
IBM’s 2025 Cost of a Data Breach Report: 7 Key Findings for Small and Medium Enterprises

Rolando Torres Chief Security Operations Officer, Abacode Cybersecurity & Compliance

There were some surprises in IBM's 2025 Cost of a Data Breach Report: for the first time in five years, the global average cost of a data breach dropped, from $4.88M to $4.44M. This decrease is likely due in part to global currency exchange rates, and it does not mean that threat actors are scaling back. In the US, the average cost rose to a new high of $10.22M, reflecting both continued attacks and increasing regulatory fines.

Meanwhile, certain findings of the report aligned with prior expectations: threat actors' use of AI has enabled more convincing phishing schemes and deepfake attacks. Conversely, organizations have enhanced their defensive capabilities, in some cases also leveraging AI, leading to faster detection and containment of incidents and reducing the average breach lifecycle (time to identify plus time to contain) to 241 days, the lowest level in nearly ten years. That figure is a cross-industry average, however. For the average SME, the window between initial access and ransomware deployment is typically a few hours to a few days, because threat actors race to encrypt before they are noticed; hence the importance of a 24/7 Managed Detection & Response (MDR) function.

IBM examined approximately 6,500 breaches across 16 countries and 17 industries as part of this report. While many of the report's findings are relevant to organizations of all sizes and sectors, the issues most pertinent to SMEs are highlighted below:

  1. While the global average cost of a data breach declined over the past year, the US average increased during the same period, highlighting the importance for US businesses of maintaining effective cybersecurity measures and appropriate cyber risk insurance to address residual risk.
  2. Adopting AI solutions without proper governance can pose serious risks to any organization. About 13% of the companies in the study reported experiencing an AI-related breach, and an astonishing 97% of those companies lacked proper AI governance and access controls. Without an AI management program in place (an inventory of AI tools in use, rules for what data may be fed to them, and access controls on the models and their integrations), AI adoption could lead to eventual compromise or data leakage for the average SME.
  3. Insider threats continue to represent a significant concern for organizations of all sizes. Although most insider-related breaches are the result of accidental or negligent actions, breaches involving malicious insiders have proven to be the most costly, averaging $4.92M in this year's study. Therefore, organizations should adopt effective screening practices during talent acquisition, manage third-party vendor and contractor risk, enforce least privilege, and monitor their environments for suspicious activity.
  4. Third-party and supply chain compromises represented 15% of all breaches, indicating that trust boundaries are common areas of vulnerability for most organizations. Accordingly, SMEs should proactively and continuously monitor the security posture of their supply chain so they can respond promptly to any change in a vendor's risk profile.
  5. Phishing remains the top initial attack vector, at 16% of all compromises in the study. Leveraging AI, threat actors can now accelerate the creation of phishing emails and tailor them to their victims using social media and other publicly available information. Phishing attacks are no longer as obviously flawed as they were in the past, making it harder for employees to distinguish legitimate emails from phishing. Without a proper Security Operations Center (SOC) function in place, phishing emails that land could lead to Business Email Compromise (BEC) incidents that eventually result in financial losses.
  6. Multi-environment breaches, those spanning cloud and on-premises systems, were the costliest ($5.05M) and the slowest to contain (276 days). Although cloud platforms typically provide stronger security assurances than on-premises systems, misconfigurations such as services exposed to the entire internet make cloud workloads an attractive target for threat actors. SMEs must monitor their attack surface closely and stay on top of configuration management and patching.
  7. Nearly half of the organizations (49%) in the study decided to invest in comprehensive cybersecurity measures only after they were breached. That's like installing seatbelts in your car after having crashed. The cost of a breach is measured not only by immediate financial losses but also by reputational damage and the organization's inability to focus on strategic initiatives post-breach.
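As a concrete illustration of the "services overexposure" misconfiguration mentioned in finding 6, here is an added example (not code from the original post or from Abacode) that audits cloud firewall rules for sensitive services reachable from the whole internet. The rule format is a simplified, AWS-security-group-style structure, the sample groups are constructed, and the list of sensitive ports is an assumption; a real check would pull rules from the cloud provider's API and tune the port list to the environment.

```python
"""Audit inbound cloud network rules for services exposed to the whole internet.

Added example, not part of the original post. The rule schema, the sample
security groups and the sensitive-port list below are all assumptions made
for illustration.
"""
import ipaddress

# Services that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 445: "SMB", 1433: "MSSQL",
    3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB",
}

# Constructed sample: three security groups with their inbound rules.
# proto "-1" mirrors the AWS convention for "all protocols".
SAMPLE_GROUPS = [
    {"id": "sg-web", "rules": [
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},   # fine
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"},    # internal only
    ]},
    {"id": "sg-db", "rules": [
        {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"},  # DB on the internet
    ]},
    {"id": "sg-admin", "rules": [
        {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"},     # everything open
        {"proto": "tcp", "from": 3389, "to": 3389, "cidr": "203.0.113.0/24"},
    ]},
]


def is_world_open(cidr):
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(group):
    """Return (group id, port or 'ALL', description) for each over-exposed rule."""
    findings = []
    for rule in group["rules"]:
        if not is_world_open(rule["cidr"]):
            continue  # restricted source range: not an internet exposure
        if rule["proto"] == "-1":
            findings.append((group["id"], "ALL", "all protocols and ports open to the internet"))
            continue
        low, high = rule["from"], rule["to"]
        # A port range (e.g. 0-65535/tcp) can cover several sensitive services.
        for port, name in sorted(SENSITIVE_PORTS.items()):
            if low <= port <= high:
                findings.append((group["id"], port, f"{name} open to the internet"))
    return findings


def audit(groups):
    """Audit every group and return the combined list of findings."""
    findings = []
    for group in groups:
        findings.extend(audit_group(group))
    return findings


if __name__ == "__main__":
    for group_id, port, description in audit(SAMPLE_GROUPS):
        print(f"[{group_id}] port {port}: {description}")
```

On the constructed sample the audit flags the PostgreSQL rule in sg-db and the allow-everything rule in sg-admin, while the HTTPS rule (a service that is meant to be public) and the internal-only SSH and RDP rules pass. Running a check like this on a schedule, and alerting when the finding count changes, is the "monitor the attack surface" part of finding 6 in its simplest form.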

Just like the enterprise-level organizations in the IBM study, SMEs are being targeted by the same threat actors leveraging AI in their attacks. However, SMEs' budget constraints rarely allow critical functions such as detection, response, and threat hunting to be insourced. For this reason, SMEs should continue to focus on addressing their cyber risk and compliance requirements by partnering with reputable MDR and compliance services providers like Abacode.