The average cost of a data breach suffered last year by 27 Canadian companies was $5.78 million, or $255 per lost or stolen record, according to a study released Tuesday.

It was the third annual report, paid for by IBM [NYSE: IBM] and conducted by the Ponemon Institute, part of a survey of 419 breached organizations in 11 countries and two regions.

The good news is that the Canadian numbers represent a four per cent decrease in the total cost of a data breach among the group studied, and a nine per cent decrease in the cost per lost or stolen record, compared to the 2015/2016 study period.

The bad news is it’s still a lot of money.

Of all nations studied the Canadian group had the second highest costs.

One important take-away from the report is how being proactive can reduce the cost of a breach per record, Raz Ghanaghounian of IBM’s X-Force incident response and intelligence services team said in an interview Tuesday. For example, for the group studied having an incident response team cut the average cost by $24, extensive use of encryption by almost $22 and employee training by almost $15 (see graph below).

CISOs also need to impress on the company the value not only of having the tactical team respond to a breach but also of involving strategic (board and management) members, he said. And many decisions — such as how to make breach notifications, who to notify, and when to notify law enforcement — need to be made before an incident and not at the last minute.

The costs are based on estimates provided by participating organizations.

The number of breached records per incident this year ranged from 4,300 to 69,844 and the average number of breached records was 21,750. Organizations with data breaches involving more than 100,000 compromised records weren’t included because few Canadian breaches are that large.

A breach is defined as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.

The data also showed a number of interesting pieces of information that should resonate with CISOs, CIOs and boards of directors:

–Acting fast pays: Canadian organizations that contained a breach in less than 30 days saved $1.79M compared to those that took longer ($4.88M vs. $6.67M);

–It still takes too long: On average, Canadian organizations in the group took 173 days to identify a breach, and 60 days to contain it. Still, that was better than the global average.

Of all 419 organizations studied, the days to identify the data breach dropped from an average of approximately 201 in 2016 to 191 days, and the average days to contain the data breach from 70 to 66 days. The report’s authors attribute these improvements to investments in such enabling security technologies as security analytics, security information and event management (SIEM) software, enterprise-wide encryption and threat intelligence sharing platforms;

–The more records lost, the higher the cost of the breach: In this year’s study, the cost ranged from $3.81 million for data breaches involving 10,000 or fewer records to $7.25 million for the loss or theft of 25,001 to 50,000 records;

–Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach;

–In Canada, certain industries in the 27 organizations studied had higher data breach costs. Services, financial services and technology companies had a per capita data breach cost above the mean of $255. Public sector, hospitality and transportation companies had a per capita cost well below the overall mean value. Note, however, that the small sample size means this can’t be generalized for the sectors at large.

–Forty-eight per cent of incidents involved a malicious or criminal attack, 30 per cent involved negligent employees and 22 per cent involved system glitches, which includes both IT and business process failures.

–Four new factors were added to this year’s cost analysis that could influence data breach costs: Compliance failures, the extensive use of mobile platforms, the appointment of a chief privacy officer and the use of security analytics. The appointment of a CPO and the use of security analytics decreased the per capita cost of data breach by $4.4 and $7.6, respectively. Yet data breaches that were caused by compliance failures and the extensive use of mobile platforms increased the per capita cost by $17.2 and $19.6, respectively.

The graph below shows how factors may affect data breach costs. For example, a fully functional incident response process reduces the average per capita cost of data breach from $255 to $231 (decreased cost = $24) per compromised record. In contrast, third party error increases the average per capita cost from $255 to $283.6 (increased cost = $28.6) per record.

Impact of 20 factors on per capita cost of data breach. Source: IBM-Ponemon report