COUNTERING COSTLY CYBERCRIMES (2023)

Issue

The cost of cybercrime perpetrated on businesses is rising. However, there is insufficient data to determine accurately what those costs are. When asked at a recent cybercrime dialogue if the attendants knew where to report a cybercrime, most did not. Canada does have websites where business can report a breach of their data, however, it is not well known. Businesses need to report cybercrime and provide the data that the federal agencies require to accurately measure the costs and develop strong countermeasures. Conversely, the federal agencies could and should do more to engage businesses as part of their planning and outreach strategies and promote their webpage for reporting cybercrime through education and awareness campaigns.

Background

The fact that cybercrime is on the increase is indisputable. What becomes challenging is measuring the impact on Canada’s economy. In 2021, just under one-fifth (18%) of Canadian businesses were impacted by cyber security incidents, compared with 21% of Canadian businesses in both 2019 and 2017 that were impacted. This varied significantly by business size, with 16% of small businesses (10 to 49 employees), 25% of medium businesses (50 to 249 employees), and 37% of large businesses (250 or more employees) reporting being impacted by cyber security incidents in 2021.

The most common types of cyber security incidents identified by business in 2021 were incidents to steal money or demand ransom payments (7%) and incidents to steal personal or financial data (6%). More than one-third (39%) of Canadian businesses impacted by cyber security incidents indicated that there was no clear motive.

While most impacted businesses identified external parties (61%) as the perpetrator of cyber security incidents, 38% of impacted businesses could not identify the perpetrator. Other perpetrators identified were internal parties (5%) and known third parties (6%), like a supplier or customer.

The percentage of businesses that reported spending some money to detect or prevent cyber security incidents remained relatively the same in 2021 (61%) compared with 2019 (62%). However, the amount of money Canadian businesses spent to detect or prevent cyber security incidents increased by roughly $2.8 billion in 2021 to $9.7 billion when compared with 2019. Large businesses contributed to just under half of the total ($4.4 billion), followed by small businesses ($2.9 billion) and medium businesses ($2.4 billion).

An October 2021 survey of Canadian and worldwide tech and security executives found that 36 percent of Canadian organizations had fully implemented a combined strategy for data management, cyber, privacy, and other governance functions, while 32 percent of worldwide organizations had these practices. In the attempt for better data protection, 42 percent of Canadian organizations had implemented the ability to share data securely with third parties, business partners, and suppliers and to potentially “audit” their compliance to terms.

The same survey of Canadian tech and security executives found that 23 percent of organizations anticipate a significant year-over-year increase in ransomware attacks in 2022. Furthermore, malware attacks were projected to grow by 43 percent in 2022 compared to 2021.

THE CHAMBER RECOMMENDS

That the Provincial Government and Federal Government work collaboratively with stakeholders and business to:

1. Increase integration amongst governments and policing agencies and cyber crime prevention professionals to effectively catch and prosecute cyber criminals.
2. Promote digital literacy for businesses by establishing best practices for cyber resilience, including education on more sophisticated and specialized crime.
3. Invest additional financial and skilled human resources to a national cyber-security centre set up by government, industry and policing agencies to help investigate and warn the public about new and emerging cyber-threats.