Employees at small and medium-sized Canadian organizations have been given a “C” rating for their knowledge of cyber safety and awareness.
The rating comes from the Insurance Bureau of Canada, which, after surveying 1,525 workers at companies with fewer than 500 employees, concluded firms have been slow to adapt to increasingly frequent and sophisticated cyber attacks.
Among what the bureau called “startling” findings:
- only a third of respondents (34 per cent) said their company provides mandatory cyber security awareness training;
- only half of respondents said their organization has introduced multi-factor authentication;
- only a quarter of respondents (24 per cent) said their employer conducts phishing email simulations to help promote cyber vigilance.
Just under three-quarters of respondents (72 per cent) said they have done something that could allow a cybercriminal to gain access to their company’s computer systems. For example:
- 27 per cent said they use one password to access multiple websites they use for work;
- 23 per cent access public Wi-Fi while using their work computer;
- 19 per cent said they download software/apps on their work devices that were not provided by their employer;
- 7 per cent allow family members or friends to use their work computer; and
- 5 per cent share their work login or password by email or text.
The survey results, called a Cyber Savvy Report Card, were released in advance of October’s cybersecurity awareness month.
To raise awareness, the bureau launched cybersavvycanada.ca to help small business owners and their employees better understand the threat of cyber attacks and what they can do to reduce their risk.
“Everyone has a role to play in reducing cyber threats in the workplace,” said Celyeste Power, the insurance bureau’s executive vice-president for strategic initiatives and advocacy. “While cyber insurance is an important backstop for businesses in the event of a cyber breach, it should be thought of as one component within a complete cyber risk mitigation strategy aimed at reducing an organization’s vulnerability to online threats.”
Employees may also underestimate the role they play in their organization’s cyber defences, the bureau said. It notes that 30 per cent of respondents said they don’t believe cybercriminals would target them at work, while 28 per cent of respondents said their employer is solely responsible for protecting their workplace from cyber threats.
Twenty-one per cent of respondents believe that most cyber breaches are minor and easy to resolve. “The reality,” the bureau said in a news release accompanying the results, “is that they can have a devastating financial impact.” Citing IBM’s latest annual cost of a data breach report, the bureau notes that in 2021, the average total cost of a data breach to Canadian organizations was an estimated $7.3 million.
The insurance bureau has a stake in the cybersecurity of customers with cyber insurance. As a result of rising claims and payouts, insurers have been raising premiums, restricting coverage, and demanding customers toughen their cyber defences, according to a global survey released last month.