Category: Cybersecurity
Tags: AI, Breaches, Data, Phishing, Security
Entities: 2025 Cost of a Data Breach Report, AI, IBM, US
00:00
How many times have you heard this? We really can't afford to spend that much on security.
Maybe instead, we should be asking ourselves if we can afford not to. After all, it's not just about dollars.
It's downtime. Reputation.
Lost trust.
00:15
And the fact is that many of these breaches are preventable. But let's base the decision regarding security investments on actual numbers rather than just gut feel.
The good news is that we have the information that can help guide those decisions in the form of IBM's 2025 Cost of a Data Breach Report.
00:33
In this video, we're going to take a look at some of the key findings from the report and lessons learned that you can apply to your own environment. So stay tuned.
Okay. What did the 2025 report tell us?
Well, first of all, a little bit of background on this.
00:50
We went out and talked to 600 different organizations that actually experienced a data breach. So this is not theoretical.
And interviewed approximately 3,500 leaders from those organizations.
01:05
So, these are people with direct knowledge, firsthand knowledge of what occurred. And those are the ones who can tell us and give us these insights that we're looking for.
Okay. What did the report tell us?
Drumroll, please. Let's take a look.
Cost of a data breach.
01:21
The actual number. Raw numbers.
And we've got a little bit of good news and a little bit of bad news to counteract it. First of all, the good news.
Worldwide, the cost of a data breach number actually went down 9%. So, congratulations world.
01:37
We did a little better. And that number was 4.44 million dollars as the average cost of the data breach.
So, that's big breaches, small breaches. By the way, in the report, we always take the really mega breach, the really huge numbers.
01:54
We take those out because they would skew the average. So, this is a realistic average when you get a number like that.
Another thing that I thought was really encouraging. It's something that I've watched over the years, is the numbers that relate to mean time to identify and mean time to contain.
02:11
So, this is how long: if the bad guy broke into your house, how long is he in there?
That's mean time to identify, before you realize that you've, in fact, got somebody living in your house. And then mean time to contain is how long does it take until you get him out of the house?
Well,
02:27
these numbers actually improved a little bit, and we've seen a little bit of improvement over the last bunch of years. I'm going to tell you, they're still not great, but it's an improvement.
So, if we look back, say 4 or 5 years ago, this number combined was about 257 days for mean
02:44
time to identify and then contain. Most of that time is on the identify side.
But, in the most recent report, we moved down to 241 days. Now you say, well, that's not a huge improvement, but hey, we'll take small victories at this point and keep chopping away at this.
03:02
Bottom line is there's still work that needs to be done. That's not acceptable.
To have the bad guy in your environment and doing what they're doing, and us not be in control of that situation for 241 days. That's again, still the better part of a year.
But, keep up the faith.
03:18
We're doing some good work here. Now, a little bit of bad news.
Okay, folks in the US. We need to do better.
The number here was up 9% in terms of cost. So it was 9% more expensive than it used to be.
And the cost of a data breach in the US
03:34
has always run higher than the rest of the world. Well, now it's even higher still.
So, we're in the range of 10.22 million dollars. That's a really big number.
So, you're looking at a number that's almost twice what the worldwide average is.
03:50
And this number is continuing to grow. Now why was it more expensive?
There are a number of different factors that go into this.
One of the things that increased are regulatory fees. So, when you actually experience a data breach, maybe a law is requiring you to pay
04:07
certain kinds of things in order to get that back.
Another thing that went up were the detection costs. So, in this case, the cost to do detection and putting in the tooling and all this kind of stuff, that was also driving up some of these costs.
04:22
So, again, we've got some good news. We've got some not so good news, but, overall we've got news.
A new feature of this year's report, because it's a new feature in everyone's environment these days, artificial intelligence. And what we found was that 13% of organizations
04:41
experienced a data breach related to AI. And that caused a ripple effect.
Of the 13%, then, we had 60% that experienced a data compromise. And another 31% experienced operations disruptions.
04:59
So, that is showing that AI is not only doing some good stuff for us, but it's also introducing some new attack vectors, which is not a surprise or shouldn't be a surprise to anyone. Another thing that we found in this was shadow AI.
Now, what is that?
05:15
There were 20% of organizations found that they had AI, unauthorized AI implementations in their environment. So nobody approved this, and maybe no one was aware of it until it became a problem.
So clearly this is an area we need to start focusing on,
05:31
because this stuff will just start popping up all over the place. Now let's take a look at what were the main vectors that were causing these big numbers that we had.
Well, the number one in terms of vectors, so causes of these attacks,
05:46
turned out to be insider threat. Insiders have an advantage because they understand what the environment already looks like.
So, they were doing the attacks that were the most costly. Again, with that inside knowledge,
06:02
they're able to go right to the heart of what they need to get, and they can do a lot of damage that way without having to trip around in the dark.
What we found, almost a dead-heat tie, though, was third-party risk. Third-party situations where we had
06:19
other types of people having access into the systems or third-party software, a number of these different kinds of things, those were also contributing. So these were really the top most costly.
But, in terms of frequency, this is another way of looking at
06:35
what's the most important attack vectors. In this case, 16% were the result of phishing.
And phishing has continued to be at the top of these lists in one way or another for the last few years. So, phishing attacks are essentially social
06:51
engineering attacks on your people. So if you look at this, here's an attack where an individual is doing this.
Here's an attack that's on the individual. So, we're going to have to do a lot to not only make our technology better, but make our people better too.
07:06
Continuing with that theme of AI, let's take a look at what the impact of the cost of a data breach was from the attacker's use of AI versus the organization's use of AI. So, what we found in the report was that 16% of organizations experienced data breaches
07:23
as a result of attackers' AI. And the breakdown on that was that it was roughly 37% were involving phishing attacks.
So, that's a case where, in fact, we did some research once and found that you could automate a phishing attack
07:41
and make it nearly as convincing as the best phishing attack a person could come up with. And we spent 16 hours with a skilled cybersecurity person to come up with a phishing attack versus five minutes with a chatbot.
07:57
And the chatbot was able to do nearly as well as the person. So, expect to see more of this impact of AI in making more convincing phishing attacks, because it doesn't make the spelling and grammar errors, and it can come up with a very convincing scenario
08:13
in a very short period of time. Another area that we're starting to see some impact from in 35% of cases are deepfakes, which is another use of generative AI where you basically do an imitation of a person.
Their voice, their likeness, their image.
08:30
And you convince a person to do something that they're really not supposed to do. So, that's another thing that we've got to take a look at.
The attackers will be using AI, and we're already seeing its impact on costing of the data breach. Now, how about the organizations' use of AI?
Well,
08:47
what have we found in this case? Well, what we've found, and this is unfortunate, a big negative in this case, is that 63% of organizations have no governance policy or are still in the process of developing one.
09:04
So, if you don't have a policy, then you don't really know where it is you're going and what you're trying to achieve. It's really important that security and governance work together.
I'll talk more about that later. But a significant number of organizations really have not even defined what success looks like.
So it's going to be pretty hard to achieve.
09:22
Now, on the positive side, in terms of organizational use of AI, we see that organizations that have an extensive use of AI in the security space. So they're using AI in order to do a better job of security.
Well, they actually saw a big impact.
09:38
In fact, they saw their number of days to do that mean time to identify and mean time to contain go down; it decreased by 80 days. Now, time is money.
So, guess what? We also saw the numbers go down for the cost here as well.
09:56
And the number in that case was in the range of 1.9 million dollars less. So, we can use AI to do a better job of securing our systems and responding and containing these costs.
10:11
And the bad guys are going to be using it to attack us. Okay.
Now we know the numbers. The cost of a data breach.
I reviewed those numbers with you. The causes of those data breaches as well.
Now, what are we supposed to do about it? Let's take a look at some recommendations.
10:26
First of all, we continue to see that attackers find it's easier to log in than it is to hack in. So that means they're exploiting login capabilities.
Authentication. What's our answer to that?
Well, it's stronger identity and access management capabilities.
10:42
So here we're seeing a need to focus not only on the regular user identities that are associated with people, but also a focus on non-human identities. Some of these system-level accounts that have super-level access, very high levels of access,
10:59
but, in many cases are not being managed. The passwords are not changing very frequently on them.
We need basically a system of secrets management that allows us to do a better job of those. And some of those secrets, as I mentioned, could be passwords.
11:14
They could be API keys. So for instance, maybe I've got an application and it's got one of these non-human IDs that goes and queries a database.
And it's got an API key. These kinds of functions.
Crypto keys, because we want to keep all this information encrypted.
11:31
So, a lot of different information that needs to be kept secret. It's too much to scale and manage all of this if you don't have a good secrets management tool in place.
Another thing that we can do, and I'm a big proponent of this, we recommend this in the report, is that the thing that's better than a password is a passkey.
11:49
Nobody can steal your password if you don't have one. Passkeys sound like a similar kind of thing, but it's actually a much stronger technology that's based on cryptographic techniques.
And we're seeing more and more even consumer-level sites adopt this technology. So the more we can move to that,
12:06
potentially the better we'll be and the harder these things are to break into. In particular, think about those phishing attacks.
Well, these things are pretty resistant to phishing types of attacks. So that would make a big difference in that case.
Another big area.
12:21
I mentioned the impact of AI on this year's report. Well, we wouldn't have AI if it weren't for data.
So all of that is based on data. And what we need to be able to do now is discover.
So I've got to discover all my uses
12:38
and all of my cases of sensitive data in the organization and all of my uses of AI in the organization. In other words, I have to shine a light on the shadows, the shadow AI, the shadow data, all of these things that are sitting out there
12:54
that might be issues for me. So I need tools that can do that sort of discovery automatically.
People are not always going to tell me. If they were, it wouldn't be shadow in the first place.
Another thing is, for these AI implementations, once I've found them, now I've got to do some things to secure them.
13:10
I need to secure the posture of that AI. I need to be able to test the models.
So I need to be able to add in security for AI models. And I need to be able to secure the usage of these systems as well.
In other words, things like prompt injection attacks and things of that sort.
13:28
Those are usage-based attacks against the AI. So secure the data, secure the models and secure the usage.
Now, on the data side, also, we need to have strong access controls. So, that kind of leads back into this IAM topic.
Identity and access management as well.
13:45
This was more about the authentication. This is about the authorization.
I need to have all of my sensitive data encrypted because, if I don't, then potentially anyone would be able to see it. And I need to be able to monitor the use of that data.
14:01
Just because I put all of these controls in place doesn't mean everything's okay. Someone might be abusing their privileges.
Again, we talked about insider threats. That's why we need to be able to monitor.
And then ultimately, as I mentioned, a lot of organizations are using
14:17
AI more and more, and we're starting to see it more and more as a vector of attack into the organization. But, at the same time, we see most organizations don't have these two dots connected.
Governance and security.
14:33
And I can tell you they're very important in AI in both cases. We need these in non-AI environments.
But in AI it's particularly important. And there's a lot of overlap in these areas.
The things that we need to do to do right in security can also be complemented by the things that we do in governance.
14:49
So, a big emphasis on this moving forward. If you take care of these kinds of things, hopefully next year when we come back to look at this video again, the cost of a data breach will be even lower.
So there's a quick summary of the 2025 Cost of a Data Breach Report.
15:05
There are lots more details. To read the full report and do your own analysis of the data, click on the link in the description below and download your own copy now.