Cyber concerns: Canadians show little confidence in ability of several key institutions to fend off cyberattacks

Cyber concerns: Canadians show little confidence in ability of several key institutions to fend off cyberattacks

Two-thirds (65%) prefer to fight the hackers rather than pay ransom if their local hospital was targeted


December 9, 2021 – Critical Canadian infrastructure was the target of more than 100 ransomware attacks in 2021 and new data from the non-profit Angus Reid Institute finds many Canadians lacking confidence in the ability of key institutions to defend themselves from cyber threats.

Canadian targets of ransomware attacks range from Rideau Hall, where an office connected to the governor general was recently targeted, to hospitals, including one that crippled Newfoundland and Labrador’s healthcare system in October.

In the wake of the latter attack, which resulted in cancelled appointments and procedures throughout the province, half (50%) say they aren’t confident their local health authority has up-to-date, high-quality cybersecurity, while two-in-five (43%) say they believe those institutions have the right defensive tools to fight cyberattacks.

Two-in-five lack confidence in Elections Canada (45%) and other federal government services such as the Canada Revenue Agency (45%) to fight hackers. Of all the institutions surveyed, Canadians had the most confidence in the cybersecurity of banks (65%).

The threat isn’t hypothetical for many Canadians; three-in-ten say they have been affected by a cyberattack and one-in-ten say their personal account or computer was compromised.

More Key Findings:

  • Canadians would much rather prefer to fight than give in. In the case of a ransomware attack on a hospital, two-thirds (65%) would live with service disruptions and fight the hackers rather than pay the ransom while one-third (35%) prefer to pay up.
  • Men aged 55 and older say they are the most likely to have been affected personally by a cyberattack – 14 per cent report having a personal account or computer compromised.
  • Half (47%) of Canadians support legislation to ban the payment of ransoms to hackers in the event of ransomware attacks.

 

About ARI

The Angus Reid Institute (ARI) was founded in October 2014 by pollster and sociologist, Dr. Angus Reid. ARI is a national, not-for-profit, non-partisan public opinion research foundation established to advance education by commissioning, conducting and disseminating to the public accessible and impartial statistical data, research and policy analysis on economics, political science, philanthropy, public administration, domestic and international affairs and other socio-economic issues of importance to Canada and its world.

 

INDEX

Part One: Three-in-ten Canadians have been affected by a cyberattack

Part Two: Low confidence in cyber-resilience of Canadian institutions

Part Three: Canadians prefer to fight hackers instead of paying ransoms

 

Part One: Three-in-ten Canadians have been affected by a cyberattack

The issue of cybersecurity has come to the forefront after several high-profile Canadian institutions were targeted by hackers in recent months. Most recently, Rideau Hall experienced a “breach” in early December. The target was the internal network of the office that supports the work of the governor general, but details of who exactly was affected, and what information was accessed, have yet to be released.

The attack affecting the governor general’s office follows what has been called the “worst cyberattack in Canadian history”, when Newfoundland and Labrador’s healthcare system was disrupted provincewide by an October ransomware attack targeting “the brain of the data centre”. Thousands of appointments were delayed, including nearly all non-emergency procedures in one of the province’s four health authorities.

Ransomware attacks – caused by hackers who gain control of and lock computer systems until a ransom is paid – have increased by 151 per cent in the first six months of 2021 when compared to 2020, according to the Communication Security Establishment’s Canadian Centre for Cyber Security. The centre believes that is the tip of the iceberg and many more go unreported. Of the 235 known attacks, more than half targeted critical infrastructure, including electrical grids and hospitals. In response to the increasing threat, the Cyber Centre posted a playbook, advising Canadian organizations on how to best protect themselves from ransomware attacks – and what to do if they are targeted by hackers.

The problem is also growing south of the border. This year, hackers disrupted a major fuel supply pipeline in the United States in May and targeted meat-packing company JBS for an US$11-million ransom. The U.S. is meeting the threat head-on, according to the U.S. Cyber Command, which said the military has “imposed costs” on ransomware groups.

The threat of cyberattacks is on the minds of Canadians: three-quarters (75%) say they are familiar with this form of digital sabotage. In the wake of the incident in Canada’s eastern-most province – which required Newfoundland and Labrador to go back in time to a paper-based system from the 1980s to keep clinics running – awareness is highest in Atlantic Canada:

 

Three-in-ten Canadians say they have been indirectly affected by a cyberattack – instances where their data held by a third-party was illegally accessed – and one-in-ten say their personal account was compromised or their own computer was infected.

Men aged 55 and older are the most likely demographic to report being directly affected by a cyberattack – 14 per cent say that’s the case – while those under 55 are much more likely to report being affected indirectly:

For the one-in-ten who have been personally affected by a cyberattack, awareness of the problem is much higher. Two-in-five (41%) say they are very familiar and are well versed in the subject (see detailed tables).

Part Two: Low confidence in cyber-resilience of Canadian institutions

Further, Canadians aren’t confident key institutions are well insulated against the threat posed by hackers. Canadians have the highest levels of assurance in financial institutions, with two-thirds (65%) saying they are confident that banks have high-quality cybersecurity. But only half say the same of the federal government and its services, while it drops even lower for local governments and health systems:

There are demographic divides when it comes to confidence in federal government services’ cybersecurity. Men aged 18 to 34 are the least confident in the federal government while women the same age are the most confident.

Meanwhile, three-in-ten (28%) 18- to 34-year-old men are confident social media platforms are secure against cyberattacks, double the rate of men aged 55-plus – notably the group most likely to have experienced a cyberattack personally:

Confidence varies across the country. Notably, confidence in the ability of Elections Canada to defend itself against cyberattacks ranges from a high of 53 per cent of British Columbians, to a low of one-third (35%) of Albertans. With the disruption in Newfoundland and Labrador’s health system fresh in mind, Atlantic Canadians have the lowest confidence in the cybersecurity of their local health authority and hospitals (see detailed tables).

Those who have been victimized by hackers indirectly have much lower confidence in the digital defence systems of local health authorities (34%) and utility providers (36%) than those who have been targeted more directly:

Part Three: Canadians prefer to fight hackers instead of paying ransoms

In late November INTERPOL coordinated an international crackdown on hackers which resulted in over 1,000 arrests. The U.S. military, too, has confronted the problem directly. Earlier in the year, the U.S. Cyber Command said ransomware attacks were the responsibility of law enforcement. Now, it says it is taking offensive measures against ransomware groups.

It would appear that most Canadians share a similar impulse to fight back against cyberattacks. When hypothetically placed at the helm of various institutions in the midst of a ransomware crisis, most Canadians say they would not pay up and would instead choose to fight back against the hackers – even if this meant service disruptions.

This stands in contrast with a report released earlier this year, in which 54 per cent of Canadian companies hit by such an attack said they paid the ransom (another survey this year found that 69 per cent of the companies they surveyed paid the ransom).

There are some important differences in opinion when broken down by age and gender. On the example of a local hospital, fully four-in-five (80%) men over the age of 55 would refuse to pay the ransom – a number which falls to half (50%) of women aged 18 to 34:

In an effort to disincentivize ransomware attacks, lawmakers in the U.S. have recently proposed the Ransomware and Financial Stability Act which would ban companies from paying any ransoms over US$100,000 without first seeking the government’s permission. At least three states – New York, North Carolina, and Pennsylvania – are also exploring this option, while a similar bill died in committee in Texas earlier this year.

Although no such legislation is being considered publicly in Canada at the moment, a plurality of Canadians (47%) say they would support a ban on ransomware payments. Another one-third (34%) said they aren’t sure:

Those who have been directly and indirectly affected by cyberattacks don’t hold stronger opinions on the matter of a ban on ransomware payments. Half (48%) who have been directly affected believe there should be a ban, while two-in-five (44%) who were indirectly targeted by hackers say the same:

Survey Methodology:

The Angus Reid Institute conducted an online survey from Nov. 3-7, 2021, among a representative randomized sample of 1,611 Canadian adults who are members of Angus Reid Forum. For comparison purposes only, a probability sample of this size would carry a margin of error of +/- 2.5 percentage points, 19 times out of 20. Discrepancies in or between totals are due to rounding. The survey was self-commissioned and paid for by ARI. 

For detailed results by age, gender, region, education, and other demographics, click here.

For detailed results by whether or not respondents were affected by a cyberattack, click here.

To read the full report, including detailed tables and methodology, click here

To read the questionnaire, click here.

Image – Christiaan Colen, Flickr

MEDIA CONTACT:

Shachi Kurl, President: 604.908.1693 shachi.kurl@angusreid.org @shachikurl

Dave Korzinski, Research Director: 250.899.0821 dave.korzinski@angusreid.org

Jon Roe, Research Associate: jon.roe@angusreid.org