New report highlights increased risk for Canadian companies
Canada is seeing the cost of data breaches surge once again, and this time, the culprit might just be the technology that was supposed to protect us.
According to IBM’s Cost of a Data Breach Report 2025, Canada now ranks fourth globally, with the average breach cost rising to $6.98 million, up 10.4% from 2024, bucking the trend of the global average which fell for the first time in five years.
Although the use of AI and automation has led to faster detection globally, the analysis from IBM Canada suggests too many Canadian organizations are rushing into AI adoption without the guardrails of governance.
Meanwhile, Canadian organizations extensively using security AI and autonomation report average breach costs of $5.19 million, compared to $8.53 million for those not using these tools.
The financial sector leads breach costs at $9.97 million in 2025, a 7.4% increase from $9.28 million in 2024, reflecting the high sensitivity and value of financial data.
“We’re at a critical inflection point,” said Ray Boisvert, IBM Canada’s Associate Partner, Security Services. “Canadian organizations are embracing AI, but they’re not doing it securely.”
Boisvert points to the fact that 63% of breached organizations in Canada lacked an AI governance policy, leaving systems open to attacks that target unmonitored and often unauthorized AI - what experts now call “shadow AI.” One in three Canadian businesses reported lacking access controls on AI systems.
IBM found that security incidents involving shadow AI cost organizations an average of $308,000 more per breach. They also disproportionately result in customer personally identifiable information (PII) being compromised, which now accounts for 65% of shadow AI-related breaches globally.
What’s worse, these breaches are now harder to contain. Shadow AI often operates across multiple environments - public cloud, private servers, and on-premises - making detection and mitigation a logistical nightmare. And when it’s finally detected, the average time to contain is nearly a week longer than other incidents.
The report highlights that organizations that embrace AI securely - investing in governance, using automation across the security lifecycle, and conducting regular audits - report average breach costs that are significantly lower. However, only 37% of breached organizations in the report had any AI governance policy at all.
"Cybersecurity isn't just about protecting data — it is about protecting your business's bottom line and reputation," said Daina Proctor, Security Delivery Leader, IBM Canada.
