About one-fifth of Canadian businesses were impacted by cyber security incidents in 2019
This release coincides with Cyber Security Awareness Month, which is an internationally recognized campaign held each October to inform the public of the importance of cyber security.
Despite there being several high profile cyber security incidents disclosed publicly by Canadian businesses in 2019, about one-fifth (21%) of the overall Canadian business population reported being impacted by cyber security incidents, which was the same proportion as in 2017. Over two-fifths (43%) of large businesses (250 or more employees) were impacted by cyber security incidents in 2019, compared with 29% of medium-sized businesses (50 to 249 employees) and 18% of small businesses (10 to 49 employees).
The industrial sectors that most commonly reported being impacted by cyber security incidents in 2019 were the information and cultural industries sector (37% in 2019 compared with 30% in 2017), the wholesale trade sector (34% in 2019 compared with 27% in 2017) and the professional, scientific and technical services sector (32% in 2019 compared with 27% in 2017).
The two most frequently identified motives of cyber security incidents that impacted businesses remained the same in 2019 as in 2017, with 9% of businesses in 2019 identifying that they were impacted by attempts to steal money or demand a ransom payment and 8% identifying that they were impacted by incidents with an unknown motive. The third most common motive of incidents that impacted businesses in 2019 was attempts to steal personal or financial information (6%).
Although motives related to stealing money or financial information were common in 2019, a total of 12% of businesses impacted by cyber security incidents reported that they lost revenue and 3% reported that they made a ransom payment.
Most Canadian businesses continue to not report cyber security incidents to police services
While a slightly larger percentage of Canadian businesses impacted by cyber security incidents reported incidents to police services in 2019 (12%) than in 2017 (10%), most businesses continue to not report incidents to police services. A higher proportion of businesses that reported incidents to police services indicated that they had insurance policies (34%) than the overall average (17%). Businesses that reported incidents to police services also reported an average cost of $27,000 to recover from cyber security incidents, compared with the overall average cost to recover of $11,000.
The most common reasons businesses identified for not reporting incidents to police services in 2019 were because the incidents were resolved internally (49%), the incidents were too minor to be reported (31%) or the incidents were resolved through an information technology (IT) consultant or contractor (29%).
Canadian businesses report spending a total of $7 billion directly on cyber security in 2019
Canadian businesses reported spending a total of $7 billion directly on measures to prevent, detect and recover from cyber security incidents in 2019, which represented less than 1% of their total revenues. Approximately $2 billion was spent on the portion of employee salaries related to cyber security, another $2 billion was invested in cyber security software and $1 billion was spent on IT consultants and contractors hired for cyber security reasons. Expenditures on various other prevention, detection and recovery measures accounted for the remaining $2 billion of the total cyber security expenditure.
Average annual direct expenditures on cyber security differed greatly based on size of business in 2019. On average, large businesses spent $699,000, medium-sized businesses spent $74,000 and small businesses spent $11,000. Close to one-third of small businesses (32%) reported no direct expenditures on cyber security, compared with 21% of medium-sized businesses and 19% of large businesses.
More Canadian businesses are implementing formal policies for cyber security
In 2019, 18% of Canadian businesses had written policies in place to manage cyber security risks or to report cyber security incidents, an increase compared with the 13% of businesses that reported having such policies in 2017. Increases in the usage of written policies were reported by small businesses (14% in 2019 compared with 10% in 2017), medium-sized businesses (29% in 2019 compared with 23% in 2017) and large businesses (58% in 2019 compared with 51% in 2017). Also contributing to the overall increase in written policy usage were increases in the finance and insurance sector (57% in 2019 compared with 48% in 2017) and the utilities sector (47% in 2019 compared with 36% in 2017).
Having insurance policies to protect against cyber security risks and threats was also more common among businesses in 2019 (17%) than in 2017 (9%). Among large businesses, the increase in the percentage that had a cyber security insurance policy was even more pronounced, going from 24% in 2017 to 38% in 2019. The increase was also more pronounced for businesses in the finance and insurance sector (55% in 2019 compared with 41% in 2017).
Canadian businesses continue to use many of the same cyber security techniques
Most Canadian businesses continue to use anti-malware software (76% in 2019 and 2017), email security (73% in 2019 compared with 74% in 2017) and network security (69% in 2019 compared with 68% in 2017) to protect their information and communication technologies infrastructure. However, not using other cyber security techniques may still leave businesses vulnerable to cyber security incidents. For example, while 37% of businesses reported that they used Internet-connected smart devices or Internet of Things devices (excluding smartphones, tablets, laptops and desktop computers) in 2019, 17% of businesses with these devices assessed their security. Most businesses (65%) also indicated that they did not install security updates for their software and operating systems on a monthly or more frequent basis.
In 2019, 44% of businesses reported that they were required to implement cyber security measures by suppliers, customers, partners or regulators, or to meet the requirements of cyber security standards or certification programs. The industrial sectors that most commonly reported that they were required to implement cyber security measures included the finance and insurance sector (70%), the information and cultural industries sector (60%) and the utilities sector (57%).
Three-fifths of Canadian businesses have employees that regularly complete cyber security tasks
In 2019, 60% of Canadian businesses had at least one employee who completed tasks related to cyber security as part of their regular responsibilities. Almost all large businesses (85%) had at least one employee with this description, while fewer medium-sized businesses (67%) and small businesses (58%) reported having this type of employee.
Among the 35% of businesses that reported not having any employees who completed tasks related to cyber security as part of their regular responsibilities in 2019, 48% indicated that one of the main reasons they did not have this type of employee was that cyber security was not a high enough risk for their business, while 47% indicated that they used consultants or contractors to monitor cyber security.
Note to readers
Data for this survey were collected from January to March 2020. The target population included enterprises with Canadian operations and 10 or more employees, across most economic sectors, with the exception of public administration. The final sample size was 12,274 enterprises and the response rate was 76%.
The questions on this survey asked respondents to report for reference year 2019 exclusively, so effects of the COVID-19 pandemic are not reflected in the results of this survey.
The total and average cost figures published for the 2019 iteration of this survey should not be compared with those published for the 2017 iteration due to changes in the imputation methodology. Respondents for this survey have indicated that some cyber security costs are difficult to report since they cannot be easily separated from general information technology and management expenses. The cost figures published for the 2017 survey included some adjustments to account for these cyber security costs respondents had difficulty reporting. After consulting with subject matter experts, it was determined that removing these adjustments from the 2019 cost figures would result in data that are easier for data users to interpret and use.
The average cost figures calculated for the 2019 iteration of this survey should also not be compared with those published for the 2017 iteration since responses of $0 were excluded in the calculations in 2017 and included in 2019.
Percentages published in this article represent a percentage of businesses.
Businesses were only asked to report on incidents that impacted them. Therefore, incidents that businesses deemed not to be impactful are not captured in these data.
For more information, or to enquire about the concepts, methods or data quality of this release, contact us (toll-free 1-800-263-1136; 514-283-8300; STATCAN.infostats-infostats.STATCAN@canada.ca) or Media Relations (613-951-4636; STATCAN.mediahotline-ligneinfomedias.STATCAN@canada.ca).