Canada | Fraud

More than 1 in 5 Canadian businesses hit by cyberattacks: poll

Statistics Canada study shows more than 20 per cent of organizations in 2017 suffered data breaches. And if you think it’s solely an IT issue, think again.

A Facebook IconFacebook A Twitter IconTwitter A Linkedin IconLinkedin An Email IconEmail

Silhouette of person on phone, in foreground, walking in front of Marriott hotel signMarriott International had up to 500-million customer records compromised in a recent data breach. (Scott Olson /Getty Images) 

Another day, another hack. Recently Marriott International became the latest company to announce a massive data breach, with up to 500-million customer records, including emails, passport information and credit cards, being compromised. According to digital security firm Gemalto, 4.5 billion records globally were stolen in the first half of 2018, up 133 per cent year-over-year.

While the breaches of U.S. companies, such as Target, Sony and Equifax, get most of the headlines, Canadian companies are no strangers to hacks. In May, BMO and CIBC announced that, between the two of them, about 90,000 clients had been impacted by a breach, while Air Canada revealed in August that up to 20,000 mobile app users may have been affected by a cyberattack. 

In October, a Statistics Canada survey found that more than 20 per cent of Canadian companies were hit by a cyberattack in 2017, with businesses spending $14-billion on cybersecurity. Claudiu Popa, CEO at Informatica Security Corporation and one of the foremost cybersecurity experts in Canada, thinks the number of attacks is much higher. “We assume every company has been breached, but hasn’t detected it yet,” he says. [See ‘The question isn’t whether you will be hacked, but when’ for more.]

While many companies still think of a breach as an IT issue, cybersecurity is becoming more and more of a finance issue, says Popa, with CPAs needing to take a larger role—along with privacy and security officers—with protection and prevention.

“Accountants have always been considered the custodians of personal information,” he adds. 


In many cases it’s a company’s finance department that has customer credit card information and other personal details on file, which means it’s up to these people to keep that data safe. “Whether it’s individual accountants or other financial professionals, these are the people in an organization who are responsible for controlling access to personal information,” he says.

Finance is also responsible for costs associated with fixing an attack. That could include legal expenses, client settlements and PR-related costs, and as of November 1, fines of up to $100,000 for not reporting a breach to the Office of the Privacy Commissioner of Canada.

Until now, Canadian companies didn’t have to report a breach—and many didn’t. Since reporting hasn’t been required, businesses haven’t spent enough on protecting customers, says Popa. That will change, he says. With reporting now mandatory, companies will have to spend far more on cybersecurity protection. [See Use a hacker’s mindset to tackle cybersecurity, says expert]


Anyone working with sensitive information should ensure they enable multi-factor authentication—a two-step login process that requires someone to input a password and a code sent by text—and ensure all software patches are up to date, says Popa. 

Businesses should also create a breach response plan that can be quickly implemented when a hack comes to light. Accountants, in particular, should keep a watchful eye on the data they’re collecting. If numbers look off, if customers call about curious charges on cards or if a business owner calls about odd expenses, then they need to be prepared to act. “Steps need to be laid out for reporting the data breach and telling customers about it,” says Popa. 

As Marriott’s breach shows, as long as there’s the internet there will be hacks. As hackers get more savvy, businesses around the world will experience even more attacks, which means companies—CPAs and CFOs included—can’t take a hands-off approach to cybersecurity. Concludes Popa: “Companies need to take more steps to protect themselves.” 


Get insight into the role of the CPA and cybersecurity from cyber privacy expert Imran Ahmad. And be prepared for data breaches with CPA Canada’s upcoming virtual classroom, How to protect your organization from cyberattacks in today’s digital world.