Select your country

Not finding what you are looking for, select your country from our regional selector:


A year in attacks – CyberSOC statistics

It’s no secret that the number of cybersecurity incidents and attacks has been growing over the past few years. But what exactly are the numbers? As part of our Security Navigator report, we conducted extensive research into the incident landscape of 2021. What kind of attacks did we see occur the most? Are the effects different for large or small organizations? And which sectors got hit the most? 

About the data

From October 2020 to September 2021, we identified a total of 94.806 incidents from our customers, up from 45.398 in 2020. Of the incidents, 36% can be confirmed as security incidents.  

A note on terminology: we log an event that has met certain conditions and is thus considered an Indicator of Compromise, Attack or Vulnerability. An Incident is when this logged Event, or several Events, are correlated or flagged for investigation by a human – our security analysts. An Incident is considered ‘confirmed’ when, with help of the customer or at the discretion of the analyst, we can determine that security was indeed compromised. 

Types of incidents

In 2021, we detected the following incident types: 

  • Malware is malicious software such as ransomware.  

  • Network & Application Anomalies, such as tunneling, IDS/IPS alerts and other attacks related to network traffic and applications. 

  • Account Anomalies, such as brute force attacks, reusing credentials, lateral movement, elevation of privileges or similar kinds of incidents. 

  • System Anomalies are events directly related to the OS and the components around it like drivers that stop working or services that are terminated unexpectedly. 

  • Policy Violations, such as installing unsupported software or connecting an unauthorized device to the network. 

  • Social Engineering is any attempt to fool users; including, but not limited to, phishing and spoofing. 


One thing that stands out in all the data is that we see a shift in our incident type distribution. With 38% of total incidents, malware has become the number one incident type

Network & Application Anomalies, which was the number one incident type in 2020 with 35%, has moved to second place with 22%. A significant decrease. 

The increase of malware incidents can partly be explained by some of our larger customers increasing their detection capabilities towards malware. Additionally, there generally was more malware activity over the past 12 months, especially during March 2021 and June 2021, where we saw the highest amount of confirmed security incidents. 


Incidents by business size 

Within our observations, we make a distinction between organizational size to classify our customers. We differentiate between business sizes as the following: 

  • Small – Employee Count = 101-1,000 
  • Medium – Employee Count = 1,001-10,000 
  • Large – Employee Count = 10,000+  

Of all the customers considered in our report: 

  • 37% are classified as small and represent 17% of all detected incidents 
  • 41% are classified as medium and represents 30% of all detected incidents 
  • 22% are classified as large and represents 53% of all detected incidents 

Small organizations

We see incident volumes that correlate to the business size, thus larger operations see more incidents. There is one exception that stands out this year: small businesses were alerted more on potential Malware incidents than medium-sized, and resulting from this, experienced 38% more confirmed malware incidents than medium-sized businesses. 

One explanation for this statistic could be that small-sized organizations have less time and resources for their IT security, therefore making it “easier” for malware to find its way into an organization.  

Medium organizations

The organizations categorized as medium-sized stand out for their high amount of raised network & application anomalies this year. The number of incidents was even higher than those for large organizations. Additionally, this group has a smaller number of confirmed incidents in comparison to small organizations in the categories of policy violations, malware and social engineering. Making medium-sized businesses go against the ‘normal’ of incident volume vs. sheer size in four out of the seven incident categories. 

Large organizations

Overall, large organizations see the highest number of malware incidents, with almost twice as many confirmed incidents compared to last year. For instance, similar to last year, large-sized organizations had almost half of the amount of network-related incidents compared to small organizations.  

One interesting observation is that when zooming in to incidents concerning confirmed ransomware-related incidents, large organizations have had as few confirmed incidents as small organizations. Or to turn this around, small organizations had as many confirmed ransomware-related incidents as large organizations. 


Incidents by sector

In addition to business size, we reviewed our data across the different business sectors. Even though differences can be detected, in the end we see all industries struggle with increasingly advanced attacks. 

In our research, we have collected a great number of statistics for the different sectors. Here are a few interesting highlights: 

  • Of all the sectors we analyzed, Manufacturing is the most popular industry being targeted by cyber extortion groups.  
  • Healthcare is once again the sector with the highest amount of Network-related security incidents. Additionally, we saw a noticeable increase in the number of Phishing attacks. As a sector, Healthcare has historically been challenged with its own users posing the highest risk – the insider threat. 
  • The Finance and Insurance sector remains one of the verticals with the highest amount of confirmed Social Engineering incidents (12%). 
  • The lowest distribution of Policy violations can be found in the Professional, Scientific and Technological Services sector. It is very difficult to say whether this is because users in this sector comply with policies to a greater extent than in other industries, whether they don’t have as many policies implemented or detection capabilities are focusing on the other incident types. 
  • Phishing as a Social Engineering attack was the largest component recorded under Social Engineering incidents for the Retail and Trade sector, followed by opportunistic Spam and more targeted Spear Phishing incidents. 
  • Most of the categories saw an overall reduction in their share of incidents for the Real Estate, Rental and Leasing sector, but with a sharp increase in Network & Application Anomalies. 
  • We saw a marked increase in the number of Malware incidents for the Transport and Warehousing sector, with activity centered around attempted malware installation on workstations meaning that malware activity was thwarted early. 
  • Although they represent only 4% of the customers that were included in this year’s report, Accommodation and Food Services, contributed to many incidents for its size, with a sizable chunk categorized as Malware.  


With more than 30% of all confirmed incidents, we saw a shift this year with malware being the number one incident. It is a trend that not necessarily shows in the overall threat landscape’s current status but does provide insight into what we are seeing our customers struggling with the most. 

Although differences occur in the type of incidents across different business sizes and industries, we see organizations of all shapes and sizes dealing with similar issues. In the end, everyone is a target of the evolving adversary with a refined set of advanced tools. 

Discover the Security Navigator

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.