The average cyberhack would cost businesses $6.94 million

(Calgary) Increased corporate awareness and a series of high-profile incidents do not appear to have helped reduce the financial burden of cybercrime in Canada, a new report reveals.

The average cost to businesses of a cybersecurity breach in Canada in 2023, according to a survey by global giant IBM of 26 victim organizations, is $6.94 million, down slightly from $7.05 million last year. The average amount is still the second highest in the nine-year history of this study.

In addition to the technical, legal and public relations costs incurred by companies in the aftermath of such incidents, the report shows that organizations victimized by a cyberattack spend considerable time repairing the damage.

According to IBM, it takes an average of 215 days for organizations to identify and contain a data breach. This means that many companies spend a good part of the year dealing with the fallout from a successful cyberattack.

“In reality, the cleanup process is very long,” observed Chris Sicard, security advisory manager at IBM Canada.

“Once you face an attack and work to contain that breach – even if it’s no longer in the news cycle – there’s a tremendous amount of investment and work that is needed to ensure it never happens again.”

IBM’s report follows a series of incidents that made headlines in Canada. Bookstore Indigo, grocer Sobeys, oil and natural gas producer Suncor Energy and Toronto’s SickKids Children’s Hospital have all publicly admitted to being victims of cybercrime in the past year.

According to IBM’s report, cybercriminals – especially those using ransomware – are more likely to prey on companies and industries that have little or no tolerance for downtime, and are more likely to pay a ransom quickly in order to get their systems back up and running as soon as possible.

Financial services and energy companies are the top targets of cybercrime, with the financial sector suffering an average of almost 12 million in damages per attack, and the energy sector paying out 9.37 million on average, the report said.

High-profile incidents that make the news — like the 2021 ransomware attack on Colonial Pipeline in the United States, which forced a temporary shutdown of pipeline operations — have raised public awareness of the cybersecurity threat that exists.

And there are likely many more businesses that are victims of cyberattacks that we don’t know about, Sicard pointed out.

“Not everyone discloses that they have had a cyber incident or have been compromised. And that’s part of the problem,” he said. “It can be said that we are not yet doing a good job of sharing and supporting each other.”

Pass the costs on to customers

IBM’s report also suggests that more than half of hacked companies choose to pass the costs of a cybersecurity incident on to customers by raising prices, rather than investing in additional cybersecurity.

But even the smart companies investing in encryption, artificial intelligence and other tools to protect sensitive corporate and customer data aren’t moving the needle as significantly as Mr. Sicard would like. According to him, the average cost to Canadian businesses of a data breach has increased by more than $1.5 million since IBM began its investigation in 2015.

Part of the reason the financial fallout from cybercrime continues to grow, Sicard said, is that cybercriminals are becoming increasingly sophisticated.

They have the same access to technology as we do. It’s just that they use it for harm rather than good.

Chris Sicard, Head of Security Advisory at IBM Canada

There are also more entry points for hackers than ever before as companies move more and more sensitive data to the cloud, and the trend towards remote working increases the risk of a breach through an individual employee’s mobile device.

The war in Ukraine and the resulting geopolitical tensions have also increased the risk of state-sponsored hackers attempting to break into critical infrastructure for sabotage or espionage purposes.

“I would like to be optimistic, but I think it will get worse before it gets better,” said Mr. Sicard.

He added that he thinks most large companies should “accept” the fact that there is a good chance that they will one day become victims of cybercrime. Still, investing in things like employee training and threat detection can reduce those risks, he said.

“There are things companies can and should do to reduce their risk of being victimized.”
