Introduction
2025 highlights
In today’s tumultuous environment, cybersecurity concerns have risen to a new level. Beyond the basic business and public sector concerns about data security and privacy, cybersecurity risk is now a geopolitical issue.
This shift in perspective is reflected in the Global Risks Report 2025 released by the World Economic Forum. Possibly of most concern are the rankings of ‘state-based armed conflict’ as the third-ranked global risk over the upcoming two-year time horizon and ‘geoeconomic confrontation’ as the ninth.1
On the technology front, ‘misinformation and disinformation’ topped the list of shorter-term risks in 2025, as it did in 2024. Cybersecurity risk eased from fourth to fifth in a ranking of global short-term risks. However, while the 2024 category of ‘cyber insecurity’ included concerns about cyberwarfare and cyber espionage, the moniker was changed to ‘cyber espionage and warfare’ for 2025.2
Another notable categorization shift by the World Economic Forum was breaking out specific ‘adverse outcomes of AI technologies’ from 2024’s broader frontier technologies category. For 2025, adverse outcomes of AI technologies ranked sixth on the longer-term, 10-year horizon list, while misinformation and disinformation ranked fifth, and cyber espionage and warfare dropped from eighth to ninth.3
One global response to this ever-present global risk is the World Economic Forum's Centre for Cybersecurity, an independent and impartial global platform committed to fostering international dialogues and collaboration between the global cybersecurity community in both the public and private sectors.
The centre has the following objectives:
Building cyber resilience. Enhance cyber resilience by developing and scaling forward-looking solutions and promoting effective practices across digital ecosystems.
Strengthening global cooperation. Increase global cooperation between public and private stakeholders by fostering a collective response to key cybercrimes and jointly addressing key security challenges.
Navigating cyber frontiers. Identify and explain future cybersecurity challenges and opportunities related to Fourth Industrial Revolution technologies and envision solutions which help build trust.4
In addition to resilience-building projects in the oil and gas, manufacturing, and electricity industry sectors, centre efforts include addressing the global cybersecurity skills gap and a public-private initiative to combat cybercrime. Under the ‘Navigating cyber frontiers’ objective, the centre has launched an AI and cyber initiative to develop actionable guidance for adopting AI in a secure manner.5
The following highlights from the IBM Cost of a Data Breach Report 2025, which is based on research conducted by the Ponemon Institute under the sponsorship of IBM, reflect the increasingly complex cybersecurity threat landscape.
The adoption of AI and the lack of security and governance around AI deployments drive much of the concern this year. In addition to incidents involving the sanctioned use of enterprise AI models, shadow AI breaches, which involve the unsanctioned use of AI, are becoming increasingly frequent and costly. Attackers are also using AI tools to craft AI-driven breaches. While AI security and governance are currently lagging, leading enterprises using AI and automation extensively in their security efforts are realizing benefits.6
Phishing continues to be the most frequent type of attack at 16% of breaches. Phishing is also expensive at $4.8 million and a leading AI-driven attack target. Malicious insider attacks continue to be the most expensive at $4.92 million, followed closely by third-party vendor and supply chain compromise at $4.91 million. Supply chain compromise was the most common cause of security incidents involving AI models and applications. Customer personally identifiable information (PII) records were the most frequent types of data compromised at 53%. Intellectual property, while less frequent at 33%, was most expensive at $178 per record. The lack of security skills continues to be problematic, as does having data distributed across multiple environments.7
While the number of organizations that said they planned to make post-breach security investments declined to 49% after a jump to 63% last year, 45% of those intending to make such investments are focused on AI-driven security solutions. Similarly, there was a drop in plans to pass breach costs along to customers from 63% last year to 45%. That said, nearly a third (30%) plan to raise prices 15% or more.8
Average cost of a data breach
$4.44 million — a return to 2023 levels
$10.22 million — U.S. average
$5.08 million — extortion or ransomware
$5.22 million — high-level skills shortage
Sanctioned AI use breaches
13% reported breaches involving their AI models
97% of these lacked proper access controls
Shadow AI breaches (unsanctioned AI use)
20% reported shadow AI breaches
$670k added cost
AI-driven breaches
16% of attacks used AI
Primarily phishing (37%), deepfake (35%)
Security AI and automation
32% of companies using AI and automation extensively
$1.9 million lower breach costs with extensive use9
Against this background, the CGMA Cybersecurity Tool provides insights and recommendations for management accounting and finance professionals facing the ever-changing complexities and risks in our increasingly digital business environment.