
Is your business a sitting duck?

What IBM’s latest Cost of a Data Breach Report means for you

Based on IBM Cost of a Data Breach Report 2025 · Ponemon Institute Research · 600 organisations studied globally

TL;DR

  • The global average cost of a data breach is now USD $4.44 million — and climbing in most regions.
  • Australia’s average breach cost sits at USD $2.55 million — not cheap for an SMB.
  • Organisations using AI-powered security saved an average of USD $1.9 million per breach.
  • “Shadow AI” — staff using unapproved AI tools — adds USD $670,000 to the average breach cost.
  • 63% of breached organisations had no AI governance policy in place. That gap is costing them dearly.
  • Phishing remains the #1 attack vector — and AI is making those attacks faster and more convincing than ever.

IBM has spent 20 years tracking the financial fallout of data breaches. Their 2025 report — covering 600 organisations across 17 industries and 16 countries — lands with a clear message for business leaders: the threat landscape is evolving faster than most organisations are prepared for. And the bill for unpreparedness has never been higher.

Here is what the data says, what it means for your business, and — critically — what you can do about it.

The numbers that should keep your CFO up at night

For the first time in five years, global average breach costs dipped slightly — down to USD $4.44 million from $4.88 million in 2024. Good news, right? Not entirely. The drop was largely driven by faster breach detection, thanks to AI-powered security tools. Organisations that did not adopt those tools? They are still on the wrong side of a very expensive equation.

The Australian Picture

Australia recorded an average breach cost of USD $2.55 million in 2025 — a decrease from $2.78 million the prior year, which reflects improving detection capabilities regionally. Even so, for an SMB, a seven-figure incident is a business-defining event. For many, it is a business-ending one.

The $1.9 million argument for AI-powered security

If you have been on the fence about investing in AI-driven security tools, IBM’s report makes the business case for you. Bluntly.

Organisations that used AI and automation extensively across their security operations saved an average of USD $1.9 million per breach compared to those that used none. They also identified and contained breaches a full 80 days faster.

Speed is money when a breach is in progress. Every day of undetected intrusion adds to the final bill.

Yet here is the uncomfortable truth: only 32% of organisations use these tools extensively (Symsafe is among them). The majority are still leaving significant savings — and significant protection — on the table.

Shadow AI: the invisible threat hiding in plain sight

Here is a scenario playing out in businesses everywhere: an employee discovers a free AI tool online, uses it to process customer data, and tells nobody. That is shadow AI — and it is now one of the top three costliest factors driving breach expenses.

Key Finding

Organisations with high levels of shadow AI paid an average of USD $670,000 more per breach than those with little or none. Shadow AI incidents were also more likely to compromise customer personal data (65%) and intellectual property (40%).

20% of breached organisations suffered an incident directly linked to shadow AI. A further 63% of all breached organisations had no AI governance policy whatsoever. With AI tools proliferating at extraordinary speed, the absence of a usage policy is no longer a minor oversight — it is an open door.

Phishing just got a dangerous upgrade

Phishing has reclaimed the top spot as the most common initial attack vector, accounting for 16% of all breaches at an average cost of USD $4.8 million each. What has changed is the sophistication of the attacks. Generative AI has slashed the time required to craft a convincing phishing email from 16 hours to just five minutes.

1 in 6 breaches in 2025 involved attackers using AI — primarily through AI-generated phishing (37%) and deepfake impersonation attacks (35%). Your staff are now up against synthetic voices, fabricated video, and hyper-personalised emails that are increasingly difficult to spot.

Strategic question for leadership

When did your organisation last update its phishing and security awareness training? If the answer is “last year,” consider that the threat has changed significantly — and your training may not have kept pace. This is your friendly reminder to reach out to your IT provider and request updated training for your team.

The real cost of doing nothing

Beyond the direct financial hit, 86% of breached organisations experienced operational disruption. Recovery — defined as restoring operations, meeting compliance obligations, and rebuilding customer trust — took more than 100 days for 76% of those that eventually recovered fully. At the time of the study, 65% of breached organisations were still in recovery.

Malicious insider attacks were the costliest attack type at USD $4.92 million, followed closely by supply chain and third-party vendor compromise at USD $4.91 million. Vulnerabilities in the ecosystem around your business are just as dangerous as those within it.

What the smart businesses are doing differently

IBM’s report identifies the investments that measurably reduce breach costs. The top three cost-reducing factors were a DevSecOps approach to software development, AI and machine-learning security insights, and a SIEM (security information and event management) platform. The common thread: visibility, speed, and coordinated response.

For SMBs, the practical takeaway is this — partnering with a managed security provider that embeds these capabilities is often more cost-effective than building them in-house. The skills shortage is real (48% of organisations reported a high level of security skills gaps), and those gaps translate directly to higher breach costs: USD $5.22 million on average versus $3.65 million for organisations without significant shortages.

Not sure where your business stands?

Symsafe helps businesses demystify cybersecurity, close the gaps, and implement the right protections — before the breach happens.

Chat to the Symsafe team

1300 002 001 | info@symsafe.com.au

This article was crafted in collaboration with our AI sidekick, Toolip 🤖

Source: IBM Cost of a Data Breach Report 2025, conducted independently by Ponemon Institute. Study covered 600 organisations across 16 countries and 17 industries, with data collected between March 2024 and February 2025. All figures in USD. Read the full report at ibm.com/security.