Survey Findings - Organizational Experience


In addition to collecting responses from personal domain owners, we also surveyed people who own one or more .CA domains that they use exclusively for business purposes. This includes small businesses with 100 or fewer employees and larger organizations with more than 100 employees. Among the larger organizations, 58 per cent were companies, 34 per cent were not-for-profit organizations, and eight per cent were government organizations.

Types of organizational respondents

8% government, 34% non-profit, and 58% company.

We asked these groups a range of questions, tailored to their organization size. These questions sought their perspectives on their level of awareness of current threats, the impact they are seeing from these threats, and the steps they are taking to deal with them, including the IT security solutions they currently use and their level of investment in these solutions. 

Of those surveyed in the small business category, the majority of respondents (72 per cent) report that they have primary responsibility for IT operations and security for their business, while 11 per cent say they rely on internal technical resources, and 17 per cent use an external managed service provider or IT contractor.

Among those working for larger organizations, which include private sector, not-for-profit and government organizations, 90 per cent say they are involved in the IT security decision-making process. 
 

Cyber threats a major concern for Canadian businesses

Like their counterparts operating personal websites on their .CA domains, business domain owners express high levels of concern about the potential impact of cyberattacks on their operations.

Overall, 77 per cent of small business respondents rate their level of concern as a 7 or higher on a ten-point scale, with 1 being “not concerned” and 10 being “very concerned”. A significant proportion of respondents—about one fifth of the total—rated their concern at the highest level on the ten-point scale, indicating that they consider themselves “very concerned” about the threats cyberattacks pose to their business.

Among larger organizations, respondents say they are worried about the impact of phishing and ransomware in their organizations, with 16 per cent saying they are “somewhat worried” about ransomware, and another 57 per cent saying they are worried or very worried about it, rating it between 7 and 10 on the ten-point scale.

Phishing is also a significant concern among larger organizations, with 18 per cent saying they are “somewhat worried” about it, and another 55 per cent saying they are worried or very worried about it.

The level of concern among Canadian businesses is justified by the research conducted in Canada’s Internet Factbook 2017, which found that 44 per cent of Canadians were unlikely to continue making purchases from an online business following a major cyberattack.

Impact and frequency of cyberattacks is increasing in Canada

As is the case with personal websites, the impact of cyberattacks in a Canadian business context is a major cause for concern. Among larger organizations in particular, these attacks are increasing in frequency daily. 

Twenty-two per cent of respondents from organizations with more than 100 employees—nearly a quarter of those surveyed in this category—said they had been the victim of a DDoS attack in the past year that negatively impacted business performance. Overall, 17 per cent said their organization had experienced between one and three DDoS attacks, three per cent had experienced between three and ten attacks, and two per cent had experienced more than ten attacks.

It’s a similar story for ransomware, with 19 per cent of those surveyed in this category saying their organization had been the victim of a ransomware attack. Seventeen per cent of organizations report being victimized in this manner between one and three times, while another two per cent reported a breach between three and ten times.

Phishing attacks are also a major cause for concern among large organizations, with 32 per cent reporting that users within their organization had unwittingly divulged important information to hackers within the last year.

DDoS experience in a year

1% of organizations experienced more than 1 DDoS attack, 3% from 3 to 10, 18% from one to three and 78% none.

The results among the Canadian small businesses we surveyed were similar. The number of small businesses impacted by cyberattacks, while less than half the rate reported by large organizations, is nonetheless significant and a cause for serious concern. Ten per cent of those surveyed in the small business category report having their website brought down by a website hack or cyberattack within the past 24 months.

Loss of website in last 24 months

10% of smaller organizations report having had a website-impacting hack.

Canadian businesses see their peers in the cybersecurity community as a trusted resource

In terms of where IT professionals go to educate themselves on matters related to IT security services, respondents from small businesses and larger organizations alike indicated their peers were their go-to source. We excluded general search engine research from this question to understand where else organizations typically look. 

And while small businesses looked to their current vendor (35 per cent) and blogs (32 per cent) as their second and third choices, respondents from larger organizations listed IT security events (48 per cent) and their current vendor (43 per cent) as their second and third choices respectively.
 

Where IT managers look for cybersecurity information.

Peers are the most common choice; IT security events, current vendors, analysts, webinars and blogs all rank between 35% and 45% usage.

 

Types of security used by organizations

84% antivirus, 61% hardware-based firewalls, 54% software-based firewalls, 42% password managers, 26% email encryption, and 29% use DNS blocking.