IBM’s Cost of a Data Breach Report 2025 provides a timely update on the shifting landscape of cyber risk, with artificial intelligence (AI) now playing a central role. For the first time in five years, the global average cost of a data breach has declined, down to approximately £3.5 million, largely due to faster detection and response enabled by AI and automation. However, the same technologies are increasingly being leveraged by attackers.
IBM’s research reveals that nearly two-thirds of organisations lack formal governance frameworks for AI, and 97% of AI-related breaches occurred in systems with weak or absent access controls. The use of unsanctioned AI tools, often referred to as shadow AI, added c. £530,000 to the cost of an average breach and frequently resulted in the loss of personal or intellectual property data.
Meanwhile, threat actors are using generative AI to enhance phishing and deepfake campaigns. Approximately one in six breaches now involve AI-driven attacks, many of which exploit human trust rather than technical vulnerabilities. This underscores a critical truth: in cyber risk, technological capabilities often outpace governance.
The report also highlights the tangible benefits of automation. Organisations that extensively deploy AI in their security operations saved an average of £1.5 million per breach and reduced breach resolution times by around 80 days. In contrast, companies with complex IT environments or significant skills shortages faced higher costs, averaging over £5 million per incident. Ransomware remains a costly threat, with attacks averaging £4 million, although a growing number of victims are now refusing to pay. Regulatory fines were reported in a substantial portion of breaches, further compounding financial impact.
Encouragingly, businesses are improving their response capabilities. Detection and containment times are at their lowest in nine years, and more organisations are prioritising long-term recovery strategies rather than passing costs on to customers. Yet, governance and resilience continue to be the key differentiators between firms that merely recover and those that emerge stronger.
Griffiths & Armour advises organisations to treat AI with the same rigour as any other enterprise system. Clear policies, defined accountability, and continuous testing should be considered essential, not optional. As cyber risk and AI become increasingly intertwined, the strongest defence lies not only in smarter technology, but in smarter governance.
The full IBM report is available here: IBM Cost of a Data Breach Report
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Griffiths & Armour, an Aon company, believes to be reliable, Griffiths & Armour, an Aon company, does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case, any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 27 October 2025.