CIRA finds 71% of Canadian organizations impacted by a cyber-attack last year

OTTAWA — The Canadian Internet Registration Authority (CIRA), which manages the .CA top-level domain, released its 2019 Cybersecurity Survey Report. The report provides an overview of the Canadian cybersecurity landscape.

More than 500 individuals with responsibility over IT security decisions at both private and public sector institutions across Canada were surveyed to learn more about how they are coping with the increase in cyber threats.

Key findings

• 71 per cent of organizations reported experiencing at least one cyber-attack that impacted the organization in some way, including time and resources, out of pocket expenses, and paying ransom.
• While 96 per cent of respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents, only 22 percent conducted the training monthly or better.
• Only 41 per cent of respondents have mandatory cybersecurity awareness training for all employees.
• Among those businesses that were victimized by a cyber-attack, 13 per cent indicated the attack damaged their reputation. This perception is a sharp contrast to the findings of CIRA’s recent report: Canadians deserve a better internet, which indicated that only 19 per cent of Canadians would continue to do business with an organization if their personal data were exposed in a cyber-attack.
• 43 per cent of respondents were unaware of the mandatory breach requirements of PIPEDA.
• Of those businesses that were subject to a data breach, only 58 per cent reported it to a regulatory body; 48 per cent to their customers; 40 per cent to their management and 21 per cent to their board of directors.
• 43 per cent of respondents who said they didn’t employ dedicated cybersecurity resource cited lack of resources as the reason. This is up from 11 per cent last year.

“While technical solutions are important, the best layer of security for any organization are cyber-aware employees. We are happy to see more organizations embracing cybersecurity awareness training as a critical element of their defense. However, there is more work to be done to ensure the quality and rigor of the training offered keeps pace with the ever-changing world of cybersecurity,” said Jacques Latour, chief security officer, CIRA, in a prepared statement.