Canadian Survey of Cyber Security and Cybercrime - 2023

For information only: This is an electronic survey example for information purposes only. This is not a working questionnaire.

INFORMATION FOR RESPONDENTS

Purpose

The purpose of the 2023 Canadian Survey of Cyber Security and Cybercrime is to measure the impact of cybercrime on Canadian businesses.

The survey gathers information about:
- The measures businesses have implemented for cyber security, including employee training;
- The types of cyber security incidents that impact businesses; and
- The costs associated with preventing and recovering from cyber security incidents.

Additional information

Your information may also be used by Statistics Canada for other statistical and research purposes.
Your participation in this survey is required under the authority of the Statistics Act.

Authority

Data are collected under the authority of the Statistics Act, Revised Statutes of Canada, 1985, Chapter S-19.

Confidentiality

By law, Statistics Canada is prohibited from releasing any information it collects that could identify any person, business, or organization, unless consent has been given by the respondent, or as permitted by the Statistics Act. Statistics Canada will use the information from this survey for statistical purposes only.

Data-sharing agreements

To reduce respondent burden, Statistics Canada has entered into data-sharing agreements with provincial and territorial statistical agencies and other government organizations, which have agreed to keep the data confidential and use them only for statistical purposes. Statistics Canada will only share data from this survey with those organizations that have demonstrated a requirement to use the data.

Section 11 of the Statistics Act provides for the sharing of information with provincial and territorial statistical agencies that meet certain conditions. These agencies must have the legislative authority to collect the same information, on a mandatory basis, and the legislation must provide substantially the same provisions for confidentiality and penalties for disclosure of confidential information as the Statistics Act. Because these agencies have the legal authority to compel businesses to provide the same information, consent is not requested and businesses may not object to the sharing of the data.

For this survey, there are Section 11 agreements with the provincial and territorial statistical agencies of Newfoundland and Labrador, Nova Scotia, New Brunswick, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia and the Yukon.

The shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Section 12 of the Statistics Act provides for the sharing of information with federal, provincial or territorial government organizations. Under Section 12, you may refuse to share your information with any of these organizations by writing a letter of objection to the Chief Statistician, specifying the organizations with which you do not want Statistics Canada to share your data and mailing it to the following address:

Chief Statistician of Canada
Statistics Canada
Attention of Director, Investment, Science and Technology Division
150 Tunney's Pasture Driveway
Ottawa, ON
K1A 0T6

You may also contact us by email at statcan.istdinformation-distinformation.statcan@canada.ca.

For this survey, there are Section 12 agreements with the statistical agencies of Prince Edward Island, Northwest Territories and Nunavut, as well as with Public Safety Canada; Royal Canadian Mounted Police; Natural Resources Canada; Communications Security Establishment; Innovation, Science and Economic Development Canada; and Public Services and Procurement Canada.

For agreements with provincial and territorial government organizations, the shared data will be limited to information pertaining to business establishments located within the jurisdiction of the respective province or territory.

Record linkage

To enhance the data from this survey and to reduce respondent burden, Statistics Canada may combine it with information from other surveys or from administrative sources.

Reporting instructions

For this questionnaire:

Please complete this questionnaire for Canadian operations of this business.

Reporting instructions:

- Report dollar amounts in Canadian dollars.
- Report dollar amounts rounded to the nearest dollar.
- If precise figures are not available, provide your best estimate.
- Enter "0" if there is no value to report.

Business characteristics

Business characteristics - Question identifier:1

Which of the following does your business currently use? Select all that apply.

Help definitions

Blockchain technologies:
A decentralized and distributed public digital ledger that is used to record transactions across many computers so that any involved record cannot be altered retroactively, without the alteration of all subsequent blocks.

Cloud computing or storage:
Services that are used over the Internet to access software, computing power or storage capacity where the service:

a. is delivered from servers of service providers;
b. can be easily scaled up or down (e.g., number of users or storage capacity);
c. can be used on-demand by the user, at least after the initial set up (without human interaction with the service provider);
d. is paid for per user or by capacity used, or is pre-paid.

E-commerce platforms:
A software technology solution that allows a business to build and host a digital storefront soliciting a specific set of products or services.

Electronic Data Interchange (EDI):
The electronic transmission of data suitable for automated processing between businesses or organizations. Generally, EDI allows for the sending or receiving of messages (e.g., payment transactions, tax declarations, orders) in an agreed or standard format suitable for automated processing, and does not require an individual to type a message manually.

E-signature:
A technology that allows a person to electronically affix a signature or its equivalent to an electronic document, as when consenting to an online contract.

Internet-connected smart devices:
Electronic devices that can connect to each other and the Internet through a network. These devices are designed to automatically send and receive information from the Internet on a constant basis.

Internet of Things (IoT):
A term referring to the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. Examples include smart televisions, Wi-Fi enabled security cameras, automatic car tracking adapters, Canary smart security system, Cisco's connective factory, Philips Hue smart bulbs and August smart locks.

Intranet:
A private computer network accessible only to the business and its staff. It is protected from unauthorized access with security systems such as firewalls. It is composed of LANs (local area networks) and in some cases WANs (wide area networks).

Open source software:
Software for which the source code is available without any copyright cost, often providing the possibility of it being modified, distributed, and re-distributed.

Social media:
Social networking sites like Facebook, Twitter and LinkedIn for your business to reach potential customers and build stronger relationships with clients. Businesses also use social networking sites for marketing or professional purposes.

Voice over internet protocol (VoIP):
Routing of voice conversations over the Internet. This is distinct from a telephone call, which is made from your home or office phone which goes through the Public Switched Telephone Network.

Web-based application:
A program that is accessed over an Internet network, rather than existing within a device's memory.

  • Website for your business
  • Social media accounts for your business
  • E-commerce platforms and solutions
  • Web-based applications
  • Open source software
  • Cloud computing or storage
  • Internet-connected smart devices or Internet of Things (IoT)
  • Intranet
  • Blockchain technologies
  • Voice Over Internet Protocol (VoIP) services
  • Remote Access Technology
  • Software or hardware using artificial intelligence (AI)
  • OR
  • Business does not use any of the above

Business characteristics - Question identifier:2

What type of data does your business store on servers which are connected to the Internet?

Include:
• data stored on cloud computing or storage services
• data stored on servers that can be accessed remotely (e.g., through virtual desktop connections)
• data that are backed up.

Select all that apply.

Help definitions

Cloud computing or storage:
Services that are used over the Internet to access software, computing power or storage capacity where the service:

a. is delivered from servers of service providers;
b. can be easily scaled up or down (e.g., number of users or storage capacity);
c. can be used on-demand by the user, at least after the initial set up (without human interaction with the service provider);
d. is paid for per user or by capacity used, or is pre-paid.

Web services:
A service that is made available from a Web server for Web users or other Web-connected programs. An example of a Web service is an online customer relationship management application.

  • Personal employee information
  • Personal information about customers, suppliers, or partners
  • Confidential business information
  • Commercially sensitive information
  • Non-sensitive or public information
  • OR
  • Business does not store data on servers which are connected to the Internet

Business characteristics - Question identifier:3

Does anyone in your business use personally-owned devices such as smartphones, tablets, laptops, or desktop computers to carry out regular business-related activities?

Include personally-owned devices with enterprise software installed, and devices that are subsidized by the business.

Help definitions

Personally-owned devices (management of):
Policy to manage personally owned devices (laptops, tablets, and smart phones) that are used at the workplace, with emphasis on access to privileged business information and applications.

  • Yes
  • No
  • Do not know

Cyber security environment

Cyber security environment - Question identifier:4

Which cyber security measures does your business currently have in place?
Include on-site and external security measures, including those provided by an external party. Select all that apply.

Help definitions

Access:
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Anti-malware:
A type of software program designed to prevent, detect and remediate malicious programming on individual computing devices and IT systems.

Application whitelisting:
Identifying specific programs that are permitted to execute on a given system and enforcing a policy so that only those identified components can operate.

Asset:
Any items belonging to or held by the business, with some value (including information, in all forms and computer systems).

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Digital certificates:
An encrypted file containing user or server identification information, which is used to verify identity and to help establish a security-enhanced link.

Encryption:
Converting information into a code that can only be read by authorized persons who have been provided with the necessary (and usually unique) "key" and special software so that they can reverse the process (e.g., decryption) and use the information.

Firewall:
A hardware and/or software device on a computer that controls the access between a private network and a public network like the Internet. A firewall is designed to provide protection by stopping unauthorized access to the computer or network.

Hardware:
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Honeypot systems:
A decoy-based intrusion-detection system used primarily as a way to attract hackers to a network system in order to study their movements and behavior.

Malware:
Malicious software created and distributed to cause harm. The most common instance of malware is a "virus."

Mobile security:
The protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing.

Network security:
The protection of the access to files and directories in a computer network against hacking, misuse and unauthorized changes to the system.

Password complexity rules:
A policy setting on whether passwords must meet a series of guidelines that are considered important for a strong password.

Patching:
Updating or repairing any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.

Personally-owned devices (management of):
Policy to manage personally owned devices (laptops, tablets, and smart phones) that are used at the workplace, with emphasis on access to privileged company information and applications.

Physical access controls:
Controls to allow authorized personnel access to a place or other sources (e.g., turnstiles, key pass, passwords).

Point-Of-Sale (POS) security:
Security measures applied to the software used by businesses to record when goods or services are sold to customers.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Rights management:
Restrictions to create and consume protected content such as emails and documents.

Secure remote access:
The ability to access a device or software from a remote location (e.g., work from home or access work email while travelling).

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

Spam filters:
A set of rules to screen email that has been sent without the permission or request of you or the employee it has been sent to.

Spyware:
Software that collects personal information about you without you knowing. They often come in the form of a 'free' download and are installed automatically with or without your consent. These are difficult to remove and can infect your computer with viruses.

Virus:
Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer, as well as the computers of everyone in your contact list. They often contain spam, provide criminals with access to your computer and disable your security settings.

VPN (Virtual Private Network):
A private communications network usually used within a company, or by several different companies or organisations to communicate over a wider network. VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN.

Web security:
A branch of computer security specifically related to the Internet, often involving browser security but also network security on a more general level as it applies to other applications or operating systems on a whole. Its objective is to establish rules and measures to use against attacks over the Internet.

  • Mobile security
  • Anti-malware software to protect against viruses, spyware, ransomware, etc.
  • Web security
  • Email security
  • Network security
  • Data protection and control
  • Point-Of-Sale (POS) security
  • Software and application security
  • Hardware and asset management
  • Identity and access management
  • Physical access controls
  • OR
  • Business does not have any cyber security measures in place
  • OR
  • Do not know

Cyber security environment - Question identifier:5

Did any of the following external parties or cyber security standards or cyber security certification programs require your business to implement certain cyber security measures?

Select all that apply.

Help text

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Digitally delivered goods:
Products in a digital format that are both ordered and delivered online. Examples include software, music and video streaming services, e-books and online subscriptions.

Digitally delivered services:
Services that are delivered online; examples include website hosting, e-commerce platforms, online payment services, cloud computing and cloud storage capacity.

Cyber security certification program:
Programs which offer businesses a certification for adhering to particular cyber security standards. Examples include the CyberSecure Canada program and the Cyber Essentials Canada program.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

Physical goods:
Physical, produced objects for which demand exists and whose ownership can be transferred through market transactions. Examples include laptops, office equipment, office furniture and uniforms.

Services:
A type of economic activity that is intangible, is not stored, and does not result in ownership. A service is consumed at the point of sale. Examples include the transfer of goods, such as the postal service delivering mail, and the use of expertise or experience, such as an organization using an accountant for filing taxes.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

  • Supplier of physical goods
  • Supplier of digitally delivered goods or services
  • Supplier of other services that are not digitally delivered
  • Customer
  • Partner
  • Canadian departments, agencies, centres or regulators

    Which Canadian departments, agencies, centres or regulators required your business to implement certain cyber security measures?
    o Office of the Privacy Commissioner
    o Canadian Radio-television and Telecommunications Commission
    o Competition Bureau
    o Innovation, Science and Economic Development Canada
    o Canadian Centre for Cyber Security (Cyber Centre)
    o Canadian Spam Reporting Centre
    o Canada Revenue Agency (CRA)
    o Other
  • Foreign departments, agencies, centres or regulators
  • Cyber security standard or cyber security certification program
  • Cyber risk insurance provider
  • OR
  • None of the above

Cyber security environment - Question identifier:6

How many employees does your business have that complete tasks related to cyber security as part of their regular responsibilities?

Include part-time and full-time employees. Examples of tasks these employees may complete include:
- managing, evaluating or improving the security of business networks, web presence, email systems or devices;
- patching or updating the software or operating systems used by the business for security reasons;
- completing tasks related to recovery from previous cyber security incidents.

Exclude:
• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• External IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Operating system:
A type of software installed on a computer or mobile device which manages hardware and other software resources. The operating system completes basic computer functions such as executing applications and managing tasks to maintain efficient use of system resources. Examples include Windows, Linux, MacOS, iOS and Android.

Patching:
Updating or repairing any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

Web presence:
Internet-based locations where information about a business can be found by external parties. Examples include a business's websites, social media accounts, mobile apps and their online advertising.

  • One employee
  • Two to five employees
  • 6 to 15 employees
  • Over 15 employees
  • None
  • Do not know

Cyber security environment - Question identifier:7

What are the main reasons your business does not have any employees that complete tasks related to cyber security as part of their regular responsibilities? Select all that apply.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Risk:
Exposure to a negative outcome if a threat is realized.

  • Business uses private sector consultants or contractors to monitor cyber security
  • Business uses public sector consultants or contractors to monitor cyber security
  • Business has cyber risk insurance
  • Business is in the process of recruiting a cyber security employee
  • Business is unable to find an adequate cyber security employee
  • Business lacks the money or resources to employ a cyber security employee
  • Cyber security is not a high enough risk to the business
  • Business' parent organization manages cyber security

Cyber security environment - Question identifier:8

What percentage of the employees that complete tasks related to the cyber security of your organization as part of their regular responsibilities identify as the following genders?

Gender refers to current gender, which may be different from sex assigned at birth and may be different from what is indicated on legal documents.

Exclude individuals employed by external IT consultants or contractors.

If precise figures are not available, please provide your best estimate.

  • Female
  • Male
  • Another gender

Cyber security environment - Question identifier:9

Which of the following population groups do your business's cyber security employees belong to?
Select all that apply.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • White
  • Indigenous
  • Visible minority
  • OR
  • Do not know

Cyber security environment - Question identifier:10

What are the highest academic certificates, diplomas or degrees your business' cyber security employees hold?

Select the highest academic certificate, diploma or degree that each cyber security employee holds.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Less than high school diploma or its equivalent
  • High school diploma or a high school equivalency certificate
  • Trades certificate or diploma
  • College, CEGEP or other non-university certificate or diploma (other than trades certificates or diplomas)
  • University certificate or diploma below the bachelor's level
  • Bachelor's degree
  • University certificate, diploma or degree above the bachelor's level
  • OR
  • Do not know

Cyber security environment - Question identifier:11

What cyber security certifications do your business' cyber security employees hold?

Include certifications that are no longer active.
Exclude academic certificates, diplomas or degrees.

Select all that apply.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Certified Ethical Hacker
  • Certified Information Security Manager
  • Certified Information Systems Professional
  • GIAC Security Expert
  • Security+
  • Other certifications
  • OR
  • None
  • OR
  • Do not know

Cyber security environment - Question identifier:12

Which qualification does your business value the most when evaluating a potential new cyber security employee?

Cyber security employees are part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:
• managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
• patching or updating the software or operating systems used for security reasons
• completing tasks related to recovery from previous cyber security incidents.

Exclude:
• Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
• external IT consultants or contractors.

  • Experience working in cyber security
  • Academic certificates, diplomas or degrees related to cyber security
  • Other cyber security certifications
  • Other cyber security training
  • Other qualifications - Specify other qualifications
  • Business has never attempted to hire a cyber security employee
  • Do not know

Cyber security environment - Question identifier:13

What are the top 3 technical cyber skills you are looking for in potential new cyber security employees?

Select up to three.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Script writing
  • Software development, deployment or debugging
  • IT system development, implementation or maintenance
  • Data management or analysis
  • Knowledge of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
  • Experience with IT or network security
  • Experience with application security
  • Experience with cyber security incident response
  • Experience with ethical hacking
  • Other - Specify other technical skills

Cyber security environment - Question identifier:14

In 2023, did your business encounter any challenges finding qualified cyber security employees or retaining existing cyber security employees?

Select all that apply.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Challenges finding qualified cyber security employees
  • Challenges retaining cyber security employees
  • OR
  • This business did not encounter any challenges finding or retaining qualified cyber security employees in 2023
  • OR
  • Do not know

Cyber security environment - Question identifier:15

What challenges did your business encounter when hiring cyber security employees in 2023?

Select all that apply.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Applicants lacking skills
  • Applicants lacking experience
  • Salary requests too high
  • Not enough time or resources for effective recruitment
  • Lack of candidate interest in the position
  • Other challenges - Specify other challenges
  OR
  • Do not know

Cyber security environment - Question identifier:16

For which reasons did cyber security employees leave your business in 2023?

Select all that apply.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

  • Recruited by other business
  • Limited internal promotion or development opportunities
  • High stress levels at work
  • Lack of flexibility (work-life balance)
  • Better salary
  • Other reasons - Specify other reasons
  OR
  • No cyber security employees left the business in 2023
  OR
  • Do not know

Cyber security environment - Question identifier:17

Did your business share best practices or general information on cyber security risks with your employees in 2023?

Include the sharing of information through email, bulletin boards, general information sessions on subjects related to:
• recognizing and avoiding email scams
• importance of password complexity and basic security techniques
• securing your web browser and safe web browsing practices
• avoiding phishing attacks
• recognizing and avoiding spyware.

Help definitions

Best practices:
A procedure or set of procedures that is preferred or considered standard within a business.

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

Cyber security certification program:
Programs which offer businesses a certification for adhering to particular cyber security standards. Examples include the CyberSecure Canada program and the Cyber Essentials Canada program.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

  • a. Information shared with internal cyber security employees
  • b. Information shared with other employees
    o Yes
    o No
    o Not applicable
    o Do not know

Cyber security environment - Question identifier:18

Did your business provide formal training to develop or upgrade cyber security related skills of your employees or stakeholders in 2023?

Include training provided by external sources.
Exclude ad hoc information sharing between employees.

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Firewall:
A hardware and/or software device on a computer that controls the access between a private network and a public network like the Internet. A firewall is designed to provide protection by stopping unauthorized access to the computer or network.

Internet-connected smart devices:
Electronic devices that can connect to each other and the Internet through a network. These devices are designed to automatically send and receive information from the Internet on a constant basis.

Internet of Things (IoT):
A term referring to the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. Examples include smart televisions, Wi-Fi enabled security cameras, automatic car tracking adapters, Canary smart security system, Cisco's connective factory, Philips Hue smart bulbs and August smart locks.

Penetration testing:
An authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. The test can help determine whether the IT infrastructure is vulnerable to attack.

  • 1. Provided training to internal cyber security employees
  • 2. Provided training to other employees
  • 3. Provided training to stakeholders such as suppliers, customers or partners
    o Yes
    o No
    o Not applicable
    o Do not know

Cyber security environment - Question identifier:19

Why did your business not provide formal training to develop or upgrade the cyber security related skills of some or all of its employees?

Help definitions

Cyber security employee:
Part-time or full-time employees that complete tasks related to the cyber security of the business as part of their regular responsibilities. Examples of tasks these employees may complete include:

- managing, evaluating or improving the security of networks, web presence, e-mail systems or devices
- patching or updating the software or operating systems used for security reasons
- completing tasks related to recovery from previous cyber security incidents.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

  • Unable to find appropriate training
  • Cost of training
  • Not enough time or resources to send employees on training
  • Lack of interest from employees
  • Employees did not require formal training
  • Other

Cyber security environment - Question identifier:20

What are the three main reasons your business spends time on or allocates budget to cyber security measures or related skills training?

Select up to three.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Downtime:
A time during which a machine, domain or service is not productive, as during repair, malfunction, or maintenance. This can lead to reduced activity or inactivity of an employee or a business.

Intellectual property:
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

  • Allow employees to work remotely securely
  • Protect the reputation of the business
  • Protect personal information of employees, suppliers, customers or partners
  • Protect trade secrets and intellectual property
  • Compliance with Canadian laws and regulations
  • Compliance with foreign laws and regulations
  • Compliance with contracts
  • Business has suffered a cyber security incident previously
  • Prevent downtime and outages
  • Prevent fraud and theft
  • Secure continuity of business operations
  • Required by cyber risk insurance provider
  OR
  • Business does not spend time or money on cyber security measures or related skills training

Cyber security readiness

Cyber security readiness - Question identifier:21

Which risk management arrangements does your business currently have in place?
Select all that apply.

Help definitions

Business Continuity Plan (BCP):
A strategy that recognizes threats and risks facing a business, with the purpose to ensure that personnel and assets are protected and able to function in the event of a major issue.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Insider threat:
The threat of cyber security incidents being perpetrated by an employee, consultant or contractor of a business, or being caused by the carelessness of an employee, consultant or contractor of an organization.

Operating system:
A type of software installed on a computer or mobile device which manages hardware and other software resources. The operating system completes basic computer functions such as executing applications and managing tasks to maintain efficient use of system resources. Examples include Windows, Linux, MacOS, iOS and Android.

Patching:
Updating or repairing any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.

Risk:
Exposure to a negative outcome if a threat is realized.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

Threat:
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

Vulnerability:
A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect a business's assets or operations.

  • A written policy in place to manage internal cyber security risks
  • A written policy in place to manage cyber security risks associated with supply chain partners

    Does your business's written policy associated with supply chain partners cover any of the following?
    o Cyber security risks related to immediate suppliers or partners
    o Cyber security risks related to your business's wider supply chain
  • A written policy in place to report cyber security incidents
  • Other type of written policy related to cyber security
  • Cyber risk insurance

    What type of cyber risk insurance does your business have?
    o Indirect coverage through an existing insurance policy
    o A cyber-specific add-on to an existing insurance policy

    What type of cyber-specific add-on does your business have?
    o A cyber-specific add-on to an existing insurance policy with under 100k in coverage
    o A cyber-specific add-on to an existing insurance policy with over 100k in coverage
    o Do not know
    o A cyber-specific add-on to an existing insurance policy
    o Standalone cyber risk insurance
    o Other
  • A procedure for notifying employees of cyber security incidents or threats
  • A Business Continuity Plan (BCP) with processes to manage cyber security threats, vulnerabilities, and risks
  • Employees with responsibility for overseeing cyber security risks and threats
  • Members of senior management with responsibility for decision making regarding cyber security risks, threats and incidents
  • A consultant or contractor to manage cyber security risks and threats
  • Monthly or more frequent patching or updating of operating systems for security reasons
  • Monthly or more frequent patching or updating of software for security reasons
  • Recurring mandatory cyber security training for employees
  OR
  • Business does not have any risk management arrangements for cyber security

Cyber security readiness - Question identifier:22

Why does your business not have a written policy in place to manage cyber security risks associated with supply chain partners?

Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Risk:
Exposure to a negative outcome if a threat is realized.

  • Lack of time or money to invest in developing or upholding a policy
  • Lack of knowledge for how to develop a policy
  • Lack of available information regarding supply chain partners
  • Creating such a policy is not a priority
  • Such a policy is not applicable to this business
  • Business has not considered establishing a policy
  • Other

Cyber security readiness - Question identifier:23

Have any of your written cyber security policies been reviewed by third parties, such as cyber security consultants, or external auditors, within the past 2 years?

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

  • Yes
  • No
  • Do not know

Cyber security readiness - Question identifier:24

How would you describe the level of preparedness of your business to defend itself against cyber threats?

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Threat:
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

  • Extremely prepared
  • Very prepared
  • Somewhat prepared
  • Unprepared
  • Very unprepared

Cyber security readiness - Question identifier:25

Which of the following are covered under your cyber risk insurance policy? Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Hardware:
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • Direct losses from an attack or intrusion
  • Incident response
  • Restoration expenses for software, hardware, and electronic data
  • Interruptions (loss of productive time)
  • Reputation losses
  • Third-party liability
  • Cyber extortion or ransom payments
  • Financial losses
  • Security breach remediation and notification expenses
  • Credit monitoring expenses
  • Claims made by employees
  • Other - Please specify
  OR
  • Do not know

Cyber security readiness - Question identifier:26

When your business's cyber risk insurance was last up for renewal, did your provider change any of the following?

Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • Higher premiums
  • Higher deductibles
  • Lower coverage limits
  • Additional exclusions
  • Co-insurance
  • Sub-limits
  • Baseline cyber security threshold or cyber security standards checklist required to obtain coverage increased
  • Reduced ransomware coverage
  • More detailed submissions, including but not limited to, supplemental ransomware questionnaires
  • Providing pre-breach services
  • Enlisting third-party cyber security firm to conduct additional assessments
  • Carrying out external scans of web-facing assets
  • Other - Please specify
  OR
  • None
  OR
  • Do not know

Cyber security readiness - Question identifier:27

Why does your business not have cyber risk insurance?
Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

  • The business' existing insurance policies cover cyber security risks
  • The cost of cyber risk insurance is too high
  • The business' existing cyber security measures provide enough protection that cyber risk insurance is unnecessary
  • The business had no cyber security risks
  • The business has not considered obtaining cyber risk insurance
  • Not aware of cyber risk insurance prior to responding to this survey
  • Other reasons for not having cyber risk insurance
  OR
  • Do not know

Cyber security readiness - Question identifier:28

Prior to responding to this survey, were you aware of any cyber security standards or cyber security certification programs that businesses can apply for?

Include:
- Canadian, foreign and international standards and programs;
- standards and programs that you were aware of but your business was not eligible for or did not apply for.

Select all that apply.

Help Text

Best practices:
A procedure or set of procedures that is preferred or considered standard within a business.

Cyber security certification program:
Programs which offer businesses a certification for adhering to particular cyber security standards. Examples include the CyberSecure Canada program and the Cyber Essentials Canada program.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

  • Cyber security standards

    Does your business follow any cyber security standards?
    o Yes
    o No
    o Do not know
  • Cyber security certification programs

    Does your business hold any cyber security certifications?
    o Yes
    o No
    o Do not know
  OR
  • Not aware of any cyber security standards or certification programs

Cyber security readiness - Question identifier:29

Which activities does your business undertake to identify cyber security risks?
Select all that apply.

Help text

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Firewall:
A hardware and/or software device on a computer that controls the access between a private network and a public network like the Internet. A firewall is designed to provide protection by stopping unauthorized access to the computer or network.

Internet-connected smart devices:
Electronic devices that can connect to each other and the Internet through a network. These devices are designed to automatically send and receive information from the Internet on a constant basis.

Internet of Things (IoT):
A term referring to the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. Examples include smart televisions, Wi-Fi enabled security cameras, automatic car tracking adapters, Canary smart security system, Cisco's connective factory, Philips Hue smart bulbs and August smart locks.

Penetration testing:
An authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. The test can help determine whether the IT infrastructure is vulnerable to attack.

Risk:
Exposure to a negative outcome if a threat is realized.

Threat:
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

URL (Uniform Resource Locator):
The technical term for the address (location) of a resource on the Internet such as a website or file.

  • Monitoring insider threat risk behaviours
  • Monitoring other employee behaviour
  • Monitoring network and business systems
  • A formal risk assessment of cyber security practices, undertaken by an employee
  • A formal risk assessment of cyber security practices, undertaken by an external party
  • Penetration testing, undertaken by an employee
  • Penetration testing, undertaken by an external party
  • Assessment of the security of Internet-connected smart devices or Internet of Things (IoT) devices
  • Investment in threat intelligence
  • Participation in a cyber security information sharing community
  • Complete audit of IT systems, undertaken by an external party
  • Business conducts other activities to identify cyber security risks
  OR
  • Business does not conduct any activity to identify cyber security risks

Cyber security readiness - Question identifier:30

How often does your business conduct activities to identify cyber security risks? Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Risk:
Exposure to a negative outcome if a threat is realized.

  • On a scheduled basis

    On what schedule does your business conduct activities to identify cyber security risks?
    o Daily
    o Weekly
    o Monthly
    o Quarterly
    o Annually
    o Other
  • After a cyber security incident occurs
  • When a new IT initiative or project is launched
  • On an irregular basis

Cyber security readiness - Question identifier:31

How often is senior management in your business given an update on actions taken regarding cyber security? Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • On a scheduled basis

    On what schedule does senior management get updates on actions taken regarding cyber security?
    o Daily
    o Weekly
    o Monthly
    o Quarterly
    o Annually
    o Other
  • After a cyber security incident occurs
  • When a new IT initiative or project is launched
  • Senior management have tools to track cyber security issues
  • Senior management is given an update on an irregular basis
  OR
  • Senior management is not updated on cyber security issues

Cyber security readiness - Question identifier:32

Which of the following cyber security resources provided by the federal government has your business used?

Select all that apply.

Help definitions

Cyber security:
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security certification program:
Programs which offer businesses a certification for adhering to particular cyber security standards. Examples include the CyberSecure Canada program and the Cyber Essentials Canada program.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • Get Cyber Safe campaign
  • CyberSecure Canada certification program
  • Baseline Cyber Security Controls for Small and Medium Businesses
  • Canadian Cyber Security Tool (CCST)
  • Ransomware Playbook
  • Developing an Operational Technology and Information Technology Incident Response Plan
  • Sector specific guidance or tools
  • Other reports, advice or guidance
  OR
  • None
  OR
  • Do not know

Cyber security incidents

Cyber security incidents - Question identifier:33

To the best of your knowledge, which cyber security incidents impacted your business in 2023?

Select all that apply.

Help definitions

Access:
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property:
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Web presence:
Internet-based locations where information about a business can be found by external parties. Examples include a business's websites, social media accounts, mobile apps and their online advertising.

  • : Incidents to disrupt or deface the business or web presence
  • : Incidents to steal personal or financial information
  • : Incidents to steal money or demand ransom payment
  • : Incidents to steal or manipulate intellectual property or business data
  • : Incidents to access unauthorised or privileged areas
  • : Incidents to monitor and track business activity
  • : Incidents with an unknown motive
  • : OR
  • : Business was not impacted by any cyber security incidents in 2023

Cyber security incidents - Question identifier:34

In 2023, was your business contacted by any of the following external parties regarding their cyber security incidents because they may have involved your business?

Select all that apply.

Help definitions

Canadian Centre for Cyber Security (Cyber Centre):
A Government of Canada organization which acts as a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Industry association:
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Office of the Privacy Commissioner:
A Government of Canada organization which provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain organizations must handle personal information.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • : Suppliers, customers or partners
  • : IT consultant or contractor
  • : Cyber risk insurance provider
  • : Canadian department, agency, centre or regulator

    Which Canadian departments, agencies, centres or regulators contacted you?
    o Office of the Privacy Commissioner
    o Canadian Radio-television and Telecommunications Commission
    o Competition Bureau
    o Innovation, Science and Economic Development Canada
    o Canadian Centre for Cyber Security (Cyber Centre)
    o Canadian Spam Reporting Centre
    o Canada Revenue Agency (CRA)
    o Other
  • : Foreign department, agency, centre or regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : Other parties not mentioned above
  • : OR
  • : External parties did not report their cyber security incidents to the business in 2023

Cyber security incidents - Question identifier:35

You previously indicated that external parties contacted your business about their cyber security incidents because they may have involved your business in 2023. How did your business react to those cyber security incidents?

Select all that apply.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

  • : Incidents were resolved internally
  • : Incidents were resolved with the external party
  • : Incidents were resolved through cyber risk insurance
  • : Incidents were resolved through an IT consultant or contractor
  • : Incidents were reported to a police service
  • : Incidents were reported to other external parties
  • : Business is currently working with the external party to resolve the incidents
  • : OR
  • : No action was necessary or no action was taken by the business

Cost of cyber security incidents

Cost of cyber security incidents - Question identifier:36

In 2023, what was the total amount your business spent to prevent or detect cyber security incidents?

Exclude costs that were incurred specifically due to previous cyber security incidents (e.g., recovery costs from previous cyber security incidents).

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Hardware:
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • a.: Employee salary related to prevention or detection
  • b.: Cost of training employees, suppliers, customers, or partners
  • c.: Cost of hiring IT consultants or contractors
  • d.: Cost of legal services or public relations (PR) services
  • e.: Cost of cyber security software
  • f.: Cost of hardware related to cyber security
  • g.: Annual cost of cyber risk insurance or equivalent
  • h.: Other related costs

Cost of cyber security incidents - Question identifier:37

In 2023, what was the total cost to your business to recover from the cyber security incidents?

Exclude costs related to prevention and detection of cyber security incidents as these were asked in the previous question.

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Data breach:
An incident in which sensitive, protected or confidential data have potentially been viewed, stolen or used by an individual unauthorized to do so.

Hardware:
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Recover:
Return of business or employee activity to the normal state, including but not limited to regaining data, IT systems, network, and other services.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • a.: Employee salary related to recovery
  • b.: Cost of training employees, suppliers, customers, or partners
  • c.: Cost of hiring IT consultants or contractors
  • d.: Cost of legal services or public relations (PR) services
  • e.: Cost of hiring other external parties
  • f.: Cost of new or upgraded cyber security software
  • g.: Cost of new or upgraded hardware related to cyber security
  • h.: Increased cost of cyber risk insurance or equivalent
  • i.: Reimbursing suppliers, customers, or partners
  • j.: Financial penalties from Canadian regulators or authorities
  • k.: Financial penalties from foreign regulators or authorities
  • l.: Ransom payments
  • m.: Additional credit monitoring fees
  • n.: Costs related to notification of a breach
  • o.: Other related costs

Impact of cyber security incidents

Impact of cyber security incidents - Question identifier:38

To the best of your knowledge, who perpetrated the cyber security incidents in 2023?

Select all that apply.

Help definition

Access:
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property:
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Web presence:
Internet-based locations where information about a business can be found by external parties. Examples include a business's websites, social media accounts, mobile apps and their online advertising.

  • : Incidents to disrupt or deface the business or web presence
  • : Incidents to steal personal or financial information
  • : Incidents to steal money or demand ransom payment
  • : Incidents to steal or manipulate intellectual property or business data
  • : Incidents to access unauthorised or privileged areas
  • : Incidents to monitor and track business activity
  • : Incidents with an unknown motive

    • An external party
    • An internal employee
    • Supplier, customer or partner
    OR
    • Do not know

Impact of cyber security incidents - Question identifier:39

What were the methods used by the perpetrator for the cyber security incidents?

Select all that apply.

Help definitions

Adware:
Software that automatically displays or downloads advertising material (often unwanted) when a user is online.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Denial of Service (DoS) or Distributed Denial of Service (DDoS):
A cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

Hacking:
The practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator's original objective.

Hardware:
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Password cracking:
Refers to various measures used to discover a secret word or combination of characters that is used for authentication of the person that holds it.

Phishing:
A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipients.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Virus:
Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer, as well as the computers of everyone in your contact list. They often contain spam, provide criminals with access to your computer and disable your security settings.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

Vulnerability:
A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect a business's assets or operations.

Web presence:
Internet-based locations where information about a business can be found by external parties. Examples include a business's websites, social media accounts, mobile apps and their online advertising.

  • : Incidents to disrupt or deface the business or web presence
  • : Incidents to steal personal or financial information
  • : Incidents to steal money or demand ransom payment
  • : Incidents to steal or manipulate intellectual property or business data
  • : Incidents to access unauthorised or privileged areas
  • : Incidents to monitor and track business activity
  • : Incidents with an unknown motive

    • Exploiting software, hardware, or network vulnerabilities
    • Password cracking
    • Identity theft
    • Scams and fraud
    • Ransomware
    • Other malicious software
    • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
    • Disruption or defacing of web presence
    • Abuse of access privileges by a current or former internal party
    • Other
    OR
    • Do not know

Impact of cyber security incidents - Question identifier:40

You previously indicated that your business has cyber risk insurance. Did your business attempt to make a claim on that policy after the cyber security incidents in 2023?

Select all that apply.

Help definitions

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • : Yes, we successfully made a claim against the business's cyber risk insurance
  • : Yes, we attempted to make a claim against the business's cyber risk insurance but were unsuccessful
  • : Yes, we attempted to make a claim against the business's cyber risk insurance and it is still in progress
  • : OR
  • : No, we have not attempted to make a claim for any of the cyber security incidents

Impact of cyber security incidents - Question identifier:41

How was your business impacted by the cyber security incidents in 2023?

Select all that apply.

Help definitions

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Recover:
Return of business or employee activity to the normal state, including but not limited to regaining data, IT systems, network, and other services.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

  • : Loss of revenue
  • : Loss of suppliers, customers, or partners
  • : Additional repair or recovery costs
  • : Prevented the use of resources or services
  • : Prevented employees from carrying out their day-to-day work

    What percentage of employees were prevented from carrying out their day-to-day work at some point in 2023?
    o Percentage
  • : Additional time required by employees to complete their day-to-day work
  • : Damage to the reputation of the business or erosion of public trust
  • : Financial penalties or fines from Canadian regulators or authorities
  • : Financial penalties or fines from foreign regulators or authorities
  • : Discouraged business from carrying out a future activity that was planned
  • : Minor incidents, impact was minimal to the business
  • : Manipulation or theft of data
  • : Theft or compromise of software or hardware
  • : Required to notify external parties of a breach
  • : Other
  • : OR
  • : Do not know

Impact of cyber security incidents - Question identifier:42

As a result of cyber security incidents, approximately how many hours of downtime did your business experience in 2023?
Include:
- total downtime for mobile devices, desktops, and network;
- time periods during which there was either reduced activity or inactivity of employees or the business.

If precise figures are not available, provide your best estimate, rounded to the nearest hour.

Help definitions

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Downtime:
A time during which a machine, domain or service is not productive, as during repair, malfunction, or maintenance. This can lead to reduced activity or inactivity of an employee or a business.

  • : Hours
  • : OR
  • : Business did not experience any downtime in 2023
  • : OR
  • : Do not know

Cyber security incidents reporting

Cyber security incidents reporting - Question identifier:43

Did your business report any cyber security incidents to a police service in 2023?

Include all levels of police service including federal, provincial, territorial, municipal and Indigenous.

Help definitions

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • : Yes
  • : No
  • : Do not know

Cyber security incidents reporting - Question identifier:44

Which cyber security incidents did your business report to a police service in 2023?

Select all that apply.

Help definitions

Access:
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property:
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Web presence:
Internet-based locations where information about a business can be found by external parties. Examples include a business's websites, social media accounts, mobile apps and their online advertising.

  • : Incidents to disrupt or deface the business or web presence
  • : Incidents to steal personal or financial information
  • : Incidents to steal money or demand ransom payment
  • : Incidents to steal or manipulate intellectual property or business data
  • : Incidents to access unauthorised or privileged areas
  • : Incidents to monitor and track business activity
  • : Incidents with an unknown motive

Cyber security incidents reporting - Question identifier:45

What were the reasons for reporting incidents to a police service in 2023?

Select all that apply.

Help text

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Cyber security certification program:
Programs which offer businesses a certification for adhering to particular cyber security standards. Examples include the CyberSecure Canada program and the Cyber Essentials Canada program.

Cyber security standards:
Best practices which, when followed, are designed to protect the cyber environment of a business or user. Examples include the cyber security standards published by the ISO and the IEC, the COBIT best practices framework and the NIST Cyber Security Framework.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

  • : To reduce the damage caused by the incidents
  • : To lower the probability of other businesses being impacted by the same incidents
  • : To help catch the perpetrators
  • : To fulfill the requirements of customers, suppliers, partners, regulators, cyber security standards or cyber certification programs
  • : Other
    o Specify other reasons

Cyber security incidents reporting - Question identifier:46

What were the reasons for not reporting some or all of the cyber security incidents to a police service in 2023?

Select all that apply.

Help definitions

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Stakeholder:
A person, group or business that has interest or concern in a business. Stakeholders can affect or be affected by the business's actions, objectives and policies. Examples include suppliers, customers and business partners.

  • : Incidents were resolved internally
  • : Incidents were resolved through an IT consultant or contractor
  • : To keep knowledge of the incidents internal
  • : To protect the reputation of the business or stakeholders
  • : Did not want to spend more time or money on the issue
  • : Police service would not consider incidents important enough
  • : Police service was unsatisfactory in the past
  • : Unsure of where or how to report
  • : Reporting process is too complicated or unclear
  • : Did not think the perpetrator would be convicted or adequately punished
  • : Minor incidents, not important enough for business
  • : Lack of evidence
  • : Did not think of contacting a police service
  • : OR
  • : Business reported all cyber security incidents to a police service in 2023

Cyber security incidents reporting - Question identifier:47

Excluding police services, which other external party did your business report the cyber security incidents to in 2023?

Select all that apply.

Help definitions

Canadian Centre for Cyber Security (Cyber Centre):
A Government of Canada organization which acts as a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Industry association:
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Office of the Privacy Commissioner:
A Government of Canada organization which provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain organizations must handle personal information.

Regulator:
An organization that supervises a particular industry or business activity. Examples include the Bank of Canada and Health Canada.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • : Suppliers, customers, or partners
  • : IT consultant or contractor
  • : Cyber risk insurance provider
  • : Canadian department, agency, centre or regulator

    Which Canadian departments, agencies, centres or regulators did you report to?
    o Office of the Privacy Commissioner
    o Canadian Radio-television and Telecommunications Commission
    o Competition Bureau
    o Innovation, Science and Economic Development Canada
    o Canadian Centre for Cyber Security (Cyber Centre)
    o Canadian Spam Reporting Centre
    o Canada Revenue Agency (CRA)
    o Other
  • : Foreign department, agency, centre or regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : Cyber security employees at other businesses or organizations
  • : OR
  • : Business did not report any cyber security incidents to external parties in 2023

Cyber security incidents reporting - Question identifier:48

What were the reasons for not reporting some or all of the cyber security incidents to an external party in 2023?

Select all that apply.

Help definitions

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Stakeholder:
A person, group or business that has interest or concern in a business. Stakeholders can affect or be affected by the business's actions, objectives and policies. Examples include suppliers, customers and business partners.

  • : Incidents were reported to a police service only
  • : Incidents were resolved internally
  • : To keep knowledge of the incidents internal
  • : To protect the reputation of the business or stakeholders
  • : Lack of evidence
  • : No obligation or benefit to reporting
  • : Minor incidents, not important enough for business
  • : Did not think of reporting the incidents to an external party
  • : Did not know where to report cyber security incidents
  • : OR
  • : Business reported all cyber security incidents to external parties in 2023

Cyber security incidents reporting - Question identifier:49

In responding to the cyber security incidents in 2023, which external parties did your business contact for information or advice?

Select all that apply.

Help definitions

Canadian Centre for Cyber Security (Cyber Centre):
A Government of Canada organization which acts as a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Industry association:
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Office of the Privacy Commissioner:
A Government of Canada organization which provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain organizations must handle personal information.

Regulator:
An organization that supervises a particular industry or organizational activity. Examples include the Bank of Canada and Health Canada.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

  • : Suppliers, customers, or partners
  • : IT consultant or contractor
  • : Cyber risk insurance provider
  • : Legal services
  • : Police services
  • : Canadian department, agency, centre or regulator

    Which Canadian departments, agencies, centres or regulators did you contact?
    o Office of the Privacy Commissioner
    o Canadian Radio-television and Telecommunications Commission
    o Competition Bureau
    o Innovation, Science and Economic Development Canada
    o Canadian Centre for Cyber Security (Cyber Centre)
    o Canadian Spam Reporting Centre
    o Canada Revenue Agency (CRA)
    o Other
  • : Foreign department, agency, centre or regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : A cyber security information sharing community
  • : Other Internet community
  • : Friends, family, or acquaintances
  • : Computer repair shop
  • : Cyber security employees at other businesses or organizations
  • : OR
  • : Business did not contact any external parties in 2023

Cyber security incidents reporting - Question identifier:50

Did your business report any attempted but unsuccessful cyber security incidents to police services or other external parties in 2023?

Include all levels of police service including federal, provincial, territorial, municipal and Indigenous.

Yes

Which external parties did your business report the cyber security incidents to?
o Police services
o Suppliers, customers or partners
o IT consultant or contractor
o Cyber risk insurance provider
o Canadian department, agency, centre or regulator

Help definitions

Canadian Centre for Cyber Security (Cyber Centre):
A Government of Canada organization which acts as a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Industry association:
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Office of the Privacy Commissioner:
A Government of Canada organization which provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain organizations must handle personal information.

Regulator:
An organization that supervises a particular industry or organizational activity. Examples include the Bank of Canada and Health Canada.

Software:
A computer program, which provides the instructions which enable the computer hardware to work. Operating systems, such as Windows, Linux or MacOS, operate the machine itself, and applications software, such as spreadsheet or word processing programs, provide specific functionality.

    Which Canadian departments, agencies, centres or regulators did you report to?
    - Office of the Privacy Commissioner
    - Canadian Radio-television and Telecommunications Commission
    - Competition Bureau
    - Innovation, Science and Economic Development Canada
    - Canadian Centre for Cyber Security (Cyber Centre)
    - Canadian Spam Reporting Centre
    - Canadian Anti-Fraud Centre (CAFC)
    - Canada Revenue Agency (CRA)
    - Other

    o Foreign department, agency, centre or regulator
    o Industry association
    o Bank or other financial institution
    o Software or service vendor
    o Cyber security employees at other businesses or organizations
    o Other
  • No
  • Do not know

Current cyber security trends

Current cyber security trends - Question identifier:51

In 2023, what was the total value of ransom payments made by your business?

Help definitions

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • More than $0, but less than or equal to $10,000
  • More than $10,000, but less than or equal to $50,000
  • More than $50,000, but less than or equal to $100,000
  • More than $100,000, but less than or equal to $250,000
  • More than $250,000, but less than or equal to $500,000
  • More than $500,000
  • The business did not make ransom payments in 2023
  • Do not know

Current cyber security trends - Question identifier:52

In 2023, what form of transaction did your business use to make ransom payments?

Select all that apply.

Help definitions

Cryptocurrencies:
A digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • Cryptocurrency
  • Gift card
  • E-transfer
  • Other - Please specify

Current cyber security trends - Question identifier:53

In 2023, which external parties did your business work with to address ransomware incidents?

Include all external parties your business reported the ransomware incidents to.

Select all that apply.

Help definitions

Canadian Centre for Cyber Security (Cyber Centre):
A Government of Canada organization which acts as a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public.

Consultant:
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor:
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber risk insurance:
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Cyber security incident:
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Office of the Privacy Commissioner:
A Government of Canada organization which provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain organizations must handle personal information.

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • IT consultant or contractor
  • Cyber risk insurance provider
  • Royal Canadian Mounted Police (RCMP)
  • Other police services
  • Canadian Centre for Cyber Security (Cyber Centre)
  • Canadian Spam Reporting Centre
  • Canadian Anti-Fraud Centre (CAFC)
  • Office of the Privacy Commissioner
  • Other external parties
  OR
  • The business did not work with external parties to resolve ransomware incidents in 2023
  OR
  • Do not know

Current cyber security trends - Question identifier:54

In the case of ransomware attacks, does your business have a rule or policy to not pay the ransom?

Help definitions

Ransomware:
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

  • The business has a rule or policy to not pay the ransom
  • The business does not have a rule or policy to not pay the ransom
  • Do not know

Notification of intent to extract web data

Notification of intent to extract web data - Question identifier:55

What is this business's website address?

We may also visit this business's website to search for additional publicly available information using automated methods, being careful not to impede the functionality of the website.

  • Website address