IT security breaches In Canada more than triples in 2009

From a TELUS press release:

A new study from TELUS in partnership with Rotman School of Management released today reveals a major increase in annual losses related to Information Technology (IT) security breaches.

According to the study which surveyed more than 600 IT security professionals across the country:

  • IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year.
  • Similarly, the average number of reported IT security breaches also increased 276 per cent to 11.3 per organization in 2009 – compared with an average of three in 2008.

While every type of organization incurred an increase in breach costs during 2009, the increases were different across sectors:

  • Government organizations more than tripled their average annual cost of breaches to $1,000,000 in 2009, up from $321,000 in 2008.
  • Private companies more than doubled their cost of breaches to $807,000 up from $294,000 in 2008.
  • Publicly traded companies reported a moderate increase of only six per cent year-over-year.

“The significant increase in reported breaches is sobering, however there are several reasons for this activity and some of them are actually positive,” said Dr. Walid Hejazi, Professor of Business Economics, Rotman School of Management. “Our research indicates that one of the contributing factors behind the surge in IT security-related losses is compliance regulations. Although this factor does not explain all instances of breach increases, it is important to note that because compliance has become a much stronger driver for private companies and government organizations in 2009, capabilities to detect and respond to security compromises have greatly improved. The result is that organizations are now detecting more security threats than ever before and consequently need to allocate more budget to address them appropriately.”

“Canadian organizations are finding it difficult to improve their security posture within the current economic climate. However, we found several organizations that performed well despite the adversity. Those organizations tended to review whether or not they were focusing on the right threats and conducted regular assessments of their capabilities to prevent, detect and respond to security concerns,” said Alan Lefort, managing director, TELUS Security Labs. “Too often organizations take a checklist approach to managing security. Without a threat-based view to security management that measures end-to-end capabilities, they are often unprepared when a new type of attack or vulnerability rises to prominence.”

The study also uncovered a rise in employee-related security breaches specifically related to intellectual property. IT security breaches by employees doubled over the past 12 months, with 36 per cent of all IT security incidents in Canada resulting from insider activity. When compared to results from last year’s Rotman-TELUS study, the results from 2009 revealed:

  • Unauthorized access to information by employees increased by 112 per cent.
  • Theft of proprietary information increased 75 per cent.
  • Laptop or mobile hardware device theft increased by 56 per cent.

For more information, or to request a copy of the study, visit

About the author: Dissent

2 comments to “IT security breaches In Canada more than triples in 2009”

You can leave a reply or Trackback this post.
  1. riskpundit - October 4, 2009

    I read the 2008 and 2009 Telus/Rotman studies and I have to say I feel the claim of breaches tripling is not valid. While the average is 11.3, the mode is 3.5. There are significant outliers that make the average less significant. Also the wording of the incident/breach question varied significantly from 2008 to 2009. I wrote a post on my blog with the details.

  2. admin - October 5, 2009

    Thanks for posting that and for your own analyses. I found some of the survey results to Q47 surprising when compared to what we actually read about/hear about it in the media, but given there’s no mandatory disclosure law, I guess I shouldn’t be so surprised.

Comments are closed.