The Evolution of Cyber Risks Over 15 Years: Lessons from the IRIS 2025 Report
After a three-year break, the Cyentia Institute is back with its highly anticipated IRIS 2025 Report. Covering the period from 2008 to 2024, this massive study analyzed more than 150,000 cybersecurity incidents spanning industries and organizational sizes. It offers a clear—and at times sobering—picture of how cyber risks have evolved over the last 15 years. Let’s dig into the key takeaways and what they mean for today’s cybersecurity leaders.
1. Incidents Are Up. Way Up.
The first—and perhaps most dramatic—finding is that reported cybersecurity incidents have exploded. On average, around 3,000 major security incidents were reported each quarter in 2024, compared to just 450 in 2008. That’s a 6.5x increase. And no, it’s not just better reporting or increased awareness. Ransomware, digital transformation, and the shift to remote work have all added fuel to the fire.
For the average organization, the annual probability of suffering a major cyber event has nearly quadrupled: from 2.5% in 2008 to 9.3% in 2024. That means if you're not planning for a breach, you're planning to be surprised by one.
Interestingly, not all organizations experienced the same change in risk. Small firms saw their risk more than double, while the largest enterprises (≥$100B in annual revenue) managed to reduce their incident likelihood by a third.
2. Industry Trends: Not All Sectors Age the Same
While it's tempting to treat all industries equally when building security strategies, the data proves this approach is flawed.
Industrial sectors (e.g., manufacturing and transportation) saw their relative cyber risk triple.
Finance, already a magnet for attackers, remained consistently high.
Utilities and sectors like mining experienced a surprising decline in incident frequency.
Professional services, meanwhile, have seen one of the steepest increases in incident costs. Median losses for that industry are up 25x over the 15-year period, and extreme events are four times more damaging.
Retail, on the other hand, seems to have gotten its act together. Losses have dropped dramatically, likely due to stricter compliance (PCI-DSS) and tech like chip-and-PIN, which limit how much valuable data can be stolen.
The key insight? One-size-fits-all security simply doesn’t work. Cyber defenses must align with sector-specific threats, regulatory pressure, and business models.
3. The Financial Impact: Up and to the Right
If you think attacks are just more common, wait until you see the price tag.
Median losses from cyber incidents have jumped from $190K in 2008 to $2.9M in 2024—a 15-fold increase. Extreme losses (95th percentile) rose to $32 million. When measured relative to company revenue, the average financial impact has increased eightfold. In short, breaches today hurt more—and not just in absolute dollars.
The pain is felt differently depending on your size:
Small businesses (<$100M in revenue) suffer median losses of around $357K.
Enterprises in the $1B–$10B range report median losses nearing $2M.
Megafirms ($100B+) face extreme losses north of $260M.
And while those big numbers make headlines, smaller businesses often feel the sting more. For them, a few hundred thousand dollars can mean the difference between survival and shuttering operations.
4. Tactics Are Evolving, But Old Tricks Still Work
Attackers may be innovating, but they haven’t given up on what works.
Compromised credentials (a.k.a. valid accounts) continue to be the most popular way in. Phishing and exploitation of public-facing applications are also on the rise, especially for smaller firms. The data shows a sixfold increase in web application exploits and a surge in attacks leveraging misconfigured remote access tools.
On the bright side, some threats are declining. Accidental disclosures and insider misuse have both trended downward, likely due to better endpoint controls and security training.
Ransomware, unsurprisingly, is a major driver of financial damage. Its median loss has increased twentyfold over the last 15 years. It's not just encrypting files anymore—ransomware actors are exfiltrating data, threatening leaks, and making negotiation a full-time job.
5. So What Should Cybersecurity Leaders Do?
The IRIS 2025 report doesn’t just chronicle doom and gloom. It provides a data-driven foundation for action:
Tailor your security program to your company’s size, sector, and risk appetite.
Invest in detection and response, not just prevention.
Get serious about identity and access management—credentials are still the front door.
Rehearse your incident response like your business depends on it. Because it does.
Measure and track cyber risk using industry trends and real-world data, not assumptions.
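One way to turn the report's headline figures into a number a risk register can hold is to combine the annual event probability with a fitted loss distribution. The block below is an added example, not code from the Cyentia Institute or the IRIS report: it takes the page's 2024 figures for the average organization (9.3% annual event probability, $2.9M median loss, $32M 95th-percentile loss), fits a lognormal loss distribution to the two quantiles (the lognormal choice is this example's assumption, not the report's method), and derives an expected annual loss and a loss-exceedance curve from it.

```python
"""Annualized cyber-loss estimate from the IRIS 2025 headline figures.

Added example, not code from the Cyentia Institute or the IRIS report.
Assumption: per-incident losses follow a lognormal distribution fitted to
the report's 2024 median ($2.9M) and 95th-percentile ($32M) losses. The
9.3% annual event probability is the page's figure for the average
organization. The model also assumes at most one major event per year.
"""
from dataclasses import dataclass
from math import exp, log
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal, used for quantiles and CDF

# Figures quoted on the page for 2024 (average organization)
ANNUAL_EVENT_PROBABILITY = 0.093
MEDIAN_LOSS = 2_900_000
P95_LOSS = 32_000_000


@dataclass(frozen=True)
class LognormalLoss:
    """Lognormal per-incident loss: ln(loss) ~ Normal(mu, sigma)."""
    mu: float     # ln(median loss)
    sigma: float  # standard deviation in log space

    @classmethod
    def from_quantiles(cls, median: float, p95: float) -> "LognormalLoss":
        # Median of a lognormal is exp(mu); the 95th percentile is
        # exp(mu + sigma * z95), so sigma = ln(p95/median) / z95.
        mu = log(median)
        sigma = log(p95 / median) / STD_NORMAL.inv_cdf(0.95)
        return cls(mu, sigma)

    def mean(self) -> float:
        # Heavy right tail: the mean sits well above the median.
        return exp(self.mu + self.sigma ** 2 / 2)

    def quantile(self, p: float) -> float:
        return exp(self.mu + self.sigma * STD_NORMAL.inv_cdf(p))

    def prob_exceeds(self, amount: float) -> float:
        # P(loss > amount) given that an incident occurred
        z = (log(amount) - self.mu) / self.sigma
        return 1.0 - STD_NORMAL.cdf(z)


def expected_annual_loss(p_event: float, dist: LognormalLoss) -> float:
    """Single-event model: P(event) * E[loss | event]."""
    return p_event * dist.mean()


def annual_exceedance_probability(p_event: float, dist: LognormalLoss,
                                  amount: float) -> float:
    """P(an event this year costs more than `amount`), single-event model."""
    return p_event * dist.prob_exceeds(amount)


def loss_exceedance_curve(p_event: float, dist: LognormalLoss,
                          amounts: list[float]) -> list[tuple[float, float]]:
    """(threshold, annual probability of exceeding it) for each threshold."""
    return [(a, annual_exceedance_probability(p_event, dist, a)) for a in amounts]


if __name__ == "__main__":
    loss = LognormalLoss.from_quantiles(MEDIAN_LOSS, P95_LOSS)
    print(f"fitted sigma (log space): {loss.sigma:.3f}")
    print(f"mean loss per incident:   ${loss.mean():,.0f}")
    print(f"expected annual loss:     "
          f"${expected_annual_loss(ANNUAL_EVENT_PROBABILITY, loss):,.0f}")
    thresholds = [1_000_000, 5_000_000, 10_000_000, 32_000_000, 100_000_000]
    for amount, prob in loss_exceedance_curve(ANNUAL_EVENT_PROBABILITY,
                                              loss, thresholds):
        print(f"P(annual loss > ${amount:>11,}) = {prob:.4f}")
```

The expected annual loss comes out near $780K, several times the $270K you would get by multiplying the 9.3% probability by the median alone; that gap is the heavy tail the report's extreme-loss figures describe, and it is the number budgeting and insurance discussions should use. Both the curve's shape beyond the 95th percentile and the at-most-one-event simplification are modelling assumptions; refit with sector- and size-specific quantiles from the report rather than the all-organization averages when tailoring the estimate as the list above recommends.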
Cyber risk is no longer static. It shifts over time, varies by context, and requires an adaptive, intelligence-led approach.
The good news? We have more data than ever before. The bad news? If you’re not using it to guide your cybersecurity strategy, you’re flying blind.
IRIS 2025 helps remove that blindfold. Now it’s time to act.