CIRA publishes an annual survey of Canadian IT and cybersecurity professionals to better understand how they are coping with cyber threats. The survey of 500 cybersecurity professionals across the country was conducted by research firm The Strategic Counsel in August. This is the second blog post in a series of four documenting 2024 cybersecurity trends.
Malicious cyber attacks against Canadian organizations continue to rise. In the 2024 CIRA Cybersecurity Survey, nearly half (44 per cent) of organizations report being the victim of a cyber attack in the last 12 months. The fallout for these firms can be devastating—operations get disrupted, revenue takes a hit, public trust dwindles and their reputation can suffer long-term damage.
Organizations aren’t the only victims. When hackers acquire the private data of individuals from an organization entrusted with protecting it, the consequences for those individuals can be dire. Once a hacker has your email and password for one site, they can do all kinds of damage, such as locking you out of your accounts, emptying out your bank account, or stealing your identity altogether.
As the stewards of our data, Canadian organizations, whether in the private, public, or MUSH sector (municipalities, universities, schools and hospitals), know they must do everything in their power to protect it. Fortunately, the survey results show that Canadian organizations in every sector are putting a variety of measures in place to protect against cyber threats and data breaches. These include increasing the human, technological, financial and legal resources being allocated to cybersecurity measures.
Making investments in human resources
What’s the weakest link in the cybersecurity chain? Ask almost any expert, and they’ll tell you it’s us, the “human element.” Hackers are of course the real enemy, but all too often it’s the people working inside an organization who are their unwitting, accidental enablers.
Take passwords, for example. Many of us routinely choose weak ones instead of creating strong ones that are difficult to guess. Research conducted using a database of 193 million passwords leaked on the dark web found that the majority of them (59 per cent) can be easily cracked in less than an hour. And those AI-generated phishing emails engineered to prey on human fallibility? It just takes one bad decision and a single click to make it possible for a bad actor to breach an organization’s defences.
Fortunately, cybersecurity awareness training for employees has been shown to significantly reduce the risk of a security breach. Organizations that implement CIRA Cybersecurity Awareness Training, for example, see (on average) a threefold decrease in users clicking on phishing emails.
This year’s cybersecurity survey results show Canadian organizations are getting it right in this area: nearly everyone surveyed (98 per cent) says they conduct cybersecurity awareness training and most (76 per cent) do so at least quarterly. For 39 per cent of organizations, cybersecurity training is mandatory for all employees.
A large majority of Canadian organizations (76 per cent) have also increased the human resources dedicated to IT systems management and cybersecurity, up from 70 per cent in 2023. Among the 20 per cent of organizations that have not increased the number of people working in these areas, 50 per cent cite lack of need, while 33 per cent report a lack of financial resources.
New technologies for fending off AI-powered attacks
Canadian organizations also continue to adopt new technologies to keep cybercriminals at bay. This is vitally important as threat actors work to find new methods for exploiting generative AI and other emerging technologies to launch more sophisticated and damaging attacks.
Integrating AI tools into their workflow and operations is one important technology adjustment that more than half (57 per cent) of organizations say they are making, up from 44 per cent in 2023. Among organizations that have not yet integrated AI tools, 36 per cent of those surveyed said their organization is planning to.
Furthermore, over four in 10 cybersecurity professionals (43 per cent) say their organization has an AI policy, which is a significant increase over 2023, when just 32 per cent had one in place.
Organizations that are integrating AI tools are doing so for a variety of reasons, but improving general productivity (54 per cent) and automating repetitive tasks (52 per cent) are the top two reasons cited. Both will help cybersecurity professionals detect threats more effectively.
The most common activities organizations take to identify cybersecurity risks remain monitoring network traffic (52 per cent), monitoring employees’ behaviour (46 per cent), using one or more threat detection and response solutions (45 per cent) and vulnerability scanning and management (44 per cent).
Investments in cybersecurity are on the upswing
Canadian organizations are also marshalling their financial and legal resources in the fight against cybercrime. About half of those surveyed have annual IT budgets in excess of $100,000, with 20 per cent allocating between $50,000 and $100,000. Just over four in 10 organizations (43 per cent) allocate between five and 15 per cent of their IT budget to cybersecurity. This proportion is growing. Almost three quarters of those surveyed (74 per cent) say that the financial resources they devote to IT systems management and cybersecurity have increased in the past 12 months.
To ensure additional protection in the case of a successful cyber attack, a growing share of Canadian organizations (82 per cent) also report having cybersecurity insurance coverage, which represents a significant increase from 59 per cent in 2021.