Increased corporate awareness and a string of high-profile incidents have done little to reduce the financial burden of cybercrime in Canada, according to a new report.
The average cost to companies of a cybersecurity breach in Canada as of 2023, according to an IBM survey of 26 victimized organizations, is $6.94-million – down slightly from last year’s $7.05-million but still the second-highest annual price tag in the study’s nine-year history.
As well, in addition to the technical, legal and public relations costs incurred by companies in the wake of an incident, the report shows organizations that fall prey to a cyberattack are spending a significant amount of time mopping up the damage.
According to IBM, it takes companies an average of 215 days to identify and contain a data breach. That means many corporations spend a good part of a year dealing with the fallout after a successful cyberattack.
“The reality is the cleanup process has a very long tail,” said Chris Sicard, security consulting and delivery leader for IBM Canada.
“Once you are dealing with an attack, and you are working to contain that breach – even though it’s not in the news cycle anymore – there is an awful lot of investment and work that is required to make sure it never happens again.”
The IBM report comes in the wake of a string of headline-grabbing incidents in Canada. Book retailer Indigo, grocer Sobeys, oil and gas producer Suncor Energy Inc. and Toronto’s Hospital for Sick Children have all publicly admitted to being victims of cybercrime over the past year.
According to the IBM report, cybercriminals – in particular, ransomware attackers – are most likely to go after companies and industries that have little to no tolerance for downtime, and that are most likely to pay a ransom quickly in order to get their systems back and up running as soon as possible.
The report states that financial services and energy companies are the top targets of cybercrime, with the financial sector suffering nearly $12-million in damages on average per cyber breach, and the energy sector paying $9.37-million.
High-profile incidents that make the news – such as the 2021 ransomware attack against Colonial Pipeline in the U.S., which forced a temporary shutdown of pipeline operations – have raised the level of public awareness about the cybersecurity threat that exists.
And there are likely many more corporate victims that we don’t know about, Sicard said.
“Not everyone’s disclosing that they’ve had a cyber incident or that they’ve been compromised. And that’s part of the problem,” he said.
“One can argue we aren’t yet doing a good job of sharing and supporting each other.”
The IBM report also suggests that more than half of breached companies opt to pass the costs of a cybersecurity incident on to customers through increased prices, rather than investing in additional cybersecurity.
But even the smart companies that are investing in encryption, AI and other tools to protect sensitive corporate and customer data are not significantly moving the needle the way Sicard would like to see. He pointed out that the average cost to Canadian companies of a data breach has increased by more than $1.5-million since IBM first began its survey in 2015.
Part of the reason the financial fallout from cybercrime continues to grow, Sicard said, is that cybercriminals are getting more sophisticated.
“They have the same access to technology that we do. It’s just that they’re using it for evil instead of for good,” he said.
There are also more entry points for attackers than ever before, as companies move more and more sensitive data to the cloud, and the remote work trend increases the risk of a breach through an individual employee’s mobile device.
The war in Ukraine, and resulting geopolitical tensions, have also heightened the risk of state-sponsored hackers attempting to breach critical infrastructure for sabotage or espionage purposes.
“I wish I was an optimist, but I do think it’s going to get worse before it gets better,” Sicard said.
He added he believes most large companies should “come to terms” with the fact that the odds are good they may some day become a victim of cybercrime. Still, investing in things like employee training and threat detection can reduce those odds, he said.
“There are things that businesses can and should be doing to lessen their chances of being a victim.”