We’re undeniably more aware of cyber-security threats – it's hard to avoid all the headlines. And there’s been increased investment in personal, corporate and government data protection practices – but the costs associated with data breaches continue to rise.
Canadian businesses face an average cost of $6.03 million per incident! That’s according to results of an online security survey sponsored by IBM and conducted by the Ponemon Institute, a U.S.-based independent researcher on privacy, data protection and information security policy.
That average is hard to imagine, and sure, some of the big data breaches must have spiked that figure, like Ashley Madison.
The dating site lost over 30 million data records in a data breach, and a $578 million class-action suit was filed as a result.
More typical (unfortunately): Vancouver-based PNI Digital Media’s experience with a breach of its online photo processing service, delivered to any number of retailers, including Walmart Canada. Without sharing details, the parent company noted in a quarterly financial report that $3 million in “PNI data security incident costs” were incurred.
Important to note, too, is that big data breaches are not just about big companies: small- and medium-sized businesses (SMBs) are clearly vulnerable, and the confidentiality, accuracy and availability of their data assets are always at risk.
Key Findings about Data Breaches Specific to Canada:
Companies in the US and Canada spent the most to resolve a malicious or criminal attack ($236 and $230 per record, respectively)
54 percent of all breaches in Canada were due to hackers and criminal insiders
Detection and escalation costs were the highest in Canada out of the 12 countries in the report
The average per capita cost of data breach increased from $250 to $278
In fact, online safety and security studies show companies with 1,000 or fewer employees suffered more incidents of confirmed data loss than their big-business counterparts. More than half of these incidents were in the retail and hospitality industries, which hold a wealth of credit card and other transactional data.
In general, the IBM study found that cyber-security incidents continue to grow in both volume and sophistication, with 64 per cent more security incidents reported in 2015 than in 2014. The study says the average cost of each data breach has increased 29 per cent since 2013.
Companies lose $158 per compromised record. Breaches in highly regulated industries were even more costly, with health care reaching $355 per record – a full $100 more than in 2013.
But the actual number of data breaches could be much higher: another IT security study found that more than half of its respondents in Canada said they believed threats sometimes fall through the cracks.
Websense, the U.S.-based security company that commissioned the study, noted that even well-protected companies can have breaches, but also that companies may not be aware – or may not report – such breaches.
In Canada, only one province, Alberta, has mandatory breach disclosure legislation (other provincial and federal legislators are looking at bringing in such rules), so some data breach specifics may not be well or widely known.
What is known, and revealed through the IBM study, is that the single biggest factor associated with reducing the cost of a data breach is prompt incident response. Starting the ball rolling right away on incident forensics, communications, legal expenditures and regulatory mandates can save companies nearly $400,000 on average (or $16 per record).
Of course, the price of a data breach can include not just fines and penalties assessed pursuant to Canadian federal and provincial law, but also some hefty public relations expenses to mitigate any public concerns about the company's data safety and security.
As well, there are costs to retain a qualified data forensics firm to find out what happened in the first place, and how to prevent it from happening again.
Then, there are the costs of notifying everyone whose private information has been lost or stolen, as well as possible expenses from third-party financial claims, including legal fees and expenses incurred.
In other words, the actual out-of-pocket costs connected with privacy and data breaches can be a significant concern, to say nothing of the data loss itself.
The study also found the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3.23 million, breaches that were found after the 100-day mark cost over $1 million more on average ($4.38 million).
The average time to identify a breach in the study was estimated at 201 days, and the average time to contain a breach was estimated at 70 days.
So, yes, time is money, and in general the faster an entity responds to a data breach, the better. But more to the point, data is money: protection is not just a process, it is an attitude.
“Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent ‘cost of doing business’ in the cybercrime era,” said Dr. Larry Ponemon. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”
For more details on the study, the full report is available on the IBM X-Force Research Library.