Today, Canadian businesses of all sizes must be vigilant to cyber-attacks. Recently, cybercriminals have professionalized considerably by improving their ability to target small- and medium-sized enterprises (SMEs). According to a survey from the Insurance Bureau of Canada (IBC), almost half (47 percent) of Canadian small businesses do not allocate any portion of their annual operating budget to cybersecurity. In this article, we discuss the findings of the survey, as well as offer some tips on how to protect your business from the threat of cyber-attacks.

Small business is big business in Canada

According to a report from Innovation, Science, and Economic Development Canada, nearly 98 percent of all employers in the country are small businesses. The report defines an SME as a business establishment with 1 to 499 paid employees. More specifically:

  • A small business has 1 to 99 paid employees
  • A medium-sized business has 100 to 499 paid employees

Fun fact: 9,700,000 Canadians are employed by a small business.

Small businesses have endured several challenges over the past two and a half years. Many have demonstrated resilience by adopting technology that allowed them to reach their customers online, improve their operations, and stay competitive. However, cybercriminals have been improving their ability to target small and medium-sized businesses. By utilizing techniques such as ransomware, business email compromise (BEC), and other fraud schemes, cybercrime is more pervasive than ever. Although Canadian law enforcement is taking steps to combat these threats, most cybercrime operations are launched from overseas in countries where the risk of prosecution is low. As a result, law enforcement’s capacity to impede these attacks has its limits.

Small businesses: Too small to target?

IBC’s 2023 Cyber Security Survey found that more than 60% of small businesses believe their business is too small to be targeted by cybercriminals. This number rises to 73% for sole proprietors. The majority of business owners surveyed were not concerned about their staff posing a cyber risk. However, three out of four employees admit to having taken at least one action that poses a cyber security risk. The same study states that 41 percent of small businesses that suffered a cyber-attack reported that it cost them at least $100,000.

Employees concerned about cyber-attacks

As the first line of defense for any business, employees are responsible for recognizing threats. They must also ensure that the threat is contained or disposed of before it can spread through to the rest of the business. Growing employee concerns over cyber safety were also highlighted in the IBC report as shown below:

  • 25% of employees don’t feel they have the tools and training needed to identify potential cyber threats at work.
  • 22% of employees are concerned their actions can contribute to a cyber-attack or data breach.
  • 10% of employees have shared confidential information with a publicly available chatbot or artificial intelligence (AI) platform.

Commercial Insurance Banner

Cyber-attack protection lacking for SMEs

According to the Canadian Centre for Cyber Security (CCCS), there were over 70,000 reported cybersecurity incidents in 2023. This suggests a 25% increase from the previous year. Canadian businesses are slowly beginning to wake up to the need to enhance security measures against cyber-attacks. Despite nearly 40% of small business employees indicating that they’ve seen an increase in scam attempts over the last 12 months, the IBC survey found employers may not be making enough investments in cyber protection. Employer responses to the threat of cyber-attacks were as follows:

  • 69% do not consider cybersecurity a financial priority.
  • Only 20% have any intention of purchasing cyber insurance within the next year.
  • 17% don’t think they will qualify for cyber insurance.

Liam McGuinty, Vice President of Strategy at IBC stated, “All businesses, but especially those that rely heavily on an online presence and use e-commerce, should consider contacting their insurance representative to help find ways to manage their cyber risk.” McGuinty also counters, “However, cyber insurance is just one component of an overall cyber risk mitigation strategy – it is not a replacement for cyber resilience.”

Insurance Business Canada’s new cyber savvy assessment

As part of Cyber Security Awareness Month, IBC is launching a self-assessment tool to help business owners understand the steps most cyber insurers want businesses to take to reduce their cyber risk. While this free tool cannot provide an assessment of a business’s actual risk profile, its questions can help business owners gauge their level of readiness for cyber insurance. It can also help determine which areas they may need to focus on to bolster their cyber resilience. The Cyber Savvy Assessment is available until October 31st, 2024 at Additionally, there are resources and information about the proactive measures businesses can take to help reduce their cyber risk.

Microsoft’s SME Cyber Survival Guide

To help small and medium-sized businesses protect themselves from cyber threats, John Hewie, National Security Officer at Microsoft Canada, has compiled a cyber security survival guide to help businesses protect themselves. Here are a few suggestions laid out in the guide to help business owners navigate cyber security:

  • Protect your accounts: Cybercriminals typically “log in” to accounts by guessing passwords or attaining them through a phishing attack. Consider enabling Two-Step Verification or Multi-Factor Authentication (MFA) on all your important accounts.
  • Keep up-to-date: Reduce the risk of malware that exploits software vulnerabilities. Ensure your organization’s devices, infrastructure, and applications maintain the latest vendor-provided software updates.
  • Antivirus and anti-malware defenses
  • Back-up important data: Cloud storage, such as Microsoft OneDrive, is a great solution to back up important files. It also has a recycle bin to recover from those accidental deletions! Windows Defender and OneDrive work together to help detect and recover from ransomware.
  • Foster cybersecurity culture within your small business: Basic phishing awareness should be at the top of your training list. Additionally, educating staff about suspicious websites and installing unapproved apps or free software on work devices is crucial.
  • Enhancing your small business network security: What’s a relatively easy way to add a layer of security to your local small business network? Configure your network router to use a domain name server (DNS) service that blocks access to known malicious domains. Once configured, all devices that use your small business network will benefit.

Learn some of the best ways to protect your business against cyber-attacks here.

Report cyber-attacks and fraud

Only a small percentage of cybercrimes or frauds are reported to police in Canada, making it difficult for law enforcement to keep up with the ever-changing threat landscape. If you have been a victim of a scam, fraud, or cybercrime, please contact your local police as soon as possible. The Canadian Center for Cybersecurity provides detailed instructions and what to expect hereAs well, consider reporting attempted scams or fraud to the Canadian Anti-Fraud Centre here. Reporting may help link multiple crimes together and contribute to further investments in Canada to combat cybercrime.

Is your business in need of a cybersecurity policy? Contact us today to speak with one of our knowledgeable isure brokers who will provide you with the best advice and coverage you need when it comes to cyber safety.

Related Articles