
Survey sees global decline in data breach costs
Investments in cyber resiliency and data protection platforms might be starting to pay off. An annual global analysis of 113,620 data breaches published by IBM finds the cost of the average data breach decreased for the first time in five years. The number decreased by 9% year over year thanks mainly to faster discovery and containment.
Conducted in collaboration with the Ponemon Institute, the report finds the global average breach cost dropped to $4.44 million from $4.88 million in 2024, which is consistent with the cost levels that were previously experienced in 2023. For the second year in a row, malicious insider attacks resulted in the highest average breach costs at $4.92 million, followed closely by supply chain compromises at $4.91 million and phishing attacks at $4.8 million.
However, the global cost of data breaches would be even lower if it were not for attacks in the U.S., where the average cost surged by 9% to $10.22 million, largely because of increased costs attributed to higher penalties for failing to comply with regulations.
Impact on security investment
It’s not clear to what degree those increased costs might encourage organizations in the U.S. to improve their overall cybersecurity posture to reduce penalties in the event of a breach, but it’s clear that organizations around the world are finally making progress. More ransomware victims also refused to pay a ransom in 2025 (63%) than in 2024 (59%).
However, the average cost of an extortion or ransomware incident remains high, particularly when disclosed by an attacker ($5.08 million). At the same time, fewer ransomware victims reported involving law enforcement, 40% this year versus 53% last year.
Additionally, the IBM report finds there was a significant reduction in the number of organizations that plan to invest in security following a breach (49%) compared to last year (53%).
The report also noted that fewer than half of those who plan to invest in security intend to focus on security solutions or services based on artificial intelligence (AI), even though security teams using AI and automation extensively shortened their breach times by 80 days and lowered their average breach costs by $1.9 million. The report also finds AI is starting to be more widely employed by cyberattackers. On average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).
Looking ahead
Assessing the actual cost of a data breach is, of course, an inexact science. Many of the assessments being made, for example, include losses from reputational damage that might be recovered at a later date.
Regardless of how costs are calculated, there is obviously still much work to be done. In fact, a downturn in costs in a single year might still prove to be little more than an aberration as cybercriminals continuously evolve their tactics and techniques using, for example, various types of AI tools. The worst thing any organization could do right now is become even more complacent about cybersecurity than they already are.
Hopefully, when this survey is conducted next year, there will be even more progress to applaud. The challenge, as always, is trying to stay a few steps ahead of adversaries that, compared to most organizations, have almost unlimited financial resources to not just discover vulnerabilities but also create novel ways to exploit them.
