CALGARY, Oct. 24, 2023 – More than half (51 per cent) of small- and medium-sized businesses (SMBs) in Alberta say they were attacked by cybercriminals over the past year and 55 per cent paid a ransom to unlock their computers within the past three years, finds a survey conducted last month by KPMG in Canada.

Yet only 44 per cent say that cybersecurity is a “business priority.”

“Cyberattacks have become a hard reality all over the globe and even closer to home for Albertan companies, with over half falling prey to cybercriminals,” says Vidur Gupta, a Calgary-based cybersecurity partner for KPMG in Canada. “It’s a lot like being ‘stuck between a rock and a hard place’ because small- and medium-sized companies have many competing business priorities, limited capital, and stretched resources. But in today’s world, you can no longer ignore cybersecurity. It needs to be part of the overall business strategy.”

Almost two-thirds of SMBs in Alberta acknowledged their information-technology (IT) and/or operational-technology (OT) systems make them susceptible to cyberattacks, the KPMG Private Enterprise™ Business Survey finds. Nearly 60 per cent also say that they lack the skilled personnel to implement, monitor, and manage cybersecurity risks and only 29 per cent strongly agree that their employees are adequately trained to recognize a phishing or other attack.

Key survey findings:

  • 51 per cent of 78 SMBs surveyed in Alberta say they were attacked by cybercriminals in the past year, compared to 63 per cent nationally
  • 55 per cent paid a ransom within the past three years (vs. 60 per cent nationally)
  • Only 44 per cent say that cybersecurity is a “business priority” (slightly higher than the 38 per cent national average)
  • 65 per cent say that their legacy systems or infrastructure – that is, their information and/or operational technology – make their company vulnerable to cyberattacks (vs. 71 per cent nationally)
  • 57 per cent say their company doesn’t have the skilled personnel to implement cybersecurity or monitor for attacks (vs. 66 per cent nationally)
  • Just 28 per cent agreed strongly that their company is “well-prepared” to defend against a cyberattack and 54 per cent agreed somewhat (vs. 41 per cent agreed strongly and 47 per cent agreed somewhat, nationally)
  • Only 29 per cent agreed strongly that their employees are adequately trained and equipped to identify and report on potential threats, and 47 per cent agree somewhat (vs. 31 per cent agreed strongly and 51 per cent agreed somewhat, nationally)
  • 53 per cent don’t have a plan to address a potential ransomware attack (vs. 59 per cent nationally)
  • 82 per cent believe a senior executive or someone on their board should be responsible for cybersecurity (vs. 81 per cent nationally).

“While our survey indicates similar findings across Alberta-based entities and nationally, fewer Alberta companies are prepared to defend against cyberattacks,” says Mr. Gupta. “This is worrisome because a cyber breach can be costly, impair their operations, and also damage their reputation. This is why it’s so important to take proactive, preventative measures, such as training employees how to identify phishing attacks and deploying measures to restrict access to segments of the network based on the defined role of the employee.”

“While many SMBs don’t think they can afford to add full-time cyber teams, they can’t leave their operations exposed to criminals. They need to regularly assess their vulnerabilities and take action to enhance their cyber resilience.”

Nearly thirty per cent (30 per cent) agreed strongly that they are considering using artificial intelligence (AI) to bolster cybersecurity and have “a good understanding” of the risks associated with it and how to manage them, while 47 per cent agreed somewhat. By comparison, nationally, 32 per cent agreed strongly and 48 per cent agreed somewhat.

But eight in 10 (78 per cent) also believe generative AI is a “double-edged sword” that may help detect cyberattacks but also provide new attack strategies for adversaries or bad actors. This compares to 81 per cent nationally.

“AI and machine learning can help detect abnormalities and potential vulnerabilities to warn users of potential threats,” says Mr. Gupta. “But while companies are just starting to harness AI for good, unfortunately bad actors are also already using AI to make their attacks more real. As we wrap up Cybersecurity Awareness Month, it’s important to acknowledge that, along with the adoption of new technologies, the security and governance aspects also need to be addressed.”

Mr. Gupta is hosting a Cyber Challenge hackathon today for university students at Platform Calgary focused on operational technology exercises.

KPMG last month completed the acquisition of Calgary-based IMagosoft, solidifying the firm’s presence in the identity and access management service space.

More insights from the KPMG survey are available here.

About the KPMG Private Enterprise™ Business Survey

KPMG in Canada surveyed business owners or executive-level C-suite decision makers at 700 small- and medium-sized Canadian companies between August 30 and Sept. 25, 2023, using Sago’s premier business research panel. A quarter of the companies surveyed have more than $500 million and less than $1 billion in annual revenue, a quarter have more than $300 million and less than $500 million in annual revenue, 23 per cent have between $100 million and $300 million in annual revenue, and 26 per cent have between $10 million and $50 million in annual revenue. No companies with under $10 million in annual revenue were surveyed.

About KPMG in Canada

KPMG LLP, a limited liability partnership, is a full-service Audit, Tax and Advisory firm owned and operated by Canadians. For over 150 years, our professionals have provided consulting, accounting, auditing, and tax services to Canadians, inspiring confidence, empowering change, and driving innovation. Guided by our core values of Integrity, Excellence, Courage, Together, For Better, KPMG employs more than 10,000 people in over 40 locations across Canada, serving private- and public-sector clients. KPMG is consistently ranked one of Canada's top employers and one of the best places to work in the country.

The firm is established under the laws of Ontario and is a member of KPMG's global organization of independent member firms affiliated with KPMG International, a private English company limited by guarantee. Each KPMG firm is a legally distinct and separate entity and describes itself as such. For more information, see kpmg.com/ca.

For media inquiries:

Caroline Van Hasselt
National Communications and Media Relations
KPMG in Canada
(416) 777-3328
cvanhasselt@kpmg.ca

Roula Meditskos
National Communications and Media Relations
KPMG in Canada
(416) 416-549-7982
rmeditskos@kpmg.ca