More than one in five Canadian companies say they were hit by a cyberattack last year, with businesses spending $14 billion on cybersecurity as they confront greater risks in the digital world, according to a new Statistics Canada survey.
The most common suspected motive was an attempt to steal money or demand a ransom payment, according to the survey. Theft of personal or financial information was less typical — less than one-quarter of the cyberattacks — though it was the most cited reason for investing in cybersecurity, StatCan said.
"Canadian businesses continue to rapidly embrace the Internet and digital technologies, which expose them to greater cybersecurity risks and threats," the agency said in a release Monday.
"However, the impact of these risks and threats on the investment and day-to-day decisions of businesses is not easily understood as cybersecurity incidents often go unreported."
Only 10 per cent of businesses affected by a cyberattack reported it to law enforcement agencies last year, StatCan said.
That may change after Nov. 1, when key provisions of the three-year-old federal Digital Privacy Act come into effect, requiring companies to tell Canadian consumers when their personal information is breached.
In Europe, a sweeping new privacy law introduced in May imposed strict rules around data security and personal privacy, affecting Canadian companies that offer products or services to European Union consumers — and that could face fines of up to 20 million euros for violations.
In 2017, Canadian businesses shelled out $8 billion on cybersecurity staff and contractors, $4 billion on related software and hardware and $2 billion on other prevention and recovery measures, the survey found. The total represented less than one per cent of their total revenues.
Large businesses (those with 250 or more employees) were more than twice as likely as small ones (those with between 10 and 49 employees) to be apparent targets, according to the report. It said the attacks resulted in an average of 23 hours of "downtime" per company in 2017.
Data breaches have become a familiar feature on the corporate landscape. Last week, Facebook said an attack on its computer systems announced two weeks earlier had affected 30 million users.
In August, some 20,000 Air Canada customers learned their personal data may have been compromised following a breach in the airline’s mobile app.
The Bank of Montreal and the Canadian Imperial Bank of Commerce both suffered data breaches last May. Equifax announced in 2017 that a massive data breach compromised the personal information and credit card details of 143 million Americans and 100,000 Canadians.
In the past three years, millions of consumers have been affected by hacks against a panoply of companies including British Airways, Uber, Deloitte, Ashley Madison and Walmart.
“There’s a lot more to come,” said Amir Belkhelladi, who runs cybersecurity for Deloitte in Eastern Canada. “Technology is becoming essential in our life, so cybercrime that leverages that technology is likely to increase.”
Belkhelladi welcomed the StatCan survey — the first of its kind in the country — as a basic metric to rank Canada against other countries, but stressed the less concrete consequences of cybercrime.
“The reality for many of the businesses and organizations out there, it’s an impact on their business reputation. That’s much less tangible, that’s much harder to quantify,” he said.
While many large companies now have sturdier safeguards — such as cyber-liability insurance — soft points along the supply chain can still open the backdoor to a breach.
“Very often you’ll see instances where the attack came through a supplier of some sort, or someone who’s in their ecosystem who’s trusted,” said Belkhelladi.
Data for the survey — titled the Canadian Survey of Cyber Security and Cybercrime and conducted on behalf of Public Safety Canada — were collected between January and April 2018, with a sample size of 12,597 businesses and a response rate of 86 per cent.