Canadian Underwriter

Canadian companies paying high cybercrime bills


May 13, 2019   by Adam Malik



Malicious insiders and malware attacks are costing Canadian companies.

New research from global professional services company Accenture and data protection research firm Ponemon Institute pegged the average cost of cybercrime to a Canadian company at more than $12 million in 2018.

Malware and people-based cyberattacks, like phishing and social engineering, were most to blame, according to interviews with 179 senior leaders from 25 companies in Canada.

Businesses recorded an average of 75 cyberattacks in 2018 – that’s 1.5 attacks every week. And it’s expensive, with business disruption costing almost $4 million and information loss valued at more than $5 million. The most expensive attacks are malicious insiders and malicious code, costing companies upwards of $4.5 million, as they take twice as long to resolve compared to ransomware and phishing attacks.

Part of the problem is playing catch up. Four in five Canadian business leaders said new business models create technology vulnerabilities faster than they can be secured. Canadian leaders point to automation, artificial intelligence and machine learning technologies as being able to provide the highest cost savings when fully deployed.

“As business innovation propels forward, so too does the expanding threat landscape, leading to an increase in cyberattacks,” Ahmed Etman, managing director of security at Accenture Canada, said in a statement. “Canadian organizations must prioritize protecting people, take a data-centric approach to security to limit information loss and business disruption, and implement AI technology and analytics to reduce the rising cost of attacks.”

Part of a global study, which spoke with more than 2,600 security and information technology professionals at 355 organizations worldwide, the research found that costs due to malware spiked 11 per cent last year – up US$2.6 million per company on average around the world compared to 2017.

The study also zeroed in on insiders with nefarious intentions – employees, temporary staff, contractors and business partners – as being responsible for a 15-per-cent increase globally, an average US$1.6 million more per organization.

The costs associated with cybercrime include what a company spends to discover, investigate, contain and eventually recover from a cyberattack over a four-week period. It also adds up related costs after the fact, such as incident response protocols that are implemented to prevent more attacks, and efforts to keep business disruption minimal and not lose customers.

The report highlights three ways companies can get the best bang for their cybersecurity buck.

First, put people-based attacks at the top of the threat list. Internal threats are one of the biggest challenges. Nurture a security-first culture with training and education, while reinforcing safe behaviours.

“Training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets,” the report said.

Second, invest in information protection. Have a responsible attitude towards critical information. Take a data-centric approach to security, implement loss-prevention technology and use cryptographic technology.

And find technology that keeps costs down. Technologies like security intelligence and threat sharing can help reduce the cost of cybercrime. Cloud services can make investigations more efficient, the report said.