TORONTO – IT security breaches are costing publicly traded Canadian companies an average loss of more than $637,000 annually, says a new study released by Telus and the Rotman School of Management.
In government, the cost is $320,000 per organization, while the cost to private companies is $294,000 a year.
Similar studies in the U.S. show the cost of data security breaches more than doubling year over year, rising to an average of US$345,000 in 2007 from US$167,713 in 2006 for public companies. There is no similar benchmark data for Canada, but Rotman business economics professor Dr. Walid Hejazi says the trend towards increased loss is likely similar here.
"IT security is a C-suite level business issue," said Dr. Hejazi, in a press release. "In an increasingly information-based society, managing data security is fundamental to business strategy. Security breaches come with indirect and direct costs. The damage to brand and customer confidence can last a very long time, and as our study shows, while direct costs are significant and measurable. Simply put, our study clearly shows that lacking the ability to collect and store information safely will severely limit the success and growth potential of any business."
There are many IT security studies available that are either global or U.S.-centric, or specific to certain industries. To better understand the nature of IT security in Canada, Telus and the Rotman School of Management partnered in the Rotman-Telus Joint Study on Canadian IT Security Practices to provide clarity on the state of IT security specifically in Canada. The study examines the IT security practices of more than 300 Canadian businesses.
Other key findings from the study include:
* Not every industry fares the same in terms of IT security performance. Those performing above the average include IT companies, healthcare and financial institutions.
* Canada has caught up with the U.S. in terms of IT security investment. This has been driven by requirements to comply with Canadian regulations such as Payment Card Industry (PCI) and Personal Information Protection and Electronic Documents Act (PIPEDA).
* The best practices for IT security include having a focus on performance measurement, balancing staffing investments in proportion to the growth of technology, and utilizing application security outside of the network, like encryption, to protect customer data.
