Canadian businesses hit hard by data breach costs

Even as Canadian companies become more aware of their cyber risk, threat actors are hardly deterred, a new report shows.  

Canadian companies are paying nearly $7 million Cdn, per incident, in data breach costs. That’s the third highest in the world, according to the IBM’s 2023 Data Breach Report. 

The average cost of an incident is now $6.94 million Cdn — only a modest improvement from last year’s $7.05 million Cdn. And this has happened despite tighter underwriting controls and better consumer risk awareness.  

Only the U.S. ($9.48 million US) and the Middle East ($8.07 million US) surpass Canada for per-incident data breach costs. 

Financial services and energy companies saw the highest breach costs in Canada, according to the report, which surveyed a total of 26 Canadian companies.

Both sectors’ data breach costs are higher than the global average. The financial sector paid nearly $12 million Cdn on average per breach, while the energy sector paid $9.37 Cdn million on average.  

Globally, healthcare tends to see the costliest data breaches at $10.93 million US in 2023, followed by the financial industry at $5.90 million US. The energy sector is the fourth costliest sector for breaches at $4.78 million US. 

The most common attack type in Canada is phishing, about 17% of breaches experienced by Canadian companies and costing an average $6.98 million Cdn.  

More financially devastating but less common (8%) are malicious insider breaches, which cost $7.98 Cdn million on average. 

But Canadian companies are being phished more than before — and more than firms in other countries — signaling a trend in attackers relying on human error for their breach success, IBM suggested.  

Social engineering (a type of phishing) jumped 9% in Canada year over year. The costs associated with social engineering also jumped 37% compared to last year’s report. 

Comparatively, phishing and stolen or compromised credentials were the two most common attack types globally, accounting for 16% and 15% of breaches respectively.  

Despite all the doom and gloom, however, there are ways that companies can reduce the costs of data breaches, while also preventing cost increases for consumers.

“Globally, most companies are passing the cost on to consumers when they could be improving security. To cope with breach costs, 57% of breached companies are opting to increase the price of products or services,” the report read.  

Yet, only about half (51%) planned on increasing security budgets.

Given the rise in phishing breaches across Canada, employee training is the best way to squelch data breaches, IBM said.  

“Canadian companies that combine this training with threat intelligence, encryption, identity, and access management (IAM), proactive threat hunting and AI, can significantly reduce the total cost of a breach.” 

Using AI can both reduce workload and increase the efficiency of a company’s cyber security. 

Canadian organizations that extensively use AI and automation in their security had breach lifecycles that were 33 days shorter and cost $1.74 million Cdn less on average than those that didn’t, IBM reported.  

Feature image by iStock.com/JuSun