2023 CIRA Cybersecurity Survey

Is 2023 a watershed year for cybersecurity? 

If you’ve been reading the news lately, you know that the cyber threat landscape continues to evolve rapidly, with more critical and high-profile organizations facing cyber incidents than ever before. The sheer volume of attacks is rising, and the arrival of ChatGPT, DALL-E 2 and other generative AI platforms within the last year has lowered the bar for would-be cyber criminals looking to launch more sophisticated and damaging attacks faster and with less effort.  

Each year, CIRA Cybersecurity Survey asks Canadian cybersecurity professionals to share their views about the nature of current and future threats, their ability to fend them off and the enormous costs that cyber risks pose to their organizations—both financial and reputational.  

 
Discover the 2023 results! 

Executive summary

There’s no doubt that 2023 will be remembered as the year that inexpensive, easy-to-use AI tools came into their own—and CIRA’s 2023 survey results reflect it. The novel threats posed by generative AI are top of mind, with most organizations (68 per cent) expressing concern about their potential impact. Despite these concerns, few organizations are taking pre-emptive steps against this new category of threat, with only about a third (32 per cent) of cybersecurity experts reporting having an AI policy to protect and educate their teams.  

The survey findings also shed new light on the recovery costs following a cyber attack, which have reached unprecedented heights. Notably, of the 23 per cent of organizations that were victimized by a ransomware attack in the past 12 months, 70 per cent paid the attackers’ ransom demands. 

In addition to paying these exorbitant ransoms, nearly three in 10 organizations (29 per cent) reported experiencing a loss of revenue as a result of a cyber attack—nearly double the 2022 figure of 17 per cent—while one quarter (24 per cent) said they had suffered reputational damage. Organizations also reported taking a significant productivity hit following an attack as they tried to get back on track.  

While every organization is vulnerable to the impacts of cyber crime, the data shows those in the MUSH (Municipal, University, School and Hospital) sector are at the greatest risk of falling prey to malicious actors. These organizations are a persistent target because they hold large amounts of valuable personal data and deliver essential services to the public. Almost two-thirds (64 per cent) of MUSH organizations have used their cyber incident response plan in the last 12 months.  

The majority of Canadian organizations are putting measures in place to protect themselves, with almost three-quarters (73 per cent) indicating that the financial resources allocated to IT system management and cybersecurity have increased in the past year. But overall, the 2023 CIRA Cybersecurity Survey finds them still ill-prepared to handle the potentially devastating consequences of a major attack.  

Over the coming weeks, we will be breaking down the survey results in a series of blog posts (which you can find in this section below), each covering a key finding in greater detail.  Through our data, Canadian and global cybersecurity professionals will gain valuable insights to better understand Canada’s threat landscape. 

Key Findings

• Almost seven-in-10 (68 per cent) organizations are worried about potential cyber threats from generative AI, but only three in-10 (32 per cent) say their organization has an AI policy in place. 
• Among the organizations that experienced a ransomware attack, 70 per cent indicated that they paid the ransom demands. Out of those that paid the ransom, nearly one quarter (22 per cent) paid between $50K – $100K. 
• 40 per cent of organizations experienced an employee and/or customer data breach last year (an 11 per cent increase from 2022). 
• More than six-in-10 (64 per cent) of organizations have used their cyber incident response plan in the last 12 months.  

• Most say it took under a month to recover their organization’s IT systems to pre-incident capacity, and just under half (47 per cent) say it took less than a week.  
• Nearly 30 per cent of organizations experienced a loss of revenue as a result of a cyber attack (up from 17 per cent in 2022), and one quarter (24 per cent) experienced damage to their reputation.  
• Organizations face cyber risks by relying on outdated technology, as over one-third (37 per cent) of firms report using technology released prior to 2010. 
• Almost three-quarters (73 per cent) of Canadian organizations indicate that the financial resources allocated to IT systems management and cybersecurity have increased in the past 12 months.  

CIRA Cybersecurity Services

CIRA has leveraged its experience managing a network of over 3 million .CA domains to develop a suite of enterprise-grade cybersecurity products — made by Canadians, for Canadians: