CIRA publishes an annual survey of Canadian IT and cybersecurity professionals to better understand how they are coping with cyber threats. The survey of 500 cybersecurity professionals across the country was conducted by research firm The Strategic Counsel in August. This is the third blog post in a series of four documenting 2024 cybersecurity trends.
What’s keeping Canada’s cybersecurity professionals up at night? Plenty, it turns out, according to the results of the 2024 CIRA Cybersecurity Survey.
Frequent cyber attacks are now the norm in Canada, as this year’s survey data shows. Overall, 44 per cent of organizations in the private, public, and MUSH (municipalities, universities, schools, and hospitals) sectors say they’ve been victimized in the last 12 months. Public sector organizations have been hit the hardest (58 per cent), just slightly more than their MUSH sector counterparts (55 per cent), while 41 per cent of organizations in the private sector report being the target of a cyber attack. Data breaches are also commonplace with 38 per cent of organizations saying their customer or employee data has been compromised within the last year.
Recovering from a cyber attack is time-consuming, stressful and expensive
If you’re a cybersecurity professional, you know that working diligently week-in and week-out to steer clear of these damaging attacks can be exhausting, not to mention disruptive to your sleep. Trying to pick up the pieces after a major incident can be even worse.
“The most significant consequences of a cyber attack include reputational damage, operational disruptions, financial losses from decreased revenue and productivity, potential loss of insurance coverage, and the risk of becoming a recurrent target for persistent attackers.” – Michel Devost, Director, Information Technology Services, CIRA
A large majority of Canadian organizations have a cyber incident response plan (83 per cent), which is essential for getting the wheels in motion on recovery when disaster strikes, but the process is almost always stressful and time-consuming.
Among those who fell victim to an attack in the last 12 months, almost three quarters (72 per cent) say it took under a month to recover their IT systems to pre-incident capacity and about half (52 per cent) say it took less than a week. No matter the nature of the incident, time is of the essence when you’re determining what systems have been compromised in an attack or figuring out how to bring them back online quickly to avoid extended downtime and the lost productivity and revenue that come along with it. As well, in the aftermath of a data breach, you need to assess what’s been stolen, who’s been affected and shift your resources accordingly.
“In the heat of the moment, when emotions and the pressure to respond run extremely high—impacting your ability to think clearly—having a well-documented and tested incident response plan helps prepare the organization to respond quickly, mitigate damage and recover more efficiently.” – Scott McMullen, Director of Security
Generative AI a major concern for Canadian cybersecurity professionals
Beyond underscoring the increasing frequency of cyber attacks in Canada, this year’s survey results shine a light on some of the specific issues cybersecurity experts are grappling with in 2024. When asked to cite the top three perceived risks they’re facing, 50 per cent said malicious software, 45 per cent said scams and fraud and 43 per cent said manipulation or theft of data. Additionally, more than four in ten (43 per cent) believe there are dormant threats on their organization’s network, such as botnets, that have not yet been activated and could create challenges at some future date.
In terms of who they’re concerned about, organizations are most likely to perceive profit-motivated cyber criminals as the biggest potential threat (60 per cent), followed by cyber criminals motivated by nationalist beliefs (33 per cent) and foreign state actors (32 per cent).
Whichever category they fall into, the bad guys don’t need to be very tech savvy anymore to carry out a successful attack. Subscription-based ransomware-as-a-service (RaaS) kits can be easily purchased on the dark web, complete with 24/7 technical support, user forums and all the things you get with a legitimate software purchase. An even more unsettling development that’s giving an edge to cyber criminals and contributing to sleepless nights among cybersecurity professionals is the exploitation of generative AI to commit more sophisticated and damaging cyber crimes–more quickly and cheaply than ever before.
Seven in 10 cybersecurity professionals say they’re worried about potential cyber threats from generative AI. They’re most concerned about data that can be gathered by AI tools (61 per cent) and phishing emails and texts (56 per cent). Among those worried about generative AI threats, 52 per cent say they are concerned about AI-powered cyber attacks and 45 per cent are concerned about privacy breaches.
While malicious cyber threats are everywhere and continue to evolve at a dizzying pace, there are promising signs that most Canadian organizations are continuing to invest in strong, foundational cybersecurity measures designed to reduce the risk of an attack and protect their systems, their people and their reputations from cyber criminals.
