An annual global analysis of 113,620 data breaches published by IBM today finds the cost of the average data breach decreased by 9% year over year, thanks mainly to faster discovery and containment.
Conducted in collaboration with the Ponemon Institute, the report finds the global average breach cost dropped to $4.44 million from $4.88 million in 2024, which is consistent with the cost levels that were previously experienced in 2023. However, the global cost would be even lower if it were not for attacks in the U.S., where the average cost surged by 9% to $10.22 million.
Kevin Albano, global lead for X-Force Intelligence Services at IBM, said that while the volume of cyberattacks continues to increase in some regions, it would appear that, in general, cybersecurity teams have become more adroit in responding to them in the last year than in years prior. That suggests that cybersecurity teams are achieving higher levels of maturity in terms of adopting best practices to both prevent and recover from cyberattacks in less than 100 days, he added.
For the second year in a row, malicious insider attacks resulted in the highest average breach costs at $4.92 million, followed closely by supply chain compromises at $4.91 million and phishing attacks at $4.8 million.
The report also notes that more ransomware victims refused to pay a ransom in 2025 (63%) than in 2024 (59%). However, the average cost of an extortion or ransomware incident remains high, particularly when the breach is disclosed by the attacker ($5.08 million). At the same time, fewer ransomware victims reported involving law enforcement this year (40%) than last year (53%).
The IBM report also finds a significant drop in the share of organizations that plan to invest in security following a breach (49%, compared to 53% last year). Less than half of those that do plan to invest intend to focus on security solutions or services based on artificial intelligence (AI), even though security teams that used AI and automation extensively shortened their breach lifecycle by 80 days and lowered their average breach costs by $1.9 million.
The report also finds that AI is starting to be more widely employed by cyberattackers. On average, 16% of data breaches involved attackers using AI, most often for AI-generated phishing (37%) and deepfake impersonation attacks (35%).
At the same time, the report notes that incidents involving attacks on AI models and applications remain limited (13%), with 97% of those issues stemming from a lack of proper access controls. Among the organizations studied this year, 20% said they suffered a breach due to security incidents involving shadow AI. A majority of breached organizations (63%) either don’t have an AI governance policy or are still developing one. Even when they have a policy, less than half have an approval process for AI deployments, and 61% lack AI governance technologies.
Among organizations that have governance policies in place, only a minority (34%) perform regular audits for unsanctioned AI, according to the report.
The cost of a data breach will naturally vary from one organization to the next; IBM, for example, includes reputation costs running into millions of dollars. Regardless of the metrics used, one thing is clear: even as cybersecurity becomes more challenging to maintain, the same basic game of whack-a-mole persists.