The Real Price of Data Breaches
Key Points
- Security spending should be justified by the true costs of breaches—downtime, reputational damage, and lost trust—rather than just budget constraints.
- IBM’s 2025 Cost of a Data Breach Report surveyed 600 breached organizations and 3,500 leaders, providing real‑world insights rather than theoretical estimates.
- The average global cost of a breach fell 9% to **$4.44 million**, a realistic figure that excludes extreme outliers that would skew the mean.
- Mean Time to Identify (MTI) and Mean Time to Contain (MTC) together improved modestly, dropping from **257 days to 241 days**, indicating progress but still leaving organizations vulnerable for many months.
- Although the trend shows incremental gains, the report underscores that most breaches are preventable and that data‑driven security investments remain essential.
Sections
- Rethinking Security Investment Costs - The speaker urges firms to base security spending decisions on IBM's 2025 Cost of a Data Breach Report, emphasizing that while breach costs have dropped 9%, the hidden downtime, reputation loss, and preventable incidents make under‑investment riskier than overspending.
- Rising US Data Breach Costs - The speaker notes that U.S. data breach expenses have jumped 9% to roughly $10‑22 million—nearly twice the global average—due to higher regulatory fees and detection costs, while also introducing AI‑related insights in the latest report.
- Third-Party Risk and AI-Driven Phishing - The speaker highlights third‑party access and phishing—particularly AI‑enhanced phishing—as the most costly and frequent attack vectors, urging improvements in both technology and employee training.
- AI‑Driven Security Cuts Costs - While many firms lack clear success metrics, those leveraging AI for security see incident response times drop by 80 days and savings of about $1.9 million, highlighting the need for stronger identity and access management.
- Uncovering and Safeguarding Shadow AI - The speaker stresses the necessity of automated discovery of hidden AI applications and sensitive data, followed by comprehensive security measures—model testing, protection against prompt‑injection attacks, strong IAM controls, and encryption—to secure data, models, and usage.
Full Transcript
# The Real Price of Data Breaches **Source:** [https://www.youtube.com/watch?v=7ypI1oojoII](https://www.youtube.com/watch?v=7ypI1oojoII) **Duration:** 00:15:14 ## Summary - Security spending should be justified by the true costs of breaches—downtime, reputational damage, and lost trust—rather than just budget constraints. - IBM’s 2025 Cost of a Data Breach Report surveyed 600 breached organizations and 3,500 leaders, providing real‑world insights rather than theoretical estimates. - The average global cost of a breach fell 9% to **$4.44 million**, a realistic figure that excludes extreme outliers that would skew the mean. - Mean Time to Identify (MTI) and Mean Time to Contain (MTC) together improved modestly, dropping from **257 days to 241 days**, indicating progress but still leaving organizations vulnerable for many months. - Although the trend shows incremental gains, the report underscores that most breaches are preventable and that data‑driven security investments remain essential. ## Sections - [00:00:00](https://www.youtube.com/watch?v=7ypI1oojoII&t=0s) **Rethinking Security Investment Costs** - The speaker urges firms to base security spending decisions on IBM's 2025 Cost of a Data Breach Report, emphasizing that while breach costs have dropped 9%, the hidden downtime, reputation loss, and preventable incidents make under‑investment riskier than overspending. - [00:03:05](https://www.youtube.com/watch?v=7ypI1oojoII&t=185s) **Rising US Data Breach Costs** - The speaker notes that U.S. data breach expenses have jumped 9% to roughly $10‑22 million—nearly twice the global average—due to higher regulatory fees and detection costs, while also introducing AI‑related insights in the latest report. - [00:06:10](https://www.youtube.com/watch?v=7ypI1oojoII&t=370s) **Third-Party Risk and AI-Driven Phishing** - The speaker highlights third‑party access and phishing—particularly AI‑enhanced phishing—as the most costly and frequent attack vectors, urging improvements in both technology and employee training. - [00:09:13](https://www.youtube.com/watch?v=7ypI1oojoII&t=553s) **AI‑Driven Security Cuts Costs** - While many firms lack clear success metrics, those leveraging AI for security see incident response times drop by 80 days and savings of about $1.9 million, highlighting the need for stronger identity and access management. - [00:12:19](https://www.youtube.com/watch?v=7ypI1oojoII&t=739s) **Uncovering and Safeguarding Shadow AI** - The speaker stresses the necessity of automated discovery of hidden AI applications and sensitive data, followed by comprehensive security measures—model testing, protection against prompt‑injection attacks, strong IAM controls, and encryption—to secure data, models, and usage. ## Full Transcript
How many times have you heard this?
We really can't afford to spend that much on security.
Maybe instead, we should be asking ourselves
if we can afford not to.
After all, it's not just about dollars.
It's downtime. Reputation. Lost trust.
And the fact is that many of these breaches are preventable.
But let's face the decision regarding security investments
on actual numbers rather than just gut feel.
The good news is that we have the information that can help guide
those decisions in the form of IBM's 2025 Cost of a Data Breach Report.
In this video, we're going to take a look at some of the key
findings from the report and lessons learned
that you can apply to your own environment.
So stay tuned.
Okay.
What did the 2025 report tell us?
Well, first of all, a little bit of background on this.
We went out and talked to 600 different organizations
that actually experienced a data breach.
So this is not theoretical. And interviewed
approximately 3,500 leaders from those organizations.
So, these are people with direct knowledge,
firsthand knowledge of what occurred.
And those are the ones who can tell us
and give us these insights that we're looking for. Okay.
What did the report tell us?
Drumroll, please.
Let's take a look.
Cost of a data breach.
The actual number.
Raw numbers.
And we've got a little bit of good news
and a little bit of bad news to counteract it.
First of all, the good news. Worldwide,
the cost of a data breach number
actually went down 9%.
So, congratulations world.
We did a little better. Um,
and that number was 4.44 million dollars as
the average cost of the data breach.
So, that's big breaches, small breaches.
By the way, in the report,
we always take the really mega breach, the really huge numbers.
We take those out because they would skew the average.
So, this is a realistic average when you get a number like that.
Another thing that I thought was really encouraging.
It's something that I've watched over the years,
is the numbers that relate to
mean time to identify and mean time to contain.
So, this is how long.
If uh the bad guy broke into your house, how long is he in there?
That's mean time to identify
before you realize that you've, in fact, got somebody living in your house.
And then meantime to contain is how long does it take
'til you get him out of the house? Well,
these numbers actually improved a little bit,
and we've seen a little bit of improvement over the last bunch of years.
I'm going to tell you, they're still not great, but it's an improvement.
So, if we look back, uh say 4 or 5 years ago,
this number combined was about
257 days for mean
time to identify and then contain.
Most of that time is on the identify side.
But, in the most recent report,
we moved down to 241 days.
Now you say, well, that's not a huge improvement,
but hey, we'll take small victories at this point and keep chopping away at this.
Bottom line is there's still work that needs to be done.
That's not acceptable. To have the bad guy in your environment
and doing what they're doing,
and us not be in control of that situation for 241 days.
That's again, still the better part of a year.
But, keep up the faith.
We're we're doing some good work here. Now,
a little bit of bad news.
Okay, folks in the US. We
need to do better.
Uh, the number here was up 9% in terms of cost.
So it was 9% more expensive than it used to be.
And the cost of a data breach in the US
has always run higher than the rest of the world. Well,
now it's even higher still.
So, we're in the range of two point
or 10.22 million dollars.
That's a really big number.
So, you're looking at a number that's almost twice what the worldwide average is.
And this number is continuing to grow.
Now why was it more expensive? Um. There's
a number of different factors that go into this.
One of the things that increased are regulatory fees.
So, when you actually experience a data breach,
maybe uh ah a law is requiring you to pay
certain kinds of things in order to get that back.
Uh. Another thing that went up were the detection costs.
So, in this case,
the cost to do detection
and putting in the tooling and all this kind of stuff,
that was also driving up some of these costs.
So, again, we've got some good news.
We've got some not so good news,
but, overall we've got news.
A new feature of this year's report,
because it's a new feature in everyone's environment
these days, artificial intelligence.
And what we found was that 13% of organizations
experienced a data breach related to AI. And
that caused a ripple effect. Of the 13%,
then, we had 60%
that experienced a data compromise.
And another 31% experienced operations disruptions.
So, that is showing that AI is not only doing some good stuff for us,
but it's also introducing some new attack vectors,
which is not a surprise or shouldn't be a surprise to anyone.
Another thing that we found in this was shadow AI. Now,
what is that?
There were 20% of organizations found that they had AI,
unauthorized AI implementations in their environment.
So nobody approved this,
and maybe no one was aware of it until it became a problem.
So clearly this is an area we need to start focusing on,
because this stuff will just start popping up all over the place.
Now let's take a look at what were the main vectors that were causing
these big numbers that we had. Well,
the number one in in terms of vectors.
So causes of these attacks, uh,
turned out to be insider threat.
Insiders have an advantage
because they understand what the environment already looks like. So,
they were doing the attacks that were the most costly. Again,
with that inside knowledge,
they're able to go right to the heart of what they need to get,
and they can do a lot of damage that way
without having to trip around in the dark.
What we found.
Almost a dead heat tie, though,
was third-party risk. Third-party, uh,
situations where we had
other types of of people having access into the systems
or third-party software,
a number of these different kinds of things, those were also contributing.
So these were really the top most costly.
But, in terms of frequency, this is another way of looking at
what's the most important attack vectors.
In this case, 16%
were the result of phishing. And phishing
has continued to be
at the top of these lists in one way
or another for the last few years.
So, phishing attacks are essentially social
engineering attacks on your people.
So if you look at this, here's an attack where an individual is doing
this. Here's an attack that's on the individual.
So, we're going to have to do a lot to
not only make our technology better,
but make our people better too.
Continuing with that theme of AI,
let's take a look at what the impact of the cost of a data breach
was from the attacker's use of AI versus
the organization's use of AI.
So, what we found in the report was that 16%
of organizations experienced data breaches
as a result of attackers' AI.
And the breakdown on that was that it was roughly 37%
were involving phishing attacks.
So, that's a case where,
in fact, we did some research once and found
that you could automate a phishing attack
and make it uh nearly as convincing
as the best phishing attack a person could come up with.
And we spent 16 hours
with a skilled cybersecurity person
to come up with a phishing attack
versus five minutes with a chatbot.
And the chatbot was able to do nearly as well as the person.
So, expect to see more of this impact of AI
in making more convincing phishing attacks,
because it doesn't make the spelling and grammar errors,
and it can come up with a very convincing scenario
in a very short period of time.
Another area that we're starting to see some impact from in
35% of cases are deepfakes,
which is another use of generative AI
where you basically do an imitation of a person.
Their voice, their likeness, their image.
And you convince a person to do something
that they're really not supposed to do.
So, that's another thing that we've got to take a look at.
The attackers will be using AI,
and we're already seeing its impact
on costing of the data breach.
Now, how about the organizations' use of AI? Well,
what have we found in this case? Well,
what we've found in, this is unfortunate,
is that uh and it's a big negative
in this case, that 63% of organizations
have no governance policy
or are still in the process of developing one.
So, if you don't have a policy,
then you don't really know where it is
you're going and what you're trying to achieve.
Security and governance are really important that they work together.
I'll talk more about that later.
But a significant number of organizations really have not even defined
what success looks like. So it's going to be pretty hard to achieve.
Now, on the positive side, in terms of organizational use of AI,
we see that organizations that have an extensive use
of AI in the security space.
So they're using AI in order to do a better job of security. Well,
they actually saw a big impact.
In fact, they saw their number of days go down to
do that mean time to identify,
mean time to contain, it decreased by 80 days.
Now, time is money. So, guess what?
That's what we also saw
is that the numbers went down for the cost here as well.
And the number in that case was in the range of 1.9 million dollars less.
So, we can use
AI to do a better job
of securing our systems and responding and containing these costs.
And the bad guys are going to be using it to attack us.
Okay. Now we know the numbers.
The cost of a data breach.
I reviewed those numbers with you.
The causes of those data breaches as well.
Now, what are we supposed to do about it?
Let's take a look at some recommendations.
First of all, we continue to see that attackers
find it's easier to log in than it is to hack in.
So that means they're exploiting
login capabilities. Authentication.
What's our answer to that?
Well, it's stronger identity and access management capabilities.
So here we're seeing a need to focus
not only on the regular user identities
that are associated with people,
but also a focus on non-human identities
Some of these system-level accounts
that have super-level access, very high levels of access,
but, in many cases are not being managed.
The passwords are not changing very frequently on them.
We need basically a system of secrets management
that allows us to do a better job of those.
And some of those secrets, as I mentioned, could be passwords.
They could be API keys.
So for instance, maybe I've got ah an application
and it's got one of these non-human IDs
that goes and queries a database.
And it's got an API key. These kinds of functions.
Crypto keys, because we want to keep all this information encrypted.
So, a lot of different information that needs to be kept secret.
It's too much to scale and manage all of this
if you don't have a good secrets management tool in place.
Some other things that we can do and I'm a big proponent of this,
we recommend this in the report
is the thing that's better than a password is a passkey.
Nobody can steal your password if you don't have one. Passkeys
sound like a similar kind of thing, but it's actually a much stronger technology
that's based on cryptographic techniques.
And we're seeing more and more even consumer-level sites
adopt this technology. So the more we can move to that,
potentially the better we'll be and the harder
these things are to break into. In particular,
think about those phishing attacks. Well,
it's these things are pretty resistant to phishing types of attacks.
So that would make a big difference in that case.
Another big area. Ah.
I mentioned the impact of AI on this year's report. Well,
we don't have AI if it weren't for data.
So all of that is based on data.
And what we need to be able to do now is discover.
So I've got to discover my, all my uses
and all of my cases of sensitive data in the organization
and all of my uses of AI in the organization.
In other words, I have to shine a light on the shadows, the shadow
AI, the shadow data, all of these things that are sitting out there
that might be issues for me.
So I need tools that can do that sort of discovery automatically.
People are not always going to tell me. If they were,
it wouldn't be shadow in the first place.
Another thing is, for these AI implementations,
once I've found them, now I've got to do some things to secure them.
I need a secure the posture of that AI. I
need to be able to test the models.
So I need to be able to add in security for AI models.
And I need to be able to secure the usage of these systems as well.
Ah. In other words, things like prompt injection attacks and things of that sort.
Those are usage-based attacks against the AI.
So secure the data, secure the models and secure the usage.
Now, on the data side, also,
we need to have strong access controls.
So, that kinda leads back into this IAM topic.
Identity and access management as well.
This was more about the authentication.
This is about the authorization.
I need to have all of my sensitive data encrypted
because, if I don't, then
potentially anyone would be able to see it.
And I need to be able to monitor
the use of that data.
Just because I put all of these controls in place doesn't mean everything's okay.
Someone might be abusing their privileges. Again,
we talked about insider threats.
That's why we need to be able to monitor.
And then ultimately, as I mentioned, a lot of organizations are using
AI more and more, and we're starting to see it more
and more as a vector of attack into the organization. But,
at the same time, we see most organizations
don't have these two dots connected.
Governance and security.
And I can tell you they're very important in AI in
both cases. We need these in non-AI environments.
But in AI it's particularly important.
And there's a lot of overlap in these areas.
The things that we need to do to do right in security
can also be complemented by the things that we do in governance.
So, a big emphasis on this moving forward.
If you take care of these kinds of things,
hopefully next year when we come back to look at this video again,
the cost of a data breach will be even lower.
So there's a quick summary of the 2025 Cost of a Data Breach Report.
There's lots more details.
To read the full report and do your own analysis of the data,
click on the link in the description below and download your own copy now.