In the first government study of busines victims of cyber crime, just over one-fifth (21 per cent) of over 10,000 Canadian firms reported that they were impacted by a cyber security incident which affected their operations. On average they suffered 23 hours of downtime.
The report by Statistics Canada, released Monday, said large businesses (41 per cent) were more than twice as likely as small businesses (19 per cent) to have identified an impactful incident.
Of those businesses that were impacted by a cyber security incident, 39 per cent couldn’t identify the motive of the attack, while 38 per cent believed an attempt to steal money or demand a ransom payment was the motive. In just over one-quarter (26 per cent) of incidents perpetrators attempted to access unauthorized or privileged areas, while 23 per cent faced an incident where there was an attempt to steal personal or financial information.
Perhaps alarmingly, only 13 per cent of businesses surveyed said they had a written policy in place to manage or report cyber security incidents. Some industries were above the average, including banking institutions (excluding investment banking) and those in the pipeline transportation and rail transportation subsectors.
That will have to change Nov. 1 for many firms across the country when the new mandatory data breach reporting law kicks in. That law obliges companies coming under the federal privacy law to record all breaches of data safeguards.
Among the 58 per cent of businesses that undertook any activities to identify cyber security risks in 2017, most (85 per cent) monitored their network and business systems, while 38 per cent monitored their employees’ behaviours, presumably with behaviour analytic software.
As expected, large businesses were more aggressive in cyber security. The vast majority of large businesses (93 per cent) undertook at least one activity to identify cyber security risks. These large businesses were more likely to report using specialized external services to assess their cyber security risks compared with other business sizes, with 45 per cent hiring an external party to conduct a penetration test of their security, 37 per cent having their IT systems completely audited and 33 per cent obtaining a formal risk assessment of their cyber security practices.
Just over half of large businesses conducted cyber security risk assessments on a scheduled basis. By comparison 59 per of small-sized businesses and 56 per cent of medium-sized businesses conducted assessments only irregularly.
In a LinkedIn post, Canadian cyber security analyst David Senf urged readers to be careful with the numbers. He believes the report “vastly” overestimates how much organizations spent last year on cyber security, “and dramatically underestimates breaches.” In a survey of 201 Canadian security pros, 89 per cent indicated their organization had suffered a breach in 2017, he said. A Canadian vendor which surveyed 421 IT security and risk and compliance professionals at firms of 250 employees or more found 87 per cent said their organization suffered a breach.
“As broad strokes guidance (the StatsCan report) is very useful data,” he added.
StatsCan admits that since businesses are not always aware of cyber security incidents that have impacted them or are unwilling to report certain incidents the survey results may have been affected by underreporting. Businesses were only asked to report on incidents that impacted them. Therefore, StatsCan says, incidents that businesses deemed not to be impactful were not captured in these data.
Among the goals of the soon-to-be opened RCMP National Cybercrime Co-ordination Unit, announced months ago in the federal budget, is to create a national reporting service to improve data collection.
The survey was done between January and April this year, with responses from about 10,800 businesses with Canadian operations and with 10 or more employees.
The report was released as part of Cyber Security Awareness Month.
Just over half of impacted businesses reported that cyber security incidents prevented employees from carrying out day-to-day work, while 53 per cent reported that incidents prevented the use of resources or services (for example, desktop computers or email). Close to one-third of businesses faced additional repair or recovery costs, 10 per cent lost revenue and four per cent reported that they had to reimburse external parties or make a ransom payment.
Almost 60 per cent of businesses experienced some downtime as a result of an incident. On average, the total downtime for businesses in 2017 was 23 hours, and included mobile devices, desktops and networks.
Businesses in certain sectors were more likely to be impacted by cyber security incidents. Banking institutions (excluding investment banking) (47 per cent), universities (46 per cent) and businesses in the pipeline transportation subsector (45 per cent) reported the highest level of incidents.
For all types of incidents, 65 per cent of businesses reported that they believed an external party was responsible for the cyber security incident, as opposed to an internal employee, supplier, customer, partner or unknown actor.
Canadian businesses reported to StatsCan that they spent $14 billion to prevent, detect and recover from cyber security incidents in 2017, which represented less than one per cent of their total revenues. Approximately $8 billion was spent on salaries for employees, consultants and contractors who worked on cyber security, while $4 billion was invested in cyber security software and related hardware. Several other prevention and recovery measures accounted for the remaining $2 billion of the total expenditure.
Annual average expenditures on cyber security differed greatly based on size of business in 2017. Large businesses (250 employees or more) spent $948,000, medium-sized businesses (50 to 249 employees) spent $113,000 and small businesses (10 to 49 employees) spent $46,000.