Canadian Survey of Cyber Security and Cybercrime - 2017

Archived Content

Information identified as archived is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

For information only: This is an electronic survey example for information purposes only. This is not a working questionnaire.

INFORMATION FOR RESPONDENTS

Purpose

The purpose of this survey is to collect data on the impact of cybercrime to Canadian businesses and their activities to mitigate the effects. The survey includes information on investment in cyber security measures, cyber security training, the volume of cyber security incidents, and the costs associated with responding to these incidents.

Additional information

Your information may also be used by Statistics Canada for other statistical and research purposes.

Your participation in this survey is required under the authority of the Statistics Act.

Authority

Data are collected under the authority of the Statistics Act, Revised Statutes of Canada, 1985, Chapter S-19.

Confidentiality

By law, Statistics Canada is prohibited from releasing any information it collects that could identify any person, business, or organization, unless consent has been given by the respondent, or as permitted by the Statistics Act. Statistics Canada will use the information from this survey for statistical purposes only.

Data-sharing agreements

To reduce respondent burden, Statistics Canada has entered into data-sharing agreements with provincial and territorial statistical agencies and other government organizations, which have agreed to keep the data confidential and use them only for statistical purposes. Statistics Canada will only share data from this survey with those organizations that have demonstrated a requirement to use the data.

Section 11 of the Statistics Act provides for the sharing of information with provincial and territorial statistical agencies that meet certain conditions. These agencies must have the legislative authority to collect the same information, on a mandatory basis, and the legislation must provide substantially the same provisions for confidentiality and penalties for disclosure of confidential information as the Statistics Act. Because these agencies have the legal authority to compel businesses to provide the same information, consent is not requested and businesses may not object to the sharing of the data.

For this survey, there are Section 11 agreements with the provincial and territorial statistical agencies of Newfoundland and Labrador, Nova Scotia, New Brunswick, Quebec, Ontario, Manitoba, Saskatchewan, Alberta, British Columbia and the Yukon.

The shared data will be limited to information pertaining to business enterprises located within the jurisdiction of the respective province or territory.

Section 12 of the Statistics Act provides for the sharing of information with federal, provincial or territorial government organizations. For this survey, there are Section 12 agreements with the statistical agencies of Prince Edward Island, the Northwest Territories and Nunavut, as well as with Public Safety Canada.

Under Section 12, you may refuse to share your information with any of these organizations by writing a letter of objection to the Chief Statistician, specifying the organizations with which you do not want Statistics Canada to share your data and mailing it to the following address:

Chief Statistician of Canada
Statistics Canada
Attention of Director, Investment, Science and Technology Division
150 Tunney's Pasture Driveway
Ottawa, Ontario
K1A 0T6

You may also contact us by e-mail at STATCAN.infostats-infostats.STATCAN@canada.ca.

For agreements with provincial and territorial government organizations, the shared data will be limited to information pertaining to business enterprises located within the jurisdiction of the respective province or territory.

Record linkage

To enhance the data from this survey and to reduce respondent burden, Statistics Canada may combine it with information from other surveys or from administrative sources.

Reporting instructions

For this questionnaire:

Please complete this questionnaire for Canadian operations of this business.

Reporting instructions:

- Report dollar amounts in Canadian dollars
- Report dollar amounts rounded to the nearest dollar
- Exclude sales tax
- Report the number of hours rounded to the nearest hour
- When precise figures are not available, please provide your best estimates
- Enter "0" if there is no value to report
- The questionnaire should be completed by an IT manager or senior member of staff responsible for the computer and network security of this business
- If applicable, external consultants or contractors managing the business's IT infrastructure should provide assistance

Printing a blank questionnaire:

For reference purposes, you may print a blank questionnaire by selecting the link provided with the questionnaire.

Printing your completed questionnaire:

You may print this questionnaire once you have completed and submitted it.

Business characteristics

Business characteristics - Question identifier:1

Which of the following does your business currently use? Select all that apply.

Help definitions

Social media
Social networking sites like Facebook, Twitter and LinkedIn that your business uses to reach potential customers and build stronger relationships with clients. Businesses also use social networking sites for marketing or professional purposes.

E-commerce platforms
A software technology solution that allows a business to build and host a digital storefront soliciting a specific set of products or services.

Web-based application
A program that is accessed over an Internet network, rather than existing within a device's memory.

E-signature
A technology that allows a person to electronically affix a signature or its equivalent to an electronic document, as when consenting to an online contract.

Cloud computing
The ability to access all required software, data and resources via a computer network instead of the traditional model where these are stored locally on a user's computer.

Cloud storage
Data is stored, accessed and shared through remote servers accessed from the Internet.

Internet-connected 'smart' devices
Electronic devices that can connect to each other and the Internet through a network. These devices are designed to automatically send and receive information from the Internet on a constant basis.

Intranet
A private network accessible only to the organization and its staff. It is protected from unauthorized access with security systems such as firewalls.

Voice over internet protocol
Routing of voice conversations over the Internet. This is distinct from a telephone call made from your home or office phone, which goes through the Public Switched Telephone Network.

  • Website for your business
  • Social media accounts for your business
  • E-commerce platforms and solutions
  • Web-based application
  • Cloud computing or storage
  • Internet-connected 'smart' devices
  • Intranet
  • Voice Over Internet Protocol (VOIP) services
  • OR
  • Business does not use any of the above applications

Business characteristics - Question identifier:2

What type of data does your business store on externally-hosted web services?
Include data that is backed-up. Select all that apply.

Help definitions

Web services
A service that is made available from a business's Web server for Web users or other Web-connected programs. Prevalent examples of Web services are storage management and customer relationship management applications.

Cloud storage
Data is stored, accessed and shared through remote servers accessed from the Internet.

  • Confidential employee information
  • Confidential information about customers, suppliers, or partners
  • Confidential business information
  • Commercially sensitive information
  • Non-sensitive or public information
  • OR
  • Business does not store data on externally-hosted web services

Business characteristics - Question identifier:3

Does anyone in your business use personally-owned devices such as smartphones, tablets, laptops, or desktop computers to carry out regular business-related activities? Include devices that are subsidized by the business.

Help definitions

Personally-owned devices (management of)
Policy to manage personally owned devices (laptops, tablets, and smart phones) that are used at the workplace, with emphasis on access to privileged company information and applications.

  • Yes
  • No
  • Do not know

Cyber security environment

Cyber security environment - Question identifier:4

Which cyber security measures does your business currently have in place?
Include on-site and external security measures, including those provided by an external party. Select all that apply.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Mobile security
The protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing.

Personally-owned devices (management of)
Policy to manage personally owned devices (laptops, tablets, and smart phones) that are used at the workplace, with emphasis on access to privileged company information and applications.

Secure remote access
The ability to access a device or software from a remote location (e.g., work from home or access work e-mail while travelling).

VPN (Virtual Private Network)
A private communications network usually used within a company, or by several different companies or organisations to communicate over a wider network. VPN communications are typically encrypted or encoded to protect the traffic from other users on the public network carrying the VPN.

Anti-malware
A type of software program designed to prevent, detect and remediate malicious programming on individual computing devices and IT systems.

Malware
Malicious software created and distributed to cause harm. The most common instance of malware is a "virus."

Virus
Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer, as well as the computers of everyone in your contact list. They often contain spam, provide criminals with access to your computer and disable your security settings.

Spyware
Software that collects personal information about you without your knowledge. It often comes in the form of a 'free' download and is installed automatically with or without your consent. It is difficult to remove and can infect your computer with viruses.

Ransomware
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Web security
A branch of computer security specifically related to the Internet, often involving browser security but also network security on a more general level as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet.

Digital certificates
An encrypted file containing user or server identification information, which is used to verify identity and to help establish a security-enhanced link.

Spam filters
A set of rules to screen email that has been sent without the permission or request of you or the employee it has been sent to.

Network security
The protection of the access to files and directories in a computer network against hacking, misuse and unauthorized changes to the system.

Firewall
A hardware and/or software device on a computer that controls the access between a private network and a public network like the Internet. A firewall is designed to provide protection by stopping unauthorized access to the computer or network.

Honeypot systems
A decoy-based intrusion-detection system used primarily as a way to attract hackers to a network system in order to study their movements and behavior.

Encryption
Converting information into a code that can only be read by authorized persons who have been provided with the necessary (and usually unique) "key" and special software so that they can reverse the process (i.e., decryption) and use the information.

Rights management
Restrictions on creating and consuming protected content such as e-mails and documents.

Point-Of-Sale security
Secure software used to record when goods or services are sold to customers.

Software
A computer program that provides the instructions which enable the computer hardware to work. System software, such as Windows, Linux or MacOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Application whitelisting
Identifying specific programs that are permitted to execute on a given system and enforcing a policy so that only those identified components can operate.

Patching
Updating or repairing any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Asset
Any items belonging to or held by the business, with some value (including information, in all forms and computer systems).

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Password complexity rules
A policy setting on whether passwords must meet a series of guidelines that are considered important for a strong password.

Physical access controls
Controls to allow authorized personnel access to a place or other sources (e.g., turnstiles, key pass, passwords).

  • Mobile security
  • Anti-malware software to protect against viruses, spyware, ransomware, etc.
  • Web security
  • E-mail security
  • Network security
  • Data protection and control
  • Point-Of-Sale (POS) security
  • Software and application security
  • Hardware and asset management
  • Identity and access management
  • Physical access controls
  • OR
  • Business does not have any cyber security measures in place
  • OR
  • Do not know

Cyber security environment - Question identifier:5

Was implementing any of the cyber security measures a requirement of a supplier, customer, partner, or regulator?

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Regulator
A person or organization that supervises a particular industry or business activity, for example, the Bank of Canada or Health Canada.

  • Yes
  • No
  • Do not know

Cyber security environment - Question identifier:6

How many employees are primarily responsible for the overall cyber security of your business? Include part-time and full-time employees. Exclude external IT consultants or contractors.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

  • One to five employees
  • Six to 15 employees
  • Over 15 employees
  • None

Cyber security environment - Question identifier:7

What are the main reasons your business does not have any employees primarily responsible for cyber security? Select all that apply.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Risk
Exposure to a negative outcome if a threat is realized.

  • All employees are responsible for cyber security to a certain degree
  • Business uses consultants or contractors to monitor cyber security
  • Business has cyber liability insurance
  • Business is in the process of recruiting a cyber security professional
  • Business is unable to find an adequate cyber security professional
  • Business lacks the resources to employ a cyber security professional
  • Cyber security is not a high enough risk to the business

Cyber security environment - Question identifier:8

Did your business share best practices or general information on cyber security risks with your employees in 2017? Include the sharing of information through e-mail, bulletin boards or general information sessions on subjects such as:
  • recognizing and avoiding e-mail scams
  • the importance of password complexity and basic security techniques
  • securing your web browser and safe web browsing practices
  • avoiding phishing attacks
  • recognizing and avoiding spyware

a. Information shared with internal IT personnel
b. Information shared with other employees

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Risk
Exposure to a negative outcome if a threat is realized.

Best practices
A procedure or set of procedures that is preferred or considered standard within an organization.

Web browser
A program that allows a user to find, view, hear, and interact with material on the Internet, including text, graphics, sound, and video.

Phishing
A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipient(s).

Attack
An attempt to gain unauthorized access to business or personal information, computer systems or networks for (normally) criminal purposes. A successful attack may result in a security breach or it may be generically classified as an "incident."

Spyware
Software that collects personal information about you without your knowledge. It often comes in the form of a 'free' download and is installed automatically with or without your consent. It is difficult to remove and can infect your computer with viruses.

  • Yes
  • No
  • Not applicable

Cyber security environment - Question identifier:9

Did your business provide formal training to develop or upgrade cyber security related skills of your employees or stakeholders in 2017? Include training provided by external sources.

a. Provided training to internal IT personnel
b. Provided training to other employees
c. Provided training to stakeholders such as suppliers, customers, or partners

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Stakeholder
A person, group or organization that has interest or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are suppliers, customers and business partners.

  • Yes
  • No
  • Not applicable

Cyber security environment - Question identifier:10

What are the main reasons your business spends time or money on cyber security measures and/or related skills training? Select up to three.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Downtime
A time during which a machine, domain or service is not productive, as during repair, malfunction, or maintenance. This can lead to reduced activity or inactivity of an employee or a business.

  • Protect the reputation of the business
  • Protect personal information of employees, suppliers, customers, or partners
  • Protect trade secrets and intellectual property
  • Compliance with laws, regulations, or contracts
  • Business has suffered a cyber security incident previously
  • Prevent downtime and outages
  • Prevent fraud and theft
  • Secure continuity of business operations
  • OR
  • Business does not spend time or money on cyber security measures and/or related skills training

Cyber security readiness

Cyber security readiness - Question identifier:11

Which risk management arrangements does your business currently have in place?
Select all that apply.

Help definitions

Risk
Exposure to a negative outcome if a threat is realized.

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Business continuity plan
A strategy that recognizes the threats and risks facing a company, with the purpose of ensuring that personnel and assets are protected and able to function in the event of a major issue.

Threat
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

Vulnerability
A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

  • A written policy in place to manage cyber security risks, e.g. a Cyber Incident Response Plan
  • A written policy in place to report cyber security incident(s)
  • A Business Continuity Plan with processes to manage cyber security threats, vulnerabilities, and risks
  • Employee(s) with responsibility for overseeing cyber security risks and threats
  • Members of senior management with responsibility for overseeing cyber security risks and threats
  • A consultant or contractor to manage cyber security risks and threats
  • Cyber liability insurance to protect against cyber security risks and threats
  • OR
  • Business does not have any risk management arrangements for cyber security

Cyber security readiness - Question identifier:12

Which are covered under your cyber liability insurance policy? Select all that apply.

Help definitions

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Attack
An attempt to gain unauthorized access to business or personal information, computer systems or networks for (normally) criminal purposes. A successful attack may result in a security breach or it may be generically classified as an "incident."

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Software
A computer program that provides the instructions which enable the computer hardware to work. System software, such as Windows, Linux or MacOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Defamation
The action of damaging the good reputation of someone; slander or libel.

Ransomware
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Fraudulent e-transfers
This can take various forms, but the most common technique is for the perpetrator to fraudulently use an unauthorized bank account to transfer funds out of the business's accounts or to initiate payments for purchases.

  • Direct losses from an attack or intrusion (e.g., hardware damage, data corruption)
  • Restoration expenses for software, hardware, and electronic data
  • Business interruption (loss of productive time) and reputation losses
  • Third-party liability (e.g., suits for damages associated with privacy, defamation)
  • Financial losses (e.g., ransomware, fraudulent e-transfers)
  • Security breach remediation and notification expenses
  • Claims made by employees

Cyber security readiness - Question identifier:13

Which activities does your business undertake to identify cyber security risks?
Select all that apply.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Risk
Exposure to a negative outcome if a threat is realized.

URL (Uniform Resource Locator)
Uniform Resource Locator is the technical term for the address (location) of a resource on the Internet, such as a website or file.

Penetration testing
An authorized simulated attack on a computer system that looks for security weaknesses, potentially gaining access to the system's features and data. The test can help determine whether the IT infrastructure is vulnerable to attack, if the defenses are sufficient, and which defenses (if any) the test defeated.

Threat
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

  • Monitoring of employees' behaviours (e.g., URL filtering, social media filtering)
  • Monitoring network and business systems (e.g., firewalls, websites)
  • A formal risk assessment of cyber security practices, undertaken by an employee
  • A formal risk assessment of cyber security practices, undertaken by an external party
  • Penetration testing, undertaken by an employee
  • Penetration testing, undertaken by an external party
  • Investment in threat intelligence
  • Complete audit of IT systems, undertaken by an external party
  • Business conducts other activities to identify cyber security risks
  • OR
  • Business does not conduct any activity to identify cyber security risks

Cyber security readiness - Question identifier:14

How often does your business conduct activities to identify cyber security risks? Select all that apply.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Risk
Exposure to a negative outcome if a threat is realized.

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • On a scheduled basis
  • After a cyber security incident occurs
  • When a new IT initiative or project is launched
  • On an irregular basis

Cyber security readiness - Question identifier:15

How often is senior management in your business given an update on actions taken regarding cyber security? Select all that apply.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • : On a scheduled basis
  • : After a cyber security incident occurs
  • : When a new IT initiative or project is launched
  • : Senior management has tools to track cyber security issues
  • : Senior management is given an update on an irregular basis
  • : OR
  • : Senior management is not updated on cyber security issues

Business resiliency

Business resiliency - Question identifier:16

Which cyber security risks or threats would you consider to have the most detrimental impact on your business? Select up to three.

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Risk
Exposure to a negative outcome if a threat is realized.

Threat
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

Data breach
An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so.

Phishing
A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipient(s).

Virus
Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer, as well as the computers of everyone in your contact list. They often contain spam, provide criminals with access to your computer and disable your security settings.

Adware
Software that automatically displays or downloads advertising material (often unwanted) when a user is online.

Ransomware
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Denial of Service
A cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

  • : Theft or compromise of software or hardware
  • : Unauthorized access, manipulation, and theft of data
  • : Identity theft
  • : Scams and fraud
  • : Improper usage of computers or network
  • : Malicious software
  • : Denial of service (DoS/DDoS)
  • : Disruption or defacing of web presence

Business resiliency - Question identifier:17

How concerned is your business about its susceptibility to future cyber security risks and threats?

Help definitions

Cyber security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability.

Susceptibility
The state or fact of being likely or liable to be influenced or harmed by a particular thing.

Risk
Exposure to a negative outcome if a threat is realized.

Threat
Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

  • : Extremely concerned
  • : Very concerned
  • : Somewhat concerned
  • : Slightly concerned
  • : Not at all concerned

Cost to prevent or detect cyber security incident(s)

Cost to prevent or detect cyber security incident(s) - Question identifier:18

In 2017, what was the total amount your business spent to prevent or detect cyber security incident(s)? If precise figures are not available, please provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

  • a.: Cost of employee salary related to prevention or detection
  • b.: Cost of training employees, suppliers, customers, or partners
  • c.: Cost of hiring IT consultants or contractors
  • d.: Cost of hiring other professional services
  • e.: Cost of cyber security software and related hardware
  • f.: Annual cost of cyber risk insurance or equivalent
  • g.: Other related costs

Cyber security incident(s)

Cyber security incident(s) - Question identifier:19

To the best of your knowledge, which cyber security incident(s) impacted your business in 2017? Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

  • : Incident(s) to disrupt or deface the business or web presence
  • : Incident(s) to steal personal or financial information
  • : Incident(s) to steal money or demand ransom payment
  • : Incident(s) to steal or manipulate intellectual property or business data
  • : Incident(s) to access unauthorised or privileged areas
  • : Incident(s) to monitor and track business activity
  • : Incident(s) with an unknown motive
  • : OR
  • : Business was not impacted by any cyber security incident(s) in 2017

Cyber security incident(s) - Question identifier:20

Approximately how many times did your business experience cyber security incident(s) in 2017?

Incident(s) to disrupt or deface the business or web presence
Incident(s) to steal personal or financial information
Incident(s) to steal money or demand ransom payment
Incident(s) to steal or manipulate intellectual property or business data
Incident(s) to access unauthorised or privileged areas
Incident(s) to monitor and track business activity
Incident(s) with an unknown motive

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

  • : Number of times incident(s) occurred
  • : OR
  • : Do not know

Cyber security incident(s) - Question identifier:21

To the best of your knowledge, who perpetrated the cyber security incident(s) in 2017? Select all that apply.

Incident(s) to disrupt or deface the business or web presence
Incident(s) to steal personal or financial information
Incident(s) to steal money or demand ransom payment
Incident(s) to steal or manipulate intellectual property or business data
Incident(s) to access unauthorised or privileged areas
Incident(s) to monitor and track business activity
Incident(s) with an unknown motive

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

  • : An external party
  • : An internal employee
  • : Supplier, customer or partner
  • : OR
  • : Do not know

Cyber security incident(s) - Question identifier:22

To the best of your knowledge, what was the method used for the cyber security incident(s)? Select all that apply.

Incident(s) to disrupt or deface the business or web presence
Incident(s) to steal personal or financial information
Incident(s) to steal money or demand ransom payment
Incident(s) to steal or manipulate intellectual property or business data
Incident(s) to access unauthorised or privileged areas
Incident(s) to monitor and track business activity
Incident(s) with an unknown motive

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Vulnerability
A flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations.

Hacking
The practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator's original objective.

Password cracking
Refers to various measures used to discover a secret word or combination of characters that is used for authentication of the person that holds it.

Phishing
A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipient(s).

Virus
Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer, as well as the computers of everyone in your contact list. They often contain spam, provide criminals with access to your computer and disable your security settings.

Adware
Software that automatically displays or downloads advertising material (often unwanted) when a user is online.

Ransomware
A type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed.

Denial of Service
A cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.

  • : Exploiting software, hardware, or network vulnerabilities
  • : Hacking or password cracking
  • : Identity theft
  • : Scams and fraud
  • : Malicious software
  • : Denial of Service (DoS/DDoS)
  • : Disruption or defacing of web presence
  • : OR
  • : Do not know

Cyber security incident(s) - Question identifier:23

You previously indicated that your business has cyber liability insurance. Did your business attempt to make a claim on that policy after the cyber security incident(s) in 2017? Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

  • : Yes, we successfully made a claim against the business's cyber risk insurance
  • : Yes, we attempted to make a claim against the cyber risk insurance but were unsuccessful
  • : Yes, we attempted to make a claim against the business's cyber risk insurance and it is still in progress
  • : OR
  • : No, we have not attempted to make a claim for any of the cyber security incidents

Cyber security incident(s) - Question identifier:24

How was your business impacted by the cyber security incident(s) in 2017? Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Recover
Return of business or employee activity to normal state, including but not limited to regaining data, IT systems, network, and other services.

Regulator
A person or organization that supervises a particular industry or business activity, for example, Bank of Canada, Health Canada, etc.

  • : Loss of revenue
  • : Loss of suppliers, customers, or partners
  • : Additional repair or recovery costs
  • : Paid ransom payment
  • : Prevented the use of resources or services
  • : Prevented employees from carrying out day-to-day work
  • : Additional time required by employees to respond to the cyber security incident(s)
  • : Damage to the reputation of the business
  • : Fines from regulators or authorities
  • : Discouraged business from carrying out a future activity that was planned
  • : Minor incident(s), impact was minimal to the business
  • : OR
  • : Business was not impacted in any of the ways described above in 2017
  • : OR
  • : Do not know or do not know the full extent of the impact

Cyber security incident(s) - Question identifier:25

As a result of cyber security incident(s), approximately how many hours of downtime did your business experience in 2017?

Include total downtime for mobile devices, desktops, and network.

If precise figures are not available, provide your best estimate.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Downtime
A time during which a machine, domain or service is not productive, as during repair, malfunction, or maintenance. This can lead to reduced activity or inactivity of an employee or a business.

  • : Hours
  • : OR
  • : Business did not experience any downtime in 2017
  • : OR
  • : Do not know

Cyber security incident(s) reporting

Cyber security incident(s) reporting - Question identifier:26

Did your business report any cyber security incidents to a police service in 2017? Include all levels of police service including municipal, provincial and federal.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

  • : Yes
  • : No

Cyber security incident(s) reporting - Question identifier:27

Which cyber security incidents did your business report to a police service in 2017? Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

  • : Incident(s) to disrupt or deface the business or web presence
  • : Incident(s) to steal personal or financial information
  • : Incident(s) to steal money or demand ransom payment
  • : Incident(s) to steal or manipulate intellectual property or business data
  • : Incident(s) to access unauthorised or privileged areas
  • : Incident(s) to monitor and track business activity
  • : Incident(s) with an unknown motive

Cyber security incident(s) reporting - Question identifier:28

Approximately how many times did your business report the cyber security incident(s) to a police service in 2017? Provide an answer to all that apply.

Incident(s) to disrupt or deface the business or web presence
Incident(s) to steal personal or financial information
Incident(s) to steal money or demand ransom payment
Incident(s) to steal or manipulate intellectual property or business data
Incident(s) to access unauthorised or privileged areas
Incident(s) to monitor and track business activity
Incident(s) with an unknown motive

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Intellectual property
Legal rights that result from intellectual activity in the industrial, scientific, literary and artistic fields. Examples include a business's copyright, trademark, and patents.

Access
Enables the right individuals to access the right resources. This security feature helps to protect entry to applications and resources across the corporate IT infrastructure, enabling additional levels of validation such as multi-factor authentication and conditional access policies.

  • : Number of times incident(s) occurred
  • : OR
  • : Do not know

Cyber security incident(s) reporting - Question identifier:29

What were the reasons for not reporting some or all of the cyber security incident(s) to a police service in 2017?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Stakeholder
A person, group or organization that has interest or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are suppliers, customers and business partners.

  • : Incident(s) were resolved internally
  • : Incident(s) were resolved through an IT consultant or contractor
  • : To protect the reputation of the business or stakeholders
  • : Did not want to spend more time or money on the issue
  • : Police service would not consider incident(s) important enough
  • : Police service was unsatisfactory in the past
  • : Reporting process is too complicated or unclear
  • : Did not think the perpetrator would be convicted or adequately punished
  • : Minor incident(s), not important enough for business
  • : Lack of evidence
  • : Did not think of contacting a police service
  • : OR
  • : Business reported all cyber security incident(s) to a police service in 2017

Cyber security incident(s) reporting - Question identifier:30

Excluding police services, which other external party did your business report the cyber security incident(s) to in 2017?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Canadian Cyber Incident Response Centre
A Canadian government program that is responsible for monitoring threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.

Office of the Privacy Commissioner
Provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information.

Regulator
A person or organization that supervises a particular industry or business activity, for example, Bank of Canada, Health Canada, etc.

Industry association
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

  • : Suppliers, customers, or partners
  • : IT consultant or contractor
  • : Cyber liability insurance provider
  • : Government department or agency
  • : Canadian Cyber Incident Response Centre (CCIRC)
  • : Office of the Privacy Commissioner
  • : Regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : OR
  • : Business did not report any cyber security incident(s) to external parties in 2017

Cyber security incident(s) reporting - Question identifier:31

What were the reasons for not reporting some or all of the cyber security incident(s) to an external party in 2017?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Stakeholder
A person, group or organization that has interest or concern in an organization. Stakeholders can affect or be affected by the organization's actions, objectives and policies. Some examples of key stakeholders are suppliers, customers and business partners.

  • : Incident(s) were reported to a police service only
  • : Incident(s) were resolved internally
  • : To protect the reputation of the business or stakeholders
  • : Lack of evidence
  • : No benefit to reporting
  • : Did not want to spend more time or money on the issue
  • : Minor incident(s), not important enough for business
  • : Did not think of reporting the incident(s) to an external party
  • : OR
  • : Business reported all cyber security incident(s) to an external party in 2017

Cyber security incident(s) reporting - Question identifier:32

In 2017, which external parties reported a cyber security incident(s) to your business that involved your organization?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Canadian Cyber Incident Response Centre
A Canadian government program that is responsible for monitoring threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.

Office of the Privacy Commissioner
Provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information.

Regulator
A person or organization that supervises a particular industry or business activity, for example, Bank of Canada, Health Canada, etc.

Industry association
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

  • : Suppliers, customers, or partners
  • : IT consultant or contractor
  • : Persons or group that perpetrated the incident(s)
  • : Cyber liability insurance provider
  • : Government department or agency
  • : Police services
  • : Canadian Cyber Incident Response Centre (CCIRC)
  • : Office of the Privacy Commissioner
  • : Regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : Other parties not mentioned above
  • : OR
  • : External parties did not report cyber security incident(s) to the business in 2017

Cyber security incident(s) reporting - Question identifier:33

How did your business handle the cyber security incident(s) that were reported to your organization by external parties in 2017?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

  • : Incidents were resolved internally
  • : Incidents were resolved with the external party
  • : Incidents were resolved through an IT consultant or contractor
  • : Incidents were reported to a police service
  • : Incidents were reported to other external parties
  • : Business is currently working with the external party to resolve the incidents
  • : OR
  • : No action was taken by the business

Cyber security incident(s) reporting - Question identifier:34

In responding to the cyber security incident(s) in 2017, which external parties did your business contact for information or advice?

Select all that apply.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Cyber liability insurance
An insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Canadian Cyber Incident Response Centre
A Canadian government program that is responsible for monitoring threats and coordinating the national response to any cyber security incident. Its focus is the protection of national critical infrastructure against cyber incidents.

Office of the Privacy Commissioner
Provides advice and information for individuals about protecting personal information. They also enforce federal privacy laws that set out the rules for how federal government institutions and certain businesses must handle personal information.

Regulator
A person or organization that supervises a particular industry or business activity, for example, Bank of Canada, Health Canada, etc.

Industry association
A group that supports and protects the rights of a particular industry and the people who work in that industry.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

  • : Suppliers, customers, or partners
  • : IT consultant or contractor
  • : Cyber liability insurance provider
  • : Legal services
  • : Government department or agency
  • : Police services
  • : Canadian Cyber Incident Response Centre (CCIRC)
  • : Office of the Privacy Commissioner
  • : Regulator
  • : Industry association
  • : Bank or other financial institution
  • : Software or service vendor
  • : Internet community e.g., forum, blog
  • : Friends, family, or acquaintances
  • : Computer repair shop
  • : OR
  • : Business did not contact any external parties in 2017

Cost of recovering from cyber security incident(s)

Cost of recovering from cyber security incident(s) - Question identifier:35

In 2017, what was the total cost to your business to recover from the cyber security incident(s)?

If precise figures are not available, provide your best estimate in Canadian dollars.

Enter "0" if there is no value to report.

Help definitions

Cyber security incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete or render unavailable any computer network or system resource.

Recover
Return of business or employee activity to normal state, including but not limited to regaining data, IT systems, network, and other services.

Consultant
A person or business that is hired to evaluate a client's needs and provide expert advice and opinion on what needs to be done.

Contractor
A person or business that is hired to evaluate the client's needs and actually perform the work.

Software
A computer program that provides the instructions enabling the computer hardware to work. System software, such as Windows, Linux or macOS, operates the machine itself, and application software, such as spreadsheet or word processing programs, provides specific functionality.

Hardware
A computer, its components, and its related equipment. Hardware also refers to communication, networking, and security equipment.

Regulator
A person or organization that supervises a particular industry or business activity, for example, Bank of Canada, Health Canada, etc.

  • a.: Cost of employee salary related to recovery
  • b.: Cost of training employees, suppliers, customers, or partners
  • c.: Cost of hiring IT consultants or contractors
  • d.: Cost of hiring other professional services e.g., legal services, PR, and marketing
  • e.: Cost of cyber security software and related hardware
  • f.: Increased cost of cyber liability insurance or equivalent
  • g.: Reimbursing suppliers, customers, or partners
  • h.: Fines from regulators or authorities
  • i.: Ransom payments
  • j.: Other related costs