
Pay up: the costly cyber breaches every IT manager should fear

By Eric Brynaert
Product Marketing Manager

CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, conducted by research firm The Strategic Counsel in August, collected over 500 responses from IT professionals across the country. This is the second blog post in a series of four for 2023.  

Canadian organizations in virtually every sector continue to fall prey to cybercriminals with alarming frequency. In recent months, the likes of Suncor Energy, Indigo, The Weather Network and Sick Kids have all been the victims of devastating and costly cyber attacks. And those are just the headline grabbers. Data from the 2023 CIRA Cybersecurity Survey found that four in ten organizations (41 per cent) have experienced a cyber attack in the last 12 months.

If cybersecurity professionals are understandably worried about their ability to step up their defences to protect their organizations, they’re equally concerned about the rising costs associated with recovery. For organizations unlucky enough to be victims of a successful attack, one thing is crystal clear: recovering from a cyber incident is enormously costly.

Paying off hackers after a ransomware attack is one of the most obvious costs victims find themselves on the hook for. These types of attacks are now commonplace in Canada and will continue to grow with the widespread availability of fee-based “ransomware-as-a-service” schemes, which enable low-skill hackers to launch attacks with the click of a button.

In this year’s survey, just under a quarter of organizations (23 per cent) say they experienced a ransomware attack in the last 12 months. Of these, the majority (70 per cent) agreed to pay the ransom. Overall, organizations that paid a ransom typically paid at least $25,000, while nearly one quarter (22 per cent) paid their attackers between $50,000 and $100,000.



In some cases, paying the initial ransom still isn’t enough to get started on the road to recovery. With a so-called double-extortion attack, the victim pays not one ransom, but two: one to regain access to their data and a second to prevent the attacker from exposing that data on the dark web.

Paying off hackers is just the start.

As costly as ransom payments are, they’re often just the tip of the iceberg when it comes to the total financial impact of a successful attack. Take lost revenue. Any type of cyber incident can result in lost sales, and often does. Nearly 30 per cent of organizations say they experienced a loss of revenue as a result of a cyber attack, which is up from 17 per cent in 2022.

Indigo is a case in point. When Canada’s biggest bookstore experienced a catastrophic ransomware attack in February 2023, it was unable to process debit or credit card transactions in its stores for several days, and online sales were severely impacted for close to a month. In explaining the reasons for its $50 million loss in the 2023 fiscal year, the company specifically cited the cyber attack.

Repairing the damage to an organization’s IT infrastructure following an attack is a costly endeavour. Six in 10 (61 per cent) organizations say they sought external help for incident response and recovery in connection to cyber attacks or incidents in the last 12 months. Of these, 63 per cent say they turned to a cybersecurity consulting firm for help, while 36 per cent sought the assistance of a government agency with cybersecurity expertise.

Most organizations say it took under a month to recover compromised or stolen data, and 44 per cent say it took less than a week. And in terms of restoring their organization’s IT systems to pre-incident capacity, most say it took under a month to recover, and just under half (47 per cent) say it took less than a week. For organizations with sophisticated operational technology (OT) with long life cycles, this recovery time is sure to be longer.



Big reputation?

It might not be top of mind when managing a cyber incident, but reputations take a long time to recover. One quarter of Canadian organizations (24 per cent) say they experienced damage to their reputation in the aftermath of a cyber attack. Negative publicity and a backlash on social media can be extremely challenging to counter, and if consumers have doubts about an organization’s ability to deliver services securely or safeguard their data, they may be inclined to spend their money elsewhere.

For Canadian organizations the path forward is clear. The cost of implementing the latest cybersecurity protections, training and best practices is much less than the cost of recovering from a major attack. You don’t want to be another headline, and you don’t want to have to dedicate time and resources when you could be doing business-as-usual.

If you’re looking for enterprise-level protection from malicious threats to your organization, check out CIRA’s suite of enterprise-grade cybersecurity products.

About the author
Eric Brynaert

Eric is a Product Marketing Manager with CIRA Cybersecurity Services. His background in digital marketing has led him to appreciate the vital role data plays for Canadian organizations and individuals, and the need to keep it safe. Eric has an MBA in International Business from Sup de Co La Rochelle.