Despite the rising frequency of data breaches, many Canadian businesses remain unprepared, with the cost of attacks escalating as cybercriminals evolve their tactics. (Photo: Kacper Pempel/Reuters)

Data breaches are endemic, with about one in six Canadian businesses affected by cybersecurity incidents in 2023, according to Statistics Canada. Experts say companies continue to grapple with defence protocols and postbreach responses, despite the proliferation.

Milind Bhargava, a cybersecurity expert and founder of Mjolnir Security, got a call from a B.C.-based transportation company in 2020, asking his firm to investigate a ransomware data breach.

“[The company’s] first plan was to wipe everything,” Mr. Bhargava says. By the time Mjolnir Security arrived, there wasn’t much data left for forensics. Legacy equipment complicated the investigation, with many of the transportation company’s remote global operations relying on dial-up internet. Mjolnir Security ended up shipping new technology rather than rebuilding the compromised systems.

“You may be surprised thinking about how an organization can be this bad, but this is normal,” says the cybersecurity expert, who has worked on 560 breaches – the majority for enterprise-level businesses – since 2018. “Most oil-and-gas companies in Calgary are seven to eight years behind patching and securing their [computer] systems that control critical infrastructure because it would cost too much to have regular downtimes.”

According to IBM’s annual Cost of Data Breach report, Canadian organizations paid $6.32-million on average for each data breach in 2024. That number was disproportionately higher for the financial sector ($9.28-million on average for each breach) and the technology and industrial sectors, which pay around $7.8-million a breach. The most common pathway for cybercriminals was stolen credentials, a breach that often takes 10 months to identify and contain, according to the report.

Hélène Deschamps Marquis, national co-leader of privacy and cybersecurity at Borden Ladner Gervais LLP, says attacks have evolved over the past decade from big data breaches, where information was stolen or copied, to ransomware, an attack where an organization’s system will be blocked or encrypted.

“The hacker will come back and say ‘we offer two services: We can give you the decryption key [and] the other is we won’t publish your data on the dark web,’” Ms. Deschamps Marquis says.

There’s often a discount for paying both to unlock data and keep it off the dark web. With the escalating attacks, an ideal formula has emerged for responding: Contain then investigate. “You need the technical support, but you also need a lawyer because you want the breach response covered by privilege,” she says.

Ms. Deschamps Marquis adds that many companies she works with now have a response plan.

Cybersecurity expert Milind Bhargava says the cost of companies investing in better security now far outweighs the cost of becoming a victim of a data breach. (Photo: Nick Kozak)

“Laws across Canada and the world are getting stronger and imposing more obligations on organizations in case of cyber incidents. More contracts demand that type of notification now.”

Within sectors such as finance, energy and insurance, oversight bodies usually require some form of disclosure. In Canada, under the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations are required to notify the Office of the Privacy Commissioner and affected individuals of any security breach involving their data.

But hackers are outpacing the abilities of businesses to respond, says Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange (CCTX), an organization of 200 companies that confidentially swap information about cyberattacks and best practices for managing them.

“We are learning our lessons and some people are getting better at some things,” Ms. Quaid says. “[But] it’s whack-a-mole … attackers [aren’t] playing by the same rules we are.”

She says organizations and governments operate within the confines of laws, good policy and corporate citizenship. She points to artificial intelligence (AI) as an example. According to the IBM report, 61 per cent of Canadian companies are now deploying AI and automation to combat breaches. But attackers are using AI to write malicious code, automate attacks and design a more sophisticated tool kit for executing data breaches.

“You can go on the dark web and buy malicious code for less than a hundred bucks … you don’t need skills because the code might even come with a help desk and, my favourite part, a money-back guarantee,” Ms. Quaid says. “So yes, we are learning and we are getting better at it, but so are they.”

Mr. Bhargava says part of the challenge of staying ahead of cyber criminals is getting ahead of them. According to Statistics Canada, the proportion of companies that reported spending money to prevent or detect cybersecurity incidents decreased from 61 per cent in 2021 to 56 per cent in 2023, even as attacks escalated in frequency and intensity.

“People only change or invest after they’ve been breached,” he says. “Most organizations, when we go and sell our services, [will ask] ‘what’s the worst that can happen?’ Well, all of your data can be out, your clients can leave you, you can be bankrupt three months from now … or you invest a little and then at least you can make sure it doesn’t happen to you or at least not as bad.”
