Canucks vs. Yankees: How are we faring in IT Security?

Security breaches are costing Canadian companies more than their American counterparts, according to a joint Rotman - Telus study on Canadian IT Security practices. The 2007 annual losses associated with breaches per respondent were calculated at $423,469, compared to the U.S. Computer Security Institute’s (CSI) survey average of $345,000. Even more distressing were the numbers for 2008, showing that annual losses have increased to $834,169 per organization in Canada, a whopping 97% increase!

The results were based upon nine focus groups from across Canada with over 600 responses from Canadian IT security professionals employed by Canadian companies with over 100 employees. The study also compared the satisfaction levels for company IT security postures, which were dependent on a number of factors including budget levels, organization type, awareness training, outsourcing mandate and technology adoption, to name a few. The report is available at www.telus.com/securitystudy, along with the IT Security Assessment Tool used by the respondents.

Overall Breach Costs have risen

The trend should not come as a surprise; however, the study showed that “For Canadian owned companies the average annual loss is $397,887, for U.S. owned companies doing business in Canada the average annual loss is $499,859 and for organizations doing business in Canada with headquarters in Europe, South America or Asia the average annual loss due to breaches is $449,950. Annual loss for a private company is $293,750, for publicly traded companies the average annual loss is $637,500 and government it is $321,429. These figures compare to the average loss per respondent in the U.S. CSI survey at $345,000 in 2007, up substantially from $167,713 in 2006.”

Although the average number of breaches reported annually in Canada has almost quadrupled to 11.3 between 2008 and 2009, the average single breach cost is significantly lower. This can be attributed partially to the fact that organizations have improved their ability to detect security events and are also improving their response to breaches, thereby lowering individual breach costs.

Canadian companies reported equivalent or higher numbers of breaches compared with their southern neighbour in 2009; however, insider breaches almost doubled and are now comparable to USA numbers. “In 2008, 17% of Canadian organizations reported breaches related to insider activity, while the USA statistic was about 60%. In 2009, this has increased to 36% in Canada and decreased to 44% in the USA, based on the latest CSI survey.”

Supporting this trend, the 4 fastest rising breach categories were:

1. Unauthorized access to information by employees (increased 112%)
2. Bots within an organization (increased 88%)
3. Financial fraud (increased 88%)
4. Theft of proprietary information (increased 75%)

Another subtle difference is the extent to which security is linked to personal performance evaluation. About 40% of Canadian respondents indicated that security is part of their personal performance evaluation, whereas this number was 50% in the U.S. Compare this to 85% in Europe and Asia!

The study showed that Canada has caught up with the U.S. in terms of security investment, due to compliance requirements for regulations such as PCI and PIPEDA. “This catching up has come at a cost: organizations have not developed the skill sets and organizational maturity required to fully leverage their investment”, according to the study. “Generally speaking, the maturity of compliance programs in Canada lags that of the U.S., and this is reflected in lower tendencies to measure security performance, communications related to risk and security, and attitudes towards accountability.”
