We have a newer version of this report, with survey data from 2022.
- Fewer organizations expect to increase human resources dedicated to cybersecurity in the next 12 months, with one-third planning to do so, down from 45% in 2019.
- About three in 10 organizations have seen a spike in the volume of attacks during the pandemic.
- Slightly more than half of organizations implemented new cybersecurity protections directly in response to COVID-19.
- One-quarter of organizations experienced a breach of customer and/or employee data last year. Another 38% don’t know if they did or not.
- Organizations are less likely than in 2019 to inform a regulatory body of a data breach, with only 36% doing so compared to 58% last year.
- Decision-makers are divided in their concern about changes to PIPEDA, with 54% saying they are concerned.
Introduction – Pandemic heightens cybersecurity woes and regulatory fatigue
If you like movies where the bad guy wins, then you’re probably enjoying 2020. In the face of the global crisis posed by COVID-19, cyber-criminals are thriving. Not only are remote workers removed from the security of the company firewall and nearby technical support, but they’re also more anxious and willing to believe in fraudulent claims that come in the form of an email or social media message. The result is that while businesses face the increased risk posed by the pandemic, they are simultaneously facing the increased risk of more cyber attacks that also take advantage of that pandemic.
The setting of our “2020” movie is in the home. According to the 2020 CIRA Cybersecurity Survey, two-thirds of IT workers were required to work from home because of COVID-19. Forced remote work was even more prominent in the public sector, where 78 per cent of IT employees worked at home compared to 60 per cent from private firms. Working from home can leave workers more vulnerable to attack, as home Wi-Fi networks are generally less secure than corporate networks for a variety of reasons.
The opening scene features a barrage of cyber attacks. Three in 10 survey respondents report experiencing an increased volume of cyber attacks during the pandemic. That corresponds with CIRA’s observations of a 39 per cent increase in cyber threats against health care clients using its network security platform over 30 days from April to May, right after the start of the lockdown.
The plot looks to get even darker for IT in the next 12 months. Despite facing more attacks in a harder-to-secure scenario, only about one-third of workers anticipate an increase in human resources devoted to cybersecurity. That is down from 45 per cent anticipating more resources in 2019. About one in 10 workers expect to have fewer resources to work with.
The twist comes out of nowhere. Adding to the pressure from cyber actors is pressure from those wielding a regulatory hammer. Organizations are beginning to show compliance fatigue: more report being aware of recent changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), yet they are less likely to report data breaches than last year. Only 36 per cent informed a regulatory body after experiencing a data breach, down from 58 per cent in 2019. Also, 44 per cent informed customers of a breach in 2020, while 48 per cent did so in 2019.
Don’t roll the credits yet. Our goal with the 2020 Cybersecurity Survey is to provide insight into the cyber landscape at a unique and challenging time. We hope it shines a light on how Canadian businesses are standing up to the test and coping with the crisis in terms of IT security.
Cybersecurity Awareness Training for Organizations
It’s often said that the weakest link in cybersecurity is the human at the keyboard. That’s become even more significant during the pandemic, as workers at home face more phishing attempts from cyber thieves. The Canadian Centre for Cybersecurity is warning that hackers are taking advantage of COVID-19 and the attention the issue demands. Pandemic-themed malicious emails, attachments, and websites are commonplace. Hackers are shameless in their phishing attempts, taking advantage of the pandemic by launching attacks such as a fake COVID-19 contact tracing app, reports the National Post. Anxious mobile users who were looking to install the real COVID Alert app released by the federal government were instead stuck with ransomware.
More than one-quarter of IT workers say their organization has been targeted by a COVID-19 themed security incident. From our own observations of the data we get from delivering CIRA Canadian Shield and CIRA DNS Firewall, we can say that these new threats aren’t replacing the old ones; in fact, they are increasing the number of vectors that malicious actors are using to target organizations.
To counter that threat, organizations are adapting to work-at-home scenarios by offering specific cybersecurity training. Almost all organizations (94 per cent) say they conduct cybersecurity awareness training, and almost half (48 per cent) say it is mandatory, an increase from 41 per cent in 2019. Popular training topics include how to work remotely securely, with 78 per cent of respondents saying it’s provided by their organizations. Training on how to use video conferencing software, Zoom for example, is also common, with 74 per cent saying it’s provided. Fifty-six per cent of organizations are also training their employees on cyber threats specifically related to COVID-19.
The way training is delivered also looks a bit different in 2020. The most common method is to create in-house training material and promote it internally, with 57 per cent saying they do so. Phishing simulations, in which the IT department or a third party imitates a phishing attempt and sees which employees fall for it, are more popular this year, with 37 per cent saying they do it compared to 21 per cent in 2019. About one-third of companies are still conducting lunch-and-learn workshops, on par with 2019, but we imagine more of those have been virtual get-togethers.
Conducting some training is one thing. Doing it regularly is another. Most organizations indicate they do not conduct cybersecurity awareness training on a frequent basis, with 40 per cent doing it annually or less often, and about half doing it quarterly. That’s not much when anxious workers are likely facing COVID-19 themed cyber attacks on a daily basis and all it takes is one mistake to breach security. Moreover, there are countless educational resources that point out the critical importance of repetition in training adult learners – something that a training platform can solve.
Still, almost all IT workers (93 per cent) believe that their training is at least somewhat effective in reducing security incidents and risky online behaviour. To measure the effectiveness of training, 46 per cent of those that have cybersecurity awareness training say they monitor results and risk scores over time, while 42 per cent say they look at reduced costs on security incidents, and 42 per cent also look at time saved in responding to security incidents.
While there are many cybersecurity training providers to assist with these efforts, survey respondents showed limited awareness of these vendors.
When it does come time to select a training platform, IT workers say that risk advisory and recommendations are the most important features to consider, with 39 per cent saying it’s critically important and another 48 per cent saying it’s somewhat important. IT staff also want modern, high-quality training courses (37 per cent saying it’s critical) and automated phishing simulations (36 per cent saying it’s critical).
Remote workers are being peppered with constant fraudulent attempts, according to the Canadian Anti-Fraud Centre. An alert issued Aug. 31 shows that ongoing frauds related to COVID-19 include companies offering to fill out applications for the Canadian Emergency Relief Benefit (CERB), unauthorized charities asking for donations, and scammers that pose as authorities such as the Center for Disease Control or the World Health Organization. Training those employees to be vigilant against such efforts is an organization’s first line of defense. It is now more important to bolster that first line given the increase in the number of attacks, employees’ heightened state of vulnerability, and, as we’ll see in the next section, the increasing negative impact seen from effective attacks.
Cyber-threat reality that organizations in Canada are facing today
Pre-COVID, IT’s sphere of influence was already limited in many organizations, with employees wilfully ignoring security policies and the adoption of shadow IT a commonplace occurrence. Now that more workers are operating out of their homes, IT has even less control. As a result, IT workers are feeling more concerned about cybersecurity in 2020.
While two-thirds of employees say they’re using devices issued by their companies, half also say they are using their personal devices at least some of the time as well. This manifests itself in the survey responses, where 54 per cent of IT workers say they are more concerned about the possible damage from future cyber attacks this year. More than four in 10 are worried about their organization’s IT security footprint and policies in light of the pandemic.
As a result, 52 per cent say more cybersecurity protections are being deployed in response to COVID-19 threats. The most popular choices for new protections, specifically in response to the pandemic, are new policies (adopted by 63 per cent) and device protections for remote workers (60 per cent). At least some of the newly deployed protections will be in place permanently for 91 per cent of respondents.
Additional cybersecurity layers are being added beyond a specific response to COVID-19. Almost six-in-10 are deploying a virtual private network this year. Half are deploying DNS firewalls in response to an increase in cyber threats. When asked if they already have a cloud-based DNS firewall, such as CIRA D-Zone DNS Firewall, 62 per cent said yes, up from 42 per cent in 2018. Among organizations that plan to add additional layers to combat the increase in cyber threats, 46 per cent are deploying password managers.
IT workers say they are devoting more resources to cybersecurity primarily because they want to prevent fraud and theft (55 per cent saying so), protect the reputation of their organization (53 per cent) and protect the personal information of customers (52 per cent).
That added security comes in response to not only facing more attacks, but also experiencing more negative impacts from those attacks. In the past year, eight-in-10 organizations faced at least one attack, with 21 per cent saying they faced more than 10 attacks. For those that faced attacks, 57 per cent say that at least one had a negative impact on their organization. Successful attacks were likely to impact network infrastructure and databases, with 86 per cent doing so. In addition, 94 per cent of attacks negatively impacted desktops and individual devices and 80 per cent affected user or customer data.
The costs of being attacked also affected productivity, with 30 per cent saying successful attacks prevented employees from being able to carry out day-to-day work. Attacks also led to increased fines by a regulator for twice as many respondents as in 2019, with 14 per cent saying fines are up over time compared to 7 per cent saying so last year, and just 4 per cent in 2018.
To respond to the increased challenges of cybersecurity and the more severe negative impacts of attacks, IT departments are responding with employee training (61 per cent saying so), security audits (47 per cent), and the installation of new software (45 per cent). But whether the response will be enough to meet the increased risk is in doubt. We’ve already seen that fewer organizations are expecting an increase in headcount to help with cybersecurity. Only 43 per cent anticipate more financial resources devoted to cybersecurity in the next 12 months, down from 54 per cent that expected an increase last year.
There is a concern that negative consequences may result from the disparity between risk and resources. Top of mind for IT workers is malicious software (like ransomware), with 57 per cent saying it could have the greatest negative impact in the future. Fifty-five per cent say that unauthorized access, manipulation, or data theft could have the greatest impact, and 55 per cent also worry about scams and fraud.
To watch for those risks, 64 per cent of workers plan to monitor the firewall, 44 per cent plan to monitor employees’ use of their computers and the internet, and 41 per cent plan to conduct penetration testing. Half of organizations will maintain a formal patching policy as well.
The overall picture is one of stretched IT resources and IT workers who have less influence over employees. Adding to the strain of the cybersecurity scenario is the increased pressure from regulators. We saw in the results in this section that double the number of firms are reporting increased fines from regulators or authorities when compared to 2019, but there are other signs that the regulatory burden is leading to weariness among workers.
Desire to Enhance Data Sovereignty and Tire of Regulatory Requirements
In Canada, recent changes to PIPEDA bring more pressure to companies that falter in their cybersecurity, requiring firms that suffer a data breach to inform the Privacy Commissioner of Canada in many situations. That change first came in 2018, the same year that companies serving customers in Europe also had to begin complying with the General Data Protection Regulation (GDPR) enforced by the European Union. We are seeing signs that firms are finding regulatory compliance more difficult with the added challenges posed by the pandemic.
Seven in 10 workers say they are familiar with PIPEDA in general, and 59 per cent are aware that PIPEDA now requires commercial organizations to disclose data breaches. That awareness has grown from just 42 per cent in 2018, when the change to the legislation was first made. The Office of the Privacy Commissioner of Canada (OPC) released statistics on data breach reports in October 2019 after its first year of implementing the requirement. OPC received 680 breach reports, six times the number it received one year earlier, when reporting was voluntary. The reports show that 28 million Canadians were affected by a data breach, and that the most common cause was unauthorized access, at 58 per cent of all breaches.
It will be interesting to see what the data looks like if OPC releases an update looking at its second year of mandatory reporting of data breaches. More organizations are storing the personal information of customers, employees, suppliers, vendors, or partners in 2020, with 66 per cent saying they do so this year compared to 59 per cent saying they did in 2018. Slightly more organizations experienced a data breach in the past year, with one-quarter saying they had at least one breach compared to just 15 per cent one year ago. Also, 38 per cent admit they don’t know if they had a data breach.
Despite more organizations storing personal information and experiencing breaches, they are much less likely to report a data breach to authorities this year. Only 36 per cent say they reported a breach to a regulatory body, down from 58 per cent doing so in 2019. Only 31 per cent reported a data breach to law enforcement, also down from 37 per cent last year. Forty-four per cent of those that experienced a data breach say they informed their customers of it, down from 48 per cent last year. Organizations are more likely to report a data breach to their management and senior leadership, with half doing so this year compared to just 40 per cent doing so last year. Similarly, 34 per cent informed their board of directors, up from 21 per cent one year ago.
The reported non-compliance with PIPEDA doesn’t bode well for the future of privacy legislation in Canada. If companies are already wary of the tougher data breach reporting, and would rather risk the penalties for failing to file a report than face the certain regulatory hammer that comes with making one, future modernization of the privacy act could be difficult to enforce. Privacy Commissioner Daniel Therrien has called upon the government to update PIPEDA to give his office order-making powers, meaning it could fine companies that don’t comply with PIPEDA. At present, OPC must take non-compliant organizations to federal court to ensure enforcement.
The Federal Government released a discussion paper in the spring indicating its intent to enhance the OPC’s enforcement and oversight roles. There are also provincial efforts underway to strengthen commercial privacy laws in Ontario and Quebec. Fifty-four per cent of IT workers say they are concerned about changes to PIPEDA this year, which is consistent with last year’s report, but up from 38 per cent being concerned in 2018.
New privacy concerns were raised by a slew of popular mobile apps this past spring. Apple’s beta release of its new mobile operating system, iOS 14, included a privacy feature that notified users when an app read the contents of their clipboard. The surprising thing is just how common it was for apps to snoop on the clipboard – this was far more than just a TikTok issue. Google Chrome, The New York Times, The Wall Street Journal, and Bejeweled are just a few of the popular apps that take a peek, reports MobileSyrup.
Four in 10 organizations say they use a mobile app for customers, suppliers, or partners. For those that do use one, 47 per cent of private sector apps track GPS or other location data, and 41 per cent are collecting data from users’ clipboards. Public sector mobile apps are less likely to collect this data, at 35 per cent collecting location data and 25 per cent collecting clipboard data.
Seventy per cent of IT workers say their organization has a formal data retention policy, and 43 per cent say they’ve made policy or process changes to how it handles customer data specifically because of new PIPEDA requirements.
With a U.S. presidential election just around the corner, many IT workers are thinking about whether their data is exposed to the prying eyes of American intelligence or law enforcement agencies. The concept of data sovereignty, the idea that a nation should remain in control of its own data by storing it within its own jurisdiction, received more attention in July after the Court of Justice of the European Union struck down the EU-US Privacy Shield. That sent many firms that do business internationally back to the drawing board to map out their data flows and put in place new contracts that would allow them to keep doing business. It may be that in order to maintain good business relations with the European Union, Canada will have to do more to demonstrate its own privacy laws are on par with recent legislation adopted in Europe and show it is able to operate outside of the reach of American jurisdiction.
CIRA advocates for a more resilient and secure internet infrastructure in Canada through increasing the number of Internet Exchange Points (IXPs) available. When major internet service providers form peering connections with IXPs on Canadian soil, less internet traffic is diverted south of the border. Interconnecting through these hubs also improves speed and latency, and saves money.
Given that context, it’s no wonder that about seven-in-10 respondents are worried about the flow of data through countries other than Canada, up from 49 per cent in 2018 and about on par with last year. Six in 10 are concerned about the flow of data through the U.S. in particular, also up from 49 per cent in 2018.
Perhaps with data sovereignty in mind, 80 per cent of organizations say they choose Canadian firms to provide outsourced services. Three-quarters of IT workers agree that it is important for Canadian organizations to store customer information in Canada.
Almost as many agree that there are important benefits to keeping local Canadian internet traffic within Canadian borders. The biggest perceived benefits of keeping data flows north of the border are improved information security (65 per cent) and mitigating geographically-sourced malicious attacks (46 per cent).
Conclusion – Organizations improve security but worry about dangerous threat landscape
Working towards a safe and secure internet for all Canadians is a major plank of CIRA’s mandate. After five years of experience in the cybersecurity field and with this third annual CIRA Cybersecurity Survey, we wanted to not only provide a comprehensive overview of the threat landscape in Canada compared to previous years, but also gain a unique understanding of the challenges posed by the pandemic.
Considering that COVID created a complicated scenario for many organizations, it’s no surprise to see some new challenges around cybersecurity emerging in this year’s report. Organizations that used to rely on workers gathering in the same building and using hardware deployed and monitored by IT staff are now trying to support their employees as they work across a distributed geography from home offices. Meanwhile, some organizations are reporting an increase in the number of attacks they’re facing, many of them themed to take advantage of COVID-19. As those employees anxiously make their way through government lockdowns and worry about their health, they are more likely to click on a phishing attempt.
It seems like there will be no cavalry to call in and save the day. Fewer organizations than last year are expecting to invest more resources into cybersecurity, both in terms of human and financial resources. Perhaps that’s why we see concern growing around the potential negative impact of cyber attacks on organizations.
No one will be surprised at the additional burden the pandemic scenario places on cybersecurity. What is more surprising in this report is the apparent weariness of organizations about complying with regulatory bodies. In last year’s report, we expressed hope that more organizations would see the wisdom in being transparent about data breaches after finding that 58 per cent of those that were breached made a report to a regulatory body. This year, only 36 per cent reported a data breach to a regulator. It appears that despite being more aware of the new requirements of PIPEDA, more organizations are choosing to take the risk of non-compliance.
Political events set to unfold in the remainder of 2020 hold major implications for cybersecurity in Canada. If the federal government passes stricter privacy requirements as an update to PIPEDA, then organizations may be hard-pressed to maintain compliance. The government may have to further entice businesses to make good on their requirements with either a carrot (providing resources to those that report data breaches) or a stick (big fines for those that don’t report a breach soon after discovering it).
Whatever happens, CIRA is here to help. With more than 20 years of managing .CA, Canada’s top-level domain, we have learned a thing or two about cybersecurity. That allows us to make products like the CIRA DNS Firewall, CIRA Anycast DNS, and CIRA Cybersecurity Awareness training, each uniquely designed for Canadian organizations to provide a critical layer of defence within an organization’s overall cybersecurity strategy. We also hope this report on cybersecurity trends will help to strengthen Canada’s cybersecurity capacity and contribute towards an internet that’s both resilient and accessible.
About the respondents
- CIRA contracted The Strategic Counsel to interview 500 workers with responsibility for IT security.
- Surveyed workers managed a minimum of 50 users of desktops or mobile devices for at least 20 per cent of their work.
- Respondents held budgetary authority over cybersecurity decisions.
- 100 per cent of respondents were at least somewhat familiar with their organization’s computer and IT functions.
- 26 per cent of respondents belong to an organization with 50 to 99 employees who use computers or mobile devices; 29 per cent represent organizations with 100 to 229 employees, 15 per cent represent organizations with 250 to 499 employees, 13 per cent are in the 500 to 999 range, and 18 per cent work for an organization with more than 1,000 employees.
About the organizations
While our survey included a variety of organizations, the majority of the sample indicated that they had been in operation for quite some time, with 55 per cent indicating they have been in business for more than 20 years. In total, 64 per cent of businesses in our sample indicated they do business in Canada only.
Private sector organizations represented 65 per cent of the sample, while public or not-for-profit organizations represented 35 per cent.