For modern businesses, regardless of industry or size, the financial impact of a data breach is substantial. IBM’s latest Cost of a Data Breach report found that, from March 2024 to February 2025, the average cost of a data breach globally fell 9% to $4.44 million, the first decline in five years.
Faster identification and containment of breaches — much of it from organizations’ own security and service teams, with help from AI and automation — drove this decline, according to IBM.
The 2025 report, conducted by Ponemon Institute and sponsored by IBM, is based on an analysis of data breaches experienced by 600 organizations globally.
The average time to identify and contain a breach (including restoring services) dropped to 241 days, a 17-day reduction from the 2024 report.
Healthcare breaches remained the most expensive across all studied industries — averaging $7.42 million — despite the sector achieving a $2.35 million reduction in costs compared to 2024.
Phishing attacks (16%) were the most commonly reported root causes of data breaches. Supply chain compromise surged to become the second most prevalent attack vector (15%), overtaking compromised credentials.
Eric O’Neill, former FBI counterintelligence operative and now national security strategist at NeXasure.ai, tells CSO that it is difficult to do any better than an educated guess about breach costs, so IBM’s report is best viewed as a useful indicator of industry trends.
“The variables — breach scope, litigation, remediation, operational disruption, reputational damage, and regulatory penalties — are too numerous and unpredictable for precise calculation,” O’Neill says. “IBM’s figures are valuable for identifying trends, but they are still approximations rather than exact measurements.”
Several experts quizzed by CSO named the cybersecurity skills gap, supply chain vulnerabilities, and the escalating threat landscape as the three main factors in making breaches more expensive and harder to manage.
Regional costs
Despite the global decrease, US enterprises bucked the overall trend, with estimated costs rising to $10.22 million in 2025, a 9% increase over 2024’s estimation.
This rise was driven in part by steeper regulatory penalties and rising detection costs, according to the IBM-sponsored study.
The Middle East (represented in the report by Saudi Arabia and the United Arab Emirates) ranked second of the 16 countries and regions surveyed, at $7.29 million.
Canada ($4.84 million) and the UK ($4.14 million) remain in the top 10 hardest hit, with ASEAN (Association of Southeast Asian Nations) ($3.67 million), Australia ($2.55 million), and India ($2.51 million) among the top 15.
Breaches by industry
Healthcare remains the industry hit with the highest costs per breach by far, at $7.42 million despite a drop from $9.77 million last year.
Attackers continue to value and target the industry’s patient data, the personally identifiable information (PII) that can be used for identity theft, insurance fraud, and other financial crimes. Healthcare breaches took the longest to identify and contain at 279 days — more than five weeks longer than the global average.
[Chart: Average breach cost by industry]
Reputational damage still a big cost of being breached
In many ways immeasurable, reputational damage remains among the most significant costs in the wake of a breach. “Ultimately, customer trust is very easy to break, and very difficult to build,” Allie Mellen, senior analyst at Forrester, tells CSO.
Bob Dutile, chief commercial officer at UST, agrees: “The cost of a data breach is typically realized in relative competitive change in the marketplace. Companies find that their brand does not command the same price premium, customer conversion costs are higher, and market share is lost. For a public company, the near-term assessment of the cost impact is reflected in stock price movement.”
According to Dutile, research shows that between $8 million and $10 million is a good planning number in the US for a midsize business facing a modest breach of under 250,000 records. About a third of that cost will be loss of business due to reputation damage.
How a company responds to and communicates a breach can have a large bearing on that reputational impact, Forrester’s Mellen notes. “Understanding how to maintain trust with your consumers and customers is really critical here,” she adds. “There are ways to do this, especially around building transparency and using empathy, which can make a huge difference in how your customers perceive you after a breach. If you try to sweep it under the rug or hide it, then that will truly affect their trust in you far more than the breach alone.”
Severe business downtime can cost millions
Business downtime can be significantly costly for a breached organization, depending on the level and extent of the downtime and how technology-dependent the firm is.
Nearly all the organizations studied suffered operational disruption, taking an average of 100 days to recover from a security incident.
Jason Hicks, field CISO at Coalfire, tells CSO: “Often a breach is not going to take a company completely offline, but it can happen. The more critical systems that are taken down, the more significant the cost.”
Manufacturing tends to have the best metrics around this, as it’s relatively simple to measure the cost per minute if an assembly line is down, Hicks says. “This can translate into millions of dollars a day for a large manufacturing company. This can be more nebulous for other industry verticals, but there are models to get a reasonable feel that can be applied to each vertical.”
Regulation and litigation add to data breach costs
Increasingly strict data protection and privacy laws, along with litigation, mean a growing number of companies are being issued large fines, paying hefty settlements, and footing legal bills following data breaches and non-compliance.
The IBM-sponsored report found that a third of organizations paid a regulatory fine because of breaches. US organizations paid the highest fines, a factor that drove up overall breach costs.
“Regulated industries suffer not only the immediate cost of responding to, containing, and remediating vulnerabilities but also the long-term effects of additional penalties from their regulatory bodies and legal settlements,” Nick says. Highly regulated industries, such as healthcare and financial services, typically rank first and second in cost per breach because they pay more non-compliance fines than others, he adds.
“Investigation and adjudication often take years for the victim organization to reach a monetary settlement with affected parties.” Legal costs are one of the largest expenditures organizations face in data breaches, Nick states. “Organizations rarely have the legal and privacy expertise in-house. To ensure compliance, they must hire outside counsel to lead their reporting.”
The role of cyber insurance
Cyber insurance is one way companies mitigate the cost risks of breaches. Sharp increases in cyber insurance premiums have been stabilizing of late, but even organizations covered by insurance can expect to dole out extra cash to make good after a breach. One definite cost hit will be a hike in their premiums, Guidehouse’s Nick says.
“Some organizations have reported post-breach increases in premiums of approximately 200%,” he adds.
Insurers are also implementing more coverage limitations, meaning that even with a policy in place, businesses could find themselves financially responsible for certain breach-related costs.
In fact, Forrester’s Mellen says any notion that policies will allow organizations to fully recover financially from a cyberattack is folly. “In reality, it’s not going to cover all of the costs associated with any type of cyberattack, and we see some insurance firms not even covering ransomware at this point as part of their payouts,” she adds.
Another factor to consider is that cyber insurance providers typically have a list of approved service providers such as lawyers and forensics firms, Hicks says.
“If your preferred provider is not on their list, you may have to work with them to get them included, or potentially have to change providers. This can be costly, as firms are often leveraging their existing service providers to secure the maximum discounts based on the volume of work done with the partners,” Hicks says.
Victims balk at ransomware payments
Last year, more organizations refused to pay ransoms (63%) than the year prior (59%). However, the average cost of a ransomware incident was still estimated at $5.08 million.
Fewer ransomware victims reported these criminal attacks to law enforcement — 40% of organizations this year versus 53% last year.
Insufficient security staffing leads to higher breach costs
The cybersecurity skills shortage has challenged the industry for years. This year’s report found 48% of organizations had a high level of security skills shortage, down from 53% last year.
According to IBM’s latest report, the security skills shortage is one of the biggest data breach cost amplifiers, with the average additional cost of a data breach attributed to the cyber skills shortage pegged at $1.57 million.
If insufficient security staff equates to greater data breach costs, organizations should heed Mellen’s warning about the impact a poorly handled data breach can have on employees.
“If they don’t feel like the organization is able to protect them or customers in the event of a breach, or that they blame their employees for a breach, then they’re likely going to start looking for jobs elsewhere because it creates a bit of a hostile environment for them,” she says. “It is very important for organizations to recognize that they need to accept responsibility and protect both their employees and their customers.”
Taking a DevSecOps approach to software development was the No. 1 factor that reduced breach costs, according to the report, ahead of use of AI and machine-learning insights. Running a security information and event management (SIEM) platform for detecting and responding to threats rounded out the top three factors.
One in five organizations (20%) said they suffered a breach due to security incidents involving shadow or unsanctioned use of AI tools. Shadow AI is starting to rival supply chain breaches and security system complexity as a leading factor in exacerbating breach costs, according to the report.
Security AI and automation
In the face of staff and skills shortages, CISOs are increasingly turning to AI and automation to close the gap.
According to IBM’s latest report, the average cost saving per breach for organizations using security AI and automation tools was $2.22 million, up from $1.76 million in 2023.
UK organizations using AI and automation across their security operations saw data breach costs drop to £3.11 million per year, much lower than the £3.78 million average cost for those not using these technologies. Less than one-third of UK organizations were making extensive use of AI technologies in their security operations, up slightly from last year’s figures.
In the UK, organizations reporting extensive use of security AI and automation achieved a mean time to identify (MTTI) and contain (MTTC) data breaches of 148 and 42 days, respectively — cutting breach response by 42 days compared to those not using these technologies (168 and 64 days).
AI can sift through massive volumes of data in real time, flag suspicious behaviour, and even take immediate containment actions — often before a human analyst can react.
“This is the difference between responding in hours versus days, which results in lower costs,” says Craig Watt, threat intel analyst at Quorum Cyber. “But AI still doesn’t eliminate the breach.”
Watt adds: “Automation may buy time, but it’s not yet curbing the broader financial fallout.”
Ensar Seker, CISO at threat intelligence platform vendor SOCRadar, agrees that security AI and automation can be effective in reducing breach response times, largely by enabling faster detection, containment, and remediation without waiting for manual intervention.
“Organizations that have integrated AI-driven threat detection with automated response workflows can cut incident lifecycles dramatically, which directly impacts breach costs by limiting the window of damage,” Seker says.
However, these benefits are uneven. “Companies without mature processes or the right data pipelines often don’t realize the full gains AI promises,” Seker warns.
AI-related security breaches
Security incidents involving an organization’s AI infrastructure remain limited — for now. On average, 13% of organizations reported breaches that involved their AI models or applications. But among those that experienced an AI-related security incident, almost all (97%) lacked proper AI access controls.
The most common of these security incidents occurred in the AI supply chain, through compromised apps, APIs, or plug-ins. These incidents sometimes had a cascading effect, leading to broader data compromise (in 60% of cases) and operational disruption (31%).
Preparedness is key to managing data breach costs
There was a significant reduction in the number of global organizations that said they plan to invest in security following a breach (49% in 2025 compared to 63% in 2024). Less than half of those that plan to invest post-breach will focus on AI-driven security solutions or services.
No matter the specific costs involved, experts agree that preparedness is key to mitigating the financial repercussions of a breach.
“Faster incident response continues to be a clear driver for lowering the cost of a breach,” UST’s Dutile says. “The worst losses are those that go undetected for an extended time or have a slow or ineffective response.”
Modern cybersecurity requires a post-breach mindset, one that accepts that a successful data breach will eventually occur, Forrester’s Mellen adds.
“Operating under those conditions, you need to figure out how you’re going to handle that and build your resiliency to respond better and faster. This isn’t just about the security function either, and it needs to be spread across an organization, considering what marketing is going to do, what sales is going to do, etc. — how, as a business, you can demonstrate you value your customers and that you want to make it right as quickly and effectively as possible,” she says.