Most Canadian firms pay a ransomware gang, latest CIRA survey suggests

The vast majority of organizations in this country are still giving in and paying ransomware gangs after successful attacks, the annual survey of infosec pros by the Canadian Internet Registry Authority (CIRA) suggests.

That’s one possible conclusion from the results of an online survey of 500 Canadian cybersecurity professionals from organizations that had at least 50 employees that was released Tuesday by CIRA.

CIRA oversees the .ca registry.

Released in conjunction with Cybersecurity Awareness Month, the survey shows 41 per cent of respondents said their organization had experienced an attempted or successful cyber attack in the last 12 months. Of those, 23 per cent said that their organization had been a victim of a successful ransomware attack in the last 12 months, one per cent more than 2022.

And of those, 70 per cent said their organization paid ransom demands — and nearly a quarter of those paid up to $100,000. The responses are roughly similar to those of previous CIRA surveys. In 2022, 73 per cent of those hit by ransomware said their firm paid up, while 69 per cent said their firm paid a ransom in 2021.

The numbers “went the wrong way in terms of a trend this year,” admitted Jon Ferguson, CIRA’s general manager of cybersecurity.

“The challenge for a lot of organizations is if they’re not well prepared for an attack before it happens, remediation may not be easy,” he said. “So they perceive paying is the simplest resolution of the problem. Maybe they lack the ability to recover without getting access (to data) back.”

They may also be worried about damage to their reputation if word gets out about a ransomware attack, he added.

Asked why in 2023 an organization would not be well prepared for ransomware, Ferguson said some firms may have trouble understanding the threats new technologies adopted by IT will pose.

He also noted evidence in the survey numbers that IT pros recognize ransomware is a problem. Three-quarters of respondents said they would support a law forbidding organizations from making ransom payments. (That’s up from 64 per cent in the 2021 survey).

Among other troubling survey numbers pointed out to Ferguson, 64 per cent of respondents said they had to use their incident response plans in the past 12 months. At least they had an IR plan to use, Ferguson replied. (In fact 44 per cent of respondents said their firm has a comprehensive IR plan, with another 40 per cent saying they have a basic plan).

Among other survey results:

— of those who had been hit by a successful cyber attack, 29 per cent said their organization had lost revenue as a result of the incident, 22 per cent said they incurred repair or recovery costs and 36 per cent said it prevented staff from carrying out day-to-day work. But 38 per cent described the incident as minor;
— 97 per cent of respondents said their organization conducts cybersecurity awareness training. That number has been over 90 per cent since 2020. But just under half of respondents said their organization makes training mandatory for all employees. The number has been growing over the past five years. This year it was 48 per cent of respondents;
— the top three reasons cited by respondents who said their organization does no awareness training were: it has never been considered, it’s expensive and it’s time-consuming;
— 57 per cent of respondents said their organization does training every quarter. Another 13 per cent said it’s done monthly;
— organizations use a combination of in-house and third-party training materials. But only 43 per cent of respondents said their organization does phishing simulations;
— 65 per cent of respondents believe their organization’s cybersecurity budget is sufficient to protect against cyber attacks;
— 73 per cent of respondents said the budget allocated to IT and cybersecurity at their organization had increased in the past 12 months;
— 37 per cent said their organization is using technology released before 2010. Another 20 per cent said they still have technology that might date back to 2000. Others said some of their technology goes back further;
— 70 per cent of respondents said their IT staff has increased in the past 12 months.

Asked what the report’s numbers say about the readiness of Canadian firms to face cyber attacks, Ferguson said, “There is no clear answer to that question. What the data certainly points to is a heightened awareness and an increased amount of engagement in cybersecurity-related services and support, which I think is definitely an improvement.”

“But,” he added, “we have work to do to make sure the best option for organizations isn’t to pay a ransom. We got to get to a stage where everybody’s got that baseline level of cybersecurity hygiene and capabilities to prevent a ransomware payment from being an easy answer to their problem.”