Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybercrime and Canadian Businesses

Published byHerbert Hodges Modified over 5 years ago

Similar presentations

Presentation on theme: "Cybercrime and Canadian Businesses"— Presentation transcript:

1 Cybercrime and Canadian Businesses
Mohammad Lari & Economist October 23, 2018 Mark Uhrbach Program Manager

2 Canadian policy makers had to rely on statistics and data from outside of government to inform decision-making. Insufficient data for decision-making Cross-economy enterprise-based survey Feasibility study

3

4 Over 12,000 firms in the sample
The Canadian Survey of Cyber Security and Cybercrime is the first of its kind in Canada and one of the first in the world. Firms with employees Across all sectors Over 12,000 firms in the sample 86% response rate 10+ Focus on economic impact of cybercrime, not social issues such as cyberbullying or online harassment.

5 Anti-malware software
Nearly all (95%) businesses employed some form of cyber security to protect themselves, their customers and their partners. However, usage was not universal. A number of businesses did not use: Anti-malware software security Network security 24% 26% 32% 66% of businesses allowed their employees to use personally owned devices to carry out business-related activities, but less than half (47%) of these businesses had security measures in place to manage these devices.

6 Almost 29% of businesses were required to implement cyber security measures by their suppliers, customers, partners or regulators. These requirements were more common among: Banking institutions Health & personal care stores Pipeline transportation 81% 79% 67%

7 74% of businesses had employees primarily responsible for cyber security
72% 83% 91% Small (10 to 49 employees) Medium (50 to 249 employees) Large (250+ employees) 67% of businesses, regardless of size, reported having one to five employees primarily responsible for cyber security. Among the 26% of businesses that reported not having any employees primarily responsible for cyber security: 56% 31% Indicated that the business used consultants or contracts to monitor their networks Indicated cyber security was not a high enough risk

8 % of businesses that provided formal training, by size of business
Cyber security training 51% of businesses shared general cyber security practices through , bulletin boards or information sessions with employees. 19% of businesses provided formal training for employees to develop or upgrade their cyber security-related skills. % of businesses that provided formal training, by size of business 16% 32% 59% Small (10 to 49 employees) Medium (50 to 249 employees) Large (250+ employees)

9 13% of businesses had a written policy in place to manage or report cyber security incidents.
Certain industries surpassed the average, including: Banking institutions Rail transportation Pipeline transportation 66% 55% 55% 28% of businesses reported having senior managers oversee cyber security risks and threats, and 89% of these businesses reported that they updated senior managers on actions taken regarding cyber security.

10 58% of businesses undertook activities to identify cyber security risks. Of these:
85% 38% Monitored their network and business systems Monitored their employees’ behaviours 25% 8% Complete audit of IT systems, undertaken by an external party Investment in threat intelligence 20% 11% A formal risk assessment, undertaken by an external party A formal risk assessment, undertaken by an employee 16% 7% Penetration testing, undertaken by an external party Penetration testing, undertaken by an employee

11 9% of businesses had cyber liability insurance to protect against cyber security risks and threats.
7% 14% 24% Small (10 to 49 employees) Medium (50 to 249 employees) Large (250+ employees) Cyber liability insurance was prevalent among certain industries: Natural gas distribution Data processing, hosting and related services Banking institutions 54% 50% 48%

12 $8 billion $4 billion $2 billion
Canadian businesses reported spending $14 billion on cyber security in 2017. $8 billion on salaries for employees, consultants and contractors $4 billion on cyber security software and related hardware $2 billion on other prevention and recovery methods Annual average expenditures differed greatly based on size of business. Small (10 to 49 employees) Medium (50 to 249 employees) Large (250+ employees) $46,000 $113,000 $948,000

13 % of businesses impacted, by size of business
21% of businesses reported that they were impacted by a cyber security incident, which affected their operations. % of businesses impacted, by size of business 19% 28% Small (10 to 49 employees) Medium (50 to 249 employees) 41% Large (250+ employees)

14 Pipeline transportation
% of businesses impacted, by industry Top 3 industries impacted Banking institutions Pipeline transportation Oil and gas extraction Telecom (Including ISPs) Universities (Excluding colleges) 47% 46% 45% 44% 39% Air transportation Legal services Utilities Hospitals Retail trade 35% 32% 31% 20% 16%

15 38% 39% Of those businesses that were impacted:
Experienced an attempt to steal money or demand a ransom payment Could not identify the attack’s motive Method Used 46% Malicious software (e.g., viruses, adware, ransomware) 29% Scams and fraud (e.g., financial fraud, phishing) 20% Exploiting software, hardware or network vulnerabilities Method Used 48% Scams and fraud (e.g., financial fraud, phishing) 42% Malicious software (e.g., viruses, adware, ransomware) 20% Exploiting software, hardware or network vulnerabilities

16 23% 26% Of those businesses that were impacted: Method Used
Experienced an attempt to access unauthorized or privileged areas Experienced an attempt to steal personal or financial information Method Used 36% Hacking or password cracking 34% Exploiting software, hardware or network vulnerabilities 31% Malicious software (e.g., viruses, adware, ransomware) Method Used 51% Scams and fraud (e.g., financial fraud, phishing) 30% Malicious software (e.g., viruses, adware, ransomware) 25% Hacking or password cracking

17 Businesses impacted by cyber security incidents experienced the following major impacts:
54% 53% Prevented employees from carrying out day-to-day work Prevented the use of resources or services 32% 30% Additional time was required by employees to respond to incidents Resulted in additional repair or recovery costs

18 Over half (58%) of businesses experienced some downtime as a result of an incident.
23 hours Average total downtime for businesses Most businesses (65%) reported that they believed an external party to be responsible for the incidents that impacted them.

19 Businesses did not report for the following reasons:
About 10% of businesses impacted by a cyber security incident reported the incident to a police service in 2017. 8% 12% 15% Small (10 to 49 employees) Medium (50 to 249 employees) Large (250+ employees) Businesses did not report for the following reasons: 53% Incidents were resolved internally 35% Incidents were resolved through IT consultants or contractors 29% Incidents were considered to be too minor and not important enough

20 So who did businesses report their cyber security incidents to?
42% 11% Software or service vendor IT consultant or contactor 38% 2% Did not report to any external party Government department or agency 15% 1% Suppliers, customers or partners Canadian Cyber Incident Response Centre (CCIRC) 12% <1% Bank or other financial institution Office of the Privacy Commissioner

21 Thank you For further information, please contact: Howard Bilodeau Economist Mohammad Lari Economist Mark Uhrbach Program Manager Data can be accessed through Research Data Centres (RDCs) or the Canadian Centre for Data Development and Economic Research (CDER)

22 Annex

23 About 92% of businesses reported using one or more of the following for their business:
79% 40% Website Internet-connected smart devices 61% 37% Social media accounts Intranet 53% 33% Cloud computing and storage E-commerce platforms and solutions 41% 20% Web-based applications Voice Over Internet Protocol (VOIP)

24 Of the 47% of businesses that used cloud storage, businesses stored:
27% 31% Confidential business information (e.g., inventory, financial statements) Non-sensitive or public information 30% 16% Confidential information about customers, suppliers, partners Commercially sensitive information (e.g., market position, sales and marketing plans) 28% Confidential employee information

Download ppt "Cybercrime and Canadian Businesses"

Similar presentations

David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Network security policy: best practices

Network security policy: best practices
Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.

Electronic Banking BY Bahaa Abas Noor abo han. Definition * e-banking is defined as: …the automated delivery of new and traditional banking products and.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.
Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.

Cyber crime on the rise. Recent cyber attacks How it happens? Distributed denial of service Whaling Rootkits Keyloggers Trojan horses Botnets Worms Viruses.
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:

Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Copyright 2009 Trend Micro Inc. Classification 9/9/2015 1 2010 Corporate End User Study Employee Online Behavior.

Copyright 2009 Trend Micro Inc. Classification 9/9/ Corporate End User Study Employee Online Behavior.
FRAUD, ONE OF THE FASTEST GROWING SEGMENTS OF OUR INDUSTRY Joseph Bajic, Chief Compliance Officer and Vice-President, Compliance.

FRAUD, ONE OF THE FASTEST GROWING SEGMENTS OF OUR INDUSTRY Joseph Bajic, Chief Compliance Officer and Vice-President, Compliance.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.

Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.
Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.

Thomas Levy. Agenda 1.Aims: Reducing Cyber Risk 2.Information Risk Management 3.Secure Configuration 4.Network Security 5.Managing User Access 6.Education.
Computing Essentials 2014 Privacy, Security and Ethics © 2014 by McGraw-Hill Education. This proprietary material solely for authorized instructor use.

Computing Essentials 2014 Privacy, Security and Ethics © 2014 by McGraw-Hill Education. This proprietary material solely for authorized instructor use.

Similar presentations

Ads by Google