Revealed – how much Canadian businesses spend on their cyber defences
Statistics Canada found that the most common types of cyber security incidents identified by businesses in 2021 were incidents to steal money or demand ransom payments (7%) and incidents to steal personal or financial data (6%). About 39% of Canadian businesses affected by a cyber incident indicated that there was no clear motive to the attack launched against them.
While a good 61% identified external parties as the perpetrator of cyber security incidents, 38% could not identify the perpetrator. Other perpetrators identified by businesses included internal parties (5%) and known third parties (6%), such as a supplier or a customer.
The report noted that Canadian businesses spent more than $10 billion on cyber security in 2021. Some 61% of businesses surveyed said they spent to detect or prevent cyber security incidents in 2021, compared to 62% in 2019. But the amount of money spent increased by about $2.8 billion in 2021 to $9.7 billion, compared to 2019.
When the $9.7 billion total spent on cyber security in 2021 is broken down per business type, large businesses spent $4.4 billion, followed by small businesses with $2.9 billion, and medium businesses at $2.4 billion.
It was also found that for 2021, more than one in 10 (11%) of businesses were impacted by ransomware, but there were fewer ransom payments made. Eighty-two per cent (82%) of businesses said they did not pay the ransom, with only 18% indicating that they paid. Among those who paid, 1% said they paid a ransom of more than $500,000, and 14% said they paid using cryptocurrency.
Canadian businesses that were impacted by a cyber security incident spent a total of slightly over $600 million to recover – this is a noticeable increase of about $200 million from 2019. Statistics Canada also said that businesses that identified being impacted by cyber security incidents went on to spend more money to prevent and detect incidents and were also more likely to employ dedicated cyber security employees. Those types of businesses were also more concerned about cyber security incidents.