Tegan: Welcome to Eh Sayers, a podcast from Statistics Canada, where we meet the people behind the data and explore the stories behind the numbers. I'm your host, Tegan Bridge.
It’s difficult to exist in the world today without being online. Understatement, I know. And while being online gives us access to information, entertainment, education, communication with friends, family, people you forgot that you knew in high school, it also puts us at risk. Have you ever gotten one of those messages from a friend on social media that says something like, “Oh my god have you seen this photo of you?” With a link on it? Pro-tip, definitely don't click that link.
Being online exposes us. We might get unsolicited spam, or we might be misdirected to fraudulent websites seeking our personal information or to install viruses or other malicious software on our computers. And that’s just the tip of the cybersecurity iceberg.
Because we’re all online, so are Canadian businesses. And they’re dealing with many of the same issues around cybersecurity as the rest of us. Digitalization exposes businesses to new risks around privacy, data protection and cyber security.
Since 2017, the Canadian Survey of Cyber Security and Cybercrime has collected data on the policies and measures put in place by Canadian businesses to manage cyber security and investigated how they’re impacted by cyber security incidents. New data’s just come out, so we sat down with an expert to find out more about how the online landscape is changing for business and what it means for the rest of us.
Howard: My name is Howard Bilodeau and I am an economist at Statistics Canada.
Tegan: What's cybercrime? And what are some examples of the types of cybercrime businesses in Canada might experience?
Howard: On our survey, we don't actually focus on cybercrime specifically. The term we tend to use is cybersecurity incident. I guess the reason for that being we don't want to worry too much about the threshold for when something becomes a crime. We're kind of just interested more broadly in terms of incidents that have an impact on businesses.
And so the way we define that is a cybersecurity incident is any type of unauthorized attempt to access a business's computing infrastructure with some sort of goal of trying to either steal information or modify information or just render some of that infrastructure unavailable for use for the business.
So we ask about several different types of cybersecurity incidents in our work. And they often include things like stealing money, stealing information, but as I said before, also kind of like rendering technology unusable at the business.
Tegan: Is it okay if I continue to use the phrase cybercrime?
Howard: Yes, it's fine.
Tegan: Cybersecurity is quite a lot. Quite a mouthful.
Howard: Absolutely, yeah.
Like, I mean, cybercrime is certainly contained within what we cover, and it is kind of one of the major focuses, so that, no issue.
Tegan: Perfect. Thank you.
Tegan: How widespread is cybercrime?
Howard: So on our survey, the way we ask about this is we focus on whether the business was actually impacted by some sort of cyber security incident. We choose that word “impacted” to avoid capturing things that are kind of just too frequent or like everyday type things like receiving a phishing email that you didn't click on.
So in terms of that group of businesses that were impacted by incidents, we found in 2023 that 16% of businesses said that they were impacted. And that has actually been going down over the course of this survey. So it started with 21% of businesses in 2019. And as I said, it's now dropped to 16 percent in 2023.
Tegan: Does this hold true for individual Canadians as well? Are they experiencing fewer incidents as well?
Howard: So far we've been speaking about our business cyber crime focus survey. On the individual side, we don't have a perfectly comparable survey, but we do have the Canadian Internet Use Survey, which asks individuals if they had experienced any type of cyber security incident. And on that survey, we found that 70% of Canadians said that they had experienced some sort of incident in 2022, and that was up from 52% in 2018.
So a little bit of a different trend on the individual side, but we do ask about a slightly different concept there, so it's not perfectly comparable.
Tegan: How do the incidents compare for what a business might experience versus what an individual might experience?
Howard: That's a great question. I think that they are often very similar. I think that cybersecurity incidents tend to kind of try to exploit the human factor, so try to essentially get an individual to give up information, which may allow the attacker to get into some sort of computing infrastructure. And so I think in that way, they're actually very similar.
I guess what might be a little bit different in terms of what the attacker wants, they may be, the attacker may be looking for slightly different types of information, depending on whether it's an individual or a business. But I think a lot of the techniques are going to be quite similar.
Tegan: And what kind of impact does this have?
Howard: So, there are various impacts that these types of incidents can have. We actually asked a question about that on our business survey. Kind of the most common things we hear about are interruptions to business activities. So, like for example, the employees just may not be able to access their computer or it might be slower so that it takes them longer to kind of complete their work. But as well, there could be costs. So there could be direct costs such as having to replace hardware or having to buy new software, but also there could be indirect costs such as just lost revenue from the business not being able to operate that day.
Tegan: Do we have a dollar amount for what businesses are kind of facing?
Howard: So, in 2023, we found that all the various recovery costs total to $1.2 billion in the economy. And that was actually double what we found in 2021, which was 600 million. So, an interesting increase there. And in terms of what is contributing to that we find that basically half of that is like personnel costs. So costs related to hiring employees or costs related to getting contractors or consultants to come help with the recovery from an incident.
Tegan: The number of businesses affected is going down, but the costs involved are going up. That's interesting, can you say more about that?
Howard: It's certainly an interesting dichotomy. And I think what it might point to is that among those businesses that actually do have some sort of impactful incident for whatever reason, the costs to recover from that are becoming larger. So basically every individual incident might become more costly and more impactful on that business. I think that it's an area that needs more research to kind of fully figure out what's going on there, but that's kind of how we read it, is that it does seem like, you know, yes, maybe the percentage being impacted is going down, but among those that are impacted the impacts are very important and are getting more important.
Tegan: One of the things that surprised me in the article, in The Daily article, I'd never heard of cyber risk insurance. What's cyber risk insurance? And to what extent is that just becoming part of the cost of doing business nowadays?
Howard: So, cyber risk insurance is an insurance product that has been offered for a few years now by various insurance companies. It has been evolving a lot, I would say, over the last decade in terms of how these policies are structured and the types of things that they cover. But yeah, so we've found that over the last few years, there has been quite a bit of uptake of these types of policies.
So in 2023, 22% of businesses said that they had some sort of policy like this, and that was up 6 percentage points from 2021. So these policies can cover various things such as kind of the direct expenses that follow an incident, such as trying to kind of recover from that and as well sometimes the insurance companies will actually offer businesses access to kind of consultants that can help them just kind of figure out what they should do to try to recover and improve their cyber security going forward.
Tegan: Were there any other surprises in the findings?
Howard: We asked the businesses that were impacted by incidents, what the method of that incident was and one large change that we saw in terms of those methods was that many more businesses were saying that they were victims of identity theft. That was up 11 percentage points among those that were impacted by incidents. So I think that's an interesting finding and I think it warrants further research because, you know, typically you don't think of a business as being the victim of identity theft, but clearly there's something going on there. We don't define the concept of identity theft on the survey, so the businesses are kind of self classifying incidents under that heading. But I do think that, you know, it's worth kind of looking further into what's going on there.
Tegan: Yeah, definitely. And why does this matter for a Canadian who doesn't operate a business? In what way are consumers affected when a business experiences an incident?
Howard: Well, businesses hold a lot of personal data about their customers. So, whenever a business has some sort of cybersecurity breach, it is also possible that a person's information gets leaked in that breach. So businesses maintaining the security of customer information is certainly an important thing for all of us to consider.
Tegan: Why do these findings matter?
Howard: So, what this survey is primarily designed to do is to give kind of a picture of the broader economy and how cybersecurity and cybercrime is affecting the business community. And these statistics feed into various policy initiatives in Canada. Kind of most notably the National Cyber Security Strategy. These results are used to kind of make decisions that feed into that strategy. And so kind of as a country, these results matter, because it kind of forms a basis to build our strategy as a country to face cyber security.
Tegan: What's the biggest takeaway from this research?
Howard: So I think that, you know, as we've shown with these results, there are some interesting trends and I think the cost one is, is really the most interesting one that we should focus on because I think it just goes to show that, you know, cybersecurity is not going away. This is becoming a growing issue, even if the percentage of businesses experiencing it is going down. When they do face those incidents, they still are having important impacts. And you know, this is also something that can affect individuals in similar ways. So it is something we all need to kind of consider going forward.
Tegan: Is there anything you would have liked to include in your release, but couldn't? Or has this given you ideas for future reports, future studies?
Howard: So, the field of cyber security is, is always evolving. I mean, that's kind of the cat and mouse game of crime. So there's always going to be new areas to kind of look into going forward.
I think one that everyone is speaking about recently is AI and how that's going to intersect with cybersecurity. To date, that has not been something we've really touched on in the survey, but I do certainly think that it is an area we could go into going forward.
Tegan: How would AI impact cyber security for someone who's not… who's never… for whom this has never occurred to? Like, what, how?
Howard: Yeah, I think there are various ways. One I'll focus on is that we do see that a lot of these cybersecurity incidents seem to be perpetrated by targeting individual vulnerabilities. So kind of tricking employees into giving up information. And, you know, we know that generative AI can be used in that way to try to kind of create something that looks legitimate when it isn't actually legitimate. So I think that's one good example of how AI could be used by threat actors to actually execute some of these incidents.
Tegan: You've been listening to Eh Sayers. Thank you to our guest, Howard Bilodeau.
For more information, you can check out StatCan’s recent release called, “Impact of cybercrime on Canadian businesses, 2023.”
You can subscribe to this show wherever you get your podcasts. There, you can also find the French version of our show, called Hé-coutez bien! If you like this show, the best thing you can do to support it is to subscribe, so please, make sure you hit the follow button if you haven’t already. We really appreciate it. And thanks for listening.
Sources
Impact of cybercrime on Canadian businesses, 2023
Canadian Internet Use Survey, 2022