Some businesses paid a ransom of more than $500,000 after a cyberattack last year, .
The report surveyed more than 12,000 businesses to investigate the impacts of cybersecurity incidents on enterprises across Canada, including how many are paying attackers after getting hit by ransomware.
In 2023, an estimated two per cent of Canadian businesses reported being hit by ransomware, which is a type of cybersecurity attack that encrypts files and comes with a payment demand to make those files available again.
Though most affected businesses didn't make a payment, 12 per cent did give money to attackers, the report says.
Most payments were relatively small — 84 per cent of ransom payments were under $10,000. But the report estimates that four per cent of businesses who paid after a ransomware attack handed over more than $500,000.
Only 13 per cent of businesses who dealt with a cyberattack ended up reporting the attack to police, the survey found, though that number is up from 10 per cent in 2021. More than half of incidents that did get reported were related to stealing money or demanding ransom payments.
The cost of cyberattacks
Canadian businesses spent $1.2 billion recovering from cybersecurity incidents last year, double what was paid a couple of years earlier.
That's also a sixfold increase from 2019, when businesses dished out $200 million according to the report.
The cost of cybersecurity continues to rise, with businesses also spending $11 billion on prevention and detection in 2023, compared to $9.7 billion in 2021. Most of that was on salary related to prevention and detection of cyberattacks.
The sample size for this survey was 12,462 enterprises and is representative of the 208,537 businesses with Canadian operations and 10 or more employees, across most economic sectors, except for public administration. For more about the methodology, see .
