The emerging cybersecurity risks facing Canada’s public sector

How government and public-sector leaders can foster cyber resilience while laying the foundation for new citizen services.

Contributors: 
Charles Eckert, Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada
Justin Abel, Partner, PwC Canada

For government and public-sector organizations, the damage caused by a cyber attack extends beyond its direct financial and operational costs. In the last year alone, we’ve seen an attack on one of Toronto’s busiest hospitals force its systems offline for days and a cyber incident disrupt thousands of medical appointments, including COVID-19 testing, across a Canadian province. Such incidents can have immediate and long-term impacts on citizens’ lives and erode their trust in critical institutions.

Against this backdrop, our latest Canadian Cyber Threat Intelligence report explores the key trends and potential impacts facing businesses, organizations and citizens across the country. We see governments increasingly recognizing cyber risk as a matter of national security. New draft legislation calls on government organizations to play a more active role in coordinating and overseeing measures to secure the country’s critical infrastructure. But at the same time, government and public-sector organizations are confronting their own distinct cyber risk landscape. By understanding the unique risks facing your organization, government and public-sector leaders can better focus cyber investments on promoting resilience and delivering solutions that make a meaningful difference to citizens’ lives.

90%+ of the cyber attacks conducted against the health-care sector are financially motivated. Source: PwC threat intelligence sources

A unique and attractive target

11% of cyber attacks in Canada last year targeted the public sector. Source: PwC threat intelligence sources

Government entities across Canada are squarely in the crosshairs of cyber criminals. Only the telecom and technology sector experienced a larger proportion of attacks (14.1%) than the health-care sector (11.9%) and public sector (11%) in Canada last year. Government and public-sector entities are highly attractive targets for several reasons:

  • Many hold significant volumes of highly coveted data

  • They’re perceived to have virtually unlimited financial resources

  • They’ve often underinvested in cybersecurity, and are struggling to modernize legacy systems as well as attract and retain talented cyber professionals to their organizations

This means government and public-sector organizations are likely to continue to be among the top targets of cyber criminals seeking financial gain or competitive intelligence in the coming years.

How threat actors are gaining—and exploiting—access

We’ve seen several advanced persistent threat (APT) groups linked to attacks against government and public-sector organizations in Canada. Unlike ransomware or financially motivated attacks that tend to become visible relatively quickly, APT actors typically want to stay undetected for an extended period of time. In some cases, they may not immediately know how they’ll exploit their access and are content maintaining a low profile while waiting for a future opportunity. Discovering these intruders can be particularly challenging and complicated, underscoring the importance of deploying strong intrusion detection capabilities and conducting regular threat hunts to find existing threats in your environment.

But such safeguards also have limits. Meticulously designed phishing campaigns have emerged as a key initial access vector in attacks against government and public-sector organizations. Safeguarding your organization from these attacks starts with user awareness campaigns and training, including making employees familiar with the types of schemes they may encounter. It’s important for employees to understand the steps they should take if they fall victim to a phishing attack. Quick reporting can give cybersecurity teams valuable time to contain and remove threats—a luxury not always afforded to organizations where employees, fearing repercussions, stay silent and hope their momentary lapse in judgment goes unnoticed.

64% of breaches reported to the Privacy Commissioner of Canada in 2021 arose from unauthorized access through malware, ransomware and social engineering, as well as employees gaining access to information without authority. Source: Privacy Commissioner of Canada

Rate the content on this page

Five stars = highest, one star = lowest

Thank you for your feedback

This content was relevant
This content was valuable to me

“We’ve seen organizations improve their security posture by combining strong internal controls with the management of supplier and third-party risks. Are you managing third-party risks before or after they impact you?”

—Charles Eckert, Partner, Cybersecurity, Privacy and Financial Crime, Government and Public Sector, PwC Canada

Building confidence and resilience in your capabilities

The right cyber tools, culture and leadership form the basis of how your organization manages threats. But you need to have confidence in your plans. To further hone and test your capabilities, here are two exercises we’ve seen make a notable impact on government and public-sector organizations:

Number one

Appoint a task force to manage third-party risk

We’re seeing a rise in third-party and supply chain attacks as threat actors look to exploit vulnerabilities in organizations’ extended ecosystem. It’s important to map out which organizations are providing you with data or accessing your information, particularly through the use of third-party software. Assessing the level of risk each relationship presents to your organization lets you prioritize your efforts on detecting anomalies with high-risk third parties. Part of your evaluation may include reconsidering relationships that bring low business value, but present high cyber risks.

Number two

Participate in tabletop exercises to practice your response to a cyber emergency

Simulating an attack can help organizations create awareness of cyber threats and the potential challenges teams may face in an actual incident. To be effective, it should mimic an actual event as closely as possible. In some cases, this may mean launching a simulated attack without warning. Afterwards, it’s helpful to evaluate how teams reacted, the extent to which they followed—and were aware of—your organization’s plans and whether those plans worked as expected.

“Discussing how to best align cyber investments with your business and digital transformation journeys is one of the best conversations your organization can have. What’s possible—and what’s not yet possible—based on your cyber footprint?”

—Justin Abel, National Cyber Leader, Government and Public Sector, PwC Canada

Protecting and enabling your purpose

No government or public-sector organization is facing their cybersecurity challenges alone. Collaborating with other levels of government, as well as private-sector businesses, can help you prevent, prepare for and respond to critical incidents. As you evaluate your own capabilities, it’s valuable to ask the following questions:

  • How quickly is our vulnerability management program assessing new threats and determining the potential impact on our environment? Are we receiving predictive forecasts or early warning signs of threat incidents?

  • What percentage of our assets are covered by our security protective controls and monitoring programs?

  • How are we tracking and categorizing the risks posed by third-party relationships?

  • Do we have a well-rehearsed operational playbook to guide our response to an incident?

  • How are our cybersecurity investments contributing to our vision for our organization in the coming years?

The last question is particularly powerful. Risk avoidance measures and controls that protect your organization are only part of the cyber discussion for government and public-sector organizations. Your investments should also let you innovate with speed and confidence as you develop new digital ways of delivering on your purpose. To sustain this momentum, constituents must be confident that their personal data is safe and secure. A strong cybersecurity posture is a key part of the foundation for government and public-sector leaders to build new solutions that create positive impact and improve citizens’ lives.

Read the full Canadian Cyber Threat Intelligence report for an in-depth look at the risk landscape facing government and public-sector organizations as well as other industries. To learn more about how your organization can apply these insights, reach out to start a conversation.

Contact us

Charles Eckert

Charles Eckert

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 815 5274

Justin Abel

Justin Abel

Partner, PwC Canada

Tel: +1 403 509 7522

Follow PwC Canada