The average cost of a data breach is still going up, according to a new survey.
The 25 Canadian companies that suffered a breach in the 12-month period ending in March paid an average of $7 million in recovery costs per incident. By comparison, the average of 550 companies studied around the world was $5.5 million (all amounts in Canadian dollars).
The numbers are contained in the latest annual cost of data breach survey by IBM and the Ponemon Institute, which was released today. (Registration required)
“It’s scandalous,” Evan O’Regan, associate partner in IBM Canada’s cybersecurity and digital trust practice, said in an interview. Those costs, he said, are spread across a victim organization’s supply chain to become a “hidden cyber tax” paid by customers.
“Costs are going up for organizations that aren’t prepared for responding to these incidents,” he said, “and the costs are going down dramatically for those that are prepared.”
Among the report’s highlights:
–Canada recorded the third highest average cost of a data breach worldwide once again – after the United States and the Middle East region.
–companies in the financial sector are paying the highest cost for data breaches in Canada, at CA$520 per record. Canadian technology companies paid $433 per record, the second most expensive by industry in the country, followed by the services industry at $362 per record. The national average cost across all sectors was $298 per record;
–stolen or compromised user credentials were again the most common method used as an entry point by attackers targeting Canadian organizations; those breaches were also the costliest. The average cost of a data breach by stolen and compromised credentials was as high as $8.86 million;
–Canadian companies with a mature zero trust adoption observed $3.79 million lower breach costs than organizations with only early adoption of zero trust. Basically, says the report, the zero trust mindset of ‘we have to put our defense on the offense and assume the adversary is already in our environment’ is a money-saver.
There is slightly good news: Canadian firms in the study reported a drop in the average number of days it took to detect an attack: 160, compared to 164 days in the previous year’s study. Still, O’Regan called that number “disappointing.”
The average time Canadian firms took to contain a data breach dropped to 48 days from the 60 days in the previous years’ study.
The combination of defences — particularly identity and access management, participating in threat information sharing networks, and using security products with artificial intelligence — are big factors in cutting the costs of a data breach, O’Regan said.
The biggest cost factors in a data breach are detection and escalation costs (including finding what systems are affected), remediation, and loss of business.
The increase in staff working from home since the pandemic began is a factor in the recent rise in data breaches, says O’Regan. But “blaming the end user, the home worker, for security breaches is abdicating responsibility … Companies are not evolving fast enough to the threat environment and the work environment. By most indications the increase in home working is here to stay. And remote working is neither complicated nor particularly expensive to secure. A great example is zero trust.”
The proof, he added, is that companies that have mature zero trust adoption have data breach costs half the size of other firms.
“The success of a company [against cyber attacks] depends on their approach,” O’Regan said. “If they’re approaching cybersecurity as a cost, then you’re going to do the minimum amount. What we definitely see is that companies that see cybersecurity as an enabler –taking a zero trust approach … and having a mature identity and access management program realize this isn’t a cost centre.”