A survey by Statistics Canada has found the cost of being hit with a cybercrime has risen substantially and creates burdensome business overheads.
The numbers in individual cases can be quite high. The average cost of cybercrime for a large business with over 250 employees was $172,000 in 2021—a big jump from $73,000 in 2019.
However, the frequency of such attacks has diminished slightly. The survey found 18 percent of businesses reported a cyber security incident in 2021, down from 21 percent in 2019.
In contrast, it said cybercrimes against individuals continued to rise.
“These trends may reflect a change in the strategies of cybercriminals, but could also be the result of businesses having more tools at their disposal to identify and intercept malicious cyber activities when compared with individuals,” the report said.
The types of attacks are also changing. The survey found hacking a password and exploiting network vulnerabilities has declined slightly since 2019. But other types of money-making attacks, such as fraud, scams, ransomware, and identity theft, have all gone up.
“Identity theft had the largest increase in 2021 compared with 2019,” the survey said, rising to 20 percent of all reported cybercrimes—a jump of 6 percent.
But while identity theft may have risen the most, the Canadian Centre for Cyber Security (CCCS) said a ransomware attack is almost certainly the worst.
The organization defines ransomware as criminals who are “using malicious software to encrypt, steal, or delete data, then demand a ransom payment to restore it.”
The cybercrime landscape has evolved in part because of an increase in the number of people conducting their business online. According to the Survey of Digital Technology and Internet Use, a third of businesses received orders or made sales over the internet in 2021—up from 25 percent in 2019.
It notes that although the burgeoning use of the internet increases opportunities for businesses, it also creates vulnerabilities.
“While a growing online presence has created new opportunities for many businesses, it has also exposed them to new risks regarding privacy, data protection, and cyber security,” said the report.
Not only are cybercrimes continuing to cost businesses more over time, but the price of prevention is also going up.
Spending on prevention and detection is up 46 percent, the average cost being $52,000 per company. Large companies averaged expenses in excess of $1 million on cybercrime prevention in 2021, compared with $667,000 in 2019.
Small companies with 10–49 employees spent an average of $19,000 in 2021, which is almost double what it was in 2019.
But not all companies are investing in protection. The survey found about 40 percent were not spending at all on cybercrime prevention.
“Part of the motivation of some businesses to invest more in cyber defenses and policies may be the parallel awareness among consumers,” the report said. “The 2020 Canadian Internet Use Survey found that one-quarter of Canadian individuals were very or extremely concerned about cyber security or privacy threats when using online shopping sites or applications.”
The awareness of cybercrime comes against a background of a growing incidence of fraud and cybercrime in Canada.
Earlier this year, the Canadian Anti-Fraud Centre comprising the RCMP, Ontario Provincial Police, and the Competition Bureau Canada noted 2022 was another record year in terms of cybercrime.
“Unfortunately, the increase in financial loss isn’t tied to an increase in reporting—the Canadian Anti-Fraud Centre estimates that only 5 to 10 percent of people report fraud.”
