CSOs who need a weapon to convince management to up the IT security budget can throw this at them: The average cost to an organization of a data breach in Canada last year was just over CDN$5.3 million — about $2 million higher than the global average.

That’s according to research conducted by the Ponemon Institute and sponsored by IBM, which looked at the actual costs of data loss or theft suffered by 21 Canadian companies in 11 industry sectors. The costs were based upon estimates provided by the organizations interviewed over a 10-month period. Ponemon acknowledges that the 21 companies sampled were not statistically representative of all companies here that suffered a breach last year.

Note that’s an average cost: The study didn’t include organizations that lost over 100,000 records because they wouldn’t have been representative of most breaches. (The average number of lost records in the group was just over 20,400. The biggest number of lost records among the 21 firms studied was 74,550).

Among the report’s highlights:

–The biggest component of the CDN$250 per record cost of data breach in the studied companies was detection and escalation ($91). Post data breach response (ex-post response) and lost business were $67 and $84, respectively. Customer notification costs represented $8 per compromised record;

–Certain industries had higher data breach costs. Financial, services, technology and energy had a per capita data breach cost substantially above the average $250. Public sector, education, and consumer organizations had a per capita cost well below that;

–Malicious or criminal attacks caused the most data breaches. Fifty-two percent of incidents involved a data theft (exfiltration) for criminal misuse. System glitch and employee negligence or human error each represented 24 percent of all data breaches;

–Incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement, CISO appointments, business continuity management and insurance protection decreased the per capita cost. However, third party involvement, lost or stolen devices, quick notification and engagement of consultants increased the cost.

The report was one of a series released last week covering Canada, U.S., the U.K., Germany, Australia, France, Brazil, Japan, Italy, India, and the Arabian region (United Arab Emirates and Saudi Arabia).

In a blog post, institute chairman Larry Ponemon noted the average total cost of a data breach for the participating 350 companies increased 23 percent over the past two years to US$3.79 million. That’s about $2 million less than the average in Canada.

Why the difference? In an email, institute executive director Susan Jayson said the main reason for Canada’s higher cost per record is that 52 per cent of companies here that responded to the study said the root cause of their data breach was a malicious or criminal attack. In contrast, malicious attacks globally accounted for 47 per cent of root causes.

“Breaches due to malicious or criminal attacks are more costly to remediate than the other root causes,” she wrote, referring to causes such as negligent insiders and system glitches. The cost per record for Canadian companies that had a malicious attack was CDN$227. The average for other countries studied was US$170.

She said another reason is that Canadian companies said they spend a higher portion of total costs on detection and escalation activities following a data breach. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and the board of directors. This total average cost for a company was CDN$910,000.