A new study says IT security breaches cost the average Canadian company more than $800,000 in 2009.

The Telus/Rotman School of Management study said the $834,149 average is a 97 per cent jump from last year. The average number of incidents rose from three per organization to 11.3.
Alan Lefort of Telus Security Labs says better monitoring systems and the economic downturn are the main culprits.

“Last year, organizations told us they were spending a lot of resources in putting together technologies to help them monitor and detect potential breaches, and as a result of that investment, they’re now able to find more things,” he said.

“(Another) thing that really stood out for us was the amount of insider-related breaches going on,” Lefort added. “When organizations are forced to make a difficult decision and let people go, those people have to think about what happens next.”

This leads not to sabotage, but to staff using confidential information — like a security plan they’ve created — as work samples to help get another job, unintentionally compromising their former employers. “A breach is not necessarily something where there is a hacker involved,” he said.

The $834,139 includes labour lost when a breach freezes systems, the cost of repairing the damage and replacing faulty security.

“Training your people how to properly handle information is so important and can have such a positive effect on the number of breaches, especially when they’re related to information,” Lefort said.

“Make it so they have to consciously make information public — don’t make public the default.”

Banks are popular targets for attackers and phishers, but the real danger is in lax security by customers, says Maura Drew-Lytle of the Canadian Bankers Association.

“A lot of times, the problem is more that somebody’s home computer is infected with viruses, or key-stroke loggers, and they could lose money that way,” she said.

Banks counter that with security measures: if you log in from a computer the bank doesn’t recognize, it steps up the security questions.

“They are always electronically monitoring transactions, looking for anything unusual,” she said.

If your regular $100-a-week withdrawal suddenly turns into two large transactions, a red flag is raised and the bank investigates.

“Banks have a lot of personal, financial information, and they work very hard at protecting it.”