How much are data breaches costing Canadian businesses?

How much are data breaches costing Canadian businesses? | Insurance Business Canada

How much are data breaches costing Canadian businesses?

Data breaches have become more costly for Canadian businesses, hitting record-high figures in the past year as the COVID-19 pandemic gave rise to new cybersecurity risks, a recent study by IBM Security has revealed.

A data breach incident cost a Canadian firm $6.75 million on average, rising from $6.35 million last year and the highest since Canada was included in the survey seven years ago. The figure is also higher than the worldwide average of US$4.24 million (approximately CA$5.4 million) per incident, which was also the highest in the research’s 17-year history.

Ray Boisvert, associate partner at IBM security, noted that data breaches were already a huge challenge for companies, but the disruption caused by the coronavirus pandemic had exacerbated the situation.

“While it’s not a surprise that data breach costs rose to their highest level during the pandemic, it should be a stark reminder for businesses to not let security lag behind as they accelerate their digital transformation,” Boisvert said in a statement obtained by IT World Canada.

“For Canadian financial and technology companies in particular, who are digitizing faster than others in the country and paying more per lost or stolen record, investment in data security, AI, and encryption should go hand in hand with cloud migration.”

Read more: IBM delves into the "hidden" costs of data breaches

IBM analyzed data breaches experienced by more than 500 companies worldwide between May 2020 and March 2021. Of these businesses, 26 were based in Canada. The survey, which the tech giant conducted in collaboration with Ponemon Institute, had nearly 3,500 respondents.

Here are the survey’s findings about data breach incidents encountered by Canadian firms at the height of the pandemic and how they fared compared to those in other countries.

1. Canada ranked in the top three in the world for data breach costs

Canada had the third most expensive data breaches worldwide, costing companies around $6.75 million per incident and the highest since 2015 when the country was first included in the survey. Canada trails only the US, where the average cost of a data breach was US$9.05 million (~$11.5 million) per incident, and the Middle East, where a data breach incident cost US$6.93 million (~$8.8 million).

The average number of records exposed in data breaches against Canadian businesses was 24,400. Globally, the average cost of a mega breach, or those where between 50 million and 65 million records were exposed, was US$401 million (~$509 million). The figure was nearly 100 times higher than the majority of breaches studied in the report, which exposed between 1,000 and 100,000 records.

Read more: Report: Canada has the third highest average cost for data breaches

2. The cost of a data breach was the highest in the financial sector

In Canada, financial industry breaches cost the most at $383 per lost or stolen record. Globally, the sector ranked second, costing businesses US$5.72 million (~$7.2 million) per incident. The industry trailed only healthcare, which has been the most breached sector for 11 consecutive years. The average cost of a data breach for healthcare companies amounted to US$9.23 million (~$11.7 million), a US$2 million (~$2.5 million) increase from last year.

3. Compromised credentials were the most common attack method used

Stolen user credentials were the most common method used as an entry point by cyber attackers both in Canada and globally, accounting for 20% of all breaches. The survey also found that nearly half, or 44%, of the breaches exposed customer personal data, including names, emails, passwords, and healthcare data.

“The combination of these factors could cause a spiral effect, with breaches of usernames and passwords providing attackers with leverage for additional future data breaches,” the report said.

4. The average time to identify a data breach slightly improved but containment time lagged

While the average time it took Canadian firms to identify a data breach slightly improved from 168 days last year to 164 days in 2021, the average period it took them to contain an incident slowed from 58 days to 60 days. However, the figures were still better than the global average of 212 days to detect and 75 days to contain – a total of 287 days.

According to the study, data breaches that took longer than 200 days to identify and contain cost on average US$4.87 million (~$6.2million), compared to US$3.61 million (~$4.6 million) for breaches that took less than 200 days to detect and contain.

Read more: Federal privacy commissioner: Only 40% of firms have data breach response protocols

5. AI, encryption, and staff training reduced the cost of a data breach

The adoption of artificial intelligence (AI), encryption, and employee training were the top three mitigating factors that allowed businesses, both in Canada and globally, to reduce the cost of a data breach.

Canadian companies that used these three strategies saved around $1.2 million compared to firms who did not take advantage of those tools. Worldwide, companies that used the three methods saved between US$1.25 million (~$1.6 million) and US$1.49 million (~$1.9 million) compared to those who did not. 

For cloud-based data breaches, businesses around the world that implemented a hybrid cloud approach had data breach costs averaging US$3.61 million (~$4.6 million), lower than those in a public cloud environment at US$4.8 million (~$6.1 million) or private cloud environment at US$4.55 million (~$5.8 million).

The study also found that businesses that were able to respond effectively after a data breach and followed a tested incident response plan were able to cut the average cost of a data breach from US$5.71 million ($7.2 million) to US$3.88 million ($4.9 million). Companies that implemented a zero-trust architecture, meanwhile, slashed the average cost of an incident from US$5.01 million (~$6.3 million) to US$3.28 million (~$4.1 million).