1 in 5 Canadian Businesses Hit by Cyberattack in 2017, StatCan Survey Shows

A survey conducted by Statistics Canada (StatCan), Canada’s national statistical office, showed that 1 in 5 Canadian businesses were hit by a cyberattack last year. 

From January 2018 to April 2018, StatCan conducted a first-of-its-kind survey that aimed to provide a snapshot of the cybersecurity challenges encountered by Canadian businesses – those with 10 or more employees.

StatCan’s survey results showed that over one-fifth or 21% of Canadian businesses reported that they were hit by a cyberattack last year which affected their operations. The survey showed that large businesses (41%) were more than twice as likely as small businesses (19%) to identify an impactful cyberattack.

Direct Costs of Cyberattacks

Listed below are the direct costs of cyberattacks inflicted on Canadian businesses last year: 

- 58% of impacted businesses in the survey conducted by StatCan reported downtime in mobile devices, desktops and networks; average downtime was 23 hours

- 54% reported that cyberattacks prevented their employees from carrying out day-to-day work

- 53% reported that cyberattacks prevented the use of resources or services, including desktop computers or email

- 30% reported they faced additional repair or recovery costs

- 10% reported they lost revenue

- 4% reported they had to reimburse external parties or make a ransom payment

StatCan’s survey results showed that last year, Canadian businesses spent a total of $14 billion to prevent, detect and recover from cyberattacks. That amount represents less than 1% of the total revenues of Canadian businesses last year.

Out of the total $14 billion cost of cybersecurity and cyberattacks last year, $8 billion was spent on salaries for employees, consultants and contractors who worked on cybersecurity; $4 billion was spent on cybersecurity software and related hardware; and $2 billion was spent on prevention and recovery measures.

Motive Behind the Cyberattacks

Of the Canadian businesses that reported that they were impacted by a cyberattack, 39% said that they could not identify the motive of the attack; 38% identified the motive as an attempt to steal money or demand a ransom payment; 26% identified the motive as an attempt to access unauthorized or privileged areas; and 23% identified the motive as an attempt to steal personal or financial information.

Sixty-five percent of businesses, both those impacted and those not impacted by cyberattacks, believed that an external party was behind the cyberattack, as opposed to an internal party, including an employee, supplier, customer or partner.

Vulnerable Sectors of Cyberattacks

The survey conducted by StatCan showed that businesses in certain sectors were more likely to be impacted by cyberattacks, with the banking sector, not including investment banking (47%), universities (46%) and the pipeline transportation subsector (45%) reporting the highest levels of cyberattacks.

Cybersecurity Measures

StatCan’s survey found that almost all or 95% of Canadian businesses used some form of cybersecurity measures to protect themselves, their partners and their customers. The survey, however, found that the usage of the most commonly used cybersecurity measures wasn’t universal, with 32% not using network security such as firewalls; 24% of businesses not using anti-malware software; and 26% not using email security. The above-mentioned cybersecurity measures, however, were nearly universal among large businesses.

The survey also found that 59% of large businesses provided cybersecurity training to their employees, while 32% of medium-sized and 16% of small businesses did the same.

The survey further found that nearly all or 93% of large businesses conducted at least one activity to assess cybersecurity risk in 2017, with 45% hiring an external party to conduct a penetration test of their IT systems; 37% completely auditing their IT systems; and 33% conducting a formal risk assessment of their IT systems.

The survey found, however, that only close to half or 52% of large businesses conducted cybersecurity risk assessments on a regular basis in 2017, while 56% of medium-sized businesses and 59% of small-sized businesses conducted risk assessments on an irregular basis.

Almost one-quarter or 24% of large businesses reported that they had cyber liability insurance in 2017, compared with 14% of medium-sized businesses and 7% of small businesses. Cyber liability insurance taken out by these businesses covered direct losses from an attack (82%), business interruption (72%), restoration expenses (71%) and third-party liability and financial losses (66%).

Reporting Cyberattacks

The survey conducted by StatCan found that most Canadian businesses didn’t report cyberattacks to law enforcement agencies in 2017, with only 10% of businesses impacted by a cyberattack reporting the incident to a law enforcement agency.

Out of the 10% of businesses that reported, 79% did so as the cyberattack was meant to steal money or demand a ransom payment, while 56% did so as the cyberattack was meant to steal personal or financial information.

Almost half or 53% of businesses impacted by cyberattacks didn’t report them to a law enforcement agency as the cyberattacks were resolved internally; 35% didn’t report as the cyberattacks were resolved through IT consultants or contractors; and 29% didn’t report the cyberattacks as they considered the impact to be too minor.

Next month, specifically on November 1, reporting a cyberattack to a government authority, in particular the Privacy Commissioner of Canada, and to the affected individual will no longer be optional. Starting November 1, 2018, it’s mandatory for every Canadian business to report a cyberattack to the Privacy Commissioner of Canada and to inform the affected individual in the event that such cyberattack poses a “real risk of significant harm” to any individual.

Under Canada’s Digital Privacy Act, failure to comply with this mandatory data breach reporting obligation will subject a business to a fine of up to $100,000. Deliberately failing to keep or destroying data breach records will also subject a business to a fine of up to $100,000.

Contact us today if your organization needs assistance in preventing, detecting and recovering from cyberattacks.
