Every year, IBM publishes one of my favorite industry reports — their annual "Cost of a Data Breach Report," typically released in late July. In anticipation of the 2025 edition, let's take a dive into the 2024 report. Spoiler alert — if you don't have tight governance over the open-source packages being used in your enterprise, be prepared to open your checkbook.
Here are the stats that should have every security, engineering, and compliance team sitting up straight:
Average breach cost up 10% YoY, the largest increase since COVID. Driven by business disruption and customer support costs. 🔗 Root causes?
- Phishing (15%)
- Stolen credentials (16%)
- Malicious insiders (7%, but costliest at $4.99M)
Unmanaged data = unmanaged risk.
- Breaches involving shadow data cost $5.27M on average
- They took 291 days to detect and contain, 25% longer than other breaches
This is the price of development without visibility or governance.
- 40% of breaches involved data spread across multi-environment architectures
- Public cloud breaches: $5.17M average cost, up 13%
- On-premises breaches were cheapest and fastest to contain
Decentralized architectures with inconsistent controls = risk acceleration.
- 292 days: Time to detect/contain breaches caused by compromised credentials
- These cost $4.81M on average
Credential governance, access hygiene, and secrets management are still failing.
- 70% of orgs experienced significant business disruption
- Even "low-disruption" breaches still cost $4.63M
- Only 12% of breached orgs had fully recovered when surveyed
- Orgs using AI across all 4 security domains (prevent, detect, investigate, respond) cut breach costs by $2.2M
- They also shortened the breach lifecycle by nearly 100 days
Manual governance is dead weight.
If your dev teams are pulling unvetted public packages, building off Docker Hub containers, or piping AI models into production without scanning for tampering…
You're not building software; you're building risk exposure.
Let's be blunt.
The real takeaway from this report isn't just about breach costs; it's about the causes. And increasingly, those causes point to a failure to govern:
- Open-source packages
- Public containers
- Credential sprawl
- Shadow data
- AI model inputs
- Third-party components
This is software supply chain security. And it's not a niche problem anymore; it's the problem.
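What "governing" those items looks like in practice is a gate that refuses any package, container image or model file whose bytes do not match the digest recorded when it was vetted. The script below is an added illustration, not code from the post or from IBM's report: the artifact names, the allowlist entries and the artifact contents are all constructed for the example, and the tab-separated allowlist format is an assumption chosen to keep it self-contained. It flags the two failure modes the post warns about: an artifact that was never reviewed, and one whose contents changed behind an unchanged name or tag.

```python
"""Gate pulled artifacts against a vetted allowlist of sha256 digests.

Added example, not part of the original post or IBM's report. Every
artifact name, digest and content below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Artifact:
    kind: str       # "package", "image" or "model"
    name: str       # name plus version or tag, exactly as pulled
    content: bytes  # bytes that were actually fetched


@dataclass(frozen=True)
class Finding:
    status: str     # "ok", "tampered" or "unvetted"
    kind: str
    name: str
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_allowlist(text: str) -> Dict[Tuple[str, str], str]:
    """Parse 'kind<TAB>name<TAB>sha256' lines (assumed format); '#' starts a comment."""
    allow: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, digest = line.split("\t")
        allow[(kind, name)] = digest.lower()
    return allow


# Constructed known-good contents. In practice the digest is recorded at
# review time from the exact artifact that was vetted.
GOOD_PACKAGE = b"module.exports = function pad(s, n) { return s; };\n"
GOOD_IMAGE = b"<constructed image layer bytes v1.2>"
GOOD_MODEL = b"<constructed model weights v3>"

ALLOWLIST_TEXT = (
    "# kind\tname\tsha256 (constructed example entries)\n"
    f"package\tleft-pad==1.3.0\t{sha256_hex(GOOD_PACKAGE)}\n"
    f"image\tregistry.example/app-base:1.2\t{sha256_hex(GOOD_IMAGE)}\n"
    f"model\tfraud-scorer-v3.onnx\t{sha256_hex(GOOD_MODEL)}\n"
)


def check_artifact(a: Artifact, allow: Dict[Tuple[str, str], str]) -> Finding:
    """Unknown artifact -> unvetted; known name with a different digest -> tampered."""
    key = (a.kind, a.name)
    if key not in allow:
        return Finding("unvetted", a.kind, a.name, "no approved digest on record")
    actual = sha256_hex(a.content)
    if actual != allow[key]:
        return Finding("tampered", a.kind, a.name,
                       f"expected {allow[key][:12]}..., got {actual[:12]}...")
    return Finding("ok", a.kind, a.name, "digest matches vetted record")


def gate(artifacts: List[Artifact], allow: Dict[Tuple[str, str], str]) -> List[Finding]:
    return [check_artifact(a, allow) for a in artifacts]


def blocked(findings: List[Finding]) -> List[Finding]:
    """Everything that should stop the build or deploy."""
    return [f for f in findings if f.status != "ok"]


# Constructed pull: one clean package, one image whose bytes changed behind
# the same tag, and one model nobody reviewed.
SAMPLE_PULL = [
    Artifact("package", "left-pad==1.3.0", GOOD_PACKAGE),
    Artifact("image", "registry.example/app-base:1.2", GOOD_IMAGE + b"\x00extra"),
    Artifact("model", "llm-helper-v9.onnx", b"<unreviewed weights>"),
]

if __name__ == "__main__":
    findings = gate(SAMPLE_PULL, load_allowlist(ALLOWLIST_TEXT))
    for f in findings:
        print(f"{f.status:9} {f.kind:8} {f.name}: {f.detail}")
    if blocked(findings):
        raise SystemExit(1)  # fail the pipeline; nothing unvetted reaches production
```

Run as a CI step, a non-zero exit from the gate is what turns "we scan for tampering" from a slogan into a control; the same comparison works unchanged whether the digest source is a lockfile, an image manifest or a model registry, as long as the digest was captured from the reviewed artifact and not from whatever was pulled most recently.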
When 1 in 3 breaches involve unmanaged data and third-party risks amplify your losses, it's clear: 🔐 Governance is the new perimeter. Every unscanned dependency, public image, and unmanaged artifact is a breach just waiting to invoice you for $4.88M.
Supply chains aren't just for widgets and shipping containers anymore. In software, the supply chain is code. And it's time we treated it like the critical infrastructure it is.
Is your organization serious about governing its code, data, and dependencies, or are you hoping for the best?
Keep your eyes out for a review of the "2025 Cost of a Data Breach Report" once it is officially published.
In the meantime, 📩 Let's connect. 🎯 Let's secure the backbone.
EPG
Originally published at https://www.linkedin.com.