Ransomware Statistics 2021: The Cost of Cyberattacks for SMBs
Cybercrime has been at the top of the lists of cyber threats that Canadian businesses are likely to face for years now and it broke all records in 2021. Even government institutions aren’t safe. The Canadian Revenue Agency (CRA) was one of the latest victims of a series of cyberattacks that compromised the personal information of over 11,000 Canadians and locked out an additional 800,000 users from accessing CRA’s services.
While it’s true that large enterprises and government institutions are more likely to be attacked, small businesses always were and still are a prime target for cyberattacks, including ransomware.
It may seem impossible to prevent ransomware and cyber threats, but the truth is, many organizations are not even trying.
Since 2020-2021 has been a whirlwind of breaches and organizations are now planning to make much needed cybersecurity improvements. There are even signals from top-down, that cybersecurity changes are needed immediately – such as this executive order from The White House. While this order applies to IT and OT service providers contracting with the US government in the realm of cybersecurity, we have already noticed trends here in Canada where businesses are being asked to pass IT security compliance screenings in order to work within and protect the supply chains they do business with. These businesses include marketing firms, non-profits, manufacturers and more. Big or small, every business today needs to implement cybersecurity policies, tools and management.
Our team here at TUCU can help SMB’s pass IT compliance and IT security screenings to protect and grow their business. Please reach out. We’d love to discuss your options.
To help put the massive scale of cybercrime and ransomware attacks in 2021 into perspective, here are 25 statistics about the cost and other damages incurred by businesses in Canada, especially SMBs.
What Makes SMBs a Prime Target for Cyberattacks?
The majority of large cyberattacks, particularly ransomware, targeted large enterprises and public institutions. But attacks on small businesses did not reduce – in fact, SMBs were nearly twice as likely to face some form of cyberattack.
On top of that, a combination of factors including limited IT security personnel, lack of dedicated cybersecurity policies, and general lack of awareness about cyberattacks means that small businesses are far more likely to lose valuable data and reputation, face downtime, and pay a ransom. Speaking of which..,
Ransomware has become one of the most common forms of cyberattacks. There are numerous ways an attacker can gain access (although brute force attacks are the most common) but once they have access, they will encrypt the company’s files and demand a hefty ransom in cryptocurrency in exchange for the encryption key.
In addition to the hundreds or even hundreds of thousands of dollars of cash (cryptocurrency) payment, businesses also face reputational damage, loss of productivity, infrastructure downtime, and additional costs in getting systems back online. In cases where customer information is compromised, businesses may be imposed fines of thousands of dollars per customer/employee.
The Cost of Cyberattacks for SMBs in 2021 (25 Statistics)
1. Cybercrime continues to be the most common threat faced by Canadian organizations, including small businesses.
Although ransomware is one of the most common and costly, cybercrime comes in many different forms, including (but not limited to):
- Phishing: sending fakes emails that look authentic to send people to malicious websites.
- Identity theft: with so much of our personal information on the internet, identity theft has become rampant
- Brute force attacks: attackers can easily overwhelm services, accounts and internet connections performing thousands of password attempts per second.
- IP theft: theft of intellectual property to gain an unfair competitive advantage has also become increasingly common.
(Source: CCCS)
2. More than 4,000 cyberattacks in Canada in 2021
2020 saw a massive increase in cyberattacks all over the world. Canada, in particular, reported over 4,000 attacks over the year which averaged 11 attacks a day.
(Source: Emsisoft)
3. Almost 75 percent of ransomware attacks resulted in data encryption.
One of the main ways ransomware attacks extort businesses is by encrypting their data, in essence, locking them out of their databases.
(Source: Sophos)
4. The average ransom demand increased to $111,605.
Unfortunately, in addition to the increase in frequency, there was also a steep increase in the severity of cyberattacks. For instance, in just Q1 of 2020, ransom demands were up by 33 percent from Q4 of 2019. This was likely a result of targeted ransomware attacks throughout the world.
(Source: Coverware)
5. Ransomware demands increased by more than 80 percent globally by the end of 2020.
IT security teams running low on human resources and capital combined with the targeted ransomware attacks throughout the year resulted in a sort of snowball effect, leading to many more separate incidents. This all meant that by the end of 2020, ransomware demands had actually risen by more than 80 percent from last year.
(Source: Sophos)
6. The estimated ransom demands in Canada totaled $314 million CAD in 2019, but have increased to more than 2.5 times in 2020.
Canada, as one of the top targets of global ransomware attacks, fared much worse than the global average. It’s estimated that the ransom demands in 2019 totalled 314 million CAD but this increased to an estimated $796 million CAD.
(Source: Emsisoft)
7. When factoring in downtime, the cost of ransomware attacks in Canada increases to $2.3 billion CAD.
The cost of ransomware attacks is never limited to the actual ransom demands – in fact, it’s actually only a small part of the total financial damage. When factoring in only the downtime caused by these attacks, the cost of ransomware attacks increases to over $2.3 billion CAD. And this does not even include the long-term reputational damage and recovery costs.
(Source: Emsisoft)
8. Researchers say due to under-reporting, true ransomware figures could be near $5 billion CAD – 4x times as high.
Making all of this far worse is the fact that cyberattacks often go unreported. It’s estimated that the maximum damage suffered by Canadian businesses from cyberattacks could be four times as high or $4.86 billion CAD (including downtime). There are multiple reasons for this. Sometimes companies simply fail to detect the attack but sometimes, they deliberately do not report cyber attacks due to the potential fines by the government.
(Source: Emsisoft)
9. Data breaches cost Canadian small businesses more than $12,000 CAD per employee.
Data breaches have also become extremely commonplace. Sometimes, these breaches leak customer data but more often, data breaches result in the theft of Personally Identifiable Information (PII) of employees.
This attracts three potential costs: ransom demands, data recovery costs, and fines imposed by the government. The fines and financial penalties may seem counterintuitive but they are in place as a deterrent to lax security protocols which is important for the fight against cybercrime.
(Source: Scalar Security)
10. 65 percent of SMBs have failed to act following a cybersecurity incident.
It’s unsurprising that the majority of small businesses weren’t able to either detect or properly react to a cybersecurity incident in time. This is once again due to the three fundamental problems faced by SMBs:
- limited IT personnel
- lack of cyber security awareness
- lack of IT security policies.
(Source: Hiscox)
11. Businesses in the healthcare sector were one of the biggest targets of cyberattacks in 2020.
Making things worse in an already difficult year was the fact that attackers deliberately targeted companies and institutions in the healthcare sector more than ever. The healthcare sector has always been one of the hardest hit by cyberattacks because of the confidential (and thus valuable) nature of patient records.
(Source: Tenable)
12. 37 percent of Canadian small businesses affected by a data breach estimate the attack cost over $120,000 CAD, while 20 percent couldn’t determine the cost of the breach.
For more than one-third of the businesses, the cost of a data breach was more than $120,000 CAD. At the same time, 20 percent of businesses were not able to determine the cost of the breach, indicating that one in five weren’t fully aware of the scope of the breach.
(Source: Insurance Bureau of Canada)
13. In 2020, Canada faced the second-highest instances of stolen data being published on the web.
In many cases, the attackers will publish stolen data such as company trade secrets and personally identifiable information directly to the web – often in places where the information cannot be taken down quickly (like the deep web). Unfortunately, Canada faced the second-highest number of such cases, second only to the US.
14. According to experts, Canadian businesses are a “high profile target for these attackers” as they are more likely to pay due to valuable data.
Companies with higher standards of living are generally considered high profile targets and so Canada is one of the top targets for attackers.
(Source: Unit 42)
15. CCCS cites the lack of basic cybersecurity as the cause of most cyberattacks.
In a recent whitepaper, Scott Jones, the head of the Canadian Centre for Cyber Security (CCCS) said, “The vast majority of cyber incidents in Canada occurred because basic elements of cybersecurity weren’t followed.”
(Source: CCCS)
16. Credential stuffing and brute force attacks are still effective in 2021.
Credential stuffing and brute force attacks are some of the oldest methods of cyberattacks and unfortunately, they are still effective today. This indicates how businesses haven’t adopted newer technologies. For instance, implementing multi-factor authentication (including security codes and biometrics) will go a long way in preventing cyberattacks.
Do your staff re-use passwords from one account to another? This makes you vulnerable to credential stuffing attacks. It’s time to implement and uphold secure password policies.
(Source: CCCS)
17. Cyberattacks post the biggest threat to IoT systems which are often overlooked by businesses.
Internet of Things (IoT) includes millions of smart devices that are often not taken into consideration when designing cybersecurity policies. Unfortunately, these devices are often connected to the main IT infrastructure, giving attackers another way in.
(University of Waterloo’s Cybersecurity and Privacy Institute)
18. In 2020, remote desktop attacks were up 37 percent every quarter compared to last year.
Remote working came quickly and gave businesses little time to prepare from a security point of view. The resulting bad practices and insufficient access controls meant that remote desktop attacks also increased significantly.
(Source: ESET)
19. Almost 7 out of 10 Canadians failed to pass phishing tests conducted in 2020, failing to spot any fake emails.
ESET, a Slovak internet security company conducted free phishing tests in 2020 in which 68 percent of Canadian respondents weren’t able to tell the fake emails from real ones.
(Source: ESET)
20. 54 percent of email scams actually target small businesses.
More than half of all email scams and phishing attempts actually target small businesses, which increases the need for better awareness training.
21. More than half of all victims did not pay the ransom and were able to get their data back through backups.
Due to proper internal security infrastructure and best practices such as regular backups, many businesses were able to weather through the attacks without paying the ransom. However, this isn’t surprising in this study, as the majority of cyberattacks targeted large enterprises, many of whom had more than enough resources and technical expertise to fight back. Small business may find themselves less prepared tp recover.
(Source: Kaspersky)
22. 68 percent of the organizations not hit by ransomware anticipate being in the future.
Nearly 7 in 10 Canadian businesses are alert against the looming threat of cyber attacks and many of them are actively preparing to face this threat in the near future.
(Source: Sophos)
23. One-third of Canadian small businesses spent $6,700 on average on cybersecurity.
Even as 80 percent of small businesses in Canada were shut down in March 2020, one-third continued to spend nearly $7,000 CAD on cybersecurity. Unfortunately, two-thirds were forced to reduce their cybersecurity budget in 2020. In contrast, in 2019, more than 30 percent of SMBs spent over $11,000 on cybersecurity.
(Source: CFIB)
24. Experts recommend businesses spend between 7 percent and 10 percent of their IT budget on security.
Additionally, small businesses should at the very least, dedicate about 10 percent of their IT budget to improving security protocols.
Many small business are operating without the most basic preventative measures in place, such as actively updated antivirus, a basic method to authenticate authorized users and devices (such as Active Directory or Azure AD) enforced password policies and other basic data security policies, and mobile device management.
(Source: CSO)
25. Security and Risk Management expenditure in Canada to pass $4.83 billion CAD this year.
Analytics firm Gartner predicts that the total spending on security and risk management solutions in Canada will increase to nearly $5 billion CAD. At the same time, the firm expects worldwide spending to increase to $143 billion USD in 2021, up from $131 billion this year.
(Source: Gartner)
Wrapping up…
Cyberattacks have become increasingly frequent and costly but the most concerning aspect is that these statistics fail to account for numerous major attacks and breaches every year. Although there is no exact number, the general consensus seems to be that the vast majority of cyberattacks go unreported for a variety of reasons.
Even though large enterprises faced the bulk of cyberattacks, they were never at the highest risk. The most vulnerable are small and medium businesses as more often than not, the attackers can simply get through with brute force attacks – many times these SMBs don’t even know that they are under attack. As a result, small businesses are under immense pressure to assess their vulnerability to the threat of cyberattacks – and that begins with understanding what kind of danger we’re facing.
Further reading:
- Why Is Ransomware So Effective Against Small Business
- Ransomware Protection For Small Business in Canada
To help small businesses get started, security experts here at TUCU developed a comprehensive guide on ransomware attack prevention for small business and also a post to provide insight as to why ransomware is so effective against small business. Read the guides, discuss with your team, and contact us for Toronto Cyber Security Services. We are here to help you protect everything you have built.
Additional reading:
- Sophos whitepaper “The State of Ransomware 2020”
- Canadian Centre for Cyber Security’s Cyber Threat Bulletin: Modern Ransomware and Its Evolution
- Emsisoft Report: The cost of ransomware in 2020. A country-by-country analysis
- Emsisoft Report: The cost of ransomware in 2021. A country-by-country analysis
- Canadian Centre for Cyber Security
- CCCS’s National Cyber Threat Assessment 2020
- Coverware: Ransomware Marketplace Report 2020
- HISCOX Small Business Cyber Risk Report
- Scalar Security Report
- Tenable: 2020 Threat Landscape Retrospective
- Insurance Bureau of Canada: Small Businesses in Canada Vulnerable to Cyber Attacks
- Unit 42: Ransomware Threat Report
- University of Waterloo’s Cybersecurity and Privacy Institute
- ESET: Global FinTech Study
- Symantec Internet Security Threat Report
