Skip to main content

Every year CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country. This is blog three of four in the series for 2021.


“Never let a good crisis go to waste” may be credited to Winston Churchill, but it’s also apparently the motto of hackers.

Like any predator, cybercriminals prey on any vulnerability they can find. When COVID-19 disrupted companies’ cybersecurity landscape, they pounced.

Hackers exploited the situation in several different ways over the past year and a half as documented by the Canadian Centre for Cyber Security. They targeted workers forced out of the office and into the home to evade firewalls. And they designed their phishing messages to use COVID-19 as a lure to sneak past psychological defences.

As we see in the results of the CIRA 2021 Cybersecurity Survey, most organizations are responding to the threats with new investments and measures of protection.

Just over one-third (36 per cent) of cybersecurity professionals surveyed say that the volume of cyber attacks has increased during the pandemic. That’s an increase from 29 per cent saying so in 2020. About half say that the volume has stayed the same and only three per cent say there’s been a decrease. These results align closely with what’s being observed south of the border, where many companies report seeing more attacks during the pandemic, and even more are concerned about being attacked.

Over three in ten (36 per cent) say the volume of cyber attacks has increased during the pandemic. 

Almost half of Canadian organizations say they are more worried about their IT security footprint and policies in light of the pandemic this year, and another 46 per cent say there is no change in how worried they are.  

47% more worried

Nearly half of cybersecurity professionals are more worried about their organization's IT security footprint and policies in light of the COVID-19 pandemic.

When the World Health Organization declared a global pandemic on March 11, 2020, it started a chain of events that would disrupt the security footprints of organizations around the world. The sudden shift to remote work kept security pros awake at night. Instead of working on company-issued devices behind a corporate firewall, non-essential workers were made to work from home. Overnight, consumer-grade routers and laptops were pencilled-in to network architecture diagrams. 

In 2021, the issues posed to security pros earlier in the pandemic continue to play out even as more workers return to the office. In Canada, 69 per cent of security professionals say they were required to work from home during the pandemic. Doing so was more common in the public sector (76 per cent) than in the private sector (66 per cent), or at municipalities, universities, schools, and hospitals (MUSH) with 73 per cent reporting that they worked from home. 

Seven in ten (69 per cent) say they were required to work from home as a result of the COVID-19 pandemic. 

While working from home, 71 per cent indicate they are working on employer-provided devices in 2021. That’s up from 65 per cent in last year’s survey. 

Many organizations provide tools and cover expenses to support remote work

Most commonly, employers provide portable tools that can be moved between the organization and the home office (45 per cent), purchase additional tools for the home office (40 per cent), or reimburse employees for a variety of expenses including home office upgrades (34 per cent), mobile phone costs (29 per cent), and home internet (29 per cent).  

Supporting security professionals and other workers in their home office set-up is an important measure to scale up security with your organization’s expanded footprint, advises KPMG. Extra resources can help deter the use of insecure shadow IT options, close off common threat vectors such as old printers and USB drives, and prepare remote security professionals for monitoring and dealing with attacks.  

Beyond helping employees improve their home office, 45 per cent of organizations are implementing new cybersecurity protections in response to COVID-19, according to our survey. That is a decrease from 52 per cent of organizations doing so in 2020.  

The most popular new measure is to protect the devices of remote workers with 71 per cent of organizations doing so. New policies are being put in place by 54 per cent of organizations, and new platforms have been deployed by 41 per cent of organizations. 

The most common new measures are additional protections for devices (71 per cent) and new IT policies (54 per cent). 

Whatever new measures they’ve put in place, 95 per cent of organizations anticipate at least some of them will be made permanent. Of those, 58 per cent say all measures will be permanent. It really gives a cybersecurity spin to the phrase “the new normal.”

Remote work is just one aspect of the pandemic that hackers are exploiting

They’re also using COVID-19 as a specific lure in their phishing messages. Given how compelling new daily updates on COVID-19 case counts and vaccine availability have become, hackers want to capitalize when workers let their guard down. Other distractions while working from home can make workers even more susceptible to phishing, cautions Deloitte.

Slightly more than one-quarter of Canadian organizations have been targeted by a COVID-19 themed cyber attack, according to CIRA’s survey.