Research Summary
Profile of Canadian Businesses who Report Cybercrime to Police

Just over 20% of businesses experienced cyber-related incidents, but only 10% reported these incidents to police. Incidents were often resolved internally or through an IT consultant, or were thought to be too minor to report.

PDF (292 Kb)

Background

Cybercrime (hacking, virus dissemination, and organized crime using the computer) is a growing concern for governments, organizations, individuals and businesses worldwide. Notably, most research looking at the impact of cybercrime has thus far been conducted in the United States; the exact level of cybercrime in Canada is not known.

While research has suggested that cyber offences are underreported, there may be several reasons for this. It is essential to understand the specific reasons why certain Canadian businesses do not report cyber-related crimes, the factors that may increase the likelihood of reporting a cyber incident, and the profiles of businesses who report cyber incidents. By obtaining a better understanding of who reports and their incentives for reporting, cybercrime and national security policy makers and law enforcement agencies can be better equipped to address the issues around underreporting.

The current study uses data from the 2017 Canadian Survey of Cyber Security and Cybercrime (CSoCC). The CSoCC was administered to Canadian businesses in 2018 to identify the number of businesses who report cybercrime to authorities, the reasons why cybercrimes are not reported, and the characteristics of businesses who report cybercrimes in comparison to those that do not.

Method

The CSoCC was designed by Statistics Canada in consultation with various government agencies including Public Safety Canada, along with police agencies, subject matter experts, academics, private businesses, and business associations. Through that process, the questionnaire was refined to the 35 questions used for this study. It pertains to incidents/security questions that occurred from January to December 2017.

Data were collected from Canadian businesses with 10 or more employees, across all sectors except government and public administration. A total of 12,597 businesses were sampled, drawn from a population of 194,569 businesses across Canada. The response rate was 86%, resulting in a final sample size of 10,794 businesses. Approximately 44.9% of the respondents were small businesses with 10 to 49 employees, 35.5% were medium businesses with 50 to 249 employees, and 19.6% were large businesses with 250 or more employees.

Frequencies were examined and analysis of variance was conducted across the various business sizes (and overall) on various items on the survey related to reporting incidents to police. In addition, means, standard deviations and t-tests were examined in order to compare businesses that reported cyber incidents to police with those that did not.  Finally, logistic regression analyses were conducted to explore whether businesses that report cyber security incidents to police have distinct characteristics.  

Findings

Approximately 20.8% of businesses experienced some form of cyber incident, which included 18.8% of small, 28.0% of medium, and 41.0% of large businesses. However, only 9.6% of businesses reported incidents to police (8.4% of small businesses, 12.5% of medium businesses, and 15.0% of large businesses).

Incidents were often resolved internally (52.1%), through an IT consultant (32.5%), thought to be too minor to report to police (29.1%), or businesses did not think to contact the police (23.5%).

Businesses that reported cyber incidents to police tended to have more risk management protocols, formal training mechanisms and cyber security measures put in place, and engaged in sharing a number of best practices with employees and IT, in comparison to businesses who did not report cyber incidents to police.

Larger businesses were more likely to report cybercrime to police when they implemented fewer security measures. However, having fewer security measures in place did not impact police reporting for small businesses. Small businesses were less likely to report cybercrime to police when they implemented best practices. Both larger and smaller businesses were more likely to report cybercrime to police when there were more formal training measures put in place. Finally, all businesses (regardless of size) were more likely to report cybercrimes to police when they implement more risk management practices.

Implications

The findings suggest the need for businesses to have enhanced cyber security measures in place. They also point to the importance of improving awareness around the frequency of cybercrime – given that one in five Canadian businesses experienced such crimes – along with increasing public awareness about the importance of reporting to police, regardless of how minor an incident may seem. Given that they are least likely to report cyber-related incidents to police, perhaps education should be targeted towards smaller businesses, with future policy and programming honing in on ways to incentivize police reporting.

More research is needed to compare businesses that report to third parties with businesses that report to police in order to obtain a fuller picture on how businesses react to cyber-related incidents.

Source

Wanamaker, K. A. (2019). Profile of Canadian Businesses who Report Cybercrime to Police: The 2017 Canadian Survey of Cyber Security and Cybercrime. Ottawa, ON: Public Safety Canada.

Additional Sources


For more information on research at the Community Safety and Countering Crime Branch, Public Safety Canada, to get a copy of the full research report, or to be placed on our distribution list, please contact:

Research Division, Public Safety Canada
340 Laurier Avenue West, K1A 0P8
Ottawa, Ontario
PS.CSCCBResearch-RechercheSSCRC.SP@canada.ca

Research Summaries are produced for the Community Safety and Countering Crime Branch, Public Safety Canada. The summary herein reflects interpretations of the report authors' findings and do not necessarily reflect those of the Department of Public Safety Canada.

Date modified: