The average cost of data breaches at Canadian companies is going up, it’s taking them longer to detect breaches and longer to contain them, new data suggests.
The numbers are contained in the annual Ponemon Institute’s international Cost of a Data Breach study, paid for by IBM, which was released Wednesday.
Just under 450 companies that suffered a breach in 15 countries, including 28 in Canada, were surveyed in 2017. The study included interviews with company officials Most of the breaches examined happened last year.
According to the study
• the average cost to the Canadian companies of a breach was $6.11 million, up 5.6 per cent from those who participated in the 2016 report. By comparison, the global average cost of a breach was US$3.86 million;
• the mean time for Canadian companies studied to identify the breach increased to 181 days from 173 days reported the year before. By comparison, the global average for the latest study was 197 days;
• the mean time Canadians took to contain the data breach increased to 69 days (the same as the global average), up from 60 days from 2016.
• Canada had the highest direct cost at US$81 per compromised record. Direct costs refer to the expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm, or offering victims identity protection services. The United States had the highest indirect per capita cost at US$152. Indirect costs include employees’ time, effort, and other organizational resources spent notifying victims and investigating the incident, as well as the loss of goodwill and customer churn.
Canadian costs are high compared to other countries in part due to the value of the dollar, said IBM.
But note this: Ponemon figures companies that contained a breach in less than 30 days saved over US$1 million compared those that took more than 30 days to resolve.
Here’s another interesting factoid: Losing customer trust from a breach really hurts: Organizations that lost less than one per cent of their customers due to a data breach resulted in an average total cost of US$2.8 million. If four percent or more was lost, the average total cost was $6 million, a difference of US$3.2 million.
This report also takes a stab at figuring out if security automation helps cut costs. Ponemon says it does: The average cost of a breach for organizations that fully deploy security automation is US$2.88 million. Without automation, the estimated cost is US$4.43 million.
The report defines a breach as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk — either in electronic or paper format.
Forty-eight percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack was US$157. In contrast, system glitches cost US$131 per record and human error or negligence is US$128 per record. Companies in the United States and Canada spent the most to resolve a malicious or criminal attack ($258 and $213 per record, respectively). Brazil and India spent far less ($73 and $76 per record, respectively).
In an interview, Limor Kessem, an Israeli-based IBM [NYSE: IBM] executive security advisor, said one of the purposes of the study is to help organizations understand the risks and take action to mitigate the potential costs of a breach. “Companies that read this report want to understand what’s increasing costs, how can I lower the costs?”, she said.
The usual suspects influence these costs, she said — the number of records lost, the number of victims who need to be notified (and the notification costs may fluctuate depending on the province/country customers are in), the time it takes to contain the breach and get back to business, and post-breach costs (lawyers, public relations, whether outside forensic experts have to be hired), loss of business. As mentioned above the study notes that lowering the time to contain the breach can substantially lower costs. But Kessem noted the study also points out that having a prepared incidence response plan and team can have a big impact, reducing the cost by US14 a record.
For the first time the study considered the impact of network-attached Internet of Things devices involved in a data breach, and, as Kessem noted, they can add to costs in terms of requiring extra patching and controls to mitigate risk.
She was surprised at costs related to third-parties involved in a breach (for example, if the attack vector ran through a third party such as a supplier). That increased the cost by US$13 per record, Kessem noted.
The study is available here. Registration is required.