In what can only be described as the least surprising headline of the year, the 2025 Cost of a Data Breach Report was released, confirming for the 20th year in a row that having your data stolen is, in fact, bad for your bottom line. Sarcasm aside, the latest report continues to excel in serving its annual role as the industry’s collective conscience. And as always, it’s packed with fascinating data, sobering statistics, and one overarching conclusion: yes, data breaches are still very, very expensive.
But this year’s report comes with a twist. For the first time in five years, the global average cost of a breach actually went down, dropping to $4.44 million. Before we celebrate, however, there’s a catch. Here in the United States, the average cost went in the complete opposite direction, surging to a record-breaking $10.22 million.

This isn’t just a numbers game; it’s a story about habits. While defenders globally are getting faster thanks to AI and automation, U.S. organizations are being weighed down by operational friction, regulatory complexity, and a few costly habits that are turning manageable incidents into nine-figure problems.
Let’s look at the four most expensive habits the 2025 report tells us your organization might need to kick.
Habit #1: The “It Won’t Happen to Us” Mentality
For years, the cybersecurity industry has been obsessed with prevention, building ever-higher walls to keep attackers out. But as the 2025 report makes painfully clear, breaches are not just possible; they are inevitable. This isn’t a failure of prevention; it’s a failure of philosophy.
Try this on for size: there is a 0.24% chance per year that your house will catch fire, yet we still fund city fire departments and train firefighters. By comparison, 60% of businesses experience a significant security incident in any given year, yet security teams and business leaders are still debating whether to fund the company’s “fire department” at all. This doesn’t make sense – common sense says we should be far better prepared for the 60% event than for the 0.24% one.
Gartner has been a vocal proponent of shifting from a prevention-only mindset to one of cyber resilience. This means accepting that you will be breached and focusing your energy on how quickly and effectively you can respond and recover. An organization that can minimize the impact of an incident and maintain business continuity is a resilient one. This proactive stance requires a different set of tools and a different way of thinking – one that moves beyond the outdated “if” to the essential “when.”
Habit #2: The “Trust Thy Neighbor (Implicitly)” Approach to Supply Chain Security
The report reveals a sobering truth: a full 17% of breaches are caused by a compromise at a third-party supplier. These supply chain breaches are not just common; they are costly. They add an average of $207,914 to the total cost of a breach and take a staggering 314 days to identify and contain – a full month longer than the average incident.
This “trust thy neighbor” approach, where organizations have limited visibility into the security posture of their vendors, is a disaster waiting to happen. Breaking this habit means moving from implicit trust to explicit verification. It requires a proactive program to manage third-party risk and a response plan that accounts for the added complexity of working with your “neighbor” to resolve a security incident. Without it, you are leaving your organization’s fate in someone else’s hands.
Habit #3: The “It’s an Inside Job (But We’re Not Looking)” Mentality
While external threats get most of the headlines, the 2025 report confirms that the most expensive breaches are the ones that come from within. Malicious insiders, whether they are disgruntled employees or credential thieves, cause breaches that cost an average of $5.07 million, significantly more than any other attack vector.
The high cost is driven by the fact that these attackers have legitimate access to sensitive systems, allowing them to cause more damage and remain undetected for longer. Breaking this habit requires a shift from a prevention-based security model to one that assumes threats can and will come from within. This means implementing stronger access controls, better internal monitoring, and a clear plan for responding to insider threats.
Habit #4: The “Compliance is a Checkbox, Not a Culture” Philosophy
In the United States, the high cost of breaches is inextricably linked to a complex and unforgiving regulatory landscape. The report shows a clear correlation between high levels of non-compliance and higher breach costs, with non-compliance alone adding an average of $207,914 to the final bill. When a breach occurs, the fines and penalties for non-compliance can be devastating.
Too many organizations treat compliance as a reactive, “check-the-box” exercise. This habit of doing the bare minimum to get by is a costly gamble. A resilient organization, by contrast, builds compliance into its culture. It understands that regulations are not just a nuisance but a roadmap to demonstrate effective security and privacy practices over time. This proactive approach not only reduces the risk of fines but also builds trust with customers, partners, and regulators – especially when you need it most.
Breaking the Cycle
These habits are deeply ingrained in many organizations, but they are not unbreakable. The common thread running through all of them is a lack of a modern, proactive, and automated approach to incident response.
Here’s where you need to start to break these expensive habits:
- Build resilience, not just prevention: Prepare for the inevitable by operationalizing your response plans for a swift and effective recovery.
- Manage third-party risk: Be ready to manage the complexities of a supply chain breach, ensuring a coordinated response with your vendors.
- Build clear plans for every threat: Whether the threat is internal or external, you need plans that provide the structure and guidance to manage each effectively (and the plans probably aren’t the same).
- Understand regulatory requirements: Ensure you understand your compliance obligations with customers, partners, and regulators – they are all different – so you can avoid the financial impacts of losing customers, increased regulatory scrutiny, and potentially costly fines.
The 2025 IBM report makes one thing abundantly clear: the cost of a data breach is no longer just about the attack itself. It’s about the maturity of your response. Continuing with old, chaotic habits is a choice – and it’s a $10.22 million one for U.S. companies.