---
description: Read our survey analysis to understand how businesses in Canada are managing cybersecurity risks and what security challenges they face.
image: https://gdm-localsites-assets-gfprod.imgix.net/images/getapp/og_logo-94fd2a03a6c7a0e54fc0c9e21a1c0ce9.png
title: How do Canadian firms bolster their cybersecurity measures?
---

# Managing cybersecurity risks: 49% of Canadian companies report careless employees as a common security vulnerability

Canonical: https://www.getapp.ca/blog/4504/managing-cybersecurity-risks

Published on 2024-01-30 | Written by Smriti Arya.

![Managing cybersecurity risks: 49% of Canadian companies report careless employees as a common security vulnerability](https://images.ctfassets.net/63bmaubptoky/4cVhHc2UJ7iGAshX30Zk22/4f0af76b0ac5077fb688271dde0ea268/Managing-cybersecurity-risks-CA-GetApp-Header.jpg)

> Are employees in Canada aware of cybersecurity risks? Do they have adequate data security strategies in place to prevent cyberattacks? What actions are being taken by their organizations to safeguard their businesses? Read our survey analysis to discover how Canadian firms are dealing with cybersecurity risks. 

-----

## Article Content

According to the Royal Canadian Mounted Police (RCMP), more than $530 million in financial losses were reported to the Canadian Anti-Fraud Centre in 2022. This equals a nearly 40% increase when compared with losses in 2021. Moreover, the Canadian Centre for Cyber Security released a report in which it predicted that ‘financially motivated cybercriminals will almost certainly continue to target high-value organizations in critical infrastructure sectors in Canada and around the world over the next two years.’

Therefore, cybersecurity is essential in today’s digital era, and every organization should prepare itself to have strong security protocols in place.

Considering all this, and to understand how Canadian companies combat such increasingly prevalent risks, we surveyed 1,557 full-time employees who use some sort of cybersecurity tools in their organizations. Out of 1,557 total respondents, 1,119 respondents are either responsible for implementing cybersecurity measures, have participated in cybersecurity initiatives, or are fully aware of cybersecurity measures in their companies. We will refer to this group of survey participants as fully aware respondents. On the other hand, 438 respondents are not fully aware of such measures; we will refer to them as less aware respondents. Scroll down to the bottom of this article for the full methodology.

### Nearly half of companies cite careless employees as a common security vulnerability

When it comes to breaches, what might come as a surprise is that hackers are not the only ones responsible for data breaches: negligent employees could also cause security violations.

In particular, our study revealed that nearly half of fully aware respondents (49%) report that careless employees are a common security vulnerability that they are struggling with the most. This is followed by weak passwords/authentication methods (32%), and susceptibility to phishing schemes/social engineering schemes (32%). Other commonly cited vulnerabilities are listed below:

[Infographic: Security vulnerabilities that companies face]

The reason why employee negligence could be a top-most security vulnerability might be a lack of cybersecurity awareness. Workers may not be able to identify suspicious or malicious messages, because of which they could fall prey to such forms of cyberattacks. Therefore, organizations should offer company-wide cybersecurity training programs that not only educate employees but also assess their knowledge levels regarding cybersecurity threats. This additional step can help businesses create more effective training programs.

Setting weak passwords is another big challenge that companies usually have to struggle with. In this context, it is essential for companies to implement password policies that require employees to create strong passwords that cannot be easily hacked. In addition, using multi-factor authentication tech can add another layer of security.

Another security measure that companies can take is to execute phishing simulations. A phishing simulation is typically part of a cybersecurity awareness program where an imitation of a real-world phishing email is sent to employees to test and monitor how they respond to such emails. Conducting regular phishing simulations may help your employees recognize malicious emails and avoid falling victim to such attacks.

### Advanced email phishing attacks are the top concern for 46% of respondents

There are over 4.3 billion email users worldwide and around 347.3 billion emails are exchanged every day. Consequently, we can say that emails are among the foremost mediums of communication. This could be the reason why emails have increasingly become a common target for hackers. In fact, in one of our surveys on phishing attacks on GetApp, we found that nearly 9 in 10 respondents have received phishing attacks via email.

Also, when we asked our fully aware respondents about threats that they were most concerned about for the next 12 months, they cited advanced email phishing attacks as a top concern (46%). In order to combat such issues, employees should be trained on how to spot such emails to safeguard their organization against cyberattacks.

Here are some tips on how to spot a phishing email:

1. **Emails requiring quick action:** Employees might receive an email that requires them to take action urgently, likely threatening a loss of opportunity. In such cases, people may take hasty actions without even reading the email completely.
2. **Emails with grammatical errors:** Phishing emails may have some sort of grammatical and spelling errors, and this is one of the common ways to spot spammy emails.
3. **Emails sent from a public or unknown domain:** Typically, no business organization will send emails from public domains. Most companies will have their own email domains, which is why it is quite important to look at the domain name of an email before clicking any link or responding to the email.
4. **Emails including suspicious attachments:** Employees may receive an email containing infected attachments that can corrupt the system or hack sensitive information. Work-related file sharing in companies nowadays usually takes place using collaboration tools such as OneDrive, Google Drive, or SharePoint. So, workers should ideally treat attachments received with external emails suspiciously before downloading them into their system.

As a matter of precaution, organizations can additionally use email security software that can help them protect email accounts from phishing attacks by identifying emails received from bad IP addresses or dodgy domains.

### 5 in 10 respondents deploy formal cybersecurity risk assessments to protect their data

On the risks of ransomware attacks in Canada, Sami Khoury, the head of the Centre for Cyber Security, said, ‘The threat is real, the threat is growing and we can’t talk enough about it.’ He further urged Canadians to report such incidents so that the Centre could gather more information about who might be behind such attacks.

In this sense, it is crucial for companies to take appropriate measures on time so they don’t become a victim of major data breaches.

To understand how survey-takers deal with such issues, we asked our fully aware respondents what measures they deploy to protect their company’s data and this is what they reported:

- 54% of the respondents deploy formal cybersecurity risk assessments to protect their data
- 38% of them use a data classification approach to safeguard sensitive data
- 31% of them leverage privileged access management solutions to monitor, detect, and prevent unauthorized privileged access to essential resources
- Another 31% use zero-trust network security to enable strict access controls for additional security
- Only 7% of them do not implement any security measures

Formal cybersecurity risk assessments can be the first step to combating cyberattack risks for companies because they allow them to find security vulnerabilities in their systems. This can be followed by evaluating the right approach and creating a comprehensive action report.

**Key steps to performing formal cybersecurity assessments**

- **Audit your data and its infrastructure:** First, it is important to understand the type of data a business collects, how and where it is stored, who has access to which data, and if the place where data is being stored is secure.
- **Define the parameters of the assessment:** Once the data audit is done, the next step could be to identify the purpose of the assessment and if there are any priorities that need to be defined.
- **Identify the value of data:** Gauge the importance of information to be secured and protected from cyberattacks. In particular, determine if there are any legal penalties or if any day-to-day business operations would be affected in case such data is exposed to cybercrime.
- **Prioritize assets:** Based on the information inferred from the above step, businesses should potentially prioritize which data assets to assess.
- **Identify threats to the assets:** Once businesses prioritize assets based on their informational value, the next step could be identifying the possible cyber threats to the assets. Some of the common threats that may affect companies are unauthorized access, insider threats, loss of data, service disruption, or data leaks.
- **Implement security controls:** Depending on the potential threats a business might have, companies can make decisions on which security controls to implement to safeguard their data against cyberattacks.

### Overcoming cybersecurity risks

To keep cybersecurity threats and attacks at bay, it is important for organizations to adopt strategies to overcome and mitigate such risks to create a safe and secure environment.

In fact, when it comes to investing in cybersecurity solutions, we found that 49% of fully aware respondents said that spending on security has increased, while 40% of them said that the spending is about the same and only 2% reported that it has decreased. Considering this, we can safely assume that companies are aware of the risks associated with cyberattacks and are actively investing to protect their businesses.

While companies are investing in cybersecurity solutions, it is also important for employees to have knowledge of relevant cybersecurity policies and risks. When we asked all our respondents if they had ever raised cybersecurity concerns with their IT departments, what came as a surprise was that only 33% of survey-takers have ever raised a cybersecurity concern with their IT department. Clearly, it’s imperative for companies to fully educate employees on both the risks and the appropriate forums to address such cybersecurity violations.
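
Three of the red flags from the phishing tips above (urgent calls to action, public or unknown sender domains, attachments from external senders) can be checked mechanically on a raw message. The following is an added example, not GetApp's code or any email security product's logic; the domain lists, urgency phrases and sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for illustration (not from the article): the organisation's own
# and trusted partner domains, common public webmail domains, urgency phrases.
KNOWN_DOMAINS = {"example.ca", "partner.example"}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|final notice|within 24 hours|"
    r"will be (suspended|closed))\b",
    re.IGNORECASE,
)


def sender_domain(msg):
    """Return the lower-cased domain of the From address, or '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def red_flags(raw):
    """Return the red flags from the tips that apply to one raw message.

    The From header is sender-controlled, so a known domain here is not proof
    of origin; this only mirrors what a reader can see in the message itself.
    The grammar-error tip is not covered: it needs language analysis.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    flags = []

    # Tip: emails requiring quick action (subject plus plain-text body).
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}"
    if URGENCY.search(text):
        flags.append("urgent-action")

    # Tip: emails sent from a public or unknown domain.
    if domain in PUBLIC_DOMAINS:
        flags.append("public-domain")
    elif domain not in KNOWN_DOMAINS:
        flags.append("unknown-domain")

    # Tip: attachments arriving with external email deserve suspicion.
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    if names and domain not in KNOWN_DOMAINS:
        flags.append("external-attachment")
    return flags


def build_sample(sender, subject, body, attachment=None):
    """Build a constructed test message and return it as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.ca", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed sample messages; none of these are real emails.
SAMPLES = {
    "internal": build_sample(
        "IT Helpdesk <helpdesk@example.ca>", "Maintenance window Saturday",
        "The file server will be offline Saturday from 8 to 10 am."),
    "webmail": build_sample(
        "Payroll Team <payroll.team@gmail.com>",
        "URGENT: verify your payroll details",
        "Act now or your account will be suspended.", "payroll_update.zip"),
    "unknown": build_sample(
        "Billing <billing@invoices-portal.example>", "Invoice for January",
        "Please find the invoice attached.", "invoice.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} {red_flags(raw)}")
```
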

## Disclaimer

> **Methodology**
>
> To collect the data for this report, GetApp conducted an online survey in November 2023 among 1,557 Canadian employees. Of these, 1,119 are either responsible for, actively participate in, or are fully informed about their company's IT security policies. A group of 438 respondents were not fully aware of their company's cybersecurity policies and answered specific questions.
>
> All respondents were selected according to the following criteria:
>
> - Residing in Canada
> - Aged between 18 to 65 years
> - Full-time employees
> - Works with a company with some sort of a security system

## About the author

### Smriti Arya

Smriti is a Content Analyst for GetApp, helping SMBs deliver key insights into software, business and tech trends.

