It's commonly assumed that the risk of suffering a data breach, and the costs that come with it, have risen steadily over the years. Despite the substantial growth in businesses' digital footprints, the answer isn't so straightforward, a recent analysis from the Cyentia Institute found.
According to Cyentia Institute's Information Risk Insights Study (IRIS) 2025, there are significant variations in incident patterns across different types of organizations and industry sectors. Some of the findings are positive, while others reveal that substantial challenges persist. Cyentia's analysis examined over 150,000 security incidents spanning from 2008 to 2024. It paints a sobering picture of an evolving threat environment where cyber risk has become increasingly dynamic and contextual rather than static.
"The point impressed upon me from this research is that the answer to a seemingly simple question like 'Is cyber risk increasing?' is complicated and many factors can change the answer," explained Wade Baker, co-founder and partner at Cyentia Institute. "We see risk increasing in one firmographic but decreasing in another," Baker said. Baker added that he believes the study demonstrates the importance of organizations carefully assessing their actual risk exposures before acting on assumptions that may be outdated or simply incorrect.
Incident Frequency Reaches Record Highs
Perhaps the most striking finding in the IRIS 2025 report is the sharp rise in the number of cyber incidents. The study found that roughly 3,000 significant security incidents were publicly reported or discovered per quarter in 2024, more than six times the roughly 450 per quarter recorded 15 years earlier.
"If it seems like a lot more incidents are happening these days, it's not just recency bias," the report noted, emphasizing that this increase reflects fundamental changes in the threat landscape rather than merely improved reporting.
The IRIS 2025 study found that the probability of a given organization experiencing a cyber event in a given year has nearly quadrupled since 2008, rising from 2.5% to 9.3%. That trend is not uniform across organization sizes, however: smaller firms have seen their annual incident probability more than double, while the very largest corporations, those worth over $100 billion, have seen their annual likelihood of a breach fall by half.
Financial Impact Reaches Crisis Levels
The financial consequences of cyber incidents have escalated to new heights, with median losses from security incidents rising 15-fold from approximately $190,000 to nearly $3 million over the 15-year study period. More extreme loss events at the 95th percentile have ballooned to $32 million, representing a five-fold increase.
Perhaps even more concerning for business leaders, cyber events aren't just costing more in absolute terms—they're inflicting proportionally greater damage relative to company revenues. The study found an eight-fold increase in costs as a proportion of annual revenue, suggesting that organizations are struggling to scale their defenses appropriately in relation to their digital footprint.
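As an added illustration (this is not from the article, and it is not Cyentia's published method), the following Python turns headline figures like those above into a simple annual loss model. It assumes that per-incident losses follow a lognormal distribution; that is an assumption of this example, not something the report states, but it is a common choice for heavy-tailed loss data and has the useful property that two reported quantiles (the median and the 95th percentile) are enough to fit it. The 2008 95th-percentile value of $6.4 million used below is derived from the article's "five-fold increase to $32 million" rather than quoted directly, and the 2008 and 2024 incident probabilities are the article's 2.5% and 9.3%.

```python
"""Fit a lognormal loss distribution to two reported quantiles and combine it
with an annual incident probability to get expected annual loss and a loss
exceedance curve.

Added example: the lognormal assumption and the single-incident-per-year
simplification are this example's, not the IRIS report's.
"""
import math
from dataclasses import dataclass
from statistics import NormalDist

_N = NormalDist()                 # standard normal, for cdf / inv_cdf
Z95 = _N.inv_cdf(0.95)            # ~1.6449


@dataclass(frozen=True)
class LossModel:
    label: str
    p_incident: float   # annual probability a firm has an incident
    median: float       # median loss per incident (reported)
    q95: float          # 95th-percentile loss per incident (reported)

    @property
    def mu(self) -> float:
        # For a lognormal, the median is exp(mu).
        return math.log(self.median)

    @property
    def sigma(self) -> float:
        # ln(q95) = mu + sigma * Z95, so sigma follows from the two quantiles.
        return math.log(self.q95 / self.median) / Z95

    def quantile(self, q: float) -> float:
        """Loss at cumulative probability q, given that an incident occurs."""
        return math.exp(self.mu + self.sigma * _N.inv_cdf(q))

    def exceedance(self, loss: float) -> float:
        """P(loss > x | an incident occurs)."""
        return 1.0 - _N.cdf((math.log(loss) - self.mu) / self.sigma)

    def annual_exceedance(self, loss: float) -> float:
        """P(an incident this year costs more than x).

        Simplification: treats a year as having at most one incident, so the
        annual probability is p_incident times the conditional exceedance.
        """
        return self.p_incident * self.exceedance(loss)

    def expected_annual_loss(self) -> float:
        """p_incident times the lognormal mean exp(mu + sigma^2 / 2)."""
        return self.p_incident * math.exp(self.mu + self.sigma ** 2 / 2)


# Constructed from the article's headline figures; the 2008 q95 is derived
# from "five-fold increase to $32 million" (32M / 5 = 6.4M).
THEN = LossModel("2008", p_incident=0.025, median=190_000, q95=6_400_000)
NOW = LossModel("2024", p_incident=0.093, median=3_000_000, q95=32_000_000)


def loss_exceedance_curve(model: LossModel, thresholds):
    """(threshold, annual probability of exceeding it) pairs for plotting."""
    return [(x, model.annual_exceedance(x)) for x in thresholds]


def eal_ratio(before: LossModel, after: LossModel) -> float:
    """How many times larger expected annual loss is in `after` vs `before`."""
    return after.expected_annual_loss() / before.expected_annual_loss()


if __name__ == "__main__":
    thresholds = [1_000_000, 10_000_000, 50_000_000]
    for m in (THEN, NOW):
        print(f"{m.label}: sigma={m.sigma:.2f}  "
              f"EAL=${m.expected_annual_loss():,.0f}")
        for x, p in loss_exceedance_curve(m, thresholds):
            print(f"   P(annual loss > ${x:>11,}) = {p:.4%}")
    print(f"EAL ratio 2024/2008: {eal_ratio(THEN, NOW):.1f}x")
```

The point of the exercise is the one the article makes: the likelihood and the severity figures move independently by firm size and sector, so the same arithmetic run on a segment-specific `p_incident` and loss quantiles gives a very different answer from one run on the all-firm aggregate. The "at most one incident per year" simplification understates exposure for organizations that expect several incidents a year; a Poisson frequency model would be the next refinement.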
The impact varies dramatically by industry, with professional services firms experiencing a 25-fold increase in median losses over the past 15 years. Conversely, the retail industry has bucked this trend, showing significant decreases in loss magnitude, possibly due to improved payment security measures and PCI compliance initiatives.
Fortunately, many of the factors that drive the cost of a breach are within an organization's control. "We don't get into this in the report," Baker added, "but things contribute to the cost of an incident, and some of these can be controlled. For example, incident losses have declined substantially in the retail sector. I think that's at least partially due to breaches being smaller because regulation and chip-and-pin tech have reduced card data stored in the environment," he said.
Additionally, in a previous study, Cyentia found incidents with apparent signs of poorly handled incident response were three times more costly. "Downtime is a huge cost factor, so steps taken to minimize that in the wake of an event will lower costs. I could go on here, but the point is that organizations can take proactive steps to help minimize the impact of security incidents," he said.
Attack Methods Evolve with Digital Transformation
The research also reveals significant shifts in how cybercriminals gain initial access to target systems. While compromising user credentials remains the most persistent attack vector—maintaining its position as the top technique throughout the entire study period—other methods have seen dramatic changes.
For instance, exploitation of public-facing applications has risen sixfold among smaller firms, while attacks that come through third-party relationships have doubled among large organizations. Exploitation of web applications and of misconfigured external remote services have both grown from single-digit shares of incidents to peaks of 38% and 30% respectively, reflecting the larger external attack surface that digital transformation initiatives have created.
System intrusion remains the most common incident pattern, but the rapid rise of ransomware has fundamentally altered the threat landscape. The study documents ransomware's climb from a relatively minor concern to a major category of cyber incident, with median losses from ransomware events increasing 20-fold.
Industry Sectors Show Distinct Risk Patterns
The research identifies clear patterns of cyber risk across different industry sectors, with some sectors consistently showing high incident rates, while others demonstrate concerning upward trends. The Public and Management sectors historically exhibit very high relative incident frequencies, attributed in part to mandatory disclosure requirements that exceed those in the private sector.
Financial services, despite experiencing high incident rates, have seen those rates decline over time, possibly reflecting the industry's long-standing heavy investment in security. However, the study expresses particular concern about rising incident frequencies in critical infrastructure sectors, including utilities, mining, manufacturing, and transportation (a category that includes oil and gas pipelines).
The Professional Services sector has crossed into higher-risk territory, which the researchers find "quite concerning given that they offer advice and services to the rest of us."
Real-Time Intelligence Becomes Critical
The study highlights a significant challenge in cybersecurity risk assessment: the reporting lag between an incident occurring and its details entering the public record. To address this limitation, the researchers incorporated real-time threat intelligence from Feedly's Cyber Attacks AI model, which showed that datasets built only from public records can miss a large share of recent events.
The real-time data showed that the apparent downturn in Q4 2024 incidents was an artifact of reporting delays, with over 3,500 incidents identified during that timeframe. This finding underscores the importance of incorporating current event sources to supplement historical data for organizations conducting near-term risk analysis.
The IRIS 2025 findings carry implications for how organizations should approach cybersecurity risk management. The research demonstrates that cyber risk is constantly evolving and varies considerably between organizations. Ideally, organizations would continuously evaluate and revise risk models and security strategies to keep pace with evolving threats, organizational changes, and sector-specific threat changes.
"The data shows how fluid and contextual the cyber threat landscape is," the report emphasized, and the authors noted, "if your security strategy isn't recalibrating with these changes in risk, you're planning for a past that no longer exists."
The study advocates for a nuanced consideration of incident likelihood, financial impact, and attacker tactics that accounts for the organization, such as size, sector, and other characteristics, rather than applying broad generalizations across all entities.