Canadian companies spent $1.2-billion on recovery from cyberattacks last year, double what they shelled out two years earlier, according to the latest data from Statistics Canada.
The sharp increase in recovery spending occurred even while the proportion of businesses falling victim to cyberattacks declined slightly to about 16 per cent in 2023, down from 18 per cent in 2021 and 21 per cent in 2019.
Statistics Canada said the data suggest that the financial consequences of being breached by cybercriminals are escalating. Those costs can include things such as hiring new staff, training employees, managing public relations and investing in new hardware or software, according to Howard Bilodeau, unit head in Statscan’s Centre for Innovation, Technology and Enterprise Statistics.
“We’re pretty confident that the upward trend that we’re seeing is a real trend,” Mr. Bilodeau said in an interview Monday, referring to the rising cost of breaches.
The new figures underline the increasingly costly battle that organizations face against cybercriminals who are becoming more and more sophisticated.
“This paradox reflects the evolving cyber threat landscape where attacks are more sophisticated, regulatory penalties steeper and the stakes for business continuity higher than ever,” Nick Galletto, cybersecurity leader at EY Canada, said in a statement.
“Companies are not just spending to recover – they’re also investing heavily in fortifying their defenses and restoring trust. In the digital age, the cost of resilience is rising, but the price of vulnerability is even greater,” he added.
Despite the investments that organizations have made into bolstering their defences – spending on prevention and detection of cyberattacks rose to $11-billion in 2023, up from $9.7-billion in 2021, according to Statscan – a number of high-profile organizations were hit last year.
Those organizations include Indigo Books & Music Inc., The Weather Network’s parent company Pelmorex Corp., Toronto Public Library and a number of companies – including Barrick Gold Corp. and Sun Life Financial – that were affected by a mass data theft from a third-party file-sharing system called MOVEit.
Indigo has said that as of the end of 2023, it had incurred $6.5-million of costs as a result of the cyberattack, including legal fees and spending to bring its systems back online. That figure does not include millions of dollars in lost sales.
At the time, the company said it had received $1.3-million in insurance proceeds and that it was continuing to process claims with its insurer. The company’s cyberinsurance provided for maximum coverage of roughly $10-million.
Indigo said it had decided it would not pay the ransom that the hackers were seeking, citing concerns that the payment could end up in the hands of terrorists or others on sanctions lists.
Indigo’s refusal to pay the ransom is in line with how other companies responded to payment demands from hackers. The majority – 88 per cent – of the 2023 ransomware victims surveyed by Statistics Canada said that their companies did not make ransom payments. Of those that did, 84 per cent paid less than $10,000, while 4 per cent paid more than $500,000.
“There are always going to be limitations on the survey like this of whether a business feels comfortable responding and identifying that they made that type of payment,” Mr. Bilodeau said. “But nonetheless, we’ve consistently seen over time on this survey that the majority of businesses say that they’re not making those payments,” he added.
The data for the Statscan survey were collected between January and March of 2024, with respondents asked to only report on activities that occurred in 2023. The sample size was 12,462 enterprises, with a response rate of 71 per cent. Statistics Canada aimed to survey small, medium and large enterprises across a variety of economic sectors.