If there is one thing that all cybersecurity professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era: Statistics Canada has just released the results of the first Canadian Survey of Cybersecurity and Cybercrime (CSoCC).
The data was collected from January to April 2018 and included 12,597 Canadian businesses with 10 or more employees and across all sectors, except public administration. The survey’s results attempt to provide a picture of the Canadian threat environment for the year 2017.
"The survey includes information on investment in cybersecurity measures, cybersecurity training, the volume of cybersecurity incidents, and the costs associated with responding to these incidents” (Statistics Canada).
An official summary of Statistics Canada’s survey findings is available online, along with interactive dashboard figures. We provide a summary of the main statistics below, along with relevant links for anyone wishing to learn more about the survey's results.
According to the data shared by Statistics Canada, one fifth (20.8%) of Canadian enterprises surveyed have experienced a cybersecurity incident in 2017. If we break down the data by industry sectors (based on the North American Industry Classification System (NAICS)), as shown in Figure 1, the sectors that have experienced the most incidents (above 30%, on average) are management companies (e.g. securities or financial assets), finance and insurance enterprises (e.g. banks and insurance companies), utility services (e.g. electric, natural gas, water) as well as information and cultural industries (e.g. telecommunication, broadcasting). Interestingly, these industries are related -or closely related- to critical infrastructure systems.
These aggregated statistics encompass enterprises of all sizes. However, if we break down the numbers based on whether the enterprises surveyed are considered small enterprises (between 10 and 49 employees), medium enterprises (between 50 and 249 employees) or large enterprises (250 and more employees), we find that the probability of having experienced a cybersecurity incident is greater for large enterprises, regardless of the kind of incidents surveyed by Statistics Canada. Indeed, 41% of large enterprises reported having experienced at least one cybersecurity incidents, compared to 18.8% for small enterprises.
The incidents that have the highest prevalence across all industries are the ones aiming at stealing money or demanding a ransom payment. As ransomware has been an issue discussed extensively in the media, it is interesting to add that Statistics Canada reports that among the companies who have been targeted by this threat, only 1.6% of them paid the ransom. Figure 2 depicts the percentage of cybersecurity incidents experienced by enterprise sizes and based on incident types.
For further risk assessments, we invite you to look at Statistics Canada's data, to find what is the percentage of companies that have experienced cybersecurity incidents in 2017, based on your industry and the size of your enterprise.
Cybersecurity Defensive Measures in Place
According to the survey, 76% of Canadian firms have anti-malware software in place to protect against viruses, 73.9% have email security and 68% have network security (firewall, proxy servers). This is not surprising: these security solutions are the most common products or practices for cybersecurity defense.
Yet, the survey also reports that less than half of Canadian businesses invest in Web application security (45%) and 44% have identity and access management, such as password complexity rules. Even more critical, only 34% of businesses reported having data protection and controls, like encryption and rights management, and only 28% reported having software and application security, such as applications whitelisting and scheduled patching. Moreover, only 28% reported having hardware and asset management (inventory of IT equipment).
Such findings support our own experience in the field as cybersecurity professionals. Firewalls and anti-malware software products are common and protect against massively spread malware, but not against opportunistic attackers. Our ethical hacking team gains access to systems, most of the time, through a software vulnerability on which a patch has not been applied or using password spraying attacks, something that is possible when there are no complexity rules (or ineffective ones) or when two-factor authentication is not enabled.
These statistics show that numerous Canadian enterprises do not have many cybersecurity measures in place. Yet, such security posture is common because most firms make a cost-benefit analysis and decide to accept certain levels of risks. When the data above is broken into enterprise sizes, as shown in Figure 3, we find that large enterprises have a much higher number of security measures in place compared to smaller ones (on average).
Again, for further risk assessments, we invite you to look at Statistics Canada's data, to find the percentage of enterprises that reported having specific security measures in place, based on your industry and the size of your enterprise.
Reasons for Spending Money in Cybersecurity
The survey also provides information, by industry and enterprise size, on the main reasons for “spending time or money on cybersecurity measures and/or related skills training”. As shown in Figure 4, across all industries and enterprise sizes, a main reason is found to be, for 68% of enterprises, to protect information of employees, suppliers, customers or partners, followed by to prevent fraud and theft (41%), to secure the continuity of operations (31%) and to protect the reputation of the business (30%). Compliance with laws, regulations or contracts was found to be one of the main reasons for only 27% of enterprises.
Also, in their communications, Statistics Canada has stated that:
"Canadian businesses report spending $14 billion on cybersecurity"
In total, $8 billion was spent on "salaries for employees, consultants and contractors, $4 billion on cybersecurity software and related hardware and $2 billion on other cybersecurity measures" (Statistics Canada).
Impacts of Cybersecurity Incidents
Statistics Canada reports that 53.8% of enterprises that have experienced a cybersecurity incident said it prevented employees from carrying out day-to-day work. A total of 53.2% reported that it prevented them the use of resources or services (desktop, email) and 10.5% mentioned that the incident generated a loss of revenue.
Moreover, 34.9% reported that the impact of the incident was minimal. Such information can also be broken down by sector and by enterprise size.
Reporting to the Police
According to Statistics Canada communication, of all the enterprises surveyed that have experienced an incident, only 10% of them reported the incident to the police. This indicates that cybersecurity incidents may be largely under-reported. Some incidents may also not be worth the time or energy to be reported and some may have been reported to the CRTC CASL program, which aims to protect "harmful effects of spam and related threats to electronic commerce".
Finally, Some Good News!
On a final note, Statistics Canada reports that 79.2% of the businesses surveyed did not experience a cybersecurity incident. However, it is possible that these businesses have not been aware of a cybersecurity incident(s) that happened in their environment.
Still, with this kind of data being available to the public, a new narrative on cybercrime and cybersecurity can now be formed, one that is more nuanced and more reliable.