Skip to main content
  • Cybersecurity

2022 CIRA Cybersecurity Survey

New reality for Canadian organizations and the people they serve

At a time when Canadians are very concerned about online privacy and security issues and when organizations must deal with ever-evolving threats, CIRA continues to mobilize and support its online communities. As part of its role of providing essential resources to better understand the challenges of the Internet, CIRA publishes its annual Cybersecurity Survey.

You can read more about this year’s survey results and how the pandemic has changed the game and created a new reality for many organizations in the sections that follow.

Full survey results

The 2022 CIRA Cybersecurity Survey was conducted by The Strategic Counsel in August of 2022, collecting 500 online responses from cybersecurity decision-makers across Canada. The goal was to identify industry trends in perceptions and attitudes.

You can find the full survey results here and a summary of the findings below.

Full survey results

Executive summary

Fewer restrictions, evolving cyber threats and new legislation make 2022 a critical year for cybersecurity

The transformation in how we work—whether in-office, virtual or hybrid—has had a profound impact on how businesses and organizations protect themselves from cyber threats and secure personal data. The proliferation of cybersecurity tools, including artificial intelligence (AI) and cloud computing, has resulted in a constantly evolving threat landscape where new malicious actors and novel tactics are seen almost daily. The 2022 CIRA Cybersecurity Survey unpacks how Canada’s cybersecurity professionals are managing these threats and provides insight into the solutions they employ to keep their data, networks and users safe.

Through this report, cybersecurity professionals have indicated just how much their responsibilities have changed over the last year in the face of these mounting threats. Accordingly, 96 per cent of organizations indicate that they conduct mandatory cybersecurity awareness training for at least some employees. This is a notable increase since the start of the pandemic when only 87 per cent conducted such training.

A trend that was both unexpected and encouraging saw 63 per cent of respondents indicate that data sovereignty—the principle of ensuring user data and traffic stays in Canada—was a major consideration for cybersecurity professionals when seeking cybersecurity vendors, beating out price as a factor.

Of course, government plays a significant role in helping protect Canadians online—both through legislation and programs that enhance the cybersecurity landscape. Bill C-27, The Digital Charter Implementation Act—which could have a significant impact on how user data is protected and stored—is currently making its way through Parliament. However, only 55 per cent of cybersecurity professionals were aware of the bill. Notably, nearly six-in-ten (59 per cent) of those who were aware of the bill stated that they were concerned about how it could affect their organization. This highlights the need for more government outreach on this pending legislation, explaining its impact on Canadian organizations of all sizes.

No network is 100 per cent secure, so, to protect against the threats that do get through, it is important that organizations have a cyber response plan. This year’s survey found that 82 per cent of organizations have a plan in place to respond to a cyber attack. The importance of having a plan cannot be understated, as developing one in the middle of an attack is less than ideal, and we know that six-in-ten Canadian organizations have been required to deploy their response plan in the face of an active threat.

A telltale sign of an evolving risk to business is the reaction of the insurance industry. Insurance companies in Canada have been ahead of the cyber threat curve which can be seen in the gradual increase of cybersecurity policies. While still an emerging trend, the number of organizations with cybersecurity insurance increased to 15 per cent in 2022. This is a trend we only expect to gain momentum in the coming years.

Over the coming weeks, we will be breaking down the results of the 2022 CIRA Cybersecurity Survey into a series of blog posts (which you can find in this section below), each covering a key insight in greater detail. It is our hope that cybersecurity professionals can gain some insight from our data that will inform their understanding of the threat landscape in Canada.

Key Findings

  • Three-in ten (29 per cent) organizations experienced a breach of customer and/or employee data. Before the pandemic, only 18 per cent said they experienced it.
  • The most common impact of cyber attacks is preventing employees from carrying out work. Also, 15 per cent of organizations reported a loss of customers following an attack. This number has doubled from pre-pandemic levels.
  • Organizations that paid a ransom typically paid at least $25,000.
  • Just over half cybersecurity professionals (55 per cent) are aware of Bill C-27 and of those ones, six-in-ten (59 per cent) are concerned about the potential impact of the bill on their organization. The private sector appeared to be less prepared to implement new requirements.
  • MUSH organizations* (30 per cent)are more likely to rate privacy protection for consumers in Canada as poor.
  • Most organizations (63 per cent) consider data sovereignty as more important than price when selecting a cybersecurity service vendor.
  • 25 per cent more Canadian organizations have cybersecurity insurance in 2022, despite increasing costs and requirements.
  • Nearly all organizations (96 per cent) conduct cybersecurity awareness training that is mandatory for at least some employees. This number has increased from 87 per cent before the pandemic.
  • Most security professionals (82 per cent) indicate that their organization has a cyber incident response plan while six-in-ten organizations have used their cyber incident response plan in the last 12 months.
  • Just over half (55 per cent) characterize their organization as more vulnerable to cyber threats because its employees work remotely. 

* (public sector, including only municipal government or agency, hospital or other health care organization, primary or secondary school, college or university, or school board)


Visual highlights

The most common impact of cyber attacks is preventing employees from carrying out work. And 15% of organizations reported a loss of customers following an attack which is double the pre-pandemic level.

Canadian organizations and the threats they face


Just over half 55% of IT professionals characterize their organization as more vulnerable to cyber threats because its employees work remotely.

The biggest perceived threats are ​​​​​​unauthorized access/theft of data and malicious software. Organizations that paid a ransom typically paid at least $25,000.

In 2022, 73% of organizations admit to paying the ransom, up from 69% the previous year.

More organizations across the country have decided to invest in cybersecurity insurance, a notable increase from 59 per cent last year to 74 per cent in 2022, despite increasing costs and requirements.


82% of IT professionals indicate that their organization has a cyber incident response plan with six-in-ten adding that they have used it in the last 12 months.

Does your organization conduct cybersecurity awareness training for its employees?

2022: 96% yes

2019: 87% yes

2022: 4% no

2019: 11% no

Most organizations conduct cybersecurity awareness training quarterly or less. The proportion that conducts training at least quarterly is higher in 2022 (67 per cent) than in previous years.Data suggests there is a gap between the volume of threats organizations face and the frequency with which training is conducted.

Focusing on privacy, data sovereignty and new policy

Three-in ten (29 per cent) organizations experienced a breach of customer and/or employee data last year against 18 per cent before the pandemic.

Among these, a total of 44% informed their customers.

In June 2022, the Canadian government tabled Bill C-27 to update Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to create a new tribunal, and to propose new rules for artificial intelligence (AI) systems.

Just over half of Canadian organizations (55%) are aware of Bill C-27 and of those who are aware, six-in-ten (59%) are concerned about the potential impact on their organization.

Half of organizations (49 per cent) rate privacy protection for consumers in Canada as excellent or good with the exception of MUSH organizations. They are more likely (30 per cent of them) to rate privacy protection for consumers in Canada as poor.

With the heavy volume of personal and professional data stored in the cloud as well as the data in motion, organizations have to be cautious. Data sovereignty means that digital data is subject to the laws of the country in which it is located. Data stored in Canada falls within Canadian privacy laws, as well as data that flows only within our borders. Once an organization’s data travels outside of Canada’s borders it is open to the laws of the land.

Most organizations (63 per cent) consider data sovereignty as more important than price when selecting a cybersecurity service vendor.

Blog Series

As part of October’s Cybersecurity Month, CIRA is publishing a series of blog posts based on the findings of the 2022 Cybersecurity Survey.

Below you will find links to each piece in the series as it is published: 

  1. Personal data and cyber threats: is your brand protected?
  2. The value Canadian organizations place on data sovereignty
  3. Bill C-27 is here: will you be ready?
  4. The challenges associated with the rise of remote work
  5. The state of ransomware in Canada

CIRA Cybersecurity Services

CIRA has leveraged its experience managing a network of over 3 million .CA domains to develop a suite of enterprise-grade cybersecurity products — made by Canadians, for Canadians:

  • CIRA DNS Firewall: a cloud-based cybersecurity solution that protects organizations from malware, ransomware, phishing, and other cyberattacks.
  • CIRA Canadian Shield: a free cybersecurity service that improves privacy by anonymizing DNS queries. It helps Canadian households block viruses, ransomware, and other malware.
  • CIRA Cybersecurity Awareness Training: an integrated courseware and phishing simulation platform that enables organizations to educate their staff to protect themselves from cyber risks like social engineering and ransomware.

You can learn more about CIRA Cybersecurity Services here.

Read more