The Average US Data Breach Now Costs $10.22M

IBM's 2025 Cost of a Data Breach: US average hit a record $10.22M. 16% of breaches now involve AI attacks. Supply-chain compromise costs $4.91M.

Dennis Vorobyov
Founder & CEO
March 15, 2026 · 7 min read

IBM has published the Cost of a Data Breach report for 19 consecutive years. The 2025 edition analyzed 604 real breaches across 16 countries and 17 industries. The numbers are the worst they have ever been.

Global average cost: $4.88M per breach. United States average: $10.22M. Healthcare average: $10.93M — the most expensive industry for the 14th consecutive year. Time to identify a breach: 194 days. Time to contain it: 292 days total. That is 10 months from breach to containment.

I run an engineering studio. We are not a cybersecurity firm. But every application we build handles data, and how we build it determines how vulnerable that data is.

The Numbers That Matter

Cost by country (top 5):

  • United States: $10.22M
  • Middle East: $8.75M
  • Canada: $5.40M
  • Germany: $5.31M
  • Japan: $4.53M

Cost by industry (top 5):

  • Healthcare: $10.93M
  • Financial services: $6.08M
  • Pharmaceuticals: $5.10M
  • Technology: $5.07M
  • Energy: $4.72M

Cost by attack vector:

  • Phishing: $4.88M (most common)
  • Stolen credentials: $4.81M (second most common)
  • Supply-chain compromise: $4.91M
  • AI-enabled attacks: $5.30M (16% of breaches now involve AI)

What reduces cost:

  • Security AI and automation: saved $2.22M per breach
  • Incident response team and tested plan: saved $1.49M
  • DevSecOps adoption: saved $1.68M
  • Encryption (data at rest and in transit): saved $1.09M

The Engineering Connection

Most breach reports focus on the security team: incident response, threat detection, compliance. But the most impactful decisions happen during software development, months or years before the breach occurs.

Architecture decisions compound

A database designed without field-level encryption is vulnerable from day one. An API without rate limiting is an invitation for credential stuffing. An admin panel without MFA is a breach waiting to happen. A third-party dependency that has not been updated in 2 years carries every vulnerability discovered since the last patch.

These are not security team decisions. They are engineering decisions made during sprint planning. The IBM data is clear: DevSecOps adoption (security integrated into the development process) saves $1.68M per breach. That is not a security tool. That is a development practice.

Dependencies are the new attack surface

16% of breaches now involve the software supply chain. Attackers compromise a library, an SDK, or a build tool, and every application that depends on it becomes vulnerable. Supply-chain breaches cost $4.91M on average and take 267 days to contain.

We run automated dependency scanning in every CI/CD pipeline. npm audit, Snyk, or Dependabot on every build. When a vulnerability is published in a dependency we use, we know the same day. Not the same quarter. The same day.

Our own website runs on Astro with every dependency audited. When we found 9 moderate vulnerabilities in transitive dependencies during our last audit, we traced each one, confirmed they were dev-time-only (locked in @astrojs/check and @sanity/cli), and documented the decision. That is what dependency management looks like.
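The triage described above (trace each transitive finding to the top-level packages that pull it in, then decide whether it is dev-time-only) as an added worked example; this is not the studio's own tooling. It consumes a constructed object in the shape of `npm audit --json` (npm 7+, with `via`, `effects` and `isDirect`) and a constructed package.json; every package name and advisory in it is invented.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+): each entry has
// `via` (advisory objects, or names of packages it is vulnerable through) and
// `effects` (packages that depend on it). All package names here are invented.
const sampleAudit = {
  vulnerabilities: {
    "leaky-parser": { name: "leaky-parser", severity: "moderate", isDirect: false,
      via: [{ title: "ReDoS in leaky-parser", severity: "moderate" }],
      effects: ["@example/cli", "@example/check"], fixAvailable: true },
    "@example/cli": { name: "@example/cli", severity: "moderate", isDirect: true,
      via: ["leaky-parser"], effects: [], fixAvailable: true },
    "@example/check": { name: "@example/check", severity: "moderate", isDirect: true,
      via: ["leaky-parser"], effects: [], fixAvailable: true },
    "cookie-jar": { name: "cookie-jar", severity: "high", isDirect: false,
      via: [{ title: "Cookie injection in cookie-jar", severity: "high" }],
      effects: ["web-framework"], fixAvailable: false },
    "web-framework": { name: "web-framework", severity: "high", isDirect: true,
      via: ["cookie-jar"], effects: [], fixAvailable: false },
  },
};
// Constructed package.json: one runtime dependency, two dev-time tools.
const samplePackageJson = {
  dependencies: { "web-framework": "^4.0.0" },
  devDependencies: { "@example/cli": "^3.0.0", "@example/check": "^0.9.0" },
};
// Walk `effects` upward from a vulnerable package until direct dependencies are reached.
function topLevelDependents(audit, name, seen = new Set()) {
  const entry = audit.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect) return [name];
  return entry.effects.flatMap((e) => topLevelDependents(audit, e, seen));
}
// One row per advisory root (entries whose `via` carries an advisory object).
// A finding is dev-only when every direct package it reaches is a devDependency;
// a finding that reaches nothing (orphan entry) is conservatively treated as production.
function triageAudit(audit, pkg) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => {
      const dependents = [...new Set(topLevelDependents(audit, v.name))];
      const devOnly = dependents.length > 0 && dependents.every((d) => dev.has(d));
      return { name: v.name, severity: v.severity, dependents, devOnly };
    });
}
// Findings that reach runtime code fail the build; dev-only ones are documented instead.
function productionFindings(audit, pkg) {
  return triageAudit(audit, pkg).filter((f) => !f.devOnly).map((f) => f.name);
}
```

Feed it the real `npm audit --json` output and `package.json` of a project and `productionFindings` gives the list worth blocking a pipeline on, while the dev-only rows become the documented decision the post describes.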

HTTPS and headers are not optional

Every application we deploy uses HTTPS with proper TLS configuration. Content Security Policy headers are deployed in report-only mode first, then enforced. Strict-Transport-Security ensures browsers never connect over plain HTTP.

These are not advanced security measures. They are baseline engineering practices. IBM data shows that encryption (at rest and in transit) saves $1.09M per breach. CSP headers prevent cross-site scripting. HSTS prevents downgrade attacks. These cost nothing to implement and protect against the most common attack vectors.

What We Do About It

We are a software development studio, not a security vendor. But every application we build includes security practices that directly reduce breach risk:

Security-first architecture. MFA on admin interfaces. Field-level encryption for sensitive data. Role-based access control with least-privilege defaults. Audit logging for every data access. These are not add-ons. They are built into the first sprint.

Automated dependency scanning. Every CI/CD pipeline includes vulnerability scanning. Every dependency update is tested. Every critical vulnerability is patched within the sprint it is discovered.

CSP and security headers. Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options. Deployed on every application.

HIPAA compliance when required. For healthcare clients like RiseMD and WinitClinic, we deploy on HIPAA-eligible infrastructure (AWS, GCP), sign BAAs, implement mandatory encryption, MFA for ePHI access, and maintain audit trails. The IBM data shows healthcare breaches cost $10.93M. The compliance overhead is not optional.

Regular security audits. We run npm audit, OWASP checks, and CSP validation on every build. For production applications, we recommend annual penetration testing through a third-party security firm.
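The staged CSP rollout from the "HTTPS and headers" section (report-only first, then enforced), the header set listed under "CSP and security headers", and the per-build CSP validation mentioned just above, as one added example. It is illustrative code, not the studio's deployment configuration; the directive values and the `/csp-report` endpoint are assumptions to adapt per application.

```javascript
// Baseline policy for a mostly static site; source lists are placeholders to adapt per app.
const CSP_DIRECTIVES = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
};
// Serialise the directive map; `report-uri` is where browsers post violation reports.
function buildCsp(directives, reportUri) {
  const parts = Object.entries(directives).map(([name, src]) => `${name} ${src.join(" ")}`);
  if (reportUri) parts.push(`report-uri ${reportUri}`);
  return parts.join("; ");
}
// Stage 1 (enforceCsp: false) ships the policy as Report-Only so violations are
// logged but nothing is blocked; stage 2 moves the identical policy to the enforcing
// header once reports are clean. HSTS belongs only on a site where HTTPS already
// works, because browsers that have seen it refuse plain HTTP for max-age seconds.
function securityHeaders({ enforceCsp, reportUri }) {
  const cspHeader = enforceCsp ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only";
  return {
    [cspHeader]: buildCsp(CSP_DIRECTIVES, reportUri),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
  };
}
// Build-time validation of a response's headers: returns a list of problems, empty
// when the baseline is met. Header names are matched case-insensitively.
function checkSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];
  if (!/max-age=\d+/.test(h["strict-transport-security"] || "")) problems.push("missing or invalid HSTS");
  if (h["x-content-type-options"] !== "nosniff") problems.push("missing X-Content-Type-Options: nosniff");
  const csp = h["content-security-policy"];
  if (!csp) {
    problems.push(h["content-security-policy-report-only"] ? "CSP still report-only" : "missing CSP");
  } else {
    if (/script-src[^;]*('unsafe-inline'|\*)/.test(csp)) problems.push("script-src allows inline or wildcard scripts");
    if (!/object-src\s+'none'/.test(csp)) problems.push("object-src should be 'none'");
  }
  if (!h["x-frame-options"] && !/frame-ancestors/.test(csp || "")) problems.push("no clickjacking protection");
  return problems;
}
```

Running `checkSecurityHeaders` against a fetched production response in CI turns "CSP still report-only" into a visible reminder that stage 2 has not happened yet, rather than something discovered during an incident.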

The $2.22M Savings

IBM found that organizations using security AI and automation saved $2.22M per breach. That sounds like a sales pitch for security tools. What it actually means is: organizations that automated their security practices — scanning, monitoring, alerting, response — caught breaches faster and contained them more cheaply.

Automated dependency scanning is security automation. CI/CD pipelines that run security checks on every commit are security automation. Alert systems that notify the team when an anomaly is detected are security automation. These are engineering practices, not security products.

The average breach takes 292 days to contain. Organizations with automated security practices cut that by 108 days. Taking 108 days off containment time is worth millions of dollars in reduced impact.

The Business Case for Engineering Quality

$10.22M is the average US breach cost. $10.93M for healthcare. $4.91M for supply-chain attacks. These numbers make the case for security-conscious engineering better than any sales pitch ever could.

Every hour spent on security-first architecture, dependency scanning, CSP headers, and encrypted data at rest is an hour invested against a $4.88M global average loss. The ROI calculation writes itself.

We build software with these practices from the first commit. Not because we are a security company. Because we are an engineering company that understands what the data says about the cost of not doing it.

Last updated March 15, 2026