Strap in, folks—this episode charges into the wild frontier of cybersecurity, where Shadow AI runs loose like a toddler with admin access. Whether your security plan is airtight or held together by paperclips and prayers, this deep dive into the IBM Cost of a Data Breach 2025 report offers plenty to think about. From eye-popping breach costs to the cringe of unsecured AI, we’re covering the good, the bad, and the downright reckless. Spoiler: “we don’t use AI” might be the biggest myth since “the check’s in the mail.”
In this episode:
Shadow AI: The Wild West of Cybersecurity – Ep 523
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Shadow AI: The Wild West of Cybersecurity
[02:37]Good News = The global average breach cost dropped for the first time in 5 years, to $4.44M USD.
Bad News = The US cost still went up, from $9.36M to $10.22M.
More Bad News = Healthcare is still the most expensive industry and took the longest to identify and contain a breach (279 days), more than five weeks above the global average.

Phishing is the #1 root cause, but third-party vendor and supply chain compromise is close behind and slightly more expensive per breach. BTW, the most expensive root cause is a malicious insider. At least that one dropped a bit! Compromised credentials was the top cause in the 2024 report (so during 2023), and based on the number of those cases we have seen this year, not sure the current ranking will hold for the next report.

Interesting that they note this about the IT failure and Human error numbers:
“Human error and IT failure, which are preventable with robust employee training and proactive security measures”
That is the work part for all of us. 49% of the breaches could be addressed with a stronger or better-performing risk management program.
Costs are also higher the longer it takes to identify and contain a breach. That means detection and mitigation is the other area where improvement yields the biggest cost savings, and it is the area where AI can help the most. The declines they see appear to have a lot to do with advances in AI, but we have to wait until those become ubiquitous to see the real impact.
[21:16]Recovery is still the hard part though.

When they talk about recovery, they aren’t just talking about being back up and running. This is a real recovery.
When we talk about incident response and recovery, most people still think of going to paper and restoring from backup. Nope. That will not be enough for your plan.
To truly recover, expect it to take over 100 days: 76% of organizations reported recovery took over 100 days, and 26% said over 150 days. Oh, and 65% say they have not fully recovered yet.
[25:19]AI is in the house!!!
First, let’s talk about the ChatGPT 5 madness.
13% of orgs had breaches involving their AI models or apps. That is still a small percentage of the total, but it is growing and expected to grow rapidly this year. Of those, 97% said they had no access controls for their AI.
Security incidents involving unsanctioned (shadow) AI were more common than those involving sanctioned AI.
8% of breached organizations were unsure whether their breach involved an AI security incident.
Shadow AI security incidents cost more. Breaches involving shadow AI cost an average of $670K more, are more likely to compromise PII (65% of them did), and take longer to detect.
[35:00]AI adoption has outpaced oversight. This year’s research quantifies that governance gap and the costs it carries. Most organizations said they didn’t have governance policies to mitigate or manage AI risk, and of those that do, fewer than half require strict approvals for AI deployments. That deficiency has consequences: not only do these organizations leave themselves open to security, operational and reputational risks, they also paid a steeper cost than average when breached.
When asked whether they had AI policies in place, 63% said they had none for managing AI use, and 87% had no policies or procedures for mitigating the risk of using AI.
They also note that generative AI cuts the time to craft a phishing email from 16 hours to 5 minutes.
When it comes to AI, we can sum it all up like this:
- The Good News – AI-powered defenses are speeding up detection and lowering global costs.
- The Bad News – AI is also the new favorite tool for attackers, and organizations are still leaving AI systems unsecured.
- The Ugly – Shadow AI is the wild west: hidden, unregulated, and expensive.
- The Fix – Governance, AI security tools, and automation as the new must-haves.
In this episode, we’ve learned that AI can either save your bacon or burn it to a crisp—and Shadow AI isn’t some misunderstood tech sidekick. It’s a digital gremlin throwing wild parties in your data. Still relying on a “go to paper” recovery plan? Might be time for a rethink. The bottom line: governance, training, and AI tools that actually work for you aren’t optional anymore—they’re your cybersecurity survival kit. Because ignoring Shadow AI is like hearing weird noises in your basement and assuming it’ll sort itself out—good luck with that.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.