IT security breaches at Canadian firms account for an average annual loss of $834,149, a figure that reflects a 97 per cent increase from the $423,469 average cost reported in 2008, according to a national study released Tuesday.
The Rotman School of Management at the University of Toronto and Telus Corp. released the results of their 2009 Joint Study on Canadian IT Security Practices during a briefing to executives at the Toronto Board of Trade.
The study, which looks at the state of IT security at Canadian organizations with over 100 employees, is the second in a series of annual studies Rotman and Telus plan to develop in subsequent years.
The results are based on over 600 responses from Canadian IT security professionals and nine focus groups across Canada. A full copy of the 80-page report is available at rotman.utoronto.ca/securitystudy. A benchmarking tool is available at telus.com/securitystudy.
The average number of breaches has also risen, from 3.0 in 2008 to 11.3 in 2009. In both categories, security breaches increased most for government as opposed to private and publicly traded organizations.
"Government organizations more than tripled their average annual cost of breaches to $1 million in 2009, up from $321,000 in 2008. Private companies more than doubled their cost of breaches to $807,000, up from $294,000 in 2008. Publicly traded companies reported a moderate increase of only six per cent year-over-year," states the report.
Dr. Walid Hejazi, professor of business economics at the Rotman School of Management, said government "is a natural target" for security breaches.
Governments are custodians of confidential information, and breaches that increase during economic downturns tend to be related to identity theft, he said. "But it's really important to note that per dollar, government organizations are performing quite effectively," said Hejazi.
The average cost per breach has decreased significantly across all organizations, according to the study. "For example, publicly traded organizations decreased breach costs to $75,014 in 2009, down from $213,926 in 2008," states the report.
Hejazi linked the breach results to the downturn in the economy. "On the one side, you've got organizations cutting budgets. On the other side, you've got layoffs mounting ... you can predict an increase in the number of breaches and this is what we've seen," he said.
The increase in breaches is also linked to greater detection capabilities. "Threats are up, but it is partially because organizations have improved their capabilities to detect unknown security events. Organizations are also improving their response to breaches, which has lowered individual breach costs," states the report.
Unauthorized access to information by employees is the fastest rising breach category, up by 112 per cent. Bots within an organization and financial fraud follow second and third, rising by 88 per cent. Theft of proprietary information rose by 75 per cent and laptop or mobile-device theft by 58 per cent.
The five breach categories that remained constant or declined include password sniffing, phishing and pharming, denial of service attacks, sabotage of networks and exploiting DNS.