August 5, 2024

The real cost of a data breach in 2025

Last updated: August 11, 2025

The 2025 Cost of a Data Breach Report from IBM offers a mixed message for security leaders. On one hand, the average global cost of a data breach has declined for the first time in five years, dropping to USD 4.44 million from USD 4.88 million in 2024.

This improvement is largely credited to faster breach containment, often powered by AI-driven defenses.

On the other hand, the report warns that rapid, ungoverned AI adoption is introducing serious new risks. IBM found that 97% of AI-related breaches involved systems without proper access controls, and most affected organizations lacked governance policies to manage AI or prevent “shadow AI”—the unauthorized use of AI without employer oversight.

It's no surprise that data breaches can be devastating. However, this report serves as a big reminder that there are many ways to reduce the risk of experiencing a data breach, and just as many ways to reduce the damage and consequences should one still occur.

Before we explore strategies to reduce the impact of a breach, let’s first break down how these costs are calculated—and how AI is reshaping the equation.

How the costs of a data breach add up

Breach discovery, response, and recovery

How and when a breach is discovered can make a substantial difference in both the scale of damage and the final price tag. The report shows that organizations’ in-house security teams are playing a bigger role than ever in identifying threats before they escalate.

Over the past two years, detection rates by internal teams have climbed from 33% in 2023 to 42% in 2024, and now 50% in 2025.

The cost savings from early internal detection are clear. Breaches first identified by an organization’s security team averaged USD 4.18 million in costs, down from USD 4.55 million last year. In contrast, breaches disclosed by the attacker (often after more time to cause harm) averaged USD 5.08 million.

Speed is also improving. Internal teams identified breaches in an average of 172 days, six days faster than in 2024, and contained them two days quicker as well. This acceleration is likely tied to increased use of AI and automation, which the report notes are enhancing detection and response efficiency.

But containment is only part of the battle. Recovery from a breach can take months or even years and extends beyond technical fixes. In IBM’s study, “recovery” means:

  • Affected business operations are back to normal
  • Compliance obligations have been met
  • Customer confidence and employee trust have been restored
  • New security measures are in place to help prevent future breaches

While progress is evident, with 35% of organizations reporting full recovery in 2025 compared to just 12% in 2024, the majority (65%) are still in the process of rebuilding. The faster identification and containment times seen this year likely contributed to this improvement, underscoring that speed in the early stages of a breach can shorten the long road to complete recovery.

Customer PII

In 2025, attackers overwhelmingly set their sights on customer personally identifiable information (PII), making it the most compromised data type by a wide margin. Fifty-three percent of breaches in this year’s study involved stolen or exposed customer PII, which can include tax identification numbers, email addresses, and home addresses.

While customer PII was the most frequently compromised, company intellectual property (IP) was the most expensive, averaging USD 178 per record despite being targeted far less often.

The risks climb even higher in shadow AI incidents. In these breaches, 65% of compromised records were customer PII, a notable increase from the global average of 53%. And not only was it the most compromised data type, but also the most costly in these incidents at USD 166 per record.

Ransom demands

Ransomware fatigue appears to be setting in. In 2025, 63% of ransomware victims refused to pay their attackers, up four points from the year prior, showing a growing willingness among organizations to push back against extortion demands.

Despite this, the financial toll of ransomware remains steep. The average cost of an extortion or ransomware incident was USD 5.08 million when the breach was disclosed by the attacker.

One troubling shift is the drop in law enforcement involvement. Only 40% of organizations engaged law enforcement in ransomware cases this year, down from 52% in 2024.

These trends suggest that while organizations are more willing to reject ransom demands, many are also forgoing potentially cost-saving support from law enforcement. The result: ransomware remains one of the most disruptive and costly attack types—especially when attackers control the narrative by publicly disclosing the breach.

Lost business and reputation damage

While technical costs often get the most attention after a data breach, the financial hit from lost business can be just as damaging—if not more so—over the long term. Lost business costs encompass:

  • Revenue lost during system downtime
  • Customer churn
  • The expense of acquiring new customers
  • The lasting impact of reputational damage and diminished goodwill

In 2025, these costs averaged 6% lower than the previous year, marking a welcome shift after the 11% surge in 2024 that significantly drove up total breach costs.

Still, reputational harm can be harder to measure and slower to repair than technical fixes. Even when business operations resume quickly, negative headlines and eroded trust can linger.

Activities aimed at minimizing lost business, such as rapid customer communication, proactive PR, and visible investments in security, help to limit both the immediate and long-term fallout of a breach.

Legal and noncompliance penalties

In the 2025 report, one-third of surveyed organizations said they paid a regulatory fine because of a breach. Nearly half of these fines (48%) exceeded USD 100,000, and the distribution of fine amounts shifted notably from last year.

The share of organizations paying smaller fines (up to USD 50,000) grew by 45%, while those paying mid-tier fines between USD 50,001 and USD 100,000 dropped by 31%. Those facing penalties above USD 250,000 held steady.

The size of these fines varies significantly by region and industry. U.S. organizations paid the highest regulatory penalties, helping drive the country’s average breach cost to USD 10.22 million—a 9% increase over last year and the highest recorded for any region in the history of the report.

How to protect against a data breach

We've covered the different expenses your company may experience if it becomes the victim of a data breach. Now let's look at steps you can take to lower the cost of a breach or, ideally, avoid one entirely.

Raise awareness company-wide

Raising company-wide awareness about data breaches is a smart first step. While some breaches are intentional and malicious, many are purely accidental. Boosting cybersecurity education and training can help prevent these types of mishaps.

Picture this: an employee accidentally sends confidential customer data to the wrong email address, or they click on a link in a cleverly disguised phishing email, unknowingly launching malware. By educating your team about these kinds of cyber risks, you can reduce the likelihood of accidental breaches.

Cybersecurity is everyone's responsibility because anyone in your company can be targeted. To get the best results, ensure all employees are familiar with common attack tactics, techniques, and procedures so they can recognize when they're being targeted.

It's also crucial that employees know and follow cybersecurity best practices, like using strong passwords and enabling multi-factor authentication whenever possible.

Understand and reduce your threat surface

Your company's threat surface consists of people and accounts, software, hardware, and cloud-based services—anything an attacker can exploit. With a better understanding of all your risks, you can take consistent steps to resolve them and reduce the chance of an attack.

For example, you can correct misconfigured software that might be putting confidential data or critical systems at heightened risk of compromise. It's also best practice to delete old accounts of former employees and ensure that current employees only have access to the data and systems necessary to complete their tasks.

You should also make sure all software is running on the most recent version. Patching can be tedious and time-consuming—sometimes requiring a reboot to complete. But it's necessary. Patches fix bugs, add new features, improve performance, and address critical security vulnerabilities.

Create and maintain data backups

While having data backups won’t reduce your risk of experiencing a breach, they are a crucial component of recovering quickly from one.

They provide copies of essential files that can be quickly restored after a cyberattack or any event compromising your data. In the event of an incident that limits access to critical files, a reliable backup system can significantly expedite recovery, helping you get back to business faster.

There are several data backup methods, such as external hard drives, self-service cloud storage, and dedicated backup providers. Each option has its pros and cons, so it’s important to choose the one that best fits your company’s unique needs.

For instance, using an external hard drive to store business-critical data might not be ideal for remote-only companies or those without IT professionals to manage it. However, it could be a practical choice if you have a physical office and an in-house IT team to support it.

Be prepared for an incident

Incident response (IR) planning and testing is one of the two most popular areas of security investment this year, according to the IBM report.

And it’s no wonder why. Planning and regularly rehearsing your incident response process can not only minimize the negative impacts of a breach and help you get back to business quicker, but also reduce the stress of dealing with an incident.

It’s also important for customers, partners, and stakeholders. An efficient response to incidents proves that you take cybersecurity seriously, maintaining your reputation and others’ trust in your organization.

There are IR plan templates and guidelines available online, but creating your own can be time-consuming and may be out of scope for many smaller businesses.

Investing in an IR preparedness service is often easier, as you'll work with experts to assess your company's cybersecurity posture, identify key assets and roles, and develop step-by-step incident response playbooks.

Put the right solutions in place

Studies have found that using automated technology to identify and contain cybersecurity incidents instead of manual processes drastically decreases the breach life cycle and, in turn, reduces breach costs.

In fact, the IBM report found that the more organizations used AI and automation, the lower their average breach costs were.

But not just any automation will do. Simply layering point solutions (one for your endpoints, one for the cloud, and so on) often results in visibility gaps, an unmanageable volume of alerts to open and investigate, and inadequate security. Having the right solutions in place is paramount.

Field Effect MDR combines automation and human intelligence to detect and respond to threats and vulnerabilities across your network, cloud-based services, and endpoints. And, with automated blocking of major cyber threats like ransomware and advanced persistent threats, you can sleep soundly knowing your cybersecurity is handled.

Reduce your risk of a breach today

The cost of a data breach can devastate your company. That's why there's no time like the present to take preventative action. We can help you do that with Field Effect MDR. Book a demo today to see how Field Effect MDR reduces cyber risk and improves your defense.

If you think you're experiencing a cyberattack or security event now, our incident response (IR) team is available 24/7 to investigate, remediate, and get you back to business. Please contact our team if you need immediate IR assistance.