There is a lot to learn from the data breaches of 2025. Two recent reports make it abundantly clear: the cost of being unprepared is high, and organizations that adopt proactive, identity-centric, and automated security measures see measurable returns.
Bright Defense's 120 Data Breach Statistics for 2025 draws together data from IBM's Cost of a Data Breach Report, Verizon's Data Breach Investigations Report (DBIR), UpGuard, ITRC, etc., to provide an up-to-date view of breach costs, attack vectors, and defense effectiveness.
Meanwhile, IBM's Reactive to Resilient article highlights how identity threat defense can shift an organization's mindset—and its posture—from waiting for breaches to preventing them in the first place.
Here are several of the most important data points from Bright Defense's report, with implications:
The global average cost of a data breach fell this year to USD 4.44 million (from USD 4.88 million in 2024), a decrease of approximately 9%. In the United States, however, the average cost rose to USD 10.22 million, keeping it the most expensive region globally.
Among breach types, malicious insider attacks and supply-chain breaches cost around USD 4.9 million, while phishing attacks averaged USD 4.8 million. Breaches that span multiple environments cost still more—about USD 5.05 million.
Breaches resolved in under 200 days cost around USD 3.87 million on average; those still unresolved past 200 days cost significantly more, about USD 5.01 million.
Organizations with skills shortages see much higher costs: average breach cost was USD 5.22 million for those with high cybersecurity staffing gaps versus about USD 3.65 million for those with more adequate staffing.
The use of AI/automation, strong observability tools (SIEM, analytics), and DevSecOps practices correlates with lower breach costs; for example, organizations making extensive use of AI/ML insights saw average costs of roughly USD 3.8-3.9 million, versus about USD 4.9 million for those with low usage.
Critical infrastructure breaches were also expensive (about USD 4.82 million on average), highlighting that attackers aren't just targeting sensitive data; they're also going after systems whose disruption can have broad consequences.
IBM's article emphasizes that identity threat vectors—stolen credentials, unmanaged privileged access, weak MFA, identity abuse—are central to many breaches. Rather than simply responding after an identity-based intrusion occurs, IBM argues for:
Strong identity threat detection and response (ITDR): continuous monitoring of identity usage, anomalous login attempts, and credential misuse.
Shifting security programs to treat identity as a perimeter: the "identity perimeter" needs to be defended with tools, automation, and policies just as rigorously as the network perimeter.
Investing in proactive controls: identity policy enforcement, periodic audit of identity privileges, rigorous onboarding/offboarding, phishing-resistant MFA, etc.
Putting together insights from both reports, here are what I see as the major challenges organizations face, and the areas where there's opportunity for meaningful improvement.
Long containment / detection windows: Breaches stretching past 200 days (or detection more than 200 days after intrusion) are very expensive. The lag gives attackers more time to move laterally, exfiltrate, or deploy extortion tools.
Underinvestment in identity security: Many organizations still have weak identity threat detection capabilities, gaps in MFA, or unmanaged privileged accounts—making it easy for attackers to exploit identity weaknesses rather than technical (software vulnerability) ones.
Skills and resource gaps: As the Bright Defense statistics show, organizations with fewer cybersecurity skilled staff are paying significantly more when breaches happen. Hiring/training remains a bottleneck.
Fragmented security architectures and observability gaps: The environments that span on-prem, public cloud, hybrid cloud, and multiple SaaS platforms are harder to secure as a whole. Observability and log analytics often fall short across all environments.
Proactive measures pay off: Using AI/ML, observability, DevSecOps, and automation correlates with lower breach costs. Investment here appears to reduce both cost and time to recover.
Zero-trust and least-privilege identity models: Given how identity compromise is central to many breaches, tightening identity posture (rigid least privilege, strong MFA, timely offboarding) offers strong defensive leverage.
Shortening the breach lifecycle: Faster detection and faster containment make a quantifiable difference. Teams should aim to resolve incidents well before 200 days.
Preparing for hybrid / multi-environment risks: With breaches that span multiple environments costing more, designing security to cover cloud, on-prem, SaaS, and hybrid setups in an integrated manner is essential.
Building resilience over fear: IBM's mindset shift from reactive (patch, respond) to resilient (anticipate, detect, limit damage) can be transformative, especially if identity threat detection and response become central pillars rather than peripheral functions.
Based on these reports, here are some concrete steps that CISOs, Security Ops, Identity/IAM, and DevSecOps leaders should prioritize:
Conduct an identity risk audit: Map all privileged and machine-to-machine identities, service accounts, and third-party integrations; assess MFA coverage and identity abuse risk.
Implement strong Identity Threat Detection & Response (ITDR): Leverage tools that monitor for credential misuse, lateral movement, and anomalous authentication, especially across multiple environments.
Accelerate breach lifecycle metrics: Set internal goals (e.g., detection <100 days, containment <200 days) and build monitoring and response workflows to measure and improve against them.
Embed automation and observability everywhere: SIEM, SOAR, AI-driven analytics, unified logging across cloud/on-prem/SaaS; feed identity and credential telemetry into dashboards that track risk.
DevSecOps and least privilege: Enforce code review, access restrictions, and privilege-escalation audits; apply least privilege and eliminate "just to make it easier" full admin rights.
Invest in people, not just tools: Skills shortages correlate with higher costs. Training, staffing, and role clarity (identity owner, privilege reviewer) are essential.
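To make the identity risk audit and the ITDR monitoring described above (and in IBM's list of identity threat detection practices earlier) concrete, here is an added example that is not code from the Bright Defense or IBM reports. It runs an audit over a constructed account inventory (flagging privileged human accounts without phishing-resistant MFA, human accounts with no MFA, and dormant privileged accounts) and then three detections over constructed authentication log lines: a password spray from one source against many accounts, a successful login from that same source shortly afterwards, and a successful login by an account the audit marked dormant. The inventory fields, log format, account names, IP addresses (RFC 5737 documentation ranges) and thresholds are all assumptions made for the demonstration.

```python
"""Identity risk audit plus identity-threat detection over constructed data.

Added example, not code from the Bright Defense or IBM reports. The account
inventory, log lines, field names and thresholds are constructed for the
demonstration and would be replaced by real IdP exports and auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory of the kind an identity risk audit would assemble.
ACCOUNTS = [
    {"id": "alice", "type": "human", "privileged": True, "mfa": "fido2", "last_used": "2025-09-28"},
    {"id": "bob", "type": "human", "privileged": True, "mfa": "sms", "last_used": "2025-09-29"},
    {"id": "carol", "type": "human", "privileged": False, "mfa": None, "last_used": "2025-09-30"},
    {"id": "svc-backup", "type": "service", "privileged": True, "mfa": None, "last_used": "2025-03-01"},
    {"id": "svc-ci", "type": "service", "privileged": False, "mfa": None, "last_used": "2025-09-30"},
]
PHISHING_RESISTANT = {"fido2", "webauthn", "certificate"}

# Constructed authentication log; 203.0.113.x and 198.51.100.x are documentation addresses.
AUTH_LOG = """\
2025-09-30T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2025-09-30T08:00:02Z src=203.0.113.5 user=bob result=FAIL
2025-09-30T08:00:03Z src=203.0.113.5 user=carol result=FAIL
2025-09-30T08:00:04Z src=203.0.113.5 user=dave result=FAIL
2025-09-30T08:00:05Z src=203.0.113.5 user=erin result=FAIL
2025-09-30T08:00:09Z src=203.0.113.5 user=bob result=SUCCESS
2025-09-30T09:15:00Z src=198.51.100.7 user=alice result=SUCCESS
2025-09-30T09:20:00Z src=198.51.100.7 user=svc-backup result=FAIL
2025-09-30T09:20:30Z src=198.51.100.7 user=svc-backup result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def audit_identities(accounts, now, stale_days=90):
    """Return (account id, finding) pairs for the three audit rules."""
    findings = []
    for a in accounts:
        last = datetime.strptime(a["last_used"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if a["privileged"] and a["type"] == "human" and a["mfa"] not in PHISHING_RESISTANT:
            findings.append((a["id"], "privileged human account without phishing-resistant MFA"))
        elif a["type"] == "human" and a["mfa"] is None:
            findings.append((a["id"], "human account without MFA"))
        if a["privileged"] and (now - last).days > stale_days:
            findings.append((a["id"], "privileged account dormant > %d days" % stale_days))
    return findings


def parse_auth_log(text):
    """Parse the constructed key=value log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "src": m.group(2), "user": m.group(3), "result": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source failing against at least min_users distinct accounts inside a sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append(e)
    alerts = []
    for src, evs in fails.items():  # evs are already time-ordered
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"rule": "password_spray", "src": src, "ts": e["ts"], "users": sorted(users)})
                break  # one alert per source is enough for triage
    return alerts


def detect_success_after_spray(events, spray_alerts, window=timedelta(minutes=30)):
    """A success from a spraying source soon after the spray: a guessed or stolen credential worked."""
    alerts = []
    for s in spray_alerts:
        for e in events:
            if (e["src"] == s["src"] and e["result"] == "SUCCESS"
                    and timedelta(0) <= e["ts"] - s["ts"] <= window):
                alerts.append({"rule": "success_after_spray", "src": e["src"], "user": e["user"], "ts": e["ts"]})
    return alerts


def detect_dormant_reactivation(events, findings):
    """A privileged account the audit marked dormant authenticates successfully."""
    dormant = {acct for acct, f in findings if f.startswith("privileged account dormant")}
    return [{"rule": "dormant_privileged_login", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["user"] in dormant and e["result"] == "SUCCESS"]


def run(now=None):
    """Audit the inventory, then run the detections; returns (findings, alerts)."""
    now = now or datetime(2025, 9, 30, tzinfo=timezone.utc)
    findings = audit_identities(ACCOUNTS, now)
    events = parse_auth_log(AUTH_LOG)
    spray = detect_password_spray(events)
    alerts = spray + detect_success_after_spray(events, spray) + detect_dormant_reactivation(events, findings)
    return findings, alerts


if __name__ == "__main__":
    audit_findings, all_alerts = run()
    for acct, finding in audit_findings:
        print("AUDIT", acct, finding)
    for alert in all_alerts:
        print("ALERT", alert["rule"], alert)
```

The point of joining the audit output to the detection stage is the one both reports make: the audit tells you which identities matter most (privileged, weakly protected, dormant), and the detections then watch exactly those identities, so a dormant service account that suddenly logs in is an alert rather than noise. In a real deployment the inventory would come from the identity provider and the events from the SIEM, and the thresholds would be tuned to the environment's baseline.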
The data from Bright Defense and the identity-centric thinking advocated by IBM mark a pivotal moment. Organizations can no longer afford to wait until after a breach to clean up. The cost difference between preparedness and negligence is real, measurable, and oftentimes dramatic.