IBM’s annual Cost of a Data Breach report has revealed that the average cost of a breach in the public sector rose 12 percent over the past 12 months, reaching $2.86 million. Although that is significantly lower than the global average, measured at $4.44 million, there is still much for the sector to digest and deal with over the coming months.

The report, conducted by the Ponemon Institute on behalf of IBM, is based on data breaches experienced by 600 organisations globally from March 2024 to February 2025.
Cost of a data breach down
Let’s start with the good news. The average cost of a data breach has fallen for the first time in five years. 2024 saw the average global cost rise to $4.88 million; the 2025 report reveals that it has dropped to a slightly less staggering $4.44 million. The trend is reflected in the UK too: in 2024 the average cost in the UK worked out at £3.40 million, and in 2025 the figure fell to £3.29 million.
Public sector taking too long to deal with breaches
Another of the key figures coming from the report for the public sector was the amount of time taken to identify and contain a breach. The average length of time for a public sector organisation to identify that it had suffered a breach stood at 202 days. Once identified, it took another 74 days to contain the breach.
This is above the global average, which stood at 181 days to identify a breach and 60 days to contain it. The longer it takes to identify and contain a breach, the more damage the cybercriminals can do, the more data can be taken and the more it costs the organisation.
Indeed, the report highlighted the cost associated with longer containment times. For those companies in the UK that can identify a breach and contain it within 200 days, there is a significant drop in the average cost, marked at £2.84 million. For those hit by a supply chain attack, or that are simply struggling to deal with the situation, the cost rises considerably to £3.74 million when the breach takes over 200 days to resolve. So, for a public sector standing at 202 days, that is nearly one million pounds in extra costs.
The threat from the supply chain remains critical
As we have seen from the high-profile attacks that have taken place in the UK since the beginning of the year, the threat from the supply chain and third and fourth parties is now huge. Cybercriminals will always find the path of least resistance to gain access to their primary target. With many companies continuing to invest in frontline defences, cybercriminals have turned to using the ‘backdoor’ to secure data and access to systems.
This has been reflected in the 2025 report, where a supply chain breach in the UK has been identified as the most expensive factor increasing the cost of a data breach, measured at £241,620. The global report also highlights the added complexity of a supply chain attack, with ‘Third-party vendor and supply chain compromise’ identified as having the longest, and therefore most costly, data breach lifecycle. With costs going up each day from compromise to resolution, supply chain attacks took, on average, 267 days to resolve, a full week longer than malicious insider attacks.
Attacks originating in the supply chain were the second most common attack vector, with 15 percent of attacks identified as supply chain compromise. Phishing was the top initial attack vector, at 16 percent, only one percentage point above supply chain.
AI: The Good, the Bad and the Ugly
The implementation of AI tools throughout businesses is rising dramatically and is expected to continue to do so over the coming years.
This has had some positive outcomes in terms of security breaches. The global report found that organisations that used AI and automation extensively throughout their security operations saved on average $1.9 million in breach costs and reduced the breach lifecycle by 80 days, a significant reduction in the level of disruption caused to a business. In the UK specifically, for companies using AI extensively within their security operations the average cost of a breach is £3.11 million; for those with no AI or security automation the average increases to £3.78 million.
Unfortunately, only 26 percent of public sector organisations make extensive use of security AI and automation, which may well point to why the sector is so far behind the global average in identifying and containing threats.
However, like all trends, the implementation of AI and particularly the unsanctioned use of AI by employees (shadow AI) can cause real issues within businesses. This is especially the case when the security protocols and governance levels have not kept up with the implementation of new tools.
The public sector is struggling, like others, to contain this new threat. When asked about the prevalence of governance policies to manage the use of AI and to prevent shadow AI, only 33 percent of organisations within the public sector said they had such policies in place, with 67 percent saying they had none or that they were still in development. Indeed, of those organisations that had experienced an AI-linked breach, 97 percent lacked proper AI access controls.
It is the ‘uncontrolled’ use of AI that is causing the most pain for public sector organisations. With employees increasingly using AI tools within their day-to-day roles, businesses must come to grips with controlling what is used and when. The report acknowledged that many breaches originating in the unsanctioned use of AI by an employee may go undetected, but among those that were identified, incidents involving shadow AI accounted for 20 percent of breaches, seven percentage points higher than incidents originating from sanctioned use of AI. It is the 11 percent of organisations that remain ‘unsure’ whether an incident came from the use of shadow AI that perhaps points to the reality, with many companies still struggling to come to grips with what AI is being used and by whom.
Like most trends, it will take time for public sector organisations to implement controls on employees using new tools; what they must be aware of, though, is that in the meantime cybercriminals will be making the most of the gap between shadow AI and the associated controls.
Third-party IT consultants can help the public sector
While the average cost of a data breach has reduced, IBM’s 2025 report has highlighted several areas that businesses need to address urgently if they are to remain secure and compliant.
None of these areas will come as much of a surprise to IT and security teams. So, if it is not a lack of knowledge or education within teams, how are cybercriminals still able to gain access to so many organisations? The answer, of course, is resources, with internal teams struggling for time and numbers in dealing with increasingly sophisticated and numerous threats.
This is where third-party IT consultancies can help. Many organisations are turning to consultancies to plug gaps within their internal teams and to ensure they have the right expertise to combat cybercriminal threats. With attacks coming from internal and external sources, having a team of experts on your side who can help identify threats, explain what new threats look like and how to deal with them, implement new solutions that help secure systems, highlight vulnerabilities within your supply chain and ensure compliance with an increasingly complex regulatory landscape all helps to reduce the chance of a breach and the huge associated costs.