Introduction
For years, we’ve all heard it: “Cyber threats are on the rise.” But how much is hype, and how much is reality?
According to the IRIS 2025 report by Cyentia, it’s not hype. Since 2008, the number of publicly reported cyber incidents has increased by over 650%, climbing from 450 to nearly 3,000 per quarter.
But here’s the nuance that matters: this rise isn’t just about more attacks. It’s also about how attackers evolve, how we detect threats, and how regulation drives transparency. From the stealthy era of APTs to the ransomware boom and the pandemic’s IT transformation, every major spike has a cause.
As risk managers and CISOs, this isn’t just trivia—it’s critical context. Understanding these shifts helps us future-proof our strategies, rather than plan for a past that no longer exists.
TL;DR – IRIS 2025 in 12 Takeaways
- Cyber incidents are up 650% since 2008, but the rise is driven not only by more attacks but also by better detection, stricter regulation, and broader definitions of what counts as an incident.
- Regulations drive visibility. Laws like HIPAA, GDPR, NY DFS, SEC rules, and CIRCIA have massively expanded what gets reported.
- Bigger firms = bigger targets. Large enterprises face more complex and costly incidents, especially from supply chain and credential abuse.
- Median breach losses are now ~$130K, but for >$10B companies, the median is $20M+ — and 10% of incidents exceed $10M.
- Third-party and ransomware breaches are the most expensive, both in median and extreme loss events.
- Incident type matters: Phishing is frequent but lower cost; third-party failures and ransomware cause the most financial damage.
- Attack methods have shifted. Credential abuse, phishing, and exploit chaining dominate — while removable media and physical vectors fade.
- Your company size determines your threat profile. Smaller firms see phishing, mid-sized firms see SaaS abuse, and large firms are attacked via federated identity and vendors.
- What’s reported is not the whole picture. Many incidents (e.g. cloud outages, service degradation) don’t meet breach thresholds but still cause heavy damage.
- Feedly-sourced incidents have a median cost of $28.5M, roughly 30× higher than structured breach reports, which suggests that traditional breach datasets underestimate real-world loss.
- DORA forces firms to quantify all ICT disruptions, not just data breaches. Risk now includes downtime, impact, and third-party fallout.
- Most expensive incidents are complex and slow to detect. Fast response and supply chain visibility are critical cost controls.
Why the Number of Reported Incidents Isn’t Even Higher (Despite Everything)
While a 650% increase in reported incidents since 2008 sounds alarming, it might actually be understated.
We’ve seen the digital world multiply in complexity, cloud services proliferate, ransomware surge, and regulations tighten globally. Yet, reporting hasn't exploded in proportion. Why? Because public data is filtered through layers of regulatory thresholds, detection blind spots, underreporting, and legal caution.
The real number of incidents is certainly higher—what’s growing is not just the threat surface, but also our incomplete visibility of it.
The report only scratches the surface here. One key driver often overlooked in cyber incident data is the regulatory lens. As laws like GDPR, NIS2, and DORA have come into force, they have brought a wave of mandatory breach disclosures across industries. In other words, the 650% rise in reported incidents isn’t just about more attacks; it’s also about more visibility.
Below is a mapping of data from the IRIS report against key breach-disclosure regulations:
[Table: IRIS 2025 incident data mapped to breach-disclosure regulation timelines. Data source: IRIS 2025 / Mapping: Zoller]
If you want a real understanding of risk trends, map reporting-legislation timelines alongside incident data. Only then can you separate signal from regulation-induced noise. In the U.S. in particular, breach visibility isn’t just about more attacks; it’s the result of an expanding patchwork of disclosure laws, from HIPAA to the SEC rules. With over 50 state and federal laws in play, the rise in incidents also reflects a widening regulatory spotlight.
Regulatory Expansion ≠ Full Transparency
- Thresholds for “materiality” or “significant harm” vary widely.
- Loopholes exist in how “personal data breach” is interpreted.
- Disclosure doesn’t always mean public.
📌 Example: Under HIPAA, the breach notification rule covers only “unsecured” protected health information. If the data was encrypted and the decryption key was not also compromised, no breach reporting is required, even if an attack occurred.
Reporting ≠ Detection
Many incidents are:
- never detected (e.g., supply chain compromises, insider threats, APTs),
- detected but not recognized as breaches, or
- quietly resolved without formal disclosure.
The underground iceberg of cyber incidents is far larger than what public data reveals.
Public Disclosures Are Delayed or Omitted
- End-of-year dips in IRIS data reflect reporting lag.
- Private settlements and NDAs suppress publication.
- Less-regulated sectors underreport heavily.
Disincentives to Report
- Reputation damage
- Stock price volatility
- Regulatory scrutiny and legal exposure
Are All Types of Incidents Trending the Same Way?
While overall incident volume has grown, not all incident types follow the same trend. Using a time-series view of incident patterns from 2009 to 2024, Cyentia reveals:
- System Intrusions have consistently ranked as the most frequent type of cyber event — this hasn't changed in 15 years.
- Ransomware has seen a dramatic, unprecedented rise since ~2019.
- Accidental Disclosures, on the other hand, have plummeted in frequency.
- Other patterns (e.g., Defacement, DoS, Insider Misuse) show mild or declining trends.
"While it's tempting to talk about 'cyber risk' as one monolithic trend, the IRIS 2025 data shows that not all incidents are created equal. System intrusions continue to dominate — they’re the cyber equivalent of gravity. But what really transformed the landscape is ransomware. Its explosive growth since 2019 is the clearest driver behind the surge in high-impact events.
Interestingly, some threats have faded into the background. Accidental data disclosures have dropped dramatically, and insider misuse is far rarer than common narratives suggest. These shifts matter.
If your security posture is still built around yesterday’s dominant risks, you may be planning for a world that no longer exists.
Physical threats and insider misuse have declined. Remote, scalable attacks now dominate.
- Accidental disclosures may reappear if vigilance lapses.
- Insiders rarely rank higher than 4th in attack vectors.
Takeaway: If your threat model still revolves around a disgruntled employee stealing files with a USB stick, you may be decades behind the threat curve. IRIS 2025 confirms what many of us have sensed: the era of physically dependent attacks is over. Security incidents today are about speed, scale, and software.
That said, accidental errors haven’t disappeared — they’ve just been temporarily reduced by better defaults and automation. And remember, employees are most often victims, not villains. Building trust and equipping teams with secure tools may be more effective than monitoring them into paranoia."
Do Incident Trends Differ Across Organizations?
The report shifts from “how many incidents are happening” to “who they’re happening to.” The key question is whether organizational characteristics — like size or sector — affect incident frequency. Initial findings:
- Smaller businesses (< $100M in annual revenue) account for the largest absolute share of incidents.
- But this is misleading without context, because there are far more small businesses than large ones.
Relative Risk Reveals a Very Different Story
Normalized per company, the picture flips:
- The “We’re Too Small to Target” Fallacy - Small firms are absolutely targeted, but less frequently on a per-company basis. However, they may also be less likely to detect and report incidents, so actual exposure could be underrepresented.
- Large Organizations Are Attractive Targets - Bigger firms face orders of magnitude higher incident frequency per entity. Why? Larger attack surfaces, more valuable data, more complex third-party ecosystems, and higher regulatory visibility.
- Security Spending Still Isn’t Proportional - Smaller firms often lack the resources for strong defenses; larger firms are better defended but also face more motivated adversaries.
- Risk Scales Faster Than Revenue - You can’t assume cyber risk grows linearly with business scale; it grows much faster than that. A $10B company is not 10× riskier than a $1B company; it may be more than 20×.
Takeaway : Not all organizations face the same cyber risk exposure. IRIS 2025 shows that while small businesses account for most breaches in total, large enterprises face exponentially higher risk on a per-company basis. A $100B+ organization is 620× more likely to report a breach than a microbusiness. Cyber attackers go where the value is. Your security strategy must account not just for your budget, but for your firm’s attractiveness to threat actors.
Small businesses are often painted as the softest targets in cybersecurity — but IRIS 2025 flips that script. While small firms account for more breaches in absolute terms, large enterprises face exponentially greater risk per company. If your revenue exceeds $10B, you're nearly 80× more likely to suffer a reportable incident than a mid-market peer — and over 600× more than a microbusiness. Cyber attackers follow value. And that value scales far faster than most defenses.
Not All Organizations Are Breached the Same Way
Cyentia’s analysis shows that as company size increases, the type of incident they experience changes dramatically. It's not just how often they’re attacked — it’s how.
- Attackers Adapt by Revenue Tier - Smaller firms are attacked via broad, low-effort campaigns (e.g., phishing, credential stuffing); larger firms are targeted by sophisticated actors exploiting ecosystem complexity (vendors, suppliers, code pipelines).
- Ransomware Is Everywhere, But Grows With Size - Present across all tiers, but more devastating at the top; high-value orgs are more likely to face multi-stage extortion (data theft + encryption + public pressure).
- Physical Threats Are a Small-Biz Problem - Device theft, local errors, and poor endpoint controls remain mostly a small-business issue.
Takeaway : Cyber threats don’t just increase with scale — they evolve. What’s dangerous to a $10M business isn’t what takes down a $10B one. Enterprise CISOs must focus on ecosystem risk: third-party software, service providers, and vendor exposure. SMBs need to get the basics right: passwords, phishing defense, endpoint visibility.
“Cybersecurity isn’t one-size-fits-all — and IRIS 2025 shows why. A 15-person SaaS startup and a $100B bank don’t just have different risk appetites — they’re playing different games. One faces phishing and device loss. The other is managing vendor exposure across continents.”
CISOs must tailor defenses not just to their sector, but to their scale. The attack surface, attacker incentives, and technical complexity shift at every level.
Is the Probability of a Cyber Incident Increasing?
For years, cybersecurity leaders have watched incident reports climb. But volume ≠ probability.
The IRIS 2025 report goes beyond raw counts. It asks: Are organizations more likely to experience a cyber incident today than they were 5 or 10 years ago?
Short answer: Yes — but not uniformly. More than a 3× increase in breach probability for large firms over the past 13 years. For $100M–$1B firms, the increase is smaller but still significant. For sub-$10M companies, breach probability has stayed largely flat.
- The Breach Is Coming — Especially If You’re Big - A $1B+ company in 2024 has a 7% chance of suffering a public cyber incident — and that’s just what’s reported.
- Regulatory Pressure and Maturity Drive Visibility - Large firms are more likely to report incidents, both because of legal requirements and better monitoring capabilities.
- Small Firm Risk Is Likely Understated - Flat risk at the bottom doesn’t mean safety — it may mean blindness. Many small orgs are breached and unaware, or breached and silent.
Takeaway : Cyentia’s IRIS 2025 report doesn’t just show a rise in breach counts — it shows a rise in breach probability. If you’re a $1B+ company, your odds of experiencing a public cyber incident in 2024 are 1 in 14. Cybersecurity isn’t just a ‘cost of doing business’ anymore — it’s a statistical certainty. Are you managing risk… or managing luck?
Have Security Incidents Gotten More Costly?
This is where IRIS 2025 separates myth from measurable fact. While headlines often shout about “record-breaking breach costs,” Cyentia examines real data across 8 years and 4,000+ incidents to understand how costs have evolved.
Incident Costs Have Risen — But Not Exploded
- Median losses increased from ~$50k (2017) to ~$130k (2024)
- That’s a 2.6× rise — significant but not exponential
- Costs have plateaued slightly in the past 2 years
This suggests a maturing response ecosystem: companies detect faster, contain quicker, and understand cost factors better.
Losses Are Strongly Skewed
- Median = $130k
- But 10% of incidents cost more than $10M
- A few mega-incidents distort average loss figures
This is the classic "fat tail" risk. It is why the median describes the typical incident far better than the mean, which a handful of mega-incidents drag upward, and why capital, insurance limits, and response planning should be sized from the tail rather than from either.
Takeaway : IRIS 2025 confirms it: cyber incidents are more expensive than ever, but not uniformly. While the median breach cost has risen to ~$130k, the real danger lies in the tail risks: 10% of events now exceed $10 million. For enterprises over $10B, median losses pass $20 million. Cybersecurity isn’t a sunk cost — it’s a hedge against existential damage.
- Breaches Have Gotten Costlier — But Predictably So - The rise in cost mostly tracks inflation, complexity, and regulation.
- Outliers Wreak Havoc - 1 in 10 incidents costs eight figures or more. These are the ones boards and insurers care about.
- Cost Scales Nonlinearly with Size. A 10× increase in revenue leads to 100–1000× more financial exposure. This underscores the importance of risk transfer (cyber insurance) and response maturity.
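The figures quoted in this section and in the earlier probability section (a roughly 1-in-14 annual chance of a public incident for a $1B+ firm, a $130k median loss with 10% of incidents above $10M) are enough to calibrate a toy annualized-loss model and see why the planning number is the tail, not the median. The Python below is an added example, not code from the IRIS report or from Cyentia. It assumes a lognormal severity distribution fitted to those two quantiles and a Poisson incident frequency; the report states neither shape, and the independence of incidents within a year is also an assumption.

```python
"""Toy annual cyber-loss model: Poisson frequency x lognormal severity (added example)."""
import math
import random

# Figures quoted on this page from IRIS 2025, used only to calibrate the toy model.
ANNUAL_INCIDENT_PROB = 1 / 14       # ~7% chance per year of a public incident ($1B+ firm)
MEDIAN_LOSS = 130_000               # median loss per incident
P90_LOSS = 10_000_000               # 10% of incidents cost more than this
Z90 = 1.2815515655446004            # 90th percentile of the standard normal distribution


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Return (mu, sigma) of the lognormal whose median and 90th percentile match.

    Assumption: severity is lognormal. The report gives two quantiles, not a shape.
    """
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def analytic_mean(median: float, p90: float) -> float:
    """Mean of that lognormal: exp(mu + sigma^2 / 2). Driven by the tail, not the median."""
    mu, sigma = lognormal_params(median, p90)
    return math.exp(mu + sigma ** 2 / 2)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(years: int, p_incident: float, median: float,
                           p90: float, seed: int = 7) -> list[float]:
    """Monte Carlo: per year, draw an incident count, then a loss for each incident.

    Assumptions: the incident count is Poisson with a rate chosen so that
    P(at least one incident) equals p_incident, and incident losses are independent.
    """
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p90)
    lam = -math.log(1.0 - p_incident)
    losses = []
    for _ in range(years):
        count = poisson_draw(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return losses


def quantile(values: list[float], p: float) -> float:
    """Empirical p-quantile (nearest-rank)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def loss_exceedance_curve(values: list[float],
                          thresholds: list[float]) -> list[tuple[float, float]]:
    """For each threshold, the fraction of simulated years whose total loss exceeds it."""
    n = len(values)
    return [(t, sum(1 for v in values if v > t) / n) for t in thresholds]


if __name__ == "__main__":
    annual = simulate_annual_losses(20_000, ANNUAL_INCIDENT_PROB, MEDIAN_LOSS, P90_LOSS)
    print(f"per-incident mean ~ ${analytic_mean(MEDIAN_LOSS, P90_LOSS):,.0f} "
          f"vs median ${MEDIAN_LOSS:,}")
    for p in (0.5, 0.9, 0.95, 0.99):
        print(f"annual loss P{int(p * 100)}: ${quantile(annual, p):,.0f}")
    for threshold, prob in loss_exceedance_curve(annual, [1e6, 1e7, 1e8]):
        print(f"P(annual loss > ${threshold:,.0f}) = {prob:.2%}")
```

Run it and the year-level median and even the 90th percentile come out as zero, because in most simulated years nothing happens, while the analytic per-incident mean is hundreds of times the median: the mean is a tail statistic in disguise. The loss exceedance curve is the FAIR-style output a board or insurer can actually use, the probability per year of exceeding a given loss, and it is what an insurance limit should be sized against.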
Are Intrusion Methods Changing Over Time?
Spoiler: Yes — and the evolution isn't just technical, it's strategic. IRIS 2025 digs deep into how attackers get in, and more importantly, how that has shifted over the past 8 years. The result is a clear signal for CISOs and threat modelers.
How Have These Methods Changed Since 2016?
- Phishing keeps rising - Still the #1 initial access vector; now includes SMS, chat apps, and collaboration tools.
- Credential abuse has exploded - Fueled by data breaches, dark web dumps, and MFA gaps; attacks are often automated, with bot-driven access at scale.
- Exploiting software vulnerabilities is surging - Spike post-2020 (e.g., Exchange, MOVEit, Log4Shell).
- Remote access (VPN/RDP) is falling as a share of initial access - But still dangerous; often used post-intrusion for lateral movement. As VPNs get locked down, attackers shift to SSO/IdP abuse.
- Physical intrusions have flatlined - Rare, expensive, high-risk, and not scalable.
Attacker behaviour changes
- Attackers now blend phishing + credential stuffing + exploit chaining.
- They prefer cloud-native paths over traditional infrastructure.
- Speed of exploitation has increased — days or hours from CVE to active campaigns.
“Today’s attacker doesn’t break in — they log in. Or worse, they walk in through your supplier’s credentials.”
TL;DR: Attackers aren't breaking in — they're logging in. If your budget isn’t prioritizing identity, patch visibility, and third-party telemetry, you’re building defenses for a decade that’s already over. IRIS 2025 is blunt: attackers don’t need zero-days. They need your users, your credentials, or your vendors. Over 70% of breaches start with phishing or password abuse — and both are on the rise. Cloud-first requires identity-first security. Who’s logging into your future breach?
What Are We Missing From Current Events?
This section is a candid admission: even with thousands of reported incidents analyzed, we’re still missing part of the picture. Cyentia zooms in on the gaps, biases, and blind spots in cyber incident data — and why they matter for risk modeling.
What Makes an Incident “Reportable” Biases the Dataset - Cyentia highlights that IRIS 2025, like most breach datasets, is drawn from public disclosures, regulatory filings, lawsuits, and media coverage.
The result is skew: the data overrepresents sectors with mandatory reporting (finance, healthcare, listed companies) and underrepresents smaller firms, quiet outages, and disruptions that involve no personal data.
Strategic Implications
Breach stats ≠ total cyber risk - If you're only modeling what's reported, you're likely underestimating risk — especially operational risk and third-party exposure.
Incident detection ≠ incident disclosure - Many companies detect and handle incidents without ever disclosing them — by design or by loophole.
You need multiple data streams - Feedly-like unstructured intelligence can catch blind spots your GRC system won't.
Takeaway : IRIS 2025 reminds us: most breach data is like starlight — delayed, distorted, and incomplete. For every reported breach, there are 2–3 disruptions that never meet the threshold for disclosure. If your risk model only sees what regulators see — it’s incomplete by design.

