Eighty-two per cent of companies that were victims of ransomware last year denied paying a ransom to attackers, according to a new Statistics Canada survey, a number met with skepticism by two experts who believe more firms pay, but refuse to admit it.
“I am not dismissing Statistics Canada’s methodology,” David Swan, Alberta-based director of the Center for Strategic Cyberspace + International Studies, said in an email, “but Canadian organizations refuse to report.”
“I believe their results are based on skewed data because experience has taught me the overwhelming majority of Canadian firms do not want to talk about cybersecurity, that Canadian firms strongly prefer not to admit to having been hacked, that when hacked by ransomware the preferred option is to pay up if that can be done discreetly, and if ransom is paid, the overwhelming preference is to not report anything to law enforcement or to corporate reporting.”
David Shipley, head of New Brunswick-based Beauceron Security, noted in an interview to be published later today in IT World Canada’s Cyber Security Today podcast that studies paid for by vendors say upwards of 70 per cent of business ransomware victims admit paying a ransom. “We’ve seen that people can be really skittish about telling the government that they paid,” he said on the podcast. He also noted the RCMP recently said that after recovering cryptocurrency paid by Canadian firms to the Netwalker ransomware gang, some firms refused to take the money back, fearing publicity over admitting they were hit by the malware.
One of the more recent Canadian studies was released in August by the Canadian Internet Registry Authority (CIRA). Among those that experienced a ransomware attack, 73 per cent said their organization paid ransom demands. This was a survey of 500 respondents.
In a survey released in March by Telus, 44 per cent of respondents whose organizations were hit by ransomware said they paid a ransom. The Telus survey methodology differed from the StatsCan survey: Telus questioned 463 respondents from public and private sector organizations with over 50 employees, while StatsCan questioned over 8,000 respondents from businesses with more than 10 employees.
A Palo Alto Networks survey released last December reported 58 per cent of Canadian respondents whose organizations were hit by ransomware said they paid a ransom. Again, the sample size was much smaller than the StatsCan survey.
For its part, Statistics Canada defended its numbers. “While there are limitations to all surveys that involve self-reported responses (including hesitancy to respond to potentially sensitive questions), respondents to this survey are informed that the data they provide is protected under the Statistics Canada Act,” Maryse Carrière, a StatsCan media relations officer, said.
“What this means is that any data they provide to us will be protected by strict security and confidentiality measures. This protection ensures that their responses to our survey questions will not be used to identify or make decisions about them as individual enterprises but, rather, only for research and statistical purposes.”
The StatsCan report, a survey conducted every two years and released this week, covered about 8,800 firms with 10 or more employees.
Eighteen per cent said they were impacted by a cyber incident in 2021. That compares to 21 per cent in 2019 and 2017. Of those 18 per cent, 11 per cent said they had been hit by ransomware. Eighty-two per cent of them said their firm didn’t pay a ransom, while 18 per cent said they did. Of those, one per cent said the ransom was more than $500,000.
Not surveyed was the public sector, including federal, provincial, and municipal governments and school boards.
The survey also only collected data on those who said they were “impacted” by a cyber event. Incidents that businesses deemed not to be impactful weren’t captured in the data.
Respondents also said the amount of money their businesses spent to detect or prevent cybersecurity incidents increased by roughly $2.8 billion in 2021 to $9.7 billion when compared with 2019. Large businesses accounted for just under half of the total ($4.4 billion), followed by small businesses ($2.9 billion) and medium businesses ($2.4 billion).
Canadian businesses that were impacted by a cyber security incident spent a total of slightly over $600 million to recover, an increase of roughly $200 million from 2019.
As for spending more money on cyber security, Swan said the majority of firms he encounters skimp on network administration, network maintenance, “and especially cyber security. I have encountered CFOs who believe it is better to pay a ransomware demand than pay for the operating costs of cybersecurity. I have stood in businesses under cyber attack, summoned by an employee, [only] to have management insist there was nothing to see – but sign this NDA [non-disclosure agreement]!”
There is some evidence to back this up. Police and industry experts have for years said that data breaches are under-reported to law enforcement.
Robert Gordon, strategic advisor to the Canadian Cyber Threat Exchange (CCTX), said two things struck him from the report: First, 18 per cent of businesses impacted translates into approximately 58,000 businesses out of all firms across the country. “That’s impacting a lot of businesses and people,” he said.
Second, almost all businesses are now in the data business. It’s what businesses require to operate, he noted. “We have difficulty equating value to data compared to other losses such as a traditional theft of something tangible. Some businesses have difficulty in ascribing a value to data until they don’t have access to it — for example, when a ransomware attack denies access to the data. Businesses that are impacted by a cyber security incident are real victims in the same way as when someone steals their inventory.”