Just over half of surveyed Canadian organizations hit by ransomware or malware have paid the amounts demanded by cybercriminals.
That’s one of the findings of a poll released this morning of 491 medium and large companies, conducted last October for the Quebec-based IT services firm NoviPro.
The respondents included 288 IT decision-makers, 97 decision-makers who do not work in IT, 81 decision-makers who are neither directors nor IT and 25 NoviPro clients.
Of the companies that paid a ransom, one in three retained the services of a negotiator, while 23 per cent proceeded without the help of an intermediary.
“As an entrepreneur, I am very concerned that so many organizations are paying a ransom,” Yves Paquette, co-founder and chief executive officer of NoviPro said in a statement. “Companies need to be proactive in preventing cyberattacks, otherwise the impact will be devastating to them and their customers. If organizations invested even a fraction of the potential cost of an attack, they could easily put systems in place to guard against such fraud. In the physical world, you’d employ a detachment of guards to protect something with a seven-figure value, however, there still seems to be a disconnect when the ‘something’ is digital.”
Among other findings
- respondents attributed 66 per cent of cyberattacks on what the report summarizes as “internal sources,” including employees and partners. 31 per cent of attacks were attributed to a “malicious internal source,” 22 per cent to an unintentional internal source, and 13 per cent to partners, suppliers or clients. 27 per cent of attacks were attributed to an external source not related to the company;
- 43 per cent of respondents said they are increasingly concerned about cyberattacks since the hybrid work model was introduced. The percentage of companies that have reviewed their security practices in response to the pandemic slightly decreased last year
compared to 2020 (76 per cent vs. 81 per cent);
- 28 per cent of respondents estimated the cost of a cyber attack on their firm was less than $50,000. The same number estimated the cost was between $50,000 and $250,000. 25 per cent of respondents estimated the cost was over $500,000;
- only 43 per cent of respondents said they reported a data breach to customers.This was the sixth edition of the Canada-wide study examining IT trends and the state of technology in large and medium-sized Canadian businesses, including AI and cybersecurity investment plans, perception of IT infrastructure, the “great resignation” and cloud computing.
In an interview, Paquette said that if organizations had put 10 per cent of what they paid in a ransom towards improving cybersecurity they would lower the odds of being victimized. And they don’t necessarily have to make large expenditures in hardware and software, he added. Sometimes it’s enough to review and update the firm’s cybersecurity practices. Increasing cybersecurity training of employees is also relatively inexpensive. What’s vital, he said, is that cyber training be regular. It’s also vital that it be part of the onboarding process for new employees. Having an up-to-date inventory of all corporate data so IT and management know what needs to be protected is also relatively inexpensive, he added.
Finally, it doesn’t cost much to make sure only those staffers who need privileged access to data should have it, he said.