Cybersecurity Preparedness in Canada: An Urgent Call for Action Amid Rising Data Breaches
Data breaches have become prevalent in Canada, affecting approximately one in six businesses in 2023, according to recent findings by Statistics Canada. Despite the alarming rise in cyber incidents, many organizations remain ill-prepared for such threats, with escalating costs associated with breaches as cyber criminals refine their tactics.
Milind Bhargava, founder of Mjolnir Security, recounted a case from 2020 involving a transportation company in British Columbia that suffered a ransomware attack. Initial responses included a drastic plan to erase all compromised data. However, by the time cybersecurity experts were engaged, forensic analysis proved challenging due to the remnants of outdated equipment and reliance on obsolete dial-up internet connections. This led to a situation where replacing antiquated technology was deemed more efficient than attempting to restore compromised systems.
Experts like Bhargava, who has managed responses to over 560 breaches since 2018, highlight a troubling trend among industries, particularly in sectors like oil and gas. Many companies lag in essential cybersecurity defenses, often falling years behind in critical system updates. This lag creates vulnerabilities that cyber adversaries exploit, resulting in significant financial repercussions.
According to IBM’s annual Cost of Data Breach report, Canadian organizations spent an average of $6.32 million per data breach in 2024, with the financial sector facing particularly severe impacts at $9.28 million. Cybercriminals predominantly gained unauthorized access through stolen credentials, a method that frequently takes organizations up to ten months to detect and mitigate.
The landscape of cyber threats has also evolved, as described by Hélène Deschamps Marquis, national co-leader of privacy and cybersecurity at Borden Ladner Gervais LLP. The traditional model of massive data theft has shifted towards ransomware, where attackers both encrypt the victim’s data and leverage threats of public exposure to coerce payment. The dual nature of these attacks often presents organizations with a chilling ultimatum: pay for decryption and prevent data leaks, or risk severe operational and reputational damage.
The response strategy for organizations under siege has become clearer: containment followed by investigation. Legal counsel plays a critical role, facilitating a breach-response strategy that could capitalize on privilege protections. Many organizations are now recognizing the importance of having a robust response plan, a significant shift in mindset from previous years.
As regulations tighten globally, organizations must be aware of their obligations following a breach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) mandates that organizations notify both affected individuals and the Office of the Privacy Commissioner of any breaches. However, as Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange, pointed out, hackers often operate with greater agility than businesses can respond.
The rise of artificial intelligence (AI) plays a dual role in cybersecurity. While 61 percent of Canadian firms are employing AI to bolster defenses, attackers are equally leveraging advanced AI technologies to automate and enhance their malicious activities. As Quaid noted, the availability of sophisticated hacking tools on the dark web makes it increasingly accessible for those with minimal skills, challenging traditional notions of security preparedness.
This ongoing battle highlights a concerning trend: a decrease in the percentage of companies allocating resources for cybersecurity defenses, dropping from 61 percent in 2021 to 56 percent in 2023, even as the frequency and severity of attacks surge. Bhargava emphasizes that many businesses only invest in security measures after they experience a breach, stressing that proactive investment in cybersecurity can mitigate catastrophic outcomes.
Overall, the Canadian cybersecurity landscape is marred by a lack of preparedness that demands immediate attention. As businesses reconceptualize their security frameworks, leveraging tools like the MITRE ATT&CK Matrix can provide valuable context for understanding potential adversary tactics—including initial access and privilege escalation—that may be employed in future attacks. For business owners, the message is clear: investing in cybersecurity is not merely a precaution but a fundamental aspect of operational continuity and customer trust in an increasingly perilous digital world.
