IBM recently released its 20th annual Cost of a Data Breach Report, a comprehensive look at the causes and costs of cyberattacks for businesses around the world.
This year’s report compiled data from 600 organizations across more than a dozen industries to uncover trends in areas such as artificial intelligence (AI), ransomware, security governance, attack vectors, and recovery times.
Here are six of our team’s top takeaways and tips for keeping your organization secure:
IBM reports that the global average cost of a data breach has declined 9% since its last report to $4.44 million. This is the first decline they’ve seen in five years, a change they attribute to “faster breach containment” that has been “driven by AI-powered defenses.” With the help of AI-powered security tools, organizations are able to identify and mitigate data breaches faster than ever before.
However, it’s not just product and service providers who are leveraging the power of AI. Bad actors are also taking advantage of this new technology to perpetrate more sophisticated attacks, especially phishing schemes. IBM reports that on average, “16% of data breaches involved attackers using AI”—and phishing attacks accounted for more than a third (37%) of AI-powered attacks.
Reflecting how AI is shaping the threat landscape, phishing was also the most common initial attack vector across all data breaches studied by IBM, accounting for 16% of the breaches in the study. Breaches that began with phishing cost organizations an average of $4.8M, IBM reported.
For organizations aiming to minimize the risk of their employees falling victim to phishing, regular, engaging, and role-specific training is crucial. While phishing attacks are becoming harder to detect, your employees remain your first line of defense. Checking for suspicious links, out-of-place characters (like a lowercase "l" standing in for an uppercase "I", or a digit 1 or 0 in place of the letters l or O in a domain name), and undue urgency should be routine practice for everyone with access to a company email account. Hovering over a link (or long-pressing it on a mobile device) reveals the real destination before you click. Another best practice is to type a website's known URL into your browser yourself, or use a saved bookmark, instead of clicking links embedded in an email. Sarah Varnell, manager on BARR's attest services team, also advises checking in with the purported sender via another means of communication to verify the request.
“When in doubt, reach out to a contact in your organization’s IT department, whether that’s via email, phone call, or an internal communication tool like Slack or Teams,” Varnell said. “Do not reply to the email directly or call any number in the email. Pull those details from your company directory instead to ensure you have the right contact information.”
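One way to turn the "out-of-place characters" check into something a mail gateway or a help-desk tool can run automatically is to compare each link's hostname against a short list of domains the organization actually uses, after collapsing the characters attackers swap for one another. The Python script below is an added example written for this article; it is not tooling from IBM, BARR Advisory, or any vendor named here. The trusted-domain list and the sample links are constructed for illustration, and the "last two labels" shortcut for the registrable domain would need a public-suffix list in production.

```python
"""Flag links whose hostname imitates a trusted domain.

Added example for this article (not IBM's or BARR Advisory's code).
TRUSTED and the sample URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list of domains the organization actually uses.
TRUSTED = {"paypal.com", "microsoft.com", "barradvisory.com"}

# Characters that render alike in common fonts, or are cross-script twins,
# mapped to one canonical letter so that lookalikes compare equal.
CONFUSABLES = str.maketrans({
    "1": "l", "i": "l", "|": "l",                 # l, I, 1 and | look alike in sans-serif fonts
    "0": "o", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а, е, о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # Cyrillic р, с, у
})


def skeleton(name: str) -> str:
    """Collapse confusable characters and character pairs (rn -> m, vv -> w)."""
    s = name.lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")


def decode_host(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode; pass Unicode hosts through."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:  # host already contains non-ASCII, or the punycode is malformed
        return host


def registrable(host: str) -> str:
    """Last two labels, e.g. 'www.paypal.com' -> 'paypal.com'.
    Simplification: a real check needs the public-suffix list for 'co.uk'-style TLDs."""
    return ".".join(host.split(".")[-2:])


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, hostname).

    Verdicts: trusted, lookalike, embeds, userinfo, unknown, invalid.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    if not parts.hostname:
        return ("invalid", "")
    host = decode_host(parts.hostname).lower()
    # user@host trick: the text before '@' is bait; the browser connects to what follows it.
    if parts.username is not None:
        return ("userinfo", host)
    reg = registrable(host)
    if reg in TRUSTED:
        return ("trusted", host)
    for good in sorted(TRUSTED):
        if skeleton(reg) == skeleton(good):
            return ("lookalike", host)  # paypa1.com, rnicrosoft.com, Cyrillic-а paypal.com
        if good in host:
            return ("embeds", host)  # paypal.com.secure-login.example
    return ("unknown", host)


if __name__ == "__main__":
    # Constructed sample links of the kind that show up in phishing mail.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypa1.com/login",
        "https://rnicrosoft.com/account",
        "https://paypal.com.secure-login.example/verify",
        "https://paypal.com@evil.example/",
        "https://p\u0430ypal.com/",
        "https://example.org/",
    ]
    for u in samples:
        verdict, host = classify(u)
        print(f"{verdict:9} {host:40} {u}")
```

The skeleton step is deliberately aggressive: mapping "i" to "l" makes paypai.com and paypal.com compare equal, which is exactly the case a human reviewer misses. Because the comparison is only ever against the trusted list, the cost of that aggressiveness is a "lookalike" flag on a domain that was impersonating a trusted one anyway, not a flood of false alarms on unrelated sites.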
While IBM reports that security incidents impacting AI products and services were rare, 97% of organizations that reported falling victim to an AI-related data breach “lacked proper AI access controls.” In fact, nearly two-thirds (63%) of major organizations that experienced any type of breach failed to establish comprehensive policies surrounding AI governance. This underscores the importance of building a strong governance, risk, and compliance (GRC) program, especially if your organization is leveraging AI technology.
For companies aiming to secure their AI systems, compliance frameworks like ISO 42001 and the HITRUST AI Security Certification are a great place to start.
Designed specifically for organizations that use or produce AI tools and systems, ISO/IEC 42001 was built to help organizations demonstrate that they have established effective processes for ensuring their use of AI is secure, ethical, and transparent. This includes implementing strong encryption and access controls, training staff on the safe and responsible use of AI, and continually improving your risk management strategy as the technology evolves.
For organizations that have already achieved HITRUST e1, i1, or r2 certification, HITRUST’s AI Security Assessment is a seamless addition to your existing compliance program. Designed to be compatible with ISO 42001, the HITRUST AI Security Assessment outlines prescriptive, highly tailored controls, tools, and methodologies for implementing, testing, validating, and reporting on AI security.
“Implementing robust security measures, such as encryption and access controls, is essential to safeguard data from unauthorized access,” said Steve Ryan, senior manager and head of healthcare services at BARR Advisory. “Companies should also invest in employee training and education programs to ensure that individuals handling data understand the importance of privacy and are equipped to handle potential privacy risks effectively.”
According to IBM, data breaches in the healthcare sector were most expensive, costing organizations an average of $7.42 million—a decrease from the year prior, but still a hefty figure. It also took healthcare organizations an average of nine months to identify and contain breaches—the longest amount of time across any industry, and more than a month longer than the global average, IBM reported.
“It goes to show it’s a matter of if, not when, your organization may be impacted by a cyberattack,” Ryan said in the wake of a major breach impacting Change Healthcare, a subsidiary of UnitedHealth Group, in early 2024. “This is why organizations should be prepared for detection, containment, eradication, and recovery while working to limit damage to as minimal as possible.”
Behind phishing, the second most common initial attack vector in the breaches studied by IBM was a compromised third party, such as a vendor or a component of the software supply chain. These vendor and supply chain breaches cost organizations an average of $4.91M, the second-highest figure of any attack vector.
It’s an issue that is especially prevalent in the healthcare industry, where “vendor security isn’t just an IT issue—it’s a patient safety issue,” Ryan wrote in a recent article.
“Even if your internal environment is highly secure, a single vulnerable vendor can serve as a direct line into your systems,” Ryan said.
Ryan recommends that organizations establish strong vendor risk management programs that include comprehensive risk assessments. These assessments “should include requesting detailed security documentation and reviewing compliance reports and certifications such as SOC 2, ISO 27001, and HITRUST,” he advises.
“After all, if your organization is pursuing compliance attestations like these, your vendors should be held to a similar standard,” Ryan said. “This isn’t about mistrusting vendors. It’s about building transparent, accountable partnerships where both sides are committed to security.”
According to IBM, 30% of data breaches reported over the last year “involved data distributed across multiple environments, such as public clouds, private clouds[,] and on premises,” costing organizations an average of $5.05M per breach.
Legacy systems often add to this risk, since they are harder to secure and integrate consistently across modern hybrid environments.
“Limited or a complete lack of integration capabilities with modern cybersecurity tools and operating systems leads to larger, more exposed, and more easily exploited attack surfaces in legacy systems, and without official patch support, attacks take longer to resolve,” said Devin Olsen, a senior consultant on the attest services team at BARR Advisory.
“The best solutions are either upgrading infrastructure and software—which isn’t always feasible, due to niche applications with specific operating system (OS) requirements, limited finances, or an inability to migrate data safely—or to use multiple layers of defense strategies to overlap and protect vulnerable infrastructure,” Olsen added. “These strategies include multi-factor authentication (MFA), endpoint detection and response (EDR) agents, personnel training, enforced access controls, network segmentation, and continuous monitoring.”
IBM’s 2025 Cost of a Data Breach Report shows that while AI is helping organizations contain threats faster, it’s also arming attackers with new tools. Phishing, third-party risk, and weak AI governance remain top concerns—making proactive security measures and strong compliance programs more critical than ever.
Is your organization prepared to combat data breaches in the year ahead? Contact us today for a free consultation.