A special report in the Government of Canada’s Business Insights (GC Insights) Newsletter for February 2023 issued by Innovation, Science and Economic Development Canada, explored cyber security and cybercrime in 2021. The Covid-19 pandemic, it pointed out, has further highlighted the use of digital technology use among Canadian businesses. Since the onset of the pandemic, work and business transactions have increasingly been conducted virtually rather than in-person, and along with this increase comes more awareness and added concerns about privacy, data protection and cyber security.
Most Canadian businesses, the report said, have recognized this and have taken appropriate steps to ensure that they’re protected. The Canadian Survey of Cyber Security and Cybercrime report measures these precautions and policies put in place by Canadian businesses and shows how cybercrime incidents can impact business operations. Bottom line: Just under one-fifth of Canadian businesses were impacted by cyber security incidents in 2021.
A cyber security incident can impact businesses in many ways – by threatening the privacy and security of their customers’ information, monetary losses, damages to reputation and corporate brand, etc. In 2021, just under one-fifth (18%) of Canadian businesses were impacted by cyber security incidents, compared with 21% of Canadian businesses in both 2019 and 2017. This varied significantly by business size, with16% of small businesses (10 to 49 employees), 25% of medium businesses (50 to 249 employees), and 37% of large businesses (250 or more employees) reporting being impacted by cyber security incidents in 2021.
The most common types of cyber security incidents identified by business in 2021 were incidents to steal money or demand ransom payments (7%) and incidents to steal personal or financial data (6%). More than one-third (39%) of Canadian businesses impacted by cyber security incidents indicated that there was no clear motive. While most impacted businesses identified external parties (61%) as the perpetrator, 38% could not identify the person. Other perpetrators identified were internal parties (5%) and known third parties (6%), such as a supplier or a customer.
Overall, Canadian businesses reported spending over $10 billion on cyber security in 2021. The percentage of businesses that reported spending some money to detect or prevent cyber security incidents remained relatively the same in 2021 (61%) compared with 2019 (62%). However, the amount of money Canadian businesses spent to detect or prevent cyber security incidents increased by roughly $2.8 billion in 2021 (to $9.7 billion) when compared with 2019. Large businesses contributed to just under half of the total ($4.4 billion), followed by small businesses ($2.9 billion) and medium-sized businesses ($2.4 billion).
Among the roughly one in five (18%) businesses that were impacted by a cyber security incident, about 40% experienced downtime as a result, with an average downtime duration of 36 hours. Other commonly reported impacts included additional time that was required by employees to complete their day-to-day work (21%), prevention of employees from carrying out their day-to-day work (18%), and loss of revenue (14%). Canadian businesses that were impacted by a cyber security incident spent a total of slightly over $600 million to recover, an increase of roughly $200 million from 2019.