
Data Breach Crisis: Cybercrime to Shatter the $10 Trillion Mark in 2026

Data Protection

For years, $10.5 trillion was the number that stopped conversations in boardrooms and security briefings alike. It was Cybersecurity Ventures’ projected annual cost of global cybercrime for 2025, and it did its job as a wake-up call. Organizations cited it in risk assessments, regulators referenced it in policy frameworks, and CISOs used it to justify budget requests. The number was alarming enough to command attention toward the data breach crisis.

Cybersecurity Ventures’ most recent published cybercrime report confirms that global cybercrime costs reached $10.5 trillion in 2025, and their own growth model, which projects cybercrime expanding at approximately 2.5% annually, puts 2026 costs higher still and on a trajectory toward $12.2 trillion by 2031. At 2025 rates, cybercriminals were extracting an estimated $333,000 in harm every single second.

The FBI’s Internet Crime Complaint Center, which receives voluntary reports from US victims alone, recorded $20.877 billion in reported cybercrime losses for 2025, the first time that figure has crossed $20 billion and a 26% increase over the $16.6 billion reported in 2024. That figure represents only what victims report. Given that only 26% of people who lose money to online crime report it to law enforcement, the FBI figure is a confirmed floor, not a ceiling.

Behind these numbers are organizations, patients, employees, and customers whose data, money, and trust have been compromised. In this blog, we look at what is driving cybercrime to record levels in 2026, which industries and attack vectors are responsible for the most damage, and what the organizations managing this risk most effectively are doing differently.

What Cybercrime Actually Costs

The $10.8 trillion global figure is not a single cost category. It is an aggregation of distinct economic damages that affect organizations differently depending on their industry, geography, and security posture.

Direct financial theft covers funds stolen through business email compromise (BEC), investment fraud, and wire transfer fraud. According to the FBI IC3 2025 Annual Report, released in April 2026, investment fraud was the single largest loss category at $8.64 billion in reported US losses, a significant jump from $6.57 billion the prior year.

Operational disruption costs cover the downtime, lost productivity, and business interruption that follows a successful attack. IBM’s 2025 report found that 31% of organizations experiencing an AI-related breach reported direct operational disruption, including disruption to order processing, customer service, and supply chain operations. For large enterprises, even a few days of operational disruption can produce losses comparable to the direct theft figures.

Recovery and remediation costs include incident response, forensic investigation, system rebuilding, notification obligations, credit monitoring services for affected individuals, and legal fees. IBM found that recovery costs alone averaged $1.2 million per breach globally in 2025, with detection and escalation costs adding another $1.47 million.

Regulatory fines and compliance penalties are a growing cost category that the 2025 data highlights directly. The widening gap between the global average breach cost ($4.44 million) and the US average ($10.22 million) is substantially explained by regulatory penalties, particularly from SEC disclosure rules, state-level notification laws across 50 different legal frameworks, and sector-specific penalties in healthcare and financial services.

Reputational damage and customer loss are the hardest to quantify but often the most enduring. IBM’s research captures “lost business” as a distinct cost category, averaging $1.38 million per breach in 2025. Customer churn, partnership losses, and brand damage in competitive markets can extend well beyond the financial year in which the breach occurred.

Industries That Pay the Most

Some industries carry structural vulnerabilities, including high volumes of valuable personal data, critical operational dependencies, or complex supply chains, that make them disproportionately attractive targets and expensive to breach.

The sector-specific attack volume data below is drawn from the FBI IC3 2025 Annual Report, released April 2026, which provides the most current federal view of how the threat is distributed across critical infrastructure sectors.

| Industry | Average Breach Cost | Cyber Events | Notable Factor |
|---|---|---|---|
| Healthcare | $7.42 million (IBM 2025) | 642 total: 460 ransomware + 182 data breaches | Most targeted sector across all 16 critical infrastructure categories |
| Financial Services | $5.56 million (IBM 2025) | 447 total events (2nd highest) | High-value data, regulatory complexity, SEC/CFPB fines |
| Industrial / Manufacturing | $5.00 million (IBM 2025) | 61% YoY surge in attacks (Cyble, 2025) | OT/IT convergence; production downtime multiplies loss |
| Energy | $4.83 million (IBM 2025) | 80 ransomware incidents (FBI IC3 2025) | Critical infrastructure status; operational impact |
| Technology | $4.79 million (IBM 2025) | Top 5 targeted critical sector | IP theft; supply chain attack exposure |
| Government Facilities | $2.86 million (IBM 2025) | Top 5 targeted critical sector | Lower cost but highest public impact |

Attack Vectors Driving the Crisis in 2026

Understanding which attack vectors are generating the most damage in 2026 matters for prioritizing defensive investment.

Phishing overtook stolen credentials as the most common initial attack vector in 2025, responsible for 16% of breaches at an average cost of $4.8 million per incident. The reason phishing has reclaimed the top position after years of credential theft dominance is directly related to AI: 82.6% of phishing emails analyzed in late 2024 and early 2025 used AI to some extent, per ENISA’s 2025 threat landscape assessment. AI-generated phishing messages are significantly more convincing than the poorly written, grammatically suspicious messages that awareness training has conditioned users to spot.

Supply chain compromise was the second most prevalent attack vector at nearly 15% of breaches, with an average cost of $4.91 million and the longest average resolution time at 267 days. Supply chain attacks are particularly expensive because they are the hardest to detect and the most difficult to contain: the initial compromise happens in a third-party environment, and the damage propagates through every downstream organization that trusts that vendor’s software or services.

Stolen or compromised credentials remain the third-largest initial access vector and the foundation of the credential abuse ecosystem. Microsoft processes more than 600 million password attacks per day. Infostealers, malware specifically designed to harvest credentials at scale, accounted for a growing share of initial access in 2025, with multiple major ransomware-as-a-service (RaaS) groups listing them as their primary credential procurement method according to the CrowdStrike 2025 Global Threat Report.

Exploitation of unpatched vulnerabilities is accelerating. The Verizon 2026 Data Breach Investigations Report found that vulnerability exploitation rose to 31% of breaches, making it the most common initial access vector across its dataset and overtaking credential abuse for the first time. Among vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog, only 26% were fully remediated by organizations in 2025, with median remediation time rising to 43 days.


What Organizations Are Still Getting Wrong

The most actionable insight from the 2025 and 2026 breach data is not the attack volume or the cost figures. It is the consistent pattern of avoidable failures that appear across breaches of every type and size.

Detection speed: This remains the single largest cost lever. IBM’s data shows a direct and measurable relationship between breach detection time and breach cost. Breaches detected within 200 days cost $3.87 million on average. Breaches exceeding 200 days cost $5.01 million, a $1.14 million premium. The 200-day threshold represents the point at which lateral movement, large-scale exfiltration, and persistent access become fully established.

Supply chain security: Supply chain compromise at nearly 15% of initial attack vectors and a $4.91 million average cost per breach is the second most expensive and the longest to resolve attack pattern in IBM’s dataset. The Verizon 2026 DBIR’s finding that 48% of all breaches now involve a third party, a 60% increase year-over-year, confirms that the supply chain is the fastest-growing initial access pathway. Organizations that audit their own security rigorously but do not apply equivalent scrutiny to their software vendors, managed service providers, and code signing infrastructure are leaving a large and growing gap.

AI governance and adoption: IBM found that 63% of breached organizations had no formal AI governance policies. Only 34% conducted regular audits to detect shadow AI. Given that shadow AI was a contributing factor in 20% of breaches and added $670,000 to average costs, this is not a theoretical risk. Organizations deploying AI tools without corresponding governance frameworks are expanding their attack surface in ways that their security programs are not yet equipped to detect.

Slow vulnerability remediation: With only 26% of CISA Known Exploited Vulnerabilities fully remediated in 2025 and median remediation time rising to 43 days, a substantial portion of the vulnerability exploitation that now accounts for 31% of initial access is exploiting known, patchable vulnerabilities that organizations simply have not closed. Prioritized, risk-based patch management has a higher ROI than almost any other security investment at current exploitation rates.
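The two metrics this section cites (share of KEV entries fully remediated, median days to remediate) and the risk-based prioritization it recommends are straightforward to compute from a vulnerability-management export. The following Python is an added illustration, not Encryption Consulting's tooling or any product's code. The catalog records and patch tickets are constructed, the CVE identifiers are placeholders (CVE-0000-XXXX) rather than real catalog entries, and the field names (cveID, dueDate, knownRansomwareCampaignUse) are assumed to mirror the public KEV JSON feed's schema. The scoring weights are arbitrary choices for the example.

```python
"""Risk-based patch prioritisation against a CISA KEV-style catalog.

Added example, not the blog's or Encryption Consulting's code. All data
below is CONSTRUCTED; CVE ids are placeholders, not real KEV entries.
"""
from datetime import date
from statistics import median

# Fixed "as of" date so the figures below are reproducible.
TODAY = date(2026, 5, 1)

# Constructed KEV-style records (assumed schema: cveID, dateAdded, dueDate,
# knownRansomwareCampaignUse, mirroring the public feed's field names).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-03-20", "dueDate": "2026-04-10",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2026-04-15", "dueDate": "2026-05-06",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2026-01-05", "dueDate": "2026-01-26",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0005", "dateAdded": "2026-04-28", "dueDate": "2026-05-19",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed patch tickets from a hypothetical vulnerability-management system.
# "closed" is None while the fix is still outstanding.
TICKETS = {
    "CVE-0000-0001": {"opened": date(2026, 2, 12), "closed": None, "internet_facing": True},
    "CVE-0000-0002": {"opened": date(2026, 3, 21), "closed": date(2026, 4, 20), "internet_facing": False},
    "CVE-0000-0003": {"opened": date(2026, 4, 16), "closed": None, "internet_facing": False},
    "CVE-0000-0004": {"opened": date(2026, 1, 6), "closed": date(2026, 3, 30), "internet_facing": True},
}


def remediation_stats(tickets):
    """Return (fraction of tickets closed, median days-to-close for closed ones)."""
    closed_days = [(t["closed"] - t["opened"]).days for t in tickets.values() if t["closed"]]
    fraction = len(closed_days) / len(tickets) if tickets else 0.0
    med = median(closed_days) if closed_days else None
    return fraction, med


def untracked_kev(catalog, tickets):
    """KEV entries with no ticket at all: exposure nobody is managing."""
    return [e["cveID"] for e in catalog if e["cveID"] not in tickets]


def prioritize(catalog, tickets, today=TODAY):
    """Rank still-open KEV tickets, highest risk first.

    Score = 100 if past the KEV due date, +50 if known ransomware use,
    +25 if the affected asset is internet-facing, + days the ticket has
    been open (so equal-risk items drift upward the longer they linger).
    """
    ranked = []
    for entry in catalog:
        cve = entry["cveID"]
        ticket = tickets.get(cve)
        if ticket is None or ticket["closed"] is not None:
            continue  # untracked items are reported separately; closed ones are done
        due = date.fromisoformat(entry["dueDate"])
        overdue_days = max(0, (today - due).days)
        days_open = (today - ticket["opened"]).days
        score, reasons = 0, []
        if overdue_days > 0:
            score += 100
            reasons.append(f"{overdue_days}d past KEV due date")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 50
            reasons.append("known ransomware use")
        if ticket["internet_facing"]:
            score += 25
            reasons.append("internet-facing asset")
        score += days_open
        reasons.append(f"open {days_open}d")
        ranked.append((cve, score, reasons))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    fraction, med = remediation_stats(TICKETS)
    print(f"fully remediated: {fraction:.0%}, median days to close: {med}")
    print("untracked KEV entries:", untracked_kev(KEV_SAMPLE, TICKETS))
    for cve, score, reasons in prioritize(KEV_SAMPLE, TICKETS):
        print(f"{cve}  score={score:<4} {'; '.join(reasons)}")
```

On the constructed data, half the tickets are closed with a median of 56.5 days, one catalog entry has no ticket at all, and the overdue, ransomware-linked, internet-facing item ranks first by a wide margin. In a real program the catalog would be loaded from the live KEV feed and the tickets from the organization's own tracker; the two summary metrics then map directly onto the 26% and 43-day benchmarks quoted above.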

How Encryption Consulting Can Help

At Encryption Consulting, our work sits directly at the intersection of the patterns that define the 2026 breach landscape. The common thread across the costliest breaches (supply chain compromise, inadequate encryption governance, and poorly managed signing infrastructure) is a gap between the security controls organizations believe they have and the controls that actually hold under adversarial conditions.

Encryption and Key Management Advisory

Our Encryption Advisory Services help organizations move from encryption as a deployment checkbox to encryption as a governed, auditable discipline. We assess current encryption coverage across data at rest, data in transit, and data in use; evaluate key management practices against current standards; and identify the specific gaps, whether in key storage, rotation policies, access controls, or audit logging, that leave encrypted data vulnerable despite the encryption being technically in place.

Compliance Advisory Services

Our Compliance Advisory Services help organizations understand their obligations under the growing landscape of data protection regulations, including GDPR, HIPAA, the EU CRA, state-level US breach notification laws, and SEC disclosure requirements, and build the controls and documentation needed to demonstrate compliance before an incident occurs rather than scrambling to reconstruct it afterward.

Post-Quantum Cryptography Advisory

The encryption protecting sensitive data today and the signatures authenticating software today are both vulnerable to attack by a sufficiently capable quantum computer. Our PQC Advisory Services help organizations plan and execute the migration to NIST-standardized post-quantum algorithms before the threat window opens, rather than after it has already been exploited.

Conclusion

At $10.5 trillion in confirmed 2025 damages and a trajectory that Cybersecurity Ventures projects reaching $12.2 trillion by 2031, cybercrime is not a problem that is going to peak and resolve. It is a structural feature of the digital economy, growing faster than global GDP and better resourced than most of the organizations defending against it.

Supply chain attacks are growing faster than most other vectors, targeting the trusted relationships between organizations rather than their perimeters. Regulatory penalties are making the cost of inadequate governance increasingly concrete.

This $10 trillion figure is large enough to be paralyzing if treated as a single number. It becomes actionable when broken into its components: the specific attack vectors your organization is most exposed to, the specific data categories you hold that carry the highest per-record cost, the specific gaps in your encryption governance, key management, and signing infrastructure that an attacker would target first.

Those are precisely the gaps that Encryption Consulting’s advisory services and product portfolio are designed to close.