One in Five businesses Affected by Cybersecurity Incidents in 2019
Oct 27, 2020
Despite there being several high profile cybersecurity incidents disclosed publicly by Canadian businesses in 2019, about one-fifth (21%) of the overall Canadian business population reported being impacted by cybersecurity incidents, which was the same proportion as in 2017. Over two-fifths (43%) of large businesses (250 or more employees) were impacted by cybersecurity incidents in 2019, compared with 29% of medium-sized businesses (50 to 249 employees) and 18% of small businesses (10 to 49 employees).
The industrial sectors that most commonly reported being impacted by cybersecurity incidents in 2019 were the information and cultural industries sector (37% in 2019 compared with 30% in 2017), the wholesale trade sector (34% in 2019 compared with 27% in 2017) and the professional, scientific and technical services sector (32% in 2019 compared with 27% in 2017).
The two most frequently identified motives of cybersecurity incidents that impacted businesses remained the same in 2019 as in 2017, with 9% of businesses in 2019 identifying that they were impacted by attempts to steal money or demand a ransom payment and 8% identifying that they were impacted by incidents with an unknown motive. The third most common motive of incidents that impacted businesses in 2019 was attempts to steal personal or financial information (6%).
Although motives related to stealing money or financial information were common in 2019, a total of 12% of businesses impacted by cybersecurity incidents reported that they lost revenue and 3% reported that they made a ransom payment.
Most Canadian businesses continue to not report cybersecurity incidents to police services
While a slightly larger percentage of Canadian businesses impacted by cybersecurity incidents reported incidents to police services in 2019 (12%) than in 2017 (10%), most businesses continue to not report incidents to police services. A higher proportion of businesses that reported incidents to police services indicated that they had insurance policies (34%) than the overall average (17%). Businesses that reported incidents to police services also reported an average cost of $27,000 to recover from cybersecurity incidents, compared with the overall average cost to recover of $11,000.
The most common reasons businesses identified for not reporting incidents to police services in 2019 were because the incidents were resolved internally (49%), the incidents were too minor to be reported (31%) or the incidents were resolved through an information technology (IT) consultant or contractor (29%).
Canadian businesses report spending a total of $7 billion directly on cybersecurity in 2019
Canadian businesses reported spending a total of $7 billion directly on measures to prevent, detect and recover from cybersecurity incidents in 2019, which represented less than 1% of their total revenues. Approximately $2 billion was spent on the portion of employee salaries related to cybersecurity, another $2 billion was invested in cybersecurity software and $1 billion was spent on IT consultants and contractors hired for cybersecurity reasons. Expenditures on various other prevention, detection and recovery measures accounted for the remaining $2 billion of the total cybersecurity expenditure.
Average annual direct expenditures on cybersecurity differed greatly based on size of business in 2019. On average, large businesses spent $699,000, medium-sized businesses spent $74,000 and small businesses spent $11,000. Close to one-third of small businesses (32%) reported no direct expenditures on cybersecurity, compared with 21% of medium-sized businesses and 19% of large businesses.
More Canadian businesses are implementing formal policies for cybersecurity
In 2019, 18% of Canadian businesses had written policies in place to manage cybersecurity risks or to report cybersecurity incidents, an increase compared with the 13% of businesses that reported having such policies in 2017. Increases in the usage of written policies were reported by small businesses (14% in 2019 compared with 10% in 2017), medium-sized businesses (29% in 2019 compared with 23% in 2017) and large businesses (58% in 2019 compared with 51% in 2017). Also contributing to the overall increase in written policy usage were increases in the finance and insurance sector (57% in 2019 compared with 48% in 2017) and the utilities sector (47% in 2019 compared with 36% in 2017).
Having insurance policies to protect against cybersecurity risks and threats was also more common among businesses in 2019 (17%) than in 2017 (9%). Among large businesses, the increase in the percentage that had a cybersecurity insurance policy was even more pronounced, going from 24% in 2017 to 38% in 2019. The increase was also more pronounced for businesses in the finance and insurance sector (55% in 2019 compared with 41% in 2017).
Canadian businesses continue to use many of the same cybersecurity techniques
Most Canadian businesses continue to use anti-malware software (76% in 2019 and 2017), email security (73% in 2019 compared with 74% in 2017) and network security (69% in 2019 compared with 68% in 2017) to protect their information and communication technologies infrastructure. However, a lack of usage of other cybersecurity techniques may still result in businesses being vulnerable to cybersecurity incidents. For example, while 37% of businesses reported that they used Internet-connected smart devices or Internet of Things devices (excluding smartphones, tablets, laptops and desktop computers) in 2019, 17% of businesses with these devices assessed the security of them. Most businesses (65%) also indicated that they did not install security updates for their software and operating systems on a monthly or more frequent basis.
In 2019, 44% of businesses reported that they were required to implement cybersecurity measures by suppliers, customers, partners or regulators, or to meet the requirements of cybersecurity standards or certification programs. The industrial sectors that most commonly reported that they were required to implement cybersecurity measures included the finance and insurance sector (70%), the information and cultural industries sector (60%) and the utilities sector (57%).
Three-fifths of Canadian businesses have employees that regularly complete cybersecurity tasks
In 2019, 60% of Canadian businesses had at least one employee that completed tasks related to cybersecurity as part of their regular responsibilities. Almost all large businesses (85%) had at least one employee with this description, while fewer medium-sized businesses (67%) and small businesses (58%) reported having this type of employee.
Among the 35% of businesses that reported not having any employees that completed tasks related to cybersecurity as part of their regular responsibilities in 2019, 48% indicated that one of the main reasons they didn’t have this type of employee was because cybersecurity was not a high enough risk for their business, while 47% indicated that they used consultants or contractors to monitor cybersecurity.
Source: Statistics Canada, www150.statcan.gc.ca/n1/daily-quotidien/201020/dq201020a-eng.htm?CMP=mstatcan