Top 5 Takeaways for CISOs from the 2025 IBM Cost of a Data Breach Report
The latest IBM Cost of a Data Breach Report just dropped—and while headlines focus on global averages, the real insights for CISOs lie deeper. From regional cost surges to the hidden price of Shadow AI, here are five takeaways you can use to protect your organization in 2026 and beyond.

The latest IBM Cost of a Data Breach Report just dropped—and while the headlines focus on global averages, the real insights for CISOs lie deeper. This year, the report provides some much-needed clarity on how breach costs are shifting, what’s working (and what’s not), and what security leaders need to prepare for in 2026 and beyond.
Let’s break down the five most important takeaways—backed by data, grounded in real-world examples, and framed through the lens of operational action.
1. Global Average Cost Decreased—but Not Everywhere
The global average cost of a data breach in 2025 was $4.44 million, down from $4.88M in 2024—a 9% decrease. That might sound like progress. But it’s not the full picture.
The decline was largely driven by organizations that have invested in stronger internal security teams and automation. Faster detection and containment—especially through AI-driven tooling—have paid off. But this average hides major regional differences:
- United States: Breach costs surged 9% to $10.22 million, the highest in the world. This rise is tied to increased regulatory fines, legal fees, and escalation costs.
- United Kingdom: Costs remained above the global average, driven by higher customer turnover and compliance-related impacts.
- Middle East: Costs saw a modest decrease, showing that maturing security operations and rising adoption of automation are having a positive effect—but coverage is still uneven.
So while global averages can be misleading, CISOs must benchmark locally. In highly regulated markets like the US and UK, breach costs are accelerating. For regions like the Middle East, proactive investment today can help avoid that same fate.
2. Internal Discovery Is Rising—But Attacker-Driven Detection Still Hurts
IBM found that in 2025, only 33% of breaches were discovered by internal teams. Alarmingly, 17% were still reported by the attackers themselves.
This means many organizations are still finding out about breaches after the damage is done—through ransom notes, third-party alerts, or public leaks. These breaches cost significantly more because containment is delayed and the public fallout is larger.
The good news? Organizations that detect breaches quickly—especially via internal monitoring and real-time telemetry—see major cost savings. Time-to-containment directly correlates with total cost.
That’s where platforms like FrontierZero help. By surfacing shadow SaaS, dormant accounts, and risky OAuth scopes in real time, CISOs can shift detection left—before adversaries tip them off.
3. Shadow AI = Shadow Risk
One of the biggest shifts this year? The rise in breach costs associated with unmonitored AI usage.
Companies with Shadow AI, on average, paid $670,000 more than companies without it.
IBM’s data shows that shadow AI apps—like unsanctioned AI copilots, writing tools, and AI-enhanced file analysis—are quietly increasing breach complexity and cost. These tools often connect to cloud drives, email, or CRM systems, pulling sensitive data into unsecured hands.
CISOs are under pressure to "support innovation" while still keeping a handle on risk. But many orgs don’t even know where these AI tools are, let alone what data they touch or how long they retain access.
Here’s the operational reality: A single unmonitored AI plugin with wide-scoped access can silently copy or misuse customer PII, source code, or contracts. And it’s not always the attacker’s fault—sometimes it’s an employee trying to work faster.
To control this, security teams need OAuth visibility, data access mapping, and continuous risk scoring for every third-party AI connection.
4. Stolen Credentials and Misconfigured Cloud Are Still Leading Causes
24% of breaches involved stolen or compromised credentials—often from dormant accounts, over-permissioned OAuth tokens, or password reuse across unsanctioned SaaS apps.
Cloud misconfiguration is another repeat offender. Whether it's publicly exposed databases, unaudited guest access, or forgotten test environments, misconfigurations keep the door wide open.
This speaks directly to the value of SSPM (SaaS Security Posture Management). You need to know:
- What’s connected
- Who has access
- How configurations drift over time
FrontierZero helps teams map their full SaaS landscape—not just what’s sanctioned—and continuously monitors that landscape for identity risks and configuration drift, while also watching the dark web for potential leaks.
5. Third-Party Breaches Are Getting More Expensive
Third-party vendor and supply chain compromises almost topped the breach cost list at $4.91M per breach, surpassing even phishing and credential-related incidents.
These breaches are especially damaging because they often occur outside your visibility.
And here’s the kicker: you’re still held responsible, even if the breach happens upstream.
Remember the AT&T and Snowflake incident in 2024: AT&T wasn't breached directly, Snowflake was, but AT&T still paid a price for it.
That’s why third-party visibility—especially in SaaS environments—must be a central part of every CISO’s playbook. It’s not enough to vet vendors once. You need:
- Real-time integration monitoring
- Least-privilege access enforcement
- Automated deprovisioning when access is no longer needed
Trust is not a control. Visibility is.
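As an added example (not FrontierZero's code or anything from the IBM report), here is a small Python risk-scoring pass over a constructed OAuth grant inventory that flags the patterns sections 3 to 5 describe: broad data scopes, unsanctioned apps that look like AI tools, and dormant grants, then ranks them as deprovisioning candidates. Scope names, app names, weights and the 90-day dormancy threshold are illustrative assumptions; a real inventory would come from your IdP's consent or token export.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data: scope names, app names and thresholds are
# illustrative assumptions, not taken from any real IdP export.
BROAD_SCOPES = {"drive", "drive.readonly", "mail", "mail.readonly", "files.read.all"}
AI_HINTS = ("ai", "copilot", "gpt", "assistant", "summar")  # crude name heuristic

@dataclass
class Grant:
    app: str
    user: str
    scopes: set
    last_used: date
    sanctioned: bool

def looks_like_ai_tool(app: str) -> bool:
    return any(h in app.lower() for h in AI_HINTS)

def score_grant(g: Grant, today: date, dormant_after=timedelta(days=90)):
    """Return (score, reasons); higher score means review first."""
    score, reasons = 0, []
    broad = g.scopes & BROAD_SCOPES
    if broad:                       # wide data access (drive, mail, ...)
        score += 3
        reasons.append(f"broad scopes: {sorted(broad)}")
    if not g.sanctioned:            # shadow SaaS
        score += 2
        reasons.append("unsanctioned app")
    if not g.sanctioned and looks_like_ai_tool(g.app):  # shadow AI
        score += 2
        reasons.append("possible shadow AI tool")
    idle = today - g.last_used
    if idle > dormant_after:        # dormant grant: deprovision candidate
        score += 2
        reasons.append(f"dormant for {idle.days} days")
    return score, reasons

def deprovision_candidates(grants, today: date, threshold: int = 4):
    """Grants at or above threshold, riskiest first."""
    scored = sorted(((score_grant(g, today)[0], g) for g in grants),
                    key=lambda pair: -pair[0])
    return [g for s, g in scored if s >= threshold]

TODAY = date(2025, 8, 1)
SAMPLE_GRANTS = [  # constructed inventory
    Grant("Acme Summarizer AI", "alice@example.com", {"drive.readonly", "mail.readonly"}, date(2025, 7, 30), False),
    Grant("Calendar Sync", "bob@example.com", {"calendar"}, date(2025, 7, 29), True),
    Grant("Old Reporting Tool", "carol@example.com", {"files.read.all"}, date(2025, 2, 1), True),
]
```

Running `deprovision_candidates(SAMPLE_GRANTS, TODAY)` returns the unsanctioned AI tool with broad scopes first, then the sanctioned but dormant reporting tool, and leaves the narrow, active calendar grant alone.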
Final Thoughts for CISOs
If there’s one clear message from this year’s IBM report, it’s this: what you can’t see will cost you.
In 2025, attackers aren’t just exploiting systems—they’re exploiting visibility gaps. Shadow SaaS, over-permissioned integrations, forgotten accounts, and unsanctioned AI tools are creating breach pathways that traditional controls simply miss.
At FrontierZero, we help CISOs manage it all in one place:
- Uncover unauthorized SaaS usage, shadow IT, and breached employee credentials.
- Map user-to-app identity sprawl and OAuth risk
- Detect AI tool access before sensitive data leaves your perimeter
Start a free trial and get real-time visibility into the blind spots that matter most. Because the real cost of a breach isn’t just financial—it’s operational, reputational, and long-term.
Visibility isn’t a luxury anymore—it’s the baseline.
Get in touch with us and see what your current tools might be missing.