IBM has released its annual 2025 Cost of a Data Breach Report, revealing that the average financial impact of a data breach on organizations in the Middle East fell to SAR 27 million — a notable 18 percent decrease from SAR 32.80 million in 2024.
The report attributes this decline to key mitigation strategies increasingly adopted by regional businesses, including AI and machine learning-driven insights, encryption technologies, and the implementation of DevSecOps practices. Despite the overall drop in costs, the financial toll of a breach remains significant.
Lost business continues to be the most expensive consequence for companies in the region, averaging SAR 11.63 million per incident. This was followed by post-breach response costs at SAR 7.50 million, detection and escalation at SAR 6.55 million, and notification expenses at SAR 1.32 million.

Financial, energy sectors see highest breach costs
Industry-specific data showed that the financial sector endured the highest average cost of breaches in 2025, reaching SAR 34 million. The energy and industrial sectors were close behind, with average costs of SAR 32 million, underscoring the heightened risk exposure in these critical industries.

Proactive AI governance in the Middle East
The report highlighted the region’s proactive stance on securing artificial intelligence systems. Notably, 41 percent of Middle Eastern organizations reported implementing access controls to protect AI models — a stark contrast to the global average of just 3 percent among breached organizations.
Additionally, 38 percent of businesses surveyed in the region have formal AI governance policies in place, while another 24 percent are in the process of developing them.
Among those with governance frameworks, the most common measures include:
- Formal AI deployment approval processes (45 percent)
- Adversarial testing protocols (44 percent)
- Use of AI governance technologies (43 percent)

Complex systems, IoT, and staffing gaps drive up costs
IBM’s analysis found that several factors can drive breach costs higher. Security system complexity added an average of SAR 867,378 to breach expenses. Breaches involving IoT or operational technology (OT) environments increased costs by SAR 839,750, while shortages in security personnel contributed an additional SAR 818,997 per incident.

Leading attack vectors and their costs
The most common initial attack vectors for breaches in the Middle East this year were:
- Third-party vendor and supply chain compromises (17 percent of breaches), with an average cost of SAR 29.60 million
- Denial of service (DoS) attacks and phishing (each accounting for 14 percent), costing SAR 27.20 million and SAR 28.00 million respectively
- Malicious insider threats (11 percent), which, while less frequent, resulted in the highest average cost at SAR 33 million

Report methodology
The 2025 Cost of a Data Breach Report is based on research conducted by the Ponemon Institute and sponsored by IBM. It analyzed real-world data from over 600 organizations worldwide — including entities in Saudi Arabia and the UAE — affected by breaches between March 2024 and February 2025. Over the past two decades, the report has examined nearly 6,500 data breaches globally.