New Cyber Security and Business Survey Reveals Majority of Businesses Have Experienced Cyber Incidents – But Nearly Three Quarters Didn’t Report It

A recent Cyber Security and Business Survey revealed nearly two thirds (61 per cent) of businesses have experienced a cyber security incident, yet almost three-quarters (74 per cent) of businesses didn’t report it. Delivered through a partnership between the Canadian Centre for Cyber Security (the Cyber Centre) and the National Chambers Insight Community (NCIC), which comprises the provincial and territorial Chambers of Commerce across Canada, the Cyber Security and Business Survey was conducted to identify how prepared businesses are for cyber security threats. The findings of this survey will help inform future education offerings, resources, and programs from the Cyber Centre for small- and medium-sized businesses and increase awareness of those programs and resources on a national level. 

Of the 468 respondents, only 46 per cent have an employee responsible for managing day-to-day IT security for their organization. Over two-thirds of businesses do not know that the federal government provides resources and tools to combat cyber security threats. 

“At a time when many businesses have needed to pivot their businesses to online in order to better navigate the pandemic, we are very pleased to be working with the Cyber Centre and our provincial and territorial partners to identify the education, tools and resources needed to better protect small-and medium-sized businesses across the country from cyber threats,” said Fiona Famulak, President and CEO of the BC Chamber of Commerce. “We are hopeful that the survey findings will result in new and innovative tools and resources to educate and prepare businesses for cyber threats so that they can operate confidently knowing that their people and assets are protected.” 

While 72 per cent of responding businesses rated their level of cyber security knowledge as average, above average, or expert, many have experienced a cyber security incident. Eighty-eight per cent reported having a good or strong sense of what items, assets, or devices require protection in their organization. 

“Small- and medium-sized businesses are critical to Canada’s economy, and a key part of the Cyber Centre’s mandate is to make its services available to them,” said Sami Khoury, Head of the Cyber Centre. “We work with partners like the NCIC to better understand their members’ needs. By working together, these efforts help us to offer innovative cyber security tools and resources that help Canadian businesses stay safe online.” 

Key Findings: Day-To-Day Business Operations 

Of the 468 responding businesses:  

  • 46 per cent have an employee responsible for managing day-to-day IT security for their organization. 
    • 18 per cent have an employee dedicated to IT, and 28 per cent outsource the responsibility to an IT firm. 
  • 47 per cent do not own intellectual property (IP) that would be valuable to a competitor if stolen. 
    • For the businesses who own valuable IP, the top value items are business plans (28 per cent), propriety data sets (24 per cent), and project management plans (18 per cent). 
  • 88 per cent have a good sense of what items, assets, and/or devices require protection in their organization 
    • 36 per cent of businesses periodically review their items, assets and/or devices as a priority.  

Key Findings: Cyber Security Knowledge 

Of the 468 responding businesses:  

  • 72 per cent would rate their level of cyber security knowledge as average, above average, or expert. 
  • 61 per cent have encountered a cyber security incident before, however, 74 per cent of that group did not report the incident.  
    • The top cyber security incidents encountered by organizations are phishing (49 per cent) and malware (30 per cent). 
  • The most common cyber security technical measures applied in organizations are:
    • System and information backups for all devices (75 per cent) 
    • Software updates and patching (71 per cent) 
    • Administrative access (50 per cent) 
  • Google cloud is the most common cloud service among businesses (36 per cent). 
    • 25 per cent of businesses do not use cloud services. Thirty-four per cent of that group plan to move to cloud services over time. 
  • The most common cyber security business practices implemented in organizations are:
    • Password and account management policies (62 per cent) 
    • Document security (62 per cent) 
    • Physical access control (49 per cent) 

Full results of the Cyber Security and Business Survey can be viewed here