Are Canadian businesses prepared for cyber attacks?

This story appeared in Strategy C-Suite, a weekly email briefing on how Canada’s brand leaders are responding to market challenges and acting on new opportunities. Sign-up for the newsletter here to receive the latest stories directly to your inbox every Tuesday.

Almost three quarters of Canadian organizations have faced at least one serious cyber attack in the last year, but many remain unaware of what their regulatory responsibilities are in the case of a data breach – or how negatively it can impact the way customers see their company.

That is according to a new report from the Canadian Internet Registration Authority (CIRA), which surveyed 500 staff with responsibility over IT and security decisions (335 were in the private sector and 165 in the public or non-profit sectors).

Among those surveyed, 71% reported experiencing at least one cyber attack that impacted their organization over the last year, be it needing to devote time or money to respond to the incident, loss of customers or preventing employee work or the use of resources and services. Among those that had been attacked, 24% experienced one or two incidents, 9% experienced between three and nine, and 6% experienced 10 or more – while 33% couldn’t provide an exact number. Only 18% of respondents said those cyber attacks resulted in a data breach, although that number could be higher: a further 40% said they didn’t know for sure.

Only 13% of those who experienced an attack said it had a negative impact on their reputation. The CIRA pointed out that this belief is in stark contrast to an earlier report of Canadian consumers, which found that 87% are concerned about potential cyber attacks against organizations with access to their private data, and only 19% said they would continue to do business with an organization that had allowed personal data to become exposed as a result of a cyber attack.

Despite the high percentage of respondents who experienced at least one serious cyber attack, 43% said they were unaware of mandatory disclosure requirements under PIPEDA.

Regardless of how many people are impacted by a security breach, PIPEDA states organizations must notify individuals when safeguards around their personal information have been breached and “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm.” The law describes “significant harm” as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Disclosures must be directed to each individual impacted, and contain information that allows them to understand how significant the breach is and steps they can take to reduce harm that could result from it.

Among the organizations in the survey that did experience a data breach, 58% reported it to a regulatory body, 48% to their customers, 40% to their management and 21% to their board of directors.

When it comes to how organizations are responding to cyber attacks and data breaches, 87% have implemented some form of cyber-security awareness training, but 36% said that took the form of informal “lunch and learn” sessions or informal workshops, and only 41% made training mandatory for all employees.

Looking forward to the next 12 months, 45% of respondents said their organizations plan to increase the human resources dedicated to cybersecurity, while the same amount said the investment will stay roughly the same. In terms of monetary investment, 54% said they will increase their investment (up from 35% who said the same in a similar survey conducted last year), while 35% said it will stay roughly the same. The biggest motivations for increasing the amount of resources dedicated to cybersecurity were protecting personal information of customers and securing the continuity of their operations (with 59% of respondents citing both as reasons).