Almost 9 out of 10 Canadian Companies Were Breached by Cyber Attacks Last Year

February 9, 2018

Cybersecurity is becoming one of the most important precautions a company can take right now, and a new report shows that those worries are well-founded.

A new report from Scalar Decisions finds that Canadian companies are under almost constant attack and that close to 9 out of 10 companies (87 per cent) in the country suffered from a successful breach from an attacker in 2017. The study surveyed 420 Canadian IT and security workers and was conducted independently by IDC Canada. Of those workers, 29 per cent worked for enterprise businesses, 51.5 per cent for medium/large businesses, and 19.5 per cent for small businesses.

Canadian organizations are attacked in varying degrees of severity more than 450 times per year, and that 46 per cent of companies are not confident in their ability to defend against attacks.

“As cyber security breaches become the new normal, organizations can’t be complacent,” said Theo Van Wyk, Chief Security Architect at Scalar Decisions. “Many companies are still reporting gaps in their defences despite hiring full-time security staff, which may point to a deficit in the availability of highly skilled IT workers. The rising number of high-impact breaches coincides with the increasing costs of recovery.”

The report also went on to find that of the 87 per cent of companies that suffered a breach, 47 per cent had some form of sensitive data stolen. One out of every five breaches was considered “high-impact,” meaning sensitive customer or employee data was exposed.

The average company tends to spend $3.7 million in direct and indirect costs to recover from security breaches, and in smaller organizations, the average cost of a breach per employee is $12,392. In larger organizations that figure shrinks to $755 as they tend to have a more robust IT department and access to more resources.

Still, when it comes to how much of an IT budget is dedicated to security, it only comes in around 10 per cent. A majority of respondents do not train their employees to identify attacks such as phishing scams or to update their software with the latest security measures. This often comes down to many companies assuming their employees already know these kinds of preventative measures.

“Canadian companies are getting better at prioritizing cybersecurity, but there is still a substantial lack of training and planning,” said Van Wyk. “Organizations need to look beyond their infrastructure and weigh the insider and third-party risks they face. If this can’t be tackled in-house, then external expertise is an efficient way to shore up their defences.”

Another big player is the advent of many companies integrating other kinds of software or platforms into their own company. Close to three-quarters of respondents do not comprehensively analyze how a third-party relationship may affect their overall cybersecurity planning, leading to possible vulnerabilities.

Canadians, and the whole tech sector, know that cybersecurity is incredibly important, however attacks and breaches often make news and then are quickly forgotten. Nissan Canada saw more than 1.1 million Canadians affected by a hack on their systems, while Equifax’s massive breach had an impact on over 100,000 Canadians. Other major breaches by Uber and Yahoo were either covered up or not fully disclosed.

The Bank of Canada’s governor Stephen Poloz addressed cybersecurity at the end of 2017, noting it is a major concern every company must pay attention to, with a particular emphasis on financial institutions.

“It is vital that we be able to ‘fail over’ quickly so our key functions will be maintained in the event of a major disruption, be it a cyber attack, natural disaster or some other crisis,” said Poloz. “This is a matter not just of operational continuity, but of maintaining confidence in our financial system in stressed situations.”

Some companies have begun to address cybersecurity with specialized labs recently, such as RBC’s new lab in Waterloo or Trend Micro’s newest lab in Toronto that built off TELUS Security Labs’ work.