(Calgary) Increased corporate awareness and a series of high-profile incidents do not appear to have helped reduce the financial burden of cybercrime in Canada, a new report reveals.
The average cost to businesses of a cybersecurity breach in Canada in 2023, according to a survey by global giant IBM of 26 victim organizations, is $6.94 million, down slightly from $7.05 million last year. The average amount is still the second highest in the nine-year history of this study.
In addition to the technical, legal and public relations costs incurred by companies in the aftermath of such incidents, the report shows that organizations victimized by a cyberattack spend considerable time repairing the damage.
“In reality, the cleanup process is very long,” observed Chris Sicard, security advisory manager at IBM Canada.
“Once you face an attack and work to contain that breach – even if it’s no longer in the news cycle – there’s a tremendous amount of investment and work that is required to ensure it never happens again. »
IBM’s report follows a series of incidents that made headlines in Canada. Bookstore Indigo, grocer Sobeys, oil and natural gas producer Suncor Energy and Toronto’s SickKids Children’s Hospital have all publicly admitted to being victims of cybercrime in the past year.
According to IBM’s report, cybercriminals – especially those using ransomware – are more likely to prey on companies and industries that have little or no tolerance for downtime, and are more likely to pay a ransom quickly in order to get their systems back up and running as soon as possible.
Financial services and energy companies are the top targets of cybercrime, with the financial sector suffering an average of nearly 12 million damages per attack, and the energy sector paying out 9.37 million on average, the report said.
High-profile incidents that make the news — like the 2021 ransomware attack on Colonial Pipeline in the United States, which forced a temporary shutdown of pipeline operations — have raised public awareness of the cybersecurity threat that exists.
And there are likely many more companies that are victims of cyberattacks that we don’t know about, Sicard pointed out.
“Not everyone discloses that they have had a cyber incident or have been compromised. And that’s part of the problem, he said. It can be said that we are not yet doing a good job of sharing and supporting each other. »
IBM’s report also suggests that more than half of hacked companies choose to pass the costs of a cybersecurity incident on to customers by raising prices, rather than investing in additional cybersecurity.
But even smart companies investing in encryption, artificial intelligence and other tools to protect sensitive corporate and customer data aren’t moving the needle as far as Mr. Sicard would like. According to him, the average cost to Canadian businesses of a data breach has increased by more than $1.5 million since IBM began its investigation in 2015.
Part of the reason the financial fallout from cybercrime continues to grow, Sicard said, is that cybercriminals are becoming more sophisticated.
There are also more entry points for hackers than ever before as companies move more and more sensitive data to the cloud, and the trend towards remote working increases the risk of a breach through an individual employee’s mobile device.
The war in Ukraine and the resulting geopolitical tensions have also increased the risk of state-sponsored hackers attempting to break into critical infrastructure for the purposes of sabotage or espionage.
“I would like to be optimistic, but I think it will get worse before it gets better,” Mr. Sicard said.
He added that he thinks most large companies should “accept” the fact that there is a good chance that they will one day become victims of cybercrime. Still, investing in things like employee training and threat detection can reduce those risks, he said.
“There are things businesses can and should do to reduce their risk of being victimized. »