Skip to main content

Key Findings

  • 71 per cent of organizations reported experiencing at least one cyber-attack that impacted the organization in some way, including time and resources, out of pocket expenses, and paying ransom.
  • While 96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents, only 22 percent conducted the training monthly or better.
  • Only 41 per cent of respondents have mandatory cybersecurity awareness training for all employees.
  • Among those businesses that were victimized by a cyber-attack, 13 per cent indicated the attack damaged their reputation. This perception is a sharp contrast to the findings of CIRA’s recent report: Canadians deserve a better internet, which indicated that only 19 per cent of Canadians would continue to do business with an organization if their personal data were exposed in a cyber-attack.
  • 43 per cent of respondents were unaware of the mandatory breach requirements of PIPEDA.
  • Of those businesses that were subject to a data breach, only 58 per cent reported it to a regulatory body; 48 per cent to their customers; 40 per cent to their management and 21 per cent to their board of directors.
  • 43 per cent of respondents who said they didn’t employ dedicated cybersecurity resources cited lack of resources as the reason. This is up from 11 per cent last year.

Download the 2019 CIRA Cybersecurity Survey Infographic.

Introduction

A lot has happened since our last cybersecurity survey. The good news is that more attention, time and resources are being directed towards cybersecurity. The Canadian Centre for Cyber Security entered the scene, the federal government unveiled its CyberSecure cyber certification program, and the revamped Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect.

However, it’s not all good news. Canadian banks, schools, governments and businesses are still being taken down by cyber attacks, exposing customer data, paying ransoms to hackers, and losing valuable time recovering from breaches.

According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating an attack among Canadian organizations last year was $9.25 million.

Our goal with this survey is to provide insight into the Canadian cybersecurity landscape and understand just how Canadian businesses are preparing and coping with the new IT security reality.

Methodology

CIRA contracted the research firm, The Strategic Counsel, to interview 500 individuals with responsibility over IT security decisions. The sample included those who manage a minimum of 50 users of desktops or mobile devices for at least 20% of their work.  All the respondents had budgetary authority over cybersecurity decisions.

In our sample, 92 per cent indicated that they were at least somewhat familiar with the organizations' computer and IT functions while 8 per cent held budgetary control but were less familiar with the systems in place.

Among those surveyed, 53 per cent indicated they were very familiar with their organization’s IT and computer function, while 47 per cent said they were somewhat familiar.

Finally, among the sample, 28 per cent indicated they belonged to an organization with 50 to 99 employees who use computers or mobile devices. Additionally, 31 percent represented organizations with 100 to 229 devices, 14 per cent were in 250 to 499 employees category, 12 per cent in the 500 to 999 range, and 15 per cent worked for organizations with more than 1000 employees who use desktop or mobile devices. In short, this survey presents a wide range of viewpoints that allows us to draw some interesting conclusions about the cybersecurity landscape in Canada.

IT areas included within job
52% System administration
50% Desktop IT
49% Cybersecurity
49% Networking
36% Other technical
35% Non-technical decision making

About the organizations

While our survey included a variety of organizations, the majority had been in operation for quite some time with 56 per cent indicating they have been in business for more than 20 years. In total, 59 per cent of businesses in our sample indicated they do business in Canada only.

Private sector organizations represented 67 per cent of the sample, while public or not-for-profit organizations represented 33 per cent.

Now more than ever, Canadians need trust in the internet. We believe that security is the foundation of that trust which is why we have leveraged our experience safeguarding the .CA domain to help Canadian organizations protect themselves and their users.

Byron Holland President and CEO, CIRA

Employees and Training

While cybersecurity is now a mainstream topic (for better or worse), we wanted to dig deeper to find out how organizations are preparing to meet the challenge being presented to them by the hackers, thieves and foreign spies of the world.

Reliance on vendors

If you have a kid in school, unless they are the next Bianca Andreescu, start dropping not-so-subtle hints about the demands for cybersecurity jobs now. A 2018 report by Deloitte indicated that 5,000 cybersecurity jobs would need to be filled in Canada between 2018 and 2021, and organizations across the country are scrambling to try to fill the gap.

Naturally, this means that for the time being outsourcing is going to continue to be a central part of the cybersecurity mix. It also reflects that in many organizations dedicating a full-time resource to cybersecurity may not be deemed to be necessary; while the time and effort needed to be on top of the latest threats can’t generally be taken on as a part-time job.  

Among our sample, 68 per cent relied either fully or partially on external resources, with 20 per cent saying they outsource all of their cybersecurity needs. Only 31 per cent reported the exclusive use of internal resources. This underscores the importance of understanding the security footprint of your managed service provider and ensuring they have a complete suite of cybersecurity solutions.

Reliance on internal resources or external vendors to meet cybersecurity needs
20% External suppliers/vendors
31% Internal resources
48% Both equally
1% Don't know
Number of employees who have a primary job responsibility in IT
3% None
6% 1
29% 2-5
15% 6-10
15% 11-20
8% 21-29
7% 30-50
17% More than 50
1% Don't know

To get a clearer picture of the level of commitment among our sample to cybersecurity, we asked how many people in their organization worked in information technology. The most common response, at 29 per cent, was two to five employees dedicated to IT. Interestingly, when broken down to public and private organizations, the difference is vast. While private organizations typically have 1-5 employees with a primary job responsibility in IT, public organizations often have 30 or more.

Number of employees who have a primary job responsibility in cybersecurity
7% None
14% 1
37% 2-5
18% 6-10
9% 11-20
3% 21-29
3% 3-50
7% More than 50
3% Don't know

When we focused in on cybersecurity, private organizations have between one and five employees responsible for cybersecurity. This suggests that in general, all IT employees have at least some responsibility for cybersecurity (versus relying on specialists). Conversely, among public organizations, the ratio of IT to security drops quite significantly. Public organizations that answered “more than 50 people” in IT had proportionally fewer responsible for security. The takeaway here seems to be, if you have more people you can afford to specialize but in smaller shops, everyone has to pitch in. It is a risk to smaller organizations as security has become quite a specialty.

Lack of resources

Among the respondents, the primary reason cited for having no employees dedicated to cybersecurity was the use of external contractors (51 per cent). However, given the importance of having institutional knowledge of cyber threats and risk factors in the organization, it was surprising to see that fully 43 per cent indicated that they didn’t have the resources to employ a dedicated internal cybersecurity resource.

Main reasons for having no employees primarily responsible for cybersecurity
51% We use external consultants
43% We don't have the resources
27% All employees are responsible to a certain degree
11% Cyber threats are not a high enough risk
11% We have cyber liability insurance
3% We can't find an adequate cybersecurity professional
5% Other

This represents a significant increase over last year where 27 per cent of respondents indicated a lack of resources as a barrier. Perhaps it is the increased public awareness of cybersecurity as a critical function for businesses that have increased the demand (and therefore cost) of having internal resources. It may also reflect the desire of larger IT teams to keep their internal resources focused on their users and to outsource cybersecurity to experts.

 

43 per cent of respondents said a lack of resources is preventing them from hiring a dedicated cybersecurity professional.

This is up from 27 per cent last year.

Training

Cybersecurity is about more than just the IT department and the tools they use. Every user, every employee and every contractor has a role to play in keeping an organization safe. With this in mind, we asked our respondent some questions about cybersecurity awareness training.

First, we asked how many organizations provide some kind of cybersecurity awareness training for their employees. In total, 87 per cent of respondents indicated that some form of training was offered at their employer. Interestingly, this number was identical among both private and public organizations. However, only 41 per cent indicated that the training was mandatory for all employees.

You don’t have to be in IT, or even use a desktop regularly, to click on a bad link or pop a USB drive into a laptop without thinking about the consequences. Quality training has been shown to deliver improved security by reducing all types of incidents.

Incidence of conducting cybersecurity awareness training
32% Yes, mandatory training for some employees
41% Yes, mandatory training for all employees
15% Yes, optional training
11% No
1% Don't know

Only 41 per cent of respondents indicated that cybersecurity training was mandatory for all employees.

Next, we asked for more detail on what exactly the training entails to understand whether organizations were investing  in newer methods and more sophisticated tools.

Ways of conducting cybersecurity awareness training
54% We create training material and promote it internally
36% Lunch and learns/workshops
35% Standalone computer-based training
32% Third-party seminar-style training programs
21% Standalone phishing simulations
21% Integrated training, phishing and reporting platform
1% Other
1% Don't know

Of those who indicated that they had some form of cybersecurity awareness training at work, only 21 per cent said they used an integrated training, phishing and reporting platform; and the same number said they conducted standalone phishing simulations. Just over 50 per cent indicated they created and delivered their own internal training material, which might be ok if they have the in-house expertise to do so. To deliver in-house training effectively, IT needs to know more than just cybersecurity best practices; they also need to know how the majority of their employee base – non-technical adults – learn and retain training.

Do you like pizza? We do, and 36 per cent of respondents indicated that their training consists of lunch and learn workshops. Free pizza is a great way to attract people but it is unlikely that most attendees were drawn in by their desire to learn more about how to be safe from botnets. We posit that within a few weeks (at best) the attendees will have forgotten what they learned

Frequency of conducting cybersecurity awareness training
40% Annually or less
36% Quarterly
12% Monthly
10% More than monthly/ongoing
2% Don't know

Anyone who had a service job as a teenager probably vaguely remembers being given WHMIS training on the first day. Where is the eyewash station? How do I handle bleach? What chemicals might blow up? That kind of thing. While the nature of bleach doesn’t change much over time, cybersecurity changes daily. That’s why we asked respondents about the frequency of their cybersecurity awareness training.

If we’re being generous, 22 per cent of respondents indicated a frequency that could pass as vigilant—monthly or better. While 76 per cent indicated their cybersecurity awareness training took place quarterly or worse, a full 40 per cent said it was annually or less which is barely enough to keep up with trendy memes, let alone hackers.

Ways of measuring the impact of cybersecurity awareness training
46% Monitoring training results and risk scores over time
42% Conducting end-user perception and knowledge assessments
33% Comparing training results to industry peers
27% Saved time on security incidents
25% Reduced cost on security incidents
1% Other
11% None/no ability to measure impact

What is the impact of cybersecurity awareness training? With the rate of change in cyber threats, constant vigilance must have some kind of impact, right? We asked respondents how they measured the impact of cybersecurity awareness training. In total, 46 per cent of respondents indicated that they tracked training results and risk scores over time. This kind of tracking allows IT managers to see in real-time if their efforts are having an impact on behaviour. In terms of bottom-line impacts, 27 per cent indicated they had saved time, and 25 per cent said they reduced costs on security incidents.

Overall, 96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents or risky online behavior. It would seem that while organizations are increasingly delivering training, there are still some challenges when it comes to confidently measuring the success and ROI of their training efforts. This isn’t surprising, given the majority of our respondents are doing in-house training and lunch-and-learns without the support of a fully integrated web platform.

 

96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents.

Finally, the most common answer for why an organization doesn’t conduct cybersecurity awareness training came down to insufficient IT human resources (44 per cent) and uncertainty on the best approach (32 per cent).

While we can assume those respondents see some value in adopting training, 36 per cent of respondents that do not do training either are not considering it for now, don’t do it because previous training was unsuccessful, or just simply do not believe it works. Even though training adoption is increasing, there is still a ton of work for the cybersecurity industry to do when it comes to learning about the value of…learning.

While technical solutions are important, the best layer of security for any organization are cyber-aware employees. We are happy to see more organizations embracing cybersecurity awareness training as a critical element of their defense. However, there is more work to be done to ensure the quality and rigor of the training offered keeps pace with the ever-changing world of cybersecurity.

Jacques Latour CTO, CIRA

Impacts and Response

How organizations are responding

In total, 71 per cent of organizations reported experiencing at least one cyber-attack that impacted the organization in some way, including time and resources, out of pocket expenses, and paying ransom.

We gathered several of the newer, or perhaps less used, cybersecurity services to see if organizations were adopting them to help mitigate the threats. Topping the list were deploying DNS firewalls at 57 per cent, password managers at 51 per cent, and security training at 41 per cent. At the bottom of the list, though still a large number, were the use of a SIEM at 27 per cent, outsourcing to an MSSP at 25 per cent  and cybersecurity insurance at 25 per cent. These are all fast-growing industries and the numbers show tremendous potential for further growth. 

CIRA provides cybersecurity services in three core areas.  The first is a global secondary DNS service, the second is a DNS firewall and the third is cybersecurity awareness training. So naturally, we asked a few questions in these areas.

How organizations are responding
57% DNS firewall
51% Password manager
41% Online security training programs
40% Network behaviour analysis and anomaly detection hardware
39% Penetration testing
37% Phishing simulations
34% Cloud packet-based firewall
27% Security Information and Event Management (SIEM)
26% Managed security service provider (MSSP)
25% Cybersecurity insurance
4% None of the above

Impact of training 

As organizations get larger they tend to estimate significantly more random-looking numbers as it relates to the number of cyber incidents (i.e. everything from a breach to a minor DDoS event). This suggests that organizations aren’t keeping good track of the number of incidents that they are dealing with. Smaller with fewer IT people had a better handle on the numbers, probably because they individually responded to each of them. That said, the averages did tell compelling stories.

Organizations with under 1000 users that reported doing integrated cybersecurity awareness training that included both computer-based learning and phishing simulation reported 2.2 times reduction in incidents that impacted desktop users. This is consistent with our own analysis from CIRA’s Cybersecurity Awareness Training service that showed a 3 times reduction in users clicking on phishing emails when they are using a platform (remember that not every bad click is going to lead to a problem). In essence, awareness training is correlated to fewer problems.

One of our hypotheses was that organizations that are mature in how they conduct training may also be mature in other advanced cybersecurity tools that they deploy and that this could skew the data. It was to our surprise that those who reported using phishing simulation didn’t use other new cybersecurity tools at a rate any higher than those who didn’t. By “new” we meant tools like a SIEM, password managers, cloud firewalls, cyber insurance, etc. Of the 154 organizations that reported not doing phishing simulations, they reported using 858 of the new tools. Of the 188 that reported doing phishing simulation, they reported 873 other new tools.

Impact of DNS firewall

A DNS firewall is a type of malware and phishing filter that sits outside the organization and blocks users and botnets from accessing malicious content. It is a useful layer of security when it uses unique data science to deliver a threat block list that is different from those that feed the other layers (like antivirus, traditional firewall, etc.).

When compared to training, blocking content at the DNS layer is a more mature category and fully 62 per cent of organizations reported doing it specifically with a third-party supplier (versus URL blocking in the firewall).

When we correlated those that use a DNS firewall with the incident report, we found that those with a DNS firewall reported 16 per cent fewer desktop incidents. Again, this is a multi-variate analysis given the various tools available to organizations, so the reason we focused on the desktop was because a DNS layer has a higher direct impact at that layer. It is harder to measure when a botnet gets in through a desktop, but ultimately impacts servers or databases elsewhere and the original vector may not get uncovered.

Organizations that reported doing integrated cybersecurity awareness training reported 2.2 times reduction in incidents that impacted desktop users*.

*organizations with fewer than 1000 users 

Attack impacts

Of course, no amount of preparedness, resources or vigilance can stop cyber-attacks altogether. We have spent 100 years trying to make roads safer and there are still daily accidents in the thousands, the same is true of cybersecurity.

So, just how prevalent is the problem?

Estimated number of cyber attacks in the last year
11% None
7% 1
9% 2
9% 3-4
10% 5-9
18% 10 or more
37% Don't know

In total, 37 per cent of respondents reported not knowing how many cyber-attacks that they faced last year – which is probably 73 per cent lower than what the right answer probably is. It is great that, on whole, IT people know that it is difficult to estimate what is happening in such a grey area where their job is to mitigate risk. Among those that did attempt to estimate the number of attacks, 18 per cent experienced 10 or more while 11 per cent reported zero.

Estimated number of attacks that impacted organization
29% Zero
13% 1
11% 2
6% 3-4
3% 5-9
6% 10 or more
33% Don't know

While it is nice to estimate the number of attacks, what matters most is how many had real impact. Respondents indicated that the average number of attacks with a measurable impact was 19 per cent. Another 33 per cent responded not knowing how many impacted the organization, 6 per cent indicated they were impacted by 10 or more threats while 29 per cent reported no impact from cyber threats.

Ways in which organization was impacted by cyber attacks in last 12 months
30% Minor incident
28% Additional time required to respond to incident
28% Prevented employees from doing day-to-day work
26% Prevented use of resources or services
23% Additional repair or recovery costs
13% Damage to reputation
11% Loss of revenue
7% Loss of customers
7% Discouraged us from carrying our future planned activity
7% Loss of suppliers or partners
7% Fines from regulators or authorities
6% Paid ransom
1% Other
16% No impact
6% Don't know
5% No answer

When we think about the impact or a cyber-attack, we often focus on the direct financial costs; but what about the indirect costs? To find out more, we asked respondents to tell us how these attacks impact their organization.

Although 30 per cent indicated the incident was minor (indicating little to no observed impact), the top consequences included the time required for employees to respond to the attack (28 per cent); the inability of employees to carry out their regular work (28 per cent); and the prevented use of resources or services (26 per cent). All those impacts carry indirect monetary and productivity costs. An additional 13 per cent indicated the attack damaged their reputation. This perception is a sharp contrast to the findings of CIRA’s recent report: Canadians deserve a better internet, which indicated that only 19 per cent of Canadians would continue to do business with an organization if their personal data were exposed in a cyber-attack.

Actions taken to prevent future cyber attacks
57% Employee training
48% Security audit
46% Installation of new software
31% Installation of new hardware
29% Installation of new cloud-based security
24% Hiring of new IT staff
1% Other
3% No actions taken
4% No answer

In response to experiencing a cyber-attack, the most common action undertaken by our respondents was to engage employees in cybersecurity training (57 per cent). This an increase from last year where only 44 per cent of respondents with 50 or more devices in their organization indicated the same. We know that more than 90 per cent of all cyber-attacks originate with some kind of user action so increasing awareness of cyber threats is always a good move.

A security audit was the choice of 48 per cent of respondents (up from 37 per cent last year), while the installation of new software actually dropped (46 vs. 50 percent) from the same group last year.

Overall, 56 per cent of respondents said they are more concerned about the prospects of future cyber-attacks. This is not surprising, given the frequency of high-impact data breaches in Canada with extremely high costs this past year.

Resource impacts

To mitigate their future risk, 45 per cent of respondent are planning to increase their human resources dedicated to cybersecurity in the next 12 months. This is an increase over last year when 35 per cent of respondents with 50 or more devices in their organization indicated they planned to increase human resources.

Another 45 per cent say their resources will stay the same, and five per cent expect a decrease.

Anticipated change in human resources devoted to cybersecurity in the next 12 months
5% Decrease
45% Stay the same
45% Increase
5% Don't know

In terms of financial resources, 54 per cent say their organization will increase their cybersecurity investment next year. This is a dramatic increase from the 35 per cent who said the same last year.

 

Anticipated change in financial resources devoted to cybersecurity in the next 12 months
6% Decrease
35% Stay the same
54% Increase
5% Don't know

54 per cent of respondents expect to spend more on cybersecurity resources next year.

While protecting the personal information of customers is the top rated reason for devoting more resources to cybersecurity (59 per cent); it is interesting to note that complying with laws and regulations is still far down the list (though up from last year).

Main reasons for devoting resourses to cybersecurity measures
59% To protect personal information of customers
59% To secure continuity of operations
56% To prevent fraud and theft
56% To protect personal information of employees, suppliers and partners
53% To protect the reputation of the organization
46% To prevent downtime and outages of website or ecommerce
43% To comply with laws, regulations or contracts
40% To protect trade secrets or intellectual propoerty
20% Our organization suffered an attack previously
2% We don't devote any resources to cybersecurity
2% Don't know

It is encouraging to see the increase in awareness of cyber threats but there is still much to do. There is no silver bullet for cybersecurity, it requires constant vigilance, multiple layers, and employee awareness. We are committed to helping Canadian businesses and institutions implement the tools, platforms and processes that are required to protect their networks.

Dave Chiswell Vice President of Product, CIRA

The Canadian Context

Regulatory environment

One thing that has changed significantly in the last couple of years is the regulatory environment in which businesses and organizations operate. The impact of the European Union's General Data Protection Regulation (GDPR) and well as Canada’s Personal Information Protection of Electronic Documents Act (PIPEDA) continue to impact the world of cybersecurity. While it is inevitable that more privacy related acronyms are coming, we wanted to ask organizations how the regulatory environment impacted them.

While not all businesses are impacted by the EU GDPR regulation, in a world of global trade and commerce a business doesn’t have to be located physically in a certain jurisdiction in order to be affected.

Familiarity with European General Data Protection Regulation (GDPR)
13% Very familiar
36% Somewhat familiar
21% Not very familiar
24% Not familiar at all
6% Don't know

Overall, 49 per cent of respondent were familiar with GDPR. Among organizations with 50 or more devices, this is an increase from 44 per cent last year. Given that the majority of our respondents do business exclusively in Canada, these numbers are not surprising.

Similarly, only 26 per cent indicated making any changes due to GDPR. This number has increased from last year when only 17 per cent of businesses with 50 devices or more indicated making GDPR-related changes to their online presence or business practices. It seems more Canadian businesses are realizing that if they have customers outside Canada, other regulatory schemes may apply.

Closer to home, significant changes went into effect last November due to the Personal Information Protection of Electronic Documents Act (PIPEDA). The most significant change is mandatory breach disclosure rules, as well as potential fines for non-compliance.

Level of familiarity with Canada’s Personal Information Protection of Electronic Documents Act (PIPEDA)
26% Very familiar
43% Somewhat familiar
18% Not very familiar
9% Not familiar at all
5% Don't know

PIPEDA directly addresses the responsibilities of non-public organizations in disclosing breaches of personal information. 

Overall, 69 percent of respondents were familiar with PIPEDA, which is nice. Whether you are over or under this number, the fact remains that all Canadian organizations should be familiar with PIPEDA even if it’s simply to figure out that it doesn’t apply to you. In the modern economy, virtually every private organization has data that is governed by PIPEDA, whether its customers, suppliers, employees or vendors. This number is basically unchanged from last year when 70 per cent of respondents with more than 50 devices indicated the same.

Awareness that changes to PIPEDA will require disclosure of data breaches
57% Yes
29% No
5% Prefer not to answer
10% Don't know

Unfortunately, only a little more than half of respondents (57 per cent) were aware of PIPEDA’s mandatory disclosure requirements (remember this for later). While this is better than last year (50 per cent among those with 50+ devices), it is also concerning as disclosure carries real consequences.

Overall, 53 per cent of respondents were concerned with the recent changes to PIPEDA, which may reflect the business impact of more stringent data governance requirements in the Act. On that front, 64 per cent of respondents indicated that they stored the personal information of customers, employees, suppliers, vendors or partners on their systems. However, it seems likely that this number should be higher; who doesn’t have data on employees on file somewhere? Even organizations relying on cloud vendors aren’t safe because even though you use another company for storing billing or patient records, you are still responsible for a breach at that supplier OR through (for example) weak passwords that your employees may be using.

Only 57 per cent of respondents were aware that PIPEDA now has mandatory breach disclosure requirements.

Incidence of storing personal information of customers/employees/suppliers/vendors/partners
64% Yes
18% No
13% Prefer not to answer
5% Don't know

How secure was that personal data? Well, 42 percent of respondents said they did not experience a data breach last year. The average among organizations that reported was five breaches in the last year. What we like best about this answer is that 40 per cent said they didn’t know if they had been breached – if we were to be intellectually honest, that is probably the right answer to any cybersecurity question.  Cybersecurity attacks and breaches are a perfect example of a “known unknown”. 

Estimated number of breaches in last year
42% Zero
4% 1
4% 2
3% 3-4
3% 5-9
4% 10 or more
40% Don't know

And now the kicker…remember the 43 per cent of respondents who weren’t aware of the mandatory breach requirements in PIPEDA? Well, of those who experienced a breach last year, only 58 per cent reported it to a regulatory body. Of course there are exceptions to PIPEDA but it seems highly likely that some breaches are not being reported. That’s…a problem.

Who was informed about data breaches
58% Regulatory body
48% Customers
40% Management/senior leadership
21% Board of directors
2% Prefer not to answer

It gets worse from there. Only 48 per cent reported the breach to their customers; 40 per cent to their management and 21 per cent to their board of directors. In case you were wondering, this was an anonymous survey so we couldn’t tell you who if we wanted to. The fact that 37 per cent reported the breach to law enforcement reflects a sad reality that many businesses face, there’s not much that can be done by the police in many situations. It is well established that the vast majority of cybercrime goes unreported so the true scope of the problem is much worse.

Of those organizations who experienced a data breach, only 58 per cent told a regulatory body; 48 per cent told their customers; and only 21 per cent told their board.

Data Sovereignty

What is data sovereignty anyway? At its core, data sovereignty means ensuring that your data, IT infrastructure, and network traffic stay within Canada as much as humanly possible. The minute your data crosses a border it is subject to the laws of the country it enters—and the policies that you may not even be aware of (*cough Snowden).

Many Canadians are unaware that a portion of Canada’s network infrastructure moves data through the United States while en route to another destination in Canada. That meme you send your friend in Windsor from your condo in Hamilton may very well pass through more than one internet hub in the US before reaching its destination.

There are a lot of national benefits to having a good national infrastructure that helps to keep data in Canada, but it is also a big boost for your cybersecurity footprint and reduces your risk factors.

Level of concern about data flow through countries outside Canada
32% Very concerned
37% Somewhat concerned
17% Not very concerned
9% Not concerned at all

In that light, we asked respondents if they were concerned about data flowing through other jurisdictions. In all, 69 per cent said they were concerned with 32 per cent indicating they were very concerned. Both numbers are an increase over last year when only 55 per cent were concerned and 19 per cent very concerned among organizations with 50+ devices.

While 57 per cent of respondents said they outsource their network or IT infrastructure, 83 per cent of those said they contracted only Canadian firms.

Use of Canadian or U.S. firms for outsourced needs/services
83% Canadian
25% U.S.
9% Other country
5% Don't know
4% Prefer not to answer

While the commitment to buying Canadian is notable, one thing to remember is that there is no guarantee that a Canadian firm doesn’t still use infrastructure outside Canada. It is best to check to determine exactly where your data is housed, routed, and whether or not any cloud infrastructure has a Canadian presence.

 

Conclusion

As part of our mandate to build a better online Canada, CIRA considers the ability to use the internet safely and securely to be a major pillar of our responsibility to Canadians. Since diving into the world of cybersecurity more than four years ago, CIRA has steadily broadened its footprint in the space as the threat to Canadian businesses, organizations and individuals have expanded.

Our goal with the second annual CIRA Cybersecurity Survey is to provide a clear overview of the threat landscape in Canada and to learn more about how businesses are coping.

So, what have we learned?

Training is making a difference but more needs to be done

While many technical layers have been thrown at the cybersecurity problems for years, the one weak link has always been people. We know that more than 90 per cent of all cyber-attacks begin with some sort of user action. Education is essential, and it is no longer just the IT department that needs to know.

The good news is that Canadian businesses seem to be catching on. In our survey, 87 per cent of respondents indicated that some form of cybersecurity awareness training was available in their organizations.

The bad news is that, in many cases, the training is inadequate. Cyber-threats are constantly evolving and bad actors are always evolving their techniques. In that light, we saw that only 41 per cent made such training mandatory for all employees; and 22 per cent conduct the training on a monthly basis or better.

While their remains some uncertainty as to how to measure the effectiveness of cybersecurity awareness training, most respondents believe it is working, and that can only be good news as we tackle the ongoing cybersecurity threat.

The importance of disclosure is still not fully understood

As cybersecurity goes mainstream, many organizations are still struggling with how to communicate the threat with their stakeholders. While a physical break-in, a flood at a facility, or a labour dispute are all visible risks that are easy to communicate, a cyber-attack still leaves many organizations struggling with how to respond. We found that despite the new disclosure requirements in PIPEDA, only 58 per cent of those who experienced a data breach had disclosed it to a regulatory body. Only 48 per cent had informed their customers; and 21 per cent told their board. This lack of disclosure leads to mistrust and, in some cases, severe consequences.

It seems there is still a stigma surrounding cyber-attacks that doesn’t exist with more traditional business risks. Hopefully, as businesses come to grips with the reality that cyber threats are no different than physical ones (and in many cases are actually more severe), they will begin to understand that disclosure actually reduces risk and potential harm by bringing more visibility to the problem.

Organizations are adapting but the threats remain

As cybersecurity becomes more mainstream, we are seeing positive momentum among Canadian organizations that are adapting to the threat. Canadian organizations are investing in training, resources and technical solutions to protect their data and their customers.

However, the threat doesn’t stand still and we are still seeing gaps in resources and training that beg for broader solutions. At CIRA, we are doing our part to address these gaps. Our suite of cybersecurity solutions is specifically built with Canada in mind. Our more than 20 years of managing the .CA has allowed us to deploy our expertise in managing and protecting the DNS to create products like D-Zone DNS Firewall, a critical layer of your cybersecurity footprint.

By reporting on cybersecurity trends and data we hope to continue to build up Canada’s cybersecurity capacity—in knowledge, people and solutions—to ensure our internet remains strong and free.