What a Data Breach Costs: The Verified 2026 Numbers
The average data breach costs $4.44 million globally and a record $10.22 million in the United States, per IBM’s Cost of a Data Breach Report 2025 — the latest edition as of July 2026. Verizon’s DBIR 2026 puts ransomware in 48% of breaches with a median ransom payment of $139,875, the FBI logged $20.9 billion in reported cybercrime losses for 2025, and for small businesses the sharpest verified finding is that in extreme cases a breach costs more than 7% of annual revenue.
The headline numbers, edition-labelled
Breach-cost statistics get misquoted constantly — many sites cite "2026" figures that are actually recycled from older editions. Every number below names its exact source edition. The IBM Cost of a Data Breach Report 2025 is the most recent IBM edition available as of July 2026.
| Metric | Figure | Source edition |
|---|---|---|
| Global average cost of a data breach | $4.44 million (first decline in five years, down 9%) | IBM Cost of a Data Breach 2025 |
| United States average | $10.22 million — an all-time regional high, driven partly by higher regulatory fines | IBM Cost of a Data Breach 2025 |
| Most expensive industry | Healthcare, $7.42 million (highest for the 14th straight year) | IBM Cost of a Data Breach 2025 |
| Mean time to identify and contain | 241 days — a nine-year low | IBM Cost of a Data Breach 2025 |
| Breaches involving the human element | 62% | Verizon DBIR 2026 |
| Breaches involving ransomware | 48% | Verizon DBIR 2026 |
| Reported US cybercrime losses, 2025 | $20.9 billion across 1,008,597 complaints (both records) | FBI IC3 2025 Annual Report |
| US data compromises, 2025 | 3,322 — an all-time record | ITRC 2025 Annual Data Breach Report |
Sources: IBM Cost of a Data Breach Report 2025 (ibm.com/reports/data-breach); Verizon Data Breach Investigations Report 2026 (verizon.com/dbir); FBI Internet Crime Complaint Center 2025 Annual Report (ic3.gov); Identity Theft Resource Center 2025 Annual Data Breach Report (idtheftcenter.org). Verified July 4, 2026.
What it costs a small business
There is no credible single "average breach cost for a small business" — most numbers offered for that phrase are unsourced. What the primary data does show:
- Verizon’s DBIR 2026 confirmed 7,152 breaches at small and mid-size organizations in one year — essentially all financially motivated, with vulnerability exploitation (26%), stolen credentials (13%) and phishing (9%) as the top entry points, and a third party involved in 55% of them.
- Verizon’s companion 2026 Breach Impact Study, built on roughly 70,000 cyber-insurance claims, found that in extreme cases (the worst 2.5%), a breach cost a small business more than 7% of its annual revenue.
- The FBI’s 2025 average reported loss per cybercrime complaint was $20,699; business email compromise alone cost US organizations $3.05 billion across 24,768 complaints.
- Verizon’s own framing: ransomware disproportionately targets small businesses, which face the same threats with fewer resources to counter them.
The ransomware numbers
Per Verizon DBIR 2026: ransomware appeared in 48% of all breaches (up from 44%), the median ransom payment was $139,875, and 69% of victims paid nothing at all. IBM’s 2025 report similarly found 63% of ransomware victims refused to pay.
Sophos’s State of Ransomware 2025 survey (a vendor survey of 3,400 organizations that were hit — treat as directional, not census data) put the average ransom payment at $1.0 million and average recovery costs excluding any ransom at $1.53 million, both roughly half the prior year’s figures.
Where compliance shows up in the cost
IBM’s 2025 report analyzes factors that raise or lower breach costs in isolation: noncompliance with regulations was a cost-amplifying factor adding $173,692 to the average breach, while extensive use of security AI and automation was associated with costs $1.9 million lower and a breach lifecycle 80 days shorter. The report also names higher regulatory fines as one driver of the record US average.
The honest read for a small organization: a documented, operated security program does not prevent every breach, but the enforcement math compounds. A breach at an organization that never completed a risk assessment or documented its controls draws regulatory penalties on top of the incident costs. The documentation layer (risk register, security policies, incident-response and breach-notification procedures) is the cheapest part of that program to get right, and it is exactly what regulators and auditors ask to see first.
Frequently asked questions
- What is the average cost of a data breach in 2026?
- The most recent verified figure is $4.44 million globally, from IBM’s Cost of a Data Breach Report 2025 — the latest edition as of July 2026 (the 2026 edition had not yet been published). The US average is $10.22 million, an all-time regional high. Figures quoted online as "2026 IBM numbers" are usually recycled from the 2024 edition.
- How much does a data breach cost a small business?
- No credible single average exists for small businesses specifically. The best verified data points: Verizon’s 2026 Breach Impact Study (~70,000 insurance claims) found extreme cases cost a small business more than 7% of annual revenue, and the FBI’s 2025 average reported loss per cybercrime complaint was $20,699. Verizon confirmed 7,152 small-business breaches in a single year.
- What is the average ransomware payment?
- The median ransom payment was $139,875 per Verizon’s DBIR 2026, and 69% of victims refused to pay entirely. Sophos’s 2025 vendor survey put the average payment at $1.0 million with average recovery costs of $1.53 million excluding the ransom — averages skew far above the median because of a small number of very large payments.
- How long does it take to detect a data breach?
- An average of 241 days to identify and contain, per IBM’s Cost of a Data Breach Report 2025 — 181 days to identify plus 60 to contain. That is a nine-year low, and organizations making extensive use of security AI and automation shortened the lifecycle by a further 80 days on average.
- Does compliance reduce the cost of a breach?
- IBM’s 2025 report found noncompliance with regulations added $173,692 to the average breach cost as an isolated factor, and cited higher regulatory fines as a driver of the record $10.22 million US average. Compliance does not prevent breaches, but documented, operated controls reduce both the incident cost and the regulatory exposure that follows it.
Toolkits that help
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
NIST CSF 2.0 Complete Toolkit
15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.