The average cost of data breaches in Canada rose 6.7 per cent since 2019, totalling $6.35 million, but a cybersecurity expert says the increase is in line with previous years, and that Canada has been proactive in safeguarding information.
IBM’s “Cost of Data Breach Report 2020,” which was released on July 29, said 42 per cent of Canadian data breaches were caused by malicious attacks, 35 per cent by a system glitch, and 23 per cent by human error.
Sumit Bhatia, director of communications and knowledge mobilization with Ryerson’s Cybersecure Catalyst, said in an interview that despite an increase, the average cost of data breaches in 2020 is not far off from what was reported in 2016 ($6.03 million) and 2018 ($6.11 million).
“The fact that we’ve actually managed to contain [breaches] despite the sophistication of attacks, I think is a positive trajectory,” he said. “Those numbers are not surprising nor is it dismal at this point, but it’s pretty much in line with the trend that we’ve seen over the last few years.”
The chart above shows the total cost of data breaches from 2015 to 2020. In 2015 it totalled $5.32 million, in 2016 $6.03 million, in 2017 $5.78 million, in 2018 $6.11 million, in 2019 $5.95 million, and in 2020 $6.35 million.
Bhatia also said that the increase in data breaches is correlated with COVID-19 forcing many people to work from home, where security on laptops might not be as effective.
“A lot of these attackers, their point of entry is compromised employee accounts and cloud computing. And those are a result of, as I see, a rapid digital transformation initiative that’s happening both right now and has been taking place in the last few years,” he said.
The report noted that the average time to identify a data breach decreased from 176 days to 168 days and that the average time to contain a data breach improved from 65 to 58 days.
Bhatia said this is a reflection of companies starting to look at “fully deploying security automation.”
In the past five years, Bhatia said Canadian companies have seen a shift in ensuring there is better cybersecurity protection.
“It has a lot to do with a combination of the investment in the technology infrastructure, plus the advancement in security technologies that have allowed companies to deal with some of these issues going forward,” he said.
Ray Boisvert, IBM Canada’s security expert, said in the report that Canadian businesses need to make “cyber resiliency a top priority; to mitigate not just the financial impact but the impact on customer and employee privacy as well.”
“The onus isn’t just on government and businesses, however, we all have a role to play in protecting and safeguarding our information,” said Boisvert, who is also a former assistant director of the Canadian Security Intelligence Service (CSIS).
Bhatia agreed that Canada needs to ensure any policy that helps safeguard privacy should incorporate different industries, as one policy might not fit all industries.
“There are certain industries that demonstrate different types of the root cause for the attack. We saw the root cause of attacks was malicious attacks. But we know this isn’t the case for all industries.
“When we look at industries like the public sector and consumer industries, we saw human error as being the largest percentage of data breaches. That’s an important distinction to make. Policies can really help certain sectors. There need to be policies that support small-and-medium-sized businesses in creating a place for them to go through this digital transformation process,” he said.