information. Modern spear phishing attacks target people by name, are professionally written, and appear to come from a company you recognize making them difficult to stop.

Read our recent report: How to Prevent Business Email Compromise and Spear Phishing Attacks

7. Only 30% of companies conduct phishing tests

A phishing test is used to gauge employee susceptibility to social engineering through email. These tests can be designed by your internal IT department or administered by a third-party security company.

8. More than 50% of the companies prefer computer-based tools for security training

Readily available and less expensive computer-based security training (CBT) tools have become a central component of security awareness programs. More than half of the businesses (50.3%) reported using CBT.

But according to Gartner (full content available to clients), computer-based training alone is not enough to build a security-conscious workforce. Businesses must design holistic security training programs that incorporate mentoring sessions, security advocacy programs, activities, contests, and online meetings/webinars.

9. 34% of IT professionals not familiar with GDPR; 43% not familiar with CCPA

More than a year after going into effect, a full third of the IT professionals we surveyed reported no familiarity at all with GDPR. Fines for violating the European privacy law can reach €20 million or 4% of annual revenue, whichever is higher. That’s why all IT professionals should have at least some familiarity with the regulation.To learn more about GDPR, read our primer.

Improve your knowledge about GDPR:

One of the most concerning cybersecurity statistics from our survey is the fact that 43% of IT professionals have no familiarity at all with the California Consumer Privacy Act (CCPA). That’s a problem because it’s set to take effect January 1, 2020.

Inspired by GDPR, the CCPA will enshrine California’s web users with several new rights. Violations of the CCPA can reach $7,500 each-which can add up quickly. That’s why IT professionals should learn about the law’s implications and stay on top of other state regulations it’s already inspiring across the United States.

If you are among them, here are some resources to help you learn more about CCPA:

10. 27% of IT professionals admit their business does not have cyber insurance

Cyber insurance protects against liability for internet-based threats to IT systems and infrastructure. Today’s digital businesses are vulnerable to costly cyber risks including data breaches, malware, spear phishing, and ransomware. Cyber insurance policies vary and may cover costs such as legal fees, business down-time, or regulatory fees.

Cyber insurance should never be thought of as a replacement for strong cybersecurity, but if something does go wrong, 38% of businesses in our survey will probably be glad they have it.

Stay on top of cybersecurity statistics

Data security tools and practices are continually evolving. Stay up-to-date on IT security trends, cybersecurity statistics, and data privacy issues by following us on Twitter.

Looking for cybersecurity software?

Click here

*This document, while intended to inform our clients about cybersecurity statistics, is in no way intended to provide legal advice or to endorse a specific course of action.


The cybersecurity statistics referenced in this article resulted from a survey that was conducted by GetApp in June, 2019, among 714 respondents who reported full-time employment in the United States. Of the 714 respondents, 207 identified as IT professionals.

About the author

Gitanjali Maria and Zach Capers

Content Analyst