Cybercrime strikes more than half of Vancouver companies

VANCOUVER, Oct. 24, 2023 – More than half (55 per cent) of the small- and medium-sized businesses (SMBs) surveyed in the Metropolitan Vancouver Area (MVA) and on Vancouver Island were attacked by cybercriminals over the past year and 54 per cent paid a ransom to unlock their computers within the past three years, finds a KPMG in Canada survey conducted last month.

Yet 60 per cent still don’t consider cybersecurity a “business priority.”

“Cyberattacks have become a hard reality for companies, with over half in Vancouver and on the Island either trying to ward off attacks or falling prey to bad actors with malicious intent,” says Erik Berg, Partner, Cyber Security Advisory and National Co-Lead of Justice and Public Safety sector, KPMG in Canada, who is based in Vancouver and focuses on digital transformation risk, organizational resilience, privacy, and cybersecurity services. “Small- and medium-sized companies have many competing businesses priorities and often limited capital and resources. Yet, with organizations being constantly targeted by cybercriminals, cybersecurity can no longer be ignored.”

Six in 10 companies in the MVA and on Vancouver Island say their information-technology (IT) and/or operational-technology (OT) systems make them vulnerable to cyberattacks, finds the KPMG Private Enterprise™ Business Survey. Over half (54 per cent) also say that they lack the skilled personnel to implement, monitor, and manage cybersecurity risks and only a third (32 per cent) feel strongly that their employees are adequately trained to recognize a phishing or other attack.

• 55 per cent of 73 SMBs surveyed in the Metropolitan Vancouver Area and on Vancouver Island say they were attacked by cybercriminals in the past year. By comparison, 63 per cent of 700 SMBs surveyed across Canada were attacked
• 54 per cent paid a ransom within the past three years (60 per cent nationally)
• 60 per cent say that cybersecurity is not regarded as a “business priority” (vs. 62 per cent nationally)
• 60 per cent say that their legacy systems or infrastructure – their IT and/or OT systems – make their company vulnerable to cyberattacks, compared to the 71 per cent national average
• 54 per cent say their company doesn’t have the skilled personnel to implement cybersecurity or monitor for attacks, compared to the national average of 66 per cent
• 45 per cent agreed strongly that their company is “well-prepared” to defend against a cyberattack and 44 per cent agreed somewhat. By comparison, the national average is 41 per cent who agreed strongly and 47 per cent who agreed somewhat
• 32 per cent agreed strongly that their employees are adequately trained and equipped to identify and report on potential threats, and 44 per cent agreed somewhat (vs. 31 per cent agreed strongly and 51 per cent agreed somewhat, nationally)
• 53 per cent don’t have a plan to address a potential ransomware attack (vs. 59 per cent nationally)
• 86 per cent believe a senior executive or someone on their board should be responsible for cybersecurity (vs. 81 per cent nationally)

“A cyber breach can be costly, impair their operations and damage their reputation,” says Mr. Berg. “While many SMBs don’t think they can afford to have full-time cyber teams, there are options available to them. They can’t afford to leave their operations exposed to criminals. They need to understand what data and systems are most important to their business then focus security investment, controls and monitoring on those key assets. Customer and stakeholder expectations on how organizations secure their data is increasing. Regularly assessing their vulnerabilities and taking action to safeguard their operations and critical data are baseline expectations.

“There are more technology options available that can help organizations improve their cybersecurity when deployed appropriately. Companies should also take proactive, preventative measures, such as training to teach employees how to identify phishing attacks, restricting access to essential parts of the network, having the organization ready to respond to a cyber incident, such as establishing an Incident Response Plan, and partitioning back-up files from the main network” he says.

Thirty per cent agreed strongly that they are considering using artificial intelligence (AI) to bolster cybersecurity and have “a good understanding” of the risks associated with it and how to manage them, while 49 per cent agreed somewhat. This is in line with the national average of 32 per cent who agreed strongly and 48 per cent who agreed somewhat.

About three-quarters (76 per cent) also believe generative AI is a “double-edged sword” that may help detect cyberattacks but also provide new attack surfaces for adversaries or bad actors. This compares to 81 per cent nationally.

More insights from the KPMG survey are available here.

KPMG in Canada surveyed business owners or executive level C-suite decision makers at 700 small-and-medium-sized Canadian companies between August 30 and Sept. 25, 2023, using Sago’s premier business research panel. A quarter of the companies surveyed have more than $500 million and less than $1 billion in annual revenue, a quarter have more than $300 million and less than $500 million in annual revenue, 23 per cent have between $100 million and $300 million in annual revenue, and 26 per cent have between $10 million and $50 million in annual revenue. No companies were surveyed under $10 million.

Roula Meditskos
National Communications and Media Relations
KPMG in Canada
(416) 416-549-7982
rmeditskos@kpmg.ca