CIRA publishes an annual survey of Canadian IT and cybersecurity professionals to better understand how they are coping with cyber threats. The survey of 500 cybersecurity professionals across the country was conducted by research firm The Strategic Counsel in August. This is the first blog post in a series of four documenting 2024 cybersecurity trends.
In Canada, coverage of malicious cyber attacks is now a regular feature of the weekly news cycle. The last 12 months have seen many well-known Canadian businesses, public institutions and not-for-profits hit by major cyber incidents. London Drugs, Giant Tiger, Laurentian University, Global Affairs Canada and FINTRAC are just some of the many high-profile organizations that have fallen prey to cyber criminals and seen their operations disrupted, their data put at risk and their reputations tarnished.
In September 2023, Pelmorex, The Weather Network’s parent company, was victimized by a devastating ransomware attack that took down its operations for several days. While the company was in the process of restoring its services, millions of Canadians looking to get daily forecasts and alerts from the company’s website or mobile app were out of luck. Pelmorex ultimately opted not to pay the ransom, even though the LockBit ransomware group, which launched the attack, had acquired some of the company’s data and threatened to make it public.
As part of its investigation, Pelmorex sought assistance from the RCMP. Just five months later, in February 2024, the RCMP itself announced that it had been the target of a major cybersecurity incident. Yes, even an organization responsible for investigating crime in Canada—including cyber crime—is vulnerable. Although the agency characterized the attack as “alarming” in a statement, it also said that it posed no known threat to Canadians.
Operational disruption, lost productivity and reputational damage
The impacts of these and other cyber incidents are multifaceted. Operational disruption is a given; the most common impact of a cyber attack this year is employees being prevented from carrying out their work (32 per cent). This leads to lost productivity and lost revenue (26 per cent). When hackers acquire valuable private data, victims find themselves in a no-win situation. They can either pay a significant ransom or deal with the fallout from their data being leaked publicly and potentially exploited by other bad actors. Perhaps worst of all, any cyber attack results in a loss of trust from the organization’s customers, employees, donors or constituents, which in almost every case leads to some degree of reputational damage that is extremely difficult to recover from. It’s a heavy price to pay.
Damaging cyber attacks still on the rise in Canada
While the specific details of individual attacks vary, malicious cyber incidents are very much on the rise in Canada, and it’s not just the organizations you’re hearing about in the news that are being affected.
According to the results of the 2024 CIRA Cybersecurity Survey, more than four in 10 cybersecurity professionals (44 per cent) say their organization experienced an attempted or successful cyber attack in the last year. While no sector was immune, public sector (58 per cent) and MUSH sector (55 per cent) organizations reported more attacks than their private sector (41 per cent) counterparts.
Ransomware attacks are one of the top threats, with 28 per cent of organizations reporting they have been the victim of such an attack in the last 12 months, up from 17 per cent in 2021. Among these organizations, 73 per cent said that their data was exfiltrated and 79 per cent said they paid ransom to their attackers. Organizations in this latter group typically paid at least $25,000 in ransom, with 27 per cent handing over between $50,000 and $100,000 and 11 per cent handing over more than $100,000.
Cyber criminals are getting better at acquiring your data
Another key finding from this year’s survey is that cyber criminals are getting better at acquiring data from their victims. Just under four in 10 (38 per cent) organizations that suffered a cyber attack experienced a breach of customer data, employee data or both, up from 29 per cent in 2022.
Among organizations that experienced a data breach, over half informed senior leadership (53 per cent), and just under half informed the board (46 per cent) or their customers (45 per cent). About four in 10 informed a regulatory body (42 per cent) or law enforcement (38 per cent).
The reputational damage that organizations have suffered following a cyber incident has also trended up over time. Just over a quarter (28 per cent) report damage to their organization’s reputation as an impact, compared to only six per cent in 2018 and 19 per cent in 2022, while 26 per cent report losing customers following an attack.
As this year’s survey data makes clear, cyber attacks will continue to affect Canadian organizations in every sector. How an organization prepares for an attack and responds in the moment is vitally important, not only for avoiding costly disruptions and data theft in the first place, but also for protecting itself from the loss of trust and long-term reputational damage that is an inevitable consequence of any successful attack.