Urgences 24 sur 7 – (888) 287-5858   Connexion au Portail TitanSupport    Contactez-nous      Blogue

If there is one thing that all cyber security professionals agree on is how data and statistics on cybersecurity and cybercrime are misleading and unreliable. This is unsurprising considering that most statistics created, until now, came from the cybersecurity industry itself. By being economically motivated at selling security products, this industry has an unequivocal bias. Fortunately, today, we enter a new era:  Statistics Canada has just released the results of the first Canadian Survey of Cyber security and Cybercrime (CSoCC).

The data was collected from January to April 2018 and included 12,597 Canadian businesses with 10 or more employees and across all sectors, except public administration. The survey’s results attempt to provide a picture of the Canadian threat environment for the year 2017.

« The survey includes information on investment in cyber security measures, cyber security training, the volume of cyber security incidents, and the costs associated with responding to these incidents” (Statistics Canada).

An official summary of Statistics Canada’s survey findings is available online, along with interactive dashboard figures. We provide a summary of the main statistics below, along with relevant links for anyone wishing to learn more about the survey’s results.

 

Cyber security Incidents

Figure 1 – Percentage of enterprises in an Industry having Experienced a Cybersecurity Incident in 2017. (Statistics taken from Table 22-10-0076-01 Cyber security incidents experienced by industry and enterprise size)

 

According to the data shared by Statistics Canada, one fifth (20.8%) of Canadian enterprises surveyed have experienced a cyber security incident in 2017. If we break down the data by industry sectors (based on the North American Industry Classification System (NAICS)), as shown in Figure 1, the sectors that have experienced the most incidents (above 30%, on average) are management companies (e.g. securities or financial assets), finance and insurance enterprises (e.g. banks and insurance companies), utility services (e.g. electric, natural gas, water) as well as information and cultural industries (e.g. telecommunication, broadcasting). Interestingly, these industries are related -or closely related- to critical infrastructure systems.

These aggregated statistics encompass enterprises of all sizes. However, if we break down the numbers based on whether the enterprises surveyed are considered small enterprises (between 10 and 49 employees), medium enterprises (between 50 and 249 employees) or large enterprises (250 and more employees), we find that the probability of having experienced a cyber security incident is greater for large enterprises, regardless of the kind of incidents surveyed by Statistics Canada. Indeed, 41% of large enterprises reported having experienced at least one cyber security incidents, compared to 18.8% for small enterprises.

The incidents that have the highest prevalence across all industries are the ones aiming at stealing money or demanding a ransom payment. As ransomware has been an issue discussed extensively in the media, it is interesting to add that Statistics Canada reports that among the companies who have been targeted by this threat, only 1.6% of them paid the ransom. Figure 2 depicts the percentage of cyber security incidents experienced by enterprise sizes and based on incident types.

 

Figure 2 – Percentage of Cyber security Incidents Experienced by Enterprise Size. (Statistics taken from Table 22-10-0076-01 Cyber security incidents experienced by industry and enterprise size)

 

For further risk assessments, we invite you to look at Statistics Canada’s data, to find what is the percentage of companies that have experienced cybersecurity incidents in 2017, based on your industry and the size of your enterprise.

 

Cyber security Defensive Measures in Place

According to the survey, 76% of Canadian firms have anti-malware software in place to protect against viruses, 73.9% have email security and 68% have network security (firewall, proxy servers). This is not surprising: these security solutions are the most common products or practices for cybersecurity defense.

Yet, the survey also reports that less than half of Canadian businesses invest in Web application security (45%) and 44% have identity and access management, such as password complexity rules.  Even more critical, only 34% of businesses reported having data protection and controls, like encryption and rights management, and only 28% reported having software and application security, such as applications whitelisting and scheduled patching. Moreover, only 28% reported having hardware and asset management (inventory of IT equipment).

Such findings support our own experience in the field as cybersecurity professionals. Firewalls and anti-malware software products are common and protect against massively spread malware, but not against opportunistic attackers. Our ethical hacking team gains access to systems, most of the time, through a software vulnerability on which a patch has not been applied or using password spraying attacks, something that is possible when there are no complexity rules (or ineffective ones) or when two-factor authentication is not enabled.

These statistics show that numerous Canadian enterprises do not have many cybersecurity measures in place. Yet, such security posture is common because most firms make a cost-benefit analysis and decide to accept certain levels of risks. When the data above is broken into enterprise sizes, as shown in Figure 3, we find that large enterprises have a much higher number of security measures in place compared to smaller ones (on average).

 

Figure 3 – Percentage of Enterprises with Cyber security Measures in Place by Enterprise Size in 2017 (Statistics taken from Table 22-10-0001-01 Cyber security measures in place by industry and enterprise size)

 

Again, for further risk assessments, we invite you to look at Statistics Canada’s data, to find the percentage of enterprises that reported having specific security measures in place, based on your industry and the size of your enterprise.

 

Reasons for Spending Money in Cyber security

Figure 4 – Percentage of Enterprises Having Chosen this Reason as the Main One to Implement Security Measures  (Statistics taken from Table 22-10-0056-01 Main reasons for spending time or money on cyber security measures and/or related skills training by industry and enterprise size)

 

 

 

The survey also provides information, by industry and enterprise size, on the main reasons for “spending time or money on cyber security measures and/or related skills training”. As shown in Figure 4, across all industries and enterprise sizes, a main reason is found to be, for 68% of enterprises, to protect information of employees, suppliers, customers or partners, followed by to prevent fraud and theft (41%), to secure the continuity of operations (31%) and to protect the reputation of the business (30%). Compliance with laws, regulations or contracts was found to be one of the main reasons for only 27% of enterprises.

Also, in their communications, Statistics Canada has stated that:

« Canadian businesses report spending $14 billion on cyber security »

In total, $8 billion was spent on « salaries for employees, consultants and contractors, $4 billion on cyber security software and related hardware and $2 billion on other cyber security measures » (Statistics Canada).

 

Impacts of Cybersecurity Incidents

Statistics Canada reports that 53.8% of enterprises that have experienced a cyber security incident said it prevented employees from carrying out day-to-day work. A total of 53.2% reported that it prevented them the use of resources or services (desktop, email) and 10.5% mentioned that the incident generated a loss of revenue.

Moreover, 34.9% reported that the impact of the incident was minimal. Such information can also be broken down by sector and by enterprise size.

Figure 5 – Proportion of businesses having reported a cybersecurity incident to the police

Reporting to the Police

According to Statistics Canada communication, of all the enterprises surveyed that have experienced an incident, only 10% of them reported the incident to the police. This indicates that cybersecurity incidents may be largely under-reported. Some incidents may also not be worth the time or energy to be reported and some may have been reported to the CRTC CASL program, which aims to protect  « harmful effects of spam and related threats to electronic commerce« .

 

Finally, Some Good News!

On a final note, Statistics Canada reports that 79.2% of the businesses surveyed did not experience a cybersecurity incident. However, it is possible that these businesses have not been aware of a cyber security incident(s) that happened in their environment.

Still, with this kind of data being available to the public, a new narrative on cyber crime and cyber security can now be formed, one that is more nuanced and more reliable.

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR)

Détection et réponse gérées et étendues GoSecure TitanMC (MXDR) Fondation

Gestion des vulnérabilités en tant que service GoSecure TitanMC (VMaaS)

Surveillance des événements liés aux informations de sécurité gérée GoSecure TitanMC (SIEM gérée)

Défense du périmètre gérée GoSecure TitanMC (pare-feu)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Passerelle de messagerie sécurisée GoSecure TitanMC (SEG)

Modélisateur de menaces GoSecure TitanMC

Identity GoSecure TitanMC

Plateforme GoSecure TitanMC

Services de sécurité professionnels de GoSecure

Services de réponse aux incidents

Évaluation de la maturité de la sécurité

Services de confidentialité

Services PCI DSS

Services de piratage éthique

Opérations de sécurité

MicrosoftLogo

GoSecure MXDR pour Microsoft

Visibilité et réponse complètes au sein de votre environnement de sécurité Microsoft

CAS D'UTILISATION

Cyberrisques

Mesures de sécurité basées sur les risques

Sociétés de financement par capitaux propres

Prendre des décisions éclairées

Sécurité des données sensibles

Protéger les informations sensibles

Conformité en matière de cybersécurité

Respecter les obligations réglementaires

Cyberassurance

Une stratégie précieuse de gestion des risques

Rançongiciels

Combattre les rançongiciels grâce à une sécurité innovante

Attaques de type « zero-day »

Arrêter les exploits de type « zero-day » grâce à une protection avancée

Consolider, évoluer et prospérer

Prenez de l'avance et gagnez la course avec la Plateforme GoSecure TitanMC.

24/7 MXDR

Détection et réponse sur les terminaux GoSecure TitanMC (EDR)

Antivirus de nouvelle génération GoSecure TitanMC (NGAV)

Surveillance des événements liés aux informations de sécurité GoSecure TitanMC (SIEM)

Détection et réponse des boîtes de messagerie GoSecure TitanMC (IDR)

Intelligence GoSecure TitanMC

Notre SOC

Défense proactive, 24h/24, 7j/7

À PROPOS DE GOSECURE

GoSecure est un leader et un innovateur reconnu en matière de cybersécurité, pionnier de l'intégration de la détection des menaces au niveau des terminaux, du réseau et des courriels en un seul service de détection et réponse gérées et étendues (MXDR). Depuis plus de 20 ans, GoSecure aide ses clients à mieux comprendre leurs failles en matière de sécurité et à améliorer leurs risques organisationnels ainsi que leur maturité en matière de sécurité grâce aux solutions MXDR et aux services professionnels fournis par l'une des équipes les plus fiables et les plus compétentes de l'industrie.

CALENDRIER D’ÉVÉNEMENTS

DERNIER COMMUNIQUÉ DE PRESSE

BLOGUE GOSECURE

AVIS DE SÉCURITÉ

Urgences 24 sur 7 – (888) 287-5858