Not that one can find too much good news in a report literally titled “Cost of a Data Breach 2025,” but IBM’s annual study offered some data points showing at least slight cybersecurity improvement among businesses:
- The global average cost of a data breach decreased by 9% compared to last year—from $4.88 million in 2024 to $4.44 million this year.
- The mean time that organizations took to find and contain a breach fell to 241 days, “reaching a nine-year low and continuing a downward trend that started after a 287-day peak in 2021.”
- The number of orgs paying ransomware actors decreased, with 63% of companies opting not to pay, compared to 59% in 2024.
The review, conducted by the Ponemon Institute and analyzed and published by IBM, studied 600 organizations breached between March 2024 and February 2025.
“When I saw that the overall cost of a data breach went down, I was like, ‘Yes, it’s working!’” Kevin Albano, global head of threat intelligence at IBM X-Force, told IT Brew, referring to practitioners enacting proactive measures like an incident response plan.
The report also featured plenty of less-than-rosy news, along with security practices that need some work, including:
- US costs have actually risen in 2025, thanks to factors like data breach fines;
- One in six incidents this year involved “AI-driven” attacks like GenAI phishing messages and deepfakes; and
- 63% of orgs lack an AI policy.
Here’s what Albano and the report’s writers say about what’s working and why.
At what cost? The costs of a data breach include assessment services, customer notifications, credit monitoring, regulatory fines, and lost business.
A leading factor reducing business compromise costs, according to the report, was “DevSecOps,” or what IBM defines as “an application development practice that automates the integration of security and security practices at every phase of the software development life cycle, from initial design through integration, testing, delivery, and deployment.”
According to Verizon’s annual data breach report, released in April, the exploitation of vulnerabilities initiated 20% of breaches.
Other cost mitigation factors, IBM’s annual study revealed, included SIEM technologies and AI-driven insights.
Crime doesn’t pay. IT Brew previously reported on a 2024 full of “full-on” ransomware attacks—and pros who expect more in 2025.
“People are beginning to understand that it doesn’t pay to pay the ransom,” Albano said. “Sometimes even if you pay the ransom, there’s no guarantee that you’re going to get that data back.”
The UK plans to prohibit public sector companies from paying ransoms—with differing opinions regarding the ban’s efficacy.
“We are complete advocates for not making a payment if it’s unnecessary,” Mark Lance, a ransomware negotiator and VP of digital forensics and incident response and threat intelligence at GuidePoint Security, told us this month.
Time doesn’t pay. The time to identify and contain a breach continues to decrease steadily. Albano sees “better detections in place” and greater information sharing between organizations as two factors driving shorter incident cycles.
The IBM report said security teams and their tools detected 50% of breaches—an improvement over last year’s total of 42% and 33% in 2023.
“Overall, organizations are beginning to understand that preparedness is the key to saving in the cost of a data breach,” Albano said.