Canadian Underwriter

Average Canadian company faces $3.7 million in cyber exposure


February 9, 2018   by Jason Contant



The cost to recover from security breaches in Canada averages $3.7 million in direct and indirect costs per organization, including network downtime, employee work days, lost files and compromised information, according to a new survey.

Of that amount, the majority – about $3.5 million – is lost in revenue and productivity, while $215,080 is spent in direct dollars addressing the breaches.

The study, The Cyber Security Readiness of Canadian Organizations, said that the average company finds itself under attack by hackers more than once a day. Almost nine in 10 (87%) of polled organizations suffered at least one successful breach in the past year, according to 420 people with on-the-job responsibility for cybersecurity in their organizations.

In Canada alone, cybersecurity breaches cost companies a total of more than $9.6 billion in recovery in the past year, Scalar Decisions' chief security architect, Theo Van Wyk, wrote in a related blog post on Thursday, when the study was released. The report was done by IDC Canada for Scalar Decisions. Along with that huge financial hit, these companies experienced a total of more than 813,000 days of downtime and had over 100 million sensitive data records stolen.

Out of the 100 million records stolen, sensitive data was exposed 41% of the time in 2017. One in five breaches was classified as “high impact” because sensitive customer or employee information was exposed. Over 60 million of the sensitive data records stolen had data regarding “financials and product secrets.”

For Canadian organizations, key cybersecurity weaknesses still exist, the survey found, including:

  • Understanding exposure and vulnerabilities.
  • Security training for employees.
  • Speed of installing security updates and patches.
  • Security incident response planning.

In particular, only 26% of respondents across organization sizes conduct formal training for employees. Firms also face organizational blind spots about risk areas, with the top concerns being: exposure to insider threats from employees or contractors; getting the organization to conduct regular cybersecurity risk assessments and audits; and inability to identify the threats that could jeopardize infrastructure and data.