We have a newer version of this report, with survey data from 2022.
The pandemic has shifted Canada’s cybersecurity landscape
CIRA has a mandate to promote a trusted internet—and improving Canada’s cybersecurity awareness is an important part of that effort.
To advance the national conversation about cybersecurity, CIRA publishes its Cybersecurity Survey on an annual basis.
You can learn more about the findings of this year’s survey—and how the pandemic has forced cybersecurity professionals to adapt new, lasting measures—in the sections that follow below.
Full survey results
The 2021 CIRA Cybersecurity Survey was conducted by The Strategic Counsel in July and August of 2021, collecting 510 online responses from cybersecurity decision-makers across Canada. The goal was to identify industry trends in perceptions and attitudes.
You can find the full survey results here and a summary of the findings below.
COVID-19 will have a lasting effect on Canada’s cybersecurity landscape
The pandemic has been a challenge for all of us, but it has been especially challenging for Canada’s cybersecurity professionals. Hackers continue to ramp up pressure to try and take advantage of the new challenges facing organizations across the country. As a result, additional cybersecurity protections have been put in place that this year’s Cybersecurity Survey shows will remain long after the pandemic ends.
In March of 2020, many workers migrated out of the office and into their homes. The pivot to remote work expanded the security surface area of organizations, and with it came new risks. Additional protections have been introduced to bolster organizations’ defenses and 95 per cent of security professionals say that at least some of the new protections will remain permanent. The changes were needed to defend against increased pressure from hackers, with 36 per cent of organizations indicating they faced more cyber attacks during the pandemic.
More risk has organizations looking for new ways to mitigate it. Cybersecurity insurance is a popular option to buttress against increased risk, with six in 10 organizations saying they have cybersecurity coverage as part of their business insurance, and three in 10 holding a cybersecurity-specific policy. But the data also shows that coverage is getting more expensive and difficult to keep.
Keeping security professionals awake at night is the prospect of finding a ransom note and encrypted files on their systems. In the past 12 months, almost one in five (17 per cent) organizations have been the victim of a successful ransomware attack. Of that group, a majority (69 per cent) say their organization paid the ransom demands, while 59 per cent report that data was exfiltrated. Organizations may be paying extortion fees because they fear damage to their public image.
Security professionals are also rising to challenge. They are rallying their colleagues to fight back against hackers, with 61 per cent of organizations now creating training material and promoting it internally to improve security awareness, up from 54 per cent in 2019. It could be said that 10 years of organizational IT innovation happened in 10 weeks.
This pandemic may not be over quite yet, but organizations are moving ahead. The CIRA 2021 Cybersecurity Survey provides insights on the challenges facing organizations and the lasting changes they’ve made to build resilience.
Nearly all (95 per cent) indicate that at least some of their new COVID-19-related cybersecurity protections will be permanent.
Survey data suggests a substantial majority of Canadian organizations pay ransomware demands. Of the almost one in five (17 per cent) that experienced a ransomware attack in the past 12 months, most (69 per cent) say they paid the ransom.
Nearly two-thirds (64 per cent) support legislation that would prohibit paying ransom demands.
Over one-third (36 per cent) indicate that the number of cyber attacks has increased during the pandemic, up from 29 per cent saying so this time last year.
Six in 10 (59 per cent) organizations have cybersecurity insurance coverage as part of their business insurance. Three in 10 (29 per cent) have a cybersecurity-specific policy.
Most organizations with cybersecurity coverage say their provider has increased premiums or requested new forms of proof of the corporate cybersecurity measures in place.
One-third cite tying up employees’ time. 19 per cent cite reputational damage, up from 6 per cent in 2018.
Canadian organizations paying ransomware demands
17% hit with ransomware
69% paid the ransom on average
Survey data suggests a substantial majority of Canadian organizations paid ransom demands over the past 12 months.
Should paying ransom be illegal?
Almost two-thirds of cybersecurity professionals support legislation that would prohibit ransom payments.
In Canada, cybersecurity insurance has become a popular tool for managing risk.
The most common changes are increased premiums and new proof/verification of security measures in place.
Are cybersecurity measures becoming a more common contract requirement?
Over half indicate that cybersecurity requirements have become more common in contracts with third party vendors.
Will the new cybersecurity protections be permanent?
58% yes, all
37% yes, some
Almost all respondents (95 per cent) indicate that at least some of the new COVID-19 related protections will be permanent.
The volume of cyber attacks has increased during the pandemic
2021: 36% yes
2020: 29% yes
Over three in ten indicate that the volume of cyber attacks has increased during the pandemic, up from 29 per cent last year.
Worry amongst cybersecurity professionals
Almost half of Canadian cybersecurity pros say they are more worried about their IT security footprint and policies in light of the pandemic this year.
47% are more worried
Organizations that conduct cybersecurity awareness training
61% create and promote materials
44% conduct phishing simulations
Most commonly, organizations create training material and promote them internally (up from 54 per cent in 2019), with four in ten conducting phishing simulations.
As part of October’s Cybersecurity Month, CIRA is publishing a series of blog posts based on the findings of the 2021 Cybersecurity Survey.
Below you will find links to each piece in the series as it is published:
- Cybersecurity insurance popular in Canada, despite imperfections.
- Should ransomware payments be illegal in Canada?
Pandemic cybersecurity measures become part of the new normal for Canadian organizations.
How often should you conduct cybersecurity awareness training?
Private sector lags behind public in cybersecurity investment
CIRA Cybersecurity Services
CIRA has leveraged its experience managing a network of over 3 million .CA domains to develop a suite of enterprise-grade cybersecurity products — made by Canadians, for Canadians:
- CIRA DNS Firewall: a cloud-based cybersecurity solution that protects organizations from malware, ransomware, phishing, and other cyberattacks.
- CIRA Canadian Shield: a free cybersecurity service that improves privacy by anonymizing DNS queries. It helps Canadian households block viruses, ransomware, and other malware.
- CIRA Cybersecurity Awareness Training: an integrated courseware and phishing simulation platform that enables organizations to educate their staff to protect themselves from cyber risks like social engineering and ransomware.