New Insurance Bureau of Canada (IBC) research has found that small and medium-sized Canadian businesses have been slow to adapt to increasingly frequent and sophisticated cyber attacks. The results are featured in IBC's first Cyber Savvy Report Card, which assigned Canadians a "C" letter-grade for cyber safety actions and knowledge.
IBC's report card is informed by the results of a survey of 1,525 Canadians who work at small and medium-sized businesses (defined as businesses with fewer than 500 employees). The survey revealed a number of startling findings:
Two in five employees surveyed (42%) say they have seen an increase in cyber scam attempts over the last year.
Only a third of surveyed employees (34%) report that their company provides mandatory cyber security awareness training.
Only half (50%) of employees surveyed report that their organization has introduced multi-factor authentication, a critical cyber security defence mechanism that requires a user to provide two or more verification factors to access a corporate network or application.
Only a quarter of employees surveyed (24%) report that their employer conducts phishing email simulations to help promote cyber vigilance.
"As cyber criminals get savvier, it's our collective responsibility to stay one step ahead," said Celyeste Power, Executive Vice-President, Strategic Initiatives and Advocacy, IBC. "That's why IBC has launched cybersavvycanada.ca, a new cyber education initiative to help small business owners and their employees better understand the threat of cyber attacks and what they can do to reduce their risk."
Employees' actions increase their company's cyber security risk
IBC's survey also revealed that 7 in 10 employees of small and medium-sized businesses (72%) reported at least one behaviour that could allow a cyber criminal to gain access to their company's computer systems. This strengthens the argument for more employers to take action to reduce cyber threats. According to survey respondents:
27% use one password to access multiple websites they use for work;
23% access public Wi-Fi while using their work computer;
19% download software/apps on their work devices that were not provided by their employer;
7% allow family members or friends to use their work computer; and
5% share their work login or password by email or text.
Hybrid/remote employees are even more likely (77% of respondents) to take actions that may compromise their employer's cyber security or data.
Attitudes toward cyber security raise concerns
Employees may also underestimate the role they play in their organization's cyber defences, with 30% of respondents saying they don't believe cyber criminals would target them at work, and 28% of respondents saying their employer is solely responsible for protecting their workplace from cyber threats.
The research also found that 21% of respondents believe that most cyber breaches are minor and easy to resolve, while the reality is that they can have a devastating financial impact. In 2021, the average total cost of a data breach to Canadian organizations was an estimated $7.3 million.¹
"Everyone has a role to play in reducing cyber threats in the workplace. While cyber insurance is an important backstop for businesses in the event of a cyber breach, it should be thought of as one component within a complete cyber risk mitigation strategy aimed at reducing an organization's vulnerability to online threats," added Power.
IBC's new Cyber Education Initiative
IBC has launched a website, cybersavvycanada.ca, that provides resources and information about the proactive measures businesses can take to help reduce their cyber risk.
During Cyber Security Awareness Month (October 1 to 31), IBC will encourage Canadians to test their knowledge by taking IBC's Cyber Savvy Challenge at cybersavvycanada.ca.
Survey results are available at cybersavvycanada.ca.
¹ IBM, Cost of a Data Breach Report 2022
About the study
The findings are from a survey that IBC conducted from August 17 to 19, 2022, among 1,525 Canadians aged 18 and over who work primarily on a computer or other digital device at an organization with 2 to 499 employees. The sample was balanced with respect to age, gender and region to match the profile of the working Canadian population. All respondents are members of the online Angus Reid Forum. Interviews were conducted in English and French. For comparison purposes only, a sample of this size would yield a margin of error of +/-2.5 percentage points 19 times out of 20.