Cybersecurity remains a tick-the-box exercise despite jump in cyberattacks

With nearly a 10-percentage point jump in cyberattacks over the past year, Canadian business leaders rank cybersecurity as the No. 1 threat to their growth, finds a recent KPMG Private Enterprise™ survey. Yet over 70 per cent of companies still treat cybersecurity as a ‘tick-the-box exercise’.

Almost three-quarters (72 per cent) of small- and medium-sized business (SMB) leaders say they were attacked by cybercriminals in the past year, up from 63 per cent last year. Over two-thirds (67 per cent) say they paid a ransom in the last three years, up from 60 per cent a year ago.

“The rapid escalation in both the frequency and complexity of cyberattacks has Canadian business leaders identifying it as the greatest threat to their company’s growth objectives,” says Hartaj Nijjar, partner and national leader of KPMG in Canada’s cybersecurity practice. “However, while they understand the risk is growing and significant, our recent poll found 71 per cent of companies are not taking a strategic approach to managing their risk and consider cybersecurity a tick-box in staff training. 

Part of the problem is they don’t have the expertise to implement cybersecurity defences or monitor for attacks, with as many as seven in 10 saying they lack qualified personnel. Our poll findings also show that they may not have nailed down the basics, leaving them vulnerable to cybersecurity breaches. The first line of defence is good cyber hygiene, and that means your employees must always be on high alert. It can’t just be a tick-box exercise.” 

In addition to the lack of skills, businesses also reported having fewer financial resources to invest in cyber defences (69 per cent). Faced with competing investment priorities, companies have a tendency to put cyber on the backburner, yet the number and sophistication of cyberattacks will only continue to increase, he says. 

“They may not realize that investing more up front for cybersecurity defences is less costly in the long run, especially if they are a victim of a ransomware attack,” Mr. Nijjar says. 

The research finds that two-thirds (66 per cent) admitted their company doesn’t have a plan to address potential ransomware attacks.

“Ransomware attacks are among the more costly cyberattacks,” says Mr. Nijjar. “When smaller businesses are forced to pay a ransom, it often causes significant disruption and can even result in business closures due to financial loss and reputational damage. Being proactive and investing in resources like cybersecurity training for all employees, proper software and threat monitoring practices to help defend against these attacks is often a more cost-effective strategy for smaller and medium-sized companies.” 

It’s not just SMB leaders who are concerned about cybersecurity. KPMG International’s latest CEO Outlook found that it has also reemerged as a top threat to the growth of Canada’s multi-billion-dollar organizations over the next three years. 

Key highlights:

• 72 per cent of 735 SMB leaders say they had been attacked by cybercriminals in the past year (up from 63 per cent last year)
• 71 per cent consider cybersecurity “a tick-box in staff training and not as fully embedded as it could be”
• 67 per cent paid out a ransom in the last three years (up from 60 per cent last year)
• 66 per cent don’t have a plan to address a potential ransomware attack (up from 59 per cent last year)
• 70 per cent say their company doesn’t have the skilled personnel to implement cybersecurity or monitor for attacks (up from 66 per cent last year)
• 69 per cent say their company lacks the financial resources to invest in cyber defences (up from 64 per cent last year)

Worried over generative AI attacks
 

Many SMBs (75 per cent) are worried that cybercriminals will use generative AI, making them even more vulnerable to cybersecurity breaches. Due to this concern, businesses are starting to make cybersecurity a priority even if most lack the financial resources, with 36 per cent strongly agreeing that their company “is increasing investment in cybersecurity to protect their businesses from AI threats” and nearly 80 per cent are considering bolstering their defences with AI.

“We know bad actors are using generative AI to fast track the path to exploitation, so it makes sense that businesses also adopt the use of AI for risk mitigation,” says Nisal Samarakkody, a partner in KPMG in Canada’s cybersecurity practice who specializes in the use of AI to tackle cybercrime. “It not only increases efficiency and productivity while allowing for more intelligent threat detection, it can also result in cost reductions during cyber breaches, which is especially beneficial for small- to medium-sized businesses.” 

How SMBs view generative AI:

• 75 per cent of SMBs say their company is worried generative AI will make them even more vulnerable to cybersecurity breaches
• 36 per cent strongly agree their company is increasing investment in cybersecurity to protect their operations and intellectual property from AI threats
• 79 per cent are considering using AI to bolster cybersecurity and have a good understanding of the risks associated with it and how to manage them

About the KPMG Private Enterprise™ Business Survey
 

KPMG in Canada surveyed 735 business owners or executive level C-suite decision makers at small-and-medium-sized Canadian companies between August 13 and Sept. 4, 2024, using Sago's premier business research panel. Thirty-seven per cent helm companies with more than C$500 million and less than C$1 billion in annual revenue, a quarter have more than C$300 million and less than $500 million in annual revenue, 26 per cent have between C$100 million and C$300 million in annual revenue, and 13 per cent have between C$10 million and C$50 million in annual revenue.