- 71 per cent of organizations reported experiencing at least one cyber-attack that impacted the organization in some way, including time and resources, out-of-pocket expenses, and paying ransom.
- While 96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents, only 22 per cent conducted the training monthly or better.
- Only 41 per cent of respondents have mandatory cybersecurity awareness training for all employees.
- Among those businesses that were victimized by a cyber-attack, 13 per cent indicated the attack damaged their reputation. This perception is a sharp contrast to the findings of CIRA’s recent report: Canadians deserve a better internet, which indicated that only 19 per cent of Canadians would continue to do business with an organization if their personal data were exposed in a cyber-attack.
- 43 per cent of respondents were unaware of the mandatory breach requirements of PIPEDA.
- Of those businesses that were subject to a data breach, only 58 per cent reported it to a regulatory body; 48 per cent to their customers; 40 per cent to their management and 21 per cent to their board of directors.
- 43 per cent of respondents who said they didn’t employ dedicated cybersecurity resources cited lack of resources as the reason. This is up from 11 per cent last year.
A lot has happened since our last cybersecurity survey. The good news is that more attention, time and resources are being directed towards cybersecurity. The Canadian Centre for Cyber Security entered the scene, the federal government unveiled its CyberSecure cyber certification program, and the revamped Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect.
However, it’s not all good news. Canadian banks, schools, governments and businesses are still being taken down by cyber attacks, exposing customer data, paying ransoms to hackers, and losing valuable time recovering from breaches.
According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating an attack among Canadian organizations last year was $9.25 million.
Our goal with this survey is to provide insight into the Canadian cybersecurity landscape and understand just how Canadian businesses are preparing and coping with the new IT security reality.
CIRA contracted the research firm The Strategic Counsel to interview 500 individuals with responsibility for IT security decisions. The sample included those who manage a minimum of 50 users of desktops or mobile devices for at least 20 per cent of their work. All the respondents had budgetary authority over cybersecurity decisions.
In our sample, 92 per cent indicated that they were at least somewhat familiar with the organization's computer and IT functions, while 8 per cent held budgetary control but were less familiar with the systems in place.
Among those surveyed, 53 per cent indicated they were very familiar with their organization’s IT and computer function, while 47 per cent said they were somewhat familiar.
Finally, among the sample, 28 per cent indicated they belonged to an organization with 50 to 99 employees who use computers or mobile devices. Additionally, 31 per cent represented organizations with 100 to 229 devices, 14 per cent were in the 250 to 499 employee category, 12 per cent in the 500 to 999 range, and 15 per cent worked for organizations with more than 1000 employees who use desktop or mobile devices. In short, this survey presents a wide range of viewpoints that allows us to draw some interesting conclusions about the cybersecurity landscape in Canada.
About the organizations
While our survey included a variety of organizations, the majority had been in operation for quite some time with 56 per cent indicating they have been in business for more than 20 years. In total, 59 per cent of businesses in our sample indicated they do business in Canada only.
Private sector organizations represented 67 per cent of the sample, while public or not-for-profit organizations represented 33 per cent.
Now more than ever, Canadians need trust in the internet. We believe that security is the foundation of that trust which is why we have leveraged our experience safeguarding the .CA domain to help Canadian organizations protect themselves and their users.
Employees and Training
While cybersecurity is now a mainstream topic (for better or worse), we wanted to dig deeper to find out how organizations are preparing to meet the challenge being presented to them by the hackers, thieves and foreign spies of the world.
Reliance on vendors
If you have a kid in school, unless they are the next Bianca Andreescu, start dropping not-so-subtle hints about the demand for cybersecurity jobs now. A 2018 report by Deloitte indicated that 5,000 cybersecurity jobs would need to be filled in Canada between 2018 and 2021, and organizations across the country are scrambling to try to fill the gap.
Naturally, this means that for the time being outsourcing is going to continue to be a central part of the cybersecurity mix. It also reflects that in many organizations dedicating a full-time resource to cybersecurity may not be deemed necessary, while the time and effort needed to stay on top of the latest threats can't generally be taken on as a part-time job.
Among our sample, 68 per cent relied either fully or partially on external resources, with 20 per cent saying they outsource all of their cybersecurity needs. Only 31 per cent reported the exclusive use of internal resources. This underscores the importance of understanding the security footprint of your managed service provider and ensuring they have a complete suite of cybersecurity solutions.
To get a clearer picture of the level of commitment among our sample to cybersecurity, we asked how many people in their organization worked in information technology. The most common response, at 29 per cent, was two to five employees dedicated to IT. Interestingly, when broken down to public and private organizations, the difference is vast. While private organizations typically have 1-5 employees with a primary job responsibility in IT, public organizations often have 30 or more.
When we focused in on cybersecurity, private organizations have between one and five employees responsible for cybersecurity. This suggests that in general, all IT employees have at least some responsibility for cybersecurity (versus relying on specialists). Conversely, among public organizations, the ratio of IT to security drops quite significantly. Public organizations that answered “more than 50 people” in IT had proportionally fewer responsible for security. The takeaway here seems to be, if you have more people you can afford to specialize but in smaller shops, everyone has to pitch in. It is a risk to smaller organizations as security has become quite a specialty.
Lack of resources
Among the respondents, the primary reason cited for having no employees dedicated to cybersecurity was the use of external contractors (51 per cent). However, given the importance of having institutional knowledge of cyber threats and risk factors in the organization, it was surprising to see that fully 43 per cent indicated that they didn’t have the resources to employ a dedicated internal cybersecurity resource.
This represents a significant increase over last year, when 27 per cent of respondents indicated a lack of resources as a barrier. Perhaps it is the increased public awareness of cybersecurity as a critical function for businesses that has increased the demand (and therefore cost) of having internal resources. It may also reflect the desire of larger IT teams to keep their internal resources focused on their users and to outsource cybersecurity to experts.
43 per cent of respondents said a lack of resources is preventing them from hiring a dedicated cybersecurity professional.
This is up from 27 per cent last year.
Cybersecurity is about more than just the IT department and the tools they use. Every user, every employee and every contractor has a role to play in keeping an organization safe. With this in mind, we asked our respondents some questions about cybersecurity awareness training.
First, we asked how many organizations provide some kind of cybersecurity awareness training for their employees. In total, 87 per cent of respondents indicated that some form of training was offered at their employer. Interestingly, this number was identical among both private and public organizations. However, only 41 per cent indicated that the training was mandatory for all employees.
You don’t have to be in IT, or even use a desktop regularly, to click on a bad link or pop a USB drive into a laptop without thinking about the consequences. Quality training has been shown to deliver improved security by reducing all types of incidents.
Only 41 per cent of respondents indicated that cybersecurity training was mandatory for all employees.
Next, we asked for more detail on what exactly the training entails to understand whether organizations were investing in newer methods and more sophisticated tools.
Of those who indicated that they had some form of cybersecurity awareness training at work, only 21 per cent said they used an integrated training, phishing and reporting platform, and the same number said they conducted standalone phishing simulations. Just over 50 per cent indicated they created and delivered their own internal training material, which might be OK if they have the in-house expertise to do so. To deliver in-house training effectively, IT needs to know more than just cybersecurity best practices; they also need to know how the majority of their employee base, non-technical adults, learn and retain training.
Do you like pizza? We do, and 36 per cent of respondents indicated that their training consists of lunch and learn workshops. Free pizza is a great way to attract people, but it is unlikely that most attendees were drawn in by their desire to learn more about how to be safe from botnets. We posit that within a few weeks (at best) the attendees will have forgotten what they learned.
Anyone who had a service job as a teenager probably vaguely remembers being given WHMIS training on the first day. Where is the eyewash station? How do I handle bleach? What chemicals might blow up? That kind of thing. While the nature of bleach doesn’t change much over time, cybersecurity changes daily. That’s why we asked respondents about the frequency of their cybersecurity awareness training.
If we're being generous, 22 per cent of respondents indicated a frequency that could pass as vigilant: monthly or better. While 76 per cent indicated their cybersecurity awareness training took place quarterly or worse, a full 40 per cent said it was annually or less, which is barely enough to keep up with trendy memes, let alone hackers.
What is the impact of cybersecurity awareness training? With the rate of change in cyber threats, constant vigilance must have some kind of impact, right? We asked respondents how they measured the impact of cybersecurity awareness training. In total, 46 per cent of respondents indicated that they tracked training results and risk scores over time. This kind of tracking allows IT managers to see in real-time if their efforts are having an impact on behaviour. In terms of bottom-line impacts, 27 per cent indicated they had saved time, and 25 per cent said they reduced costs on security incidents.
Overall, 96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents or risky online behavior. It would seem that while organizations are increasingly delivering training, there are still some challenges when it comes to confidently measuring the success and ROI of their training efforts. This isn’t surprising, given the majority of our respondents are doing in-house training and lunch-and-learns without the support of a fully integrated web platform.
96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents.
Finally, the most common answer for why an organization doesn’t conduct cybersecurity awareness training came down to insufficient IT human resources (44 per cent) and uncertainty on the best approach (32 per cent).
While we can assume those respondents see some value in adopting training, 36 per cent of respondents that do not do training either are not considering it for now, don’t do it because previous training was unsuccessful, or just simply do not believe it works. Even though training adoption is increasing, there is still a ton of work for the cybersecurity industry to do when it comes to learning about the value of…learning.
While technical solutions are important, the best layer of security for any organization is cyber-aware employees. We are happy to see more organizations embracing cybersecurity awareness training as a critical element of their defense. However, there is more work to be done to ensure the quality and rigor of the training offered keeps pace with the ever-changing world of cybersecurity.
Impacts and Response
How organizations are responding
In total, 71 per cent of organizations reported experiencing at least one cyber-attack that impacted the organization in some way, including time and resources, out-of-pocket expenses, and paying ransom.
We gathered several of the newer, or perhaps less used, cybersecurity services to see if organizations were adopting them to help mitigate the threats. Topping the list were deploying DNS firewalls at 57 per cent, password managers at 51 per cent, and security training at 41 per cent. At the bottom of the list, though still a large number, were the use of a SIEM at 27 per cent, outsourcing to an MSSP at 25 per cent and cybersecurity insurance at 25 per cent. These are all fast-growing industries and the numbers show tremendous potential for further growth.
CIRA provides cybersecurity services in three core areas. The first is a global secondary DNS service, the second is a DNS firewall and the third is cybersecurity awareness training. So naturally, we asked a few questions in these areas.
Impact of training
As organizations get larger they tend to estimate significantly more random-looking numbers as it relates to the number of cyber incidents (i.e. everything from a breach to a minor DDoS event). This suggests that organizations aren't keeping good track of the number of incidents that they are dealing with. Smaller organizations with fewer IT people had a better handle on the numbers, probably because they individually responded to each of them. That said, the averages did tell compelling stories.
Organizations with under 1000 users that reported doing integrated cybersecurity awareness training that included both computer-based learning and phishing simulation reported a 2.2 times reduction in incidents that impacted desktop users. This is consistent with our own analysis from CIRA's Cybersecurity Awareness Training service, which showed a 3 times reduction in users clicking on phishing emails when they are using a platform (remember that not every bad click is going to lead to a problem). In essence, awareness training is correlated to fewer problems.
One of our hypotheses was that organizations that are mature in how they conduct training may also be mature in other advanced cybersecurity tools that they deploy and that this could skew the data. It was to our surprise that those who reported using phishing simulation didn’t use other new cybersecurity tools at a rate any higher than those who didn’t. By “new” we meant tools like a SIEM, password managers, cloud firewalls, cyber insurance, etc. Of the 154 organizations that reported not doing phishing simulations, they reported using 858 of the new tools. Of the 188 that reported doing phishing simulation, they reported 873 other new tools.
Impact of DNS firewall
A DNS firewall is a type of malware and phishing filter that sits outside the organization and blocks users and botnets from accessing malicious content. It is a useful layer of security when it uses unique data science to deliver a threat block list that is different from those that feed the other layers (like antivirus, traditional firewall, etc.).
When compared to training, blocking content at the DNS layer is a more mature category and fully 62 per cent of organizations reported doing it specifically with a third-party supplier (versus URL blocking in the firewall).
When we correlated those that use a DNS firewall with the incident report, we found that those with a DNS firewall reported 16 per cent fewer desktop incidents. Again, this is a multi-variate analysis given the various tools available to organizations, so the reason we focused on the desktop was because a DNS layer has a higher direct impact at that layer. It is harder to measure when a botnet gets in through a desktop but ultimately impacts servers or databases elsewhere, and the original vector may not get uncovered.
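To make the DNS-layer blocking described above concrete, here is an added example (not CIRA's code or the D-Zone product): a minimal response-policy check that refuses lookups for names on a DNS threat feed, matching parent domains so subdomains of a listed domain are caught, and a helper that shows which blocked queries a second layer (an endpoint URL list) would have missed. All feed entries and the sinkhole address are constructed placeholders.

```python
"""Added example: a DNS-firewall style policy check (not CIRA's code).

A DNS firewall answers or refuses the name lookup before the client ever
opens a connection, so a user or an infected host never reaches the listed
domain. The value of the layer rises when its feed differs from the feeds
behind other layers, which dns_only_catches() measures on sample queries.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample feed for the DNS layer (hypothetical domains, not IoCs).
DNS_FEED: Set[str] = {"bad-update.example", "login-verify.example", "c2.example"}
# Constructed sample feed for another layer, e.g. an endpoint antivirus URL list.
ENDPOINT_FEED: Set[str] = {"bad-update.example", "drive-by.example"}
SINKHOLE_IP = "0.0.0.0"  # placeholder answer returned instead of the real record


@dataclass(frozen=True)
class Verdict:
    qname: str              # normalized query name
    action: str             # "block" or "allow"
    matched: Optional[str]  # feed entry that matched, if any
    answer: Optional[str]   # sinkhole address on block, None on allow


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'WWW.C2.example.' matches."""
    return qname.strip().rstrip(".").lower()


def matching_entry(qname: str, feed: Set[str]) -> Optional[str]:
    """Walk the parent labels: evil.c2.example is caught by an entry for c2.example.

    Matching is label-based, so 'notc2.example' is NOT matched by 'c2.example'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def resolve_policy(qname: str, feed: Set[str] = DNS_FEED) -> Verdict:
    """Decide whether a query is answered normally or sinkholed."""
    name = normalize(qname)
    hit = matching_entry(name, feed)
    if hit is not None:
        return Verdict(name, "block", hit, SINKHOLE_IP)
    return Verdict(name, "allow", None, None)


def dns_only_catches(queries: Iterable[str]) -> List[str]:
    """Queries the DNS feed blocks that the endpoint feed alone would have missed."""
    return [
        q for q in queries
        if matching_entry(q, DNS_FEED) is not None
        and matching_entry(q, ENDPOINT_FEED) is None
    ]


def log_line(client: str, verdict: Verdict) -> str:
    """One line per blocked query, the record a SIEM or analyst would pivot on."""
    return (f"dnsfw client={client} qname={verdict.qname} "
            f"action={verdict.action} matched={verdict.matched}")


if __name__ == "__main__":
    # Constructed sample queries from two desktops.
    sample = ["www.c2.example.", "notc2.example", "bad-update.example",
              "login-verify.example", "good.example"]
    for q in sample:
        print(log_line("10.0.0.5", resolve_policy(q)))
    print("caught only at the DNS layer:", dns_only_catches(sample))
```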
Organizations that reported doing integrated cybersecurity awareness training reported 2.2 times reduction in incidents that impacted desktop users*.
*organizations with fewer than 1000 users
Of course, no amount of preparedness, resources or vigilance can stop cyber-attacks altogether. We have spent 100 years trying to make roads safer and there are still daily accidents in the thousands; the same is true of cybersecurity.
So, just how prevalent is the problem?
In total, 37 per cent of respondents reported not knowing how many cyber-attacks they faced last year, which is probably 73 per cent lower than what the right answer probably is. It is great that, on the whole, IT people know that it is difficult to estimate what is happening in such a grey area where their job is to mitigate risk. Among those that did attempt to estimate the number of attacks, 18 per cent experienced 10 or more while 11 per cent reported zero.
While it is nice to estimate the number of attacks, what matters most is how many had real impact. Respondents indicated that the average number of attacks with a measurable impact was 19 per cent. Another 33 per cent responded not knowing how many impacted the organization, 6 per cent indicated they were impacted by 10 or more threats while 29 per cent reported no impact from cyber threats.
When we think about the impact of a cyber-attack, we often focus on the direct financial costs; but what about the indirect costs? To find out more, we asked respondents to tell us how these attacks impact their organization.
Although 30 per cent indicated the incident was minor (indicating little to no observed impact), the top consequences included the time required for employees to respond to the attack (28 per cent); the inability of employees to carry out their regular work (28 per cent); and the prevented use of resources or services (26 per cent). All those impacts carry indirect monetary and productivity costs. An additional 13 per cent indicated the attack damaged their reputation. This perception is a sharp contrast to the findings of CIRA’s recent report: Canadians deserve a better internet, which indicated that only 19 per cent of Canadians would continue to do business with an organization if their personal data were exposed in a cyber-attack.
In response to experiencing a cyber-attack, the most common action undertaken by our respondents was to engage employees in cybersecurity training (57 per cent). This is an increase from last year, when only 44 per cent of respondents with 50 or more devices in their organization indicated the same. We know that more than 90 per cent of all cyber-attacks originate with some kind of user action, so increasing awareness of cyber threats is always a good move.
A security audit was the choice of 48 per cent of respondents (up from 37 per cent last year), while the installation of new software actually dropped (46 vs. 50 per cent) from the same group last year.
Overall, 56 per cent of respondents said they are more concerned about the prospects of future cyber-attacks. This is not surprising, given the frequency of high-impact data breaches in Canada with extremely high costs this past year.
To mitigate their future risk, 45 per cent of respondents are planning to increase their human resources dedicated to cybersecurity in the next 12 months. This is an increase over last year, when 35 per cent of respondents with 50 or more devices in their organization indicated they planned to increase human resources.
Another 45 per cent say their resources will stay the same, and five per cent expect a decrease.
In terms of financial resources, 54 per cent say their organization will increase their cybersecurity investment next year. This is a dramatic increase from the 35 per cent who said the same last year.
54 per cent of respondents expect to spend more on cybersecurity resources next year.
While protecting the personal information of customers is the top-rated reason for devoting more resources to cybersecurity (59 per cent), it is interesting to note that complying with laws and regulations is still far down the list (though up from last year).
It is encouraging to see the increase in awareness of cyber threats, but there is still much to do. There is no silver bullet for cybersecurity; it requires constant vigilance, multiple layers, and employee awareness. We are committed to helping Canadian businesses and institutions implement the tools, platforms and processes that are required to protect their networks.
The Canadian Context
One thing that has changed significantly in the last couple of years is the regulatory environment in which businesses and organizations operate. The impact of the European Union's General Data Protection Regulation (GDPR) as well as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) continues to shape the world of cybersecurity. While it is inevitable that more privacy-related acronyms are coming, we wanted to ask organizations how the regulatory environment impacted them.
While not all businesses are impacted by the EU GDPR regulation, in a world of global trade and commerce a business doesn’t have to be located physically in a certain jurisdiction in order to be affected.
Overall, 49 per cent of respondents were familiar with GDPR. Among organizations with 50 or more devices, this is an increase from 44 per cent last year. Given that the majority of our respondents do business exclusively in Canada, these numbers are not surprising.
Similarly, only 26 per cent indicated making any changes due to GDPR. This number has increased from last year when only 17 per cent of businesses with 50 devices or more indicated making GDPR-related changes to their online presence or business practices. It seems more Canadian businesses are realizing that if they have customers outside Canada, other regulatory schemes may apply.
Closer to home, significant changes went into effect last November due to the Personal Information Protection and Electronic Documents Act (PIPEDA). The most significant change is mandatory breach disclosure rules, as well as potential fines for non-compliance.
PIPEDA directly addresses the responsibilities of non-public organizations in disclosing breaches of personal information.
Overall, 69 per cent of respondents were familiar with PIPEDA, which is nice. Whether you are over or under this number, the fact remains that all Canadian organizations should be familiar with PIPEDA, even if it's simply to figure out that it doesn't apply to you. In the modern economy, virtually every private organization has data that is governed by PIPEDA, whether it concerns customers, suppliers, employees or vendors. This number is basically unchanged from last year, when 70 per cent of respondents with more than 50 devices indicated the same.
Unfortunately, only a little more than half of respondents (57 per cent) were aware of PIPEDA’s mandatory disclosure requirements (remember this for later). While this is better than last year (50 per cent among those with 50+ devices), it is also concerning as disclosure carries real consequences.
Overall, 53 per cent of respondents were concerned with the recent changes to PIPEDA, which may reflect the business impact of more stringent data governance requirements in the Act. On that front, 64 per cent of respondents indicated that they stored the personal information of customers, employees, suppliers, vendors or partners on their systems. However, it seems likely that this number should be higher; who doesn't have data on employees on file somewhere? Even organizations relying on cloud vendors aren't safe, because even though you use another company for storing billing or patient records, you are still responsible for a breach at that supplier OR through (for example) weak passwords that your employees may be using.
Only 57 per cent of respondents were aware that PIPEDA now has mandatory breach disclosure requirements.
How secure was that personal data? Well, 42 per cent of respondents said they did not experience a data breach last year. The average among organizations that reported was five breaches in the last year. What we like best about this answer is that 40 per cent said they didn't know if they had been breached; if we were to be intellectually honest, that is probably the right answer to any cybersecurity question. Cybersecurity attacks and breaches are a perfect example of a "known unknown".
And now the kicker…remember the 43 per cent of respondents who weren’t aware of the mandatory breach requirements in PIPEDA? Well, of those who experienced a breach last year, only 58 per cent reported it to a regulatory body. Of course there are exceptions to PIPEDA but it seems highly likely that some breaches are not being reported. That’s…a problem.
It gets worse from there. Only 48 per cent reported the breach to their customers; 40 per cent to their management and 21 per cent to their board of directors. In case you were wondering, this was an anonymous survey, so we couldn't tell you who even if we wanted to. The fact that only 37 per cent reported the breach to law enforcement reflects a sad reality that many businesses face: there's not much that can be done by the police in many situations. It is well established that the vast majority of cybercrime goes unreported, so the true scope of the problem is much worse.
Of those organizations who experienced a data breach, only 58 per cent told a regulatory body; 48 per cent told their customers; and only 21 per cent told their board.
What is data sovereignty anyway? At its core, data sovereignty means ensuring that your data, IT infrastructure, and network traffic stay within Canada as much as humanly possible. The minute your data crosses a border it is subject to the laws of the country it enters—and the policies that you may not even be aware of (*cough Snowden).
Many Canadians are unaware that a portion of Canada’s network infrastructure moves data through the United States while en route to another destination in Canada. That meme you send your friend in Windsor from your condo in Hamilton may very well pass through more than one internet hub in the US before reaching its destination.
There are many national benefits to having a strong national infrastructure that helps to keep data in Canada, but it is also a big boost for your cybersecurity footprint and reduces your risk factors.
In that light, we asked respondents if they were concerned about data flowing through other jurisdictions. In all, 69 per cent said they were concerned, with 32 per cent indicating they were very concerned. Both numbers are an increase over last year, when only 55 per cent were concerned and 19 per cent very concerned among organizations with 50+ devices.
While 57 per cent of respondents said they outsource their network or IT infrastructure, 83 per cent of those said they contracted only Canadian firms.
While the commitment to buying Canadian is notable, one thing to remember is that there is no guarantee that a Canadian firm doesn’t still use infrastructure outside Canada. It is best to check to determine exactly where your data is housed, routed, and whether or not any cloud infrastructure has a Canadian presence.
As part of our mandate to build a better online Canada, CIRA considers the ability to use the internet safely and securely to be a major pillar of our responsibility to Canadians. Since diving into the world of cybersecurity more than four years ago, CIRA has steadily broadened its footprint in the space as the threat to Canadian businesses, organizations and individuals has expanded.
Our goal with the second annual CIRA Cybersecurity Survey is to provide a clear overview of the threat landscape in Canada and to learn more about how businesses are coping.
So, what have we learned?
Training is making a difference but more needs to be done
While many technical layers have been thrown at the cybersecurity problems for years, the one weak link has always been people. We know that more than 90 per cent of all cyber-attacks begin with some sort of user action. Education is essential, and it is no longer just the IT department that needs to know.
The good news is that Canadian businesses seem to be catching on. In our survey, 87 per cent of respondents indicated that some form of cybersecurity awareness training was available in their organizations.
The bad news is that, in many cases, the training is inadequate. Cyber-threats are constantly evolving and bad actors are always refining their techniques. In that light, we saw that only 41 per cent made such training mandatory for all employees, and only 22 per cent conduct the training on a monthly basis or better.
While there remains some uncertainty as to how to measure the effectiveness of cybersecurity awareness training, most respondents believe it is working, and that can only be good news as we tackle the ongoing cybersecurity threat.
The importance of disclosure is still not fully understood
As cybersecurity goes mainstream, many organizations are still struggling with how to communicate the threat with their stakeholders. While a physical break-in, a flood at a facility, or a labour dispute are all visible risks that are easy to communicate, a cyber-attack still leaves many organizations struggling with how to respond. We found that despite the new disclosure requirements in PIPEDA, only 58 per cent of those who experienced a data breach had disclosed it to a regulatory body. Only 48 per cent had informed their customers; and 21 per cent told their board. This lack of disclosure leads to mistrust and, in some cases, severe consequences.
It seems there is still a stigma surrounding cyber-attacks that doesn’t exist with more traditional business risks. Hopefully, as businesses come to grips with the reality that cyber threats are no different than physical ones (and in many cases are actually more severe), they will begin to understand that disclosure actually reduces risk and potential harm by bringing more visibility to the problem.
Organizations are adapting but the threats remain
As cybersecurity becomes more mainstream, we are seeing positive momentum among Canadian organizations that are adapting to the threat. Canadian organizations are investing in training, resources and technical solutions to protect their data and their customers.
However, the threat doesn’t stand still and we are still seeing gaps in resources and training that beg for broader solutions. At CIRA, we are doing our part to address these gaps. Our suite of cybersecurity solutions is specifically built with Canada in mind. Our more than 20 years of managing the .CA has allowed us to deploy our expertise in managing and protecting the DNS to create products like D-Zone DNS Firewall, a critical layer of your cybersecurity footprint.
By reporting on cybersecurity trends and data we hope to continue to build up Canada’s cybersecurity capacity—in knowledge, people and solutions—to ensure our internet remains strong and free.