One in Five (18%) Small and Medium-Sized Canadian Businesses Have Been Victims of Cyber-Attacks

IT security and protection of business data is of top priority for Canadian businesses

Toronto, ON - Small and medium-sized businesses aren't immune to cyber attacks, with one in five (18%) Canadian employees of small and medium-sized (SMBs) businesses saying their workplace has been a victim of a cyber-attack, according to a new Ipsos survey conducted on behalf of ESET. The survey of 1,003 Canadians interviewed employees at small (5-99 employees) and medium-sized (100-499 employees) businesses, who work in IT, senior management, or who have a broad knowledge of their company's IT policies and procedures.

Cyber-attacks are more likely to have occurred at companies with yearly revenue over $10 million. For instance, three in ten (29%) employees from businesses with a yearly revenue of $25-$99 million and one in four (24%) employees from businesses with a yearly revenue of either $10-$24 million or over $100 million indicated that they have been victims of a cyber-attack. This is compared to only one in ten companies in the $1-9 million (13%) or less than $1 million (12%) range indicating they have been a victim of a cyber-attack. Further, more small-sized business employees say that they have never been victims of a cyber-attack (76%) compared to employees from medium-sized businesses (70%).

Given the prevalence of high-profile cyber attacks and leaks in the news media, it's perhaps not surprising that two in three (64%) employees say that it is very important their businesses participate in activities involving "information technology security and the protection of our businesses' data."

Being Attacked

Among the two in ten (18%) employees whose company has been a victim of a cyber-attack, the most common device to have been hacked is the server (43%), followed by the network (36%), user device (31%), kiosk/point-of-sale terminal (9%) or some other type of attack (8%).

During the attack, one in three (33%) victims say that some employees were locked out of company devices, networks, etc. Two in ten victims say that their companies "lost money by paying to gain their files/hardware/networks back" (26%), "proprietary and/or customer information was stolen (23%) or they "experienced a loss to our business because the attack made us unable to service our customers" (21%). Slightly more than two in ten (23%) employees said the nature of the attack was something other than these options.

A majority (65%) of SMB employees - whether their company has already been attacked or not - think their business could only function for a few days at most without access to its data (digital files, the network, emails, etc). Further, more than one in ten (15%) say their company would cease functioning immediately.

Importance of IT Policies, Procedures and Products

A majority of Canadian employees believe it is important for their businesses to take action to protect and safeguard their business information. For instance, nine in ten employees think backing up company files (96%) and having IT security software installed on all devices (92%) are important IT security measures their organizations can take, followed by "training on your company's IT security procedures" (88%), employees regularly changing their computer passwords (86%), having strict BYOD guidelines on employees using their own IT devices to access company documents (83%), and randomly auditing employees and the company on IT security compliance (81%).

Employees from medium-sized businesses appear to find more importance in some of the above IT policies, procedures or products compared to small-sized businesses. For instance, employees from medium-sized businesses are more likely to find these produces to be "very important" for their organization to protect and safeguard their business information:

  • Having IT security software installed on all devices: 66% medium-sized, vs. 57% small-sized;
  • Organizations training employees on their company's IT security procedures: 55% medium-sized, vs. 47% small-sized;
  • Employees regularly changing their computer passwords: 51% medium-sized, vs. 43% small-sized;
  • Having strict BYOD guidelines: 46% medium-sized, vs. 38% small-sized;
  • ?
  • Randomly auditing employees and the company on IT security compliance: 37% medium-sized, vs. 31% small-sized.

Are SMBs Doing Enough?

Two in ten (22%) Canadian employees say that their organization is not spending enough time on IT security. Seven in ten (70%) say the amount of time spent on IT security is about right, and only one in ten (8%) say their organization is spending too much time.

When it comes to the amount of money organizations are spending on IT security, one in four (23%) employees say that their organization is not spending enough. Canadian employees' views on time tend to be the same as for money: seven in ten (70%) say the amount of money spent on IT is about right, and only one in ten (8%) believe their organization is spending too much money on IT security.

Employees were asked how confident they are that their business and its information would be safe from a cyber-attack. Only one in three (33%) of Canadian employees were "very confident" that their businesses would be safe, meaning that more than half (67%) have some reservation about their companies' ability to protect the business and its information if a cyber-attack were to occur. The confidence level among employees in believing their business and its reputation would be able to survive and thrive after a cyber-attack was less than ideal, with only four in ten (43%) being "very confident." Further, only two in five (40%) of employees are "very satisfied" with their company's current IT security policies, produces and products.

Being Prepared

Employees were asked how often their staff is given information, training or practice IT procedures to ensure IT security. Three in four (75%) say their staff backs up their files on an ongoing or monthly basis. Half (56%) say the staff at their organization uses their own IT devices to access company documents on an ongoing/monthly basis, while four in ten (42%) say staff change their computer passwords at this same frequency. Only one in three (34%) say that staff is trained on their company's IT security procedures on an ongoing/monthly basis, and a further one in three (32%) say the same about the frequency with which staff is audited on their IT security compliance.

There seems to be a general awareness of terms dealing with IT security, however there is certainly room for improvement. With two exceptions, less than half of those surveyed describe themselves as being "very familiar" with the following terms: viruses (64% are very familiar), malware (55%), encryption (47%), phishing (46%), two-factor authentication (29%), ransomware (28%), social engineering (27%).

These are some of the findings of an Ipsos poll conducted between August 22 and August 26, 2016, on behalf of ESET. For this survey, a sample of 1,003 Canadian adults employed at small businesses (defined as companies with 5-99 employees) and medium businesses (defined as companies with 100 to less than 500 employees), who work in IT, are senior management or who have a broad knowledge of their company's IT policies and procedures from Ipsos' online panel was interviewed online. Weighting was then employed to balance demographics to ensure that the sample's composition reflects that of the adult population according to Census data and to provide results intended to approximate the sample universe. The precision of Ipsos online polls is measured using a credibility interval. In this case, the poll is accurate to within +/ - 3.5 percentage points, 19 times out of 20, had all Canadian adults employed at small and medium businesses in these job functions been polled. The credibility interval will be wider among subsets of the population. All sample surveys and polls may be subject to other sources of error, including, but not limited to coverage error, and measurement error.

For more information on this news release, please contact:

Sean Simpson
Vice President
(416) 324-2002
Ipsos Public Affairs

About Ipsos

Ipsos ranks third in the global research industry. With a strong presence in 87 countries, Ipsos employs more than 16,000 people and has the ability to conduct research programs in more than 100 countries. Founded in France in 1975, Ipsos is controlled and managed by research professionals. They have built a solid Group around a multi-specialist positioning-- Media and advertising research; Marketing research; Client and employee relationship management; Opinion & social research; Mobile, Online, Offline data collection and delivery. Ipsos has been listed on the Paris Stock Exchange since 1999.

More insights about Consumer Goods

Consumer & Shopper