A new report by Statistics Canada found that while the pandemic made businesses rely more on digital transactions and virtual work, their cyber concerns also increased.
The release of Statistics Canada’s “Canadian Survey of Cyber Security and Cybercrime” report coincides with international Cyber Security Awareness Month, which is held every October. According to the report, 18% of Canadian businesses were impacted by cyber security incidents in 2021, compared to 21% of businesses in both 2019 and 2017. But this varied considerably when broken down per business size, with 16% of small businesses (with 10 to 49 employees), 25% of medium businesses (50 to 249 employees), and 37% of large businesses (250 or more employees) reporting being impacted by cyber security incidents in 2021.
Statistics Canada found that the most common types of cyber security incidents identified by businesses in 2021 were incidents to steal money or demand ransom payments (7%) and incidents to steal personal or financial data (6%). About 39% of Canadian businesses affected by a cyber incident indicated that there was no clear motive to the attack launched against them.
While a good 61% identified external parties as the perpetrator of cyber security incidents, 38% could not identify the perpetrator. Other perpetrators identified by businesses included internal parties (5%) and known third parties (6%), such as a supplier or a customer.
The report noted that Canadian businesses spent more than $10 billion on cyber security in 2021. Some 61% of businesses surveyed said they spent to detect or prevent cyber security incidents in 2021, compared to 62% in 2019. But the amount of money spent increased by about $2.8 billion in 2021 to $9.7 billion, compared to 2019.
When the $9.7 billion total spent on cyber security in 2021 is broken down per business type, large businesses spent $4.4 billion, followed by small businesses with $2.9 billion, and medium businesses at $2.4 billion.
It was also found that for 2021, more than one in 10 (11%) of businesses were impacted by ransomware, but there were fewer ransom payments made. Eighty-two per cent (82%) of businesses said they did not pay the ransom, with only 18% indicating that they paid. Among those who paid, 1% said they paid a ransom of more than $500,000, and 14% said they paid using cryptocurrency.
Canadian businesses that were impacted by a cyber security incident spent a total of slightly over $600 million to recover – this is a noticeable increase of about $200 million from 2019. Statistics Canada also said that businesses that identified being impacted by cyber security incidents went on to spend more money to prevent and detect incidents and were also more likely to employ dedicated cyber security employees. Those types of businesses were also more concerned about cyber security incidents.