Money

‘Don’t underestimate the threat:’ National cyber security program warns Canadian small businesses

By
Anam Khan

Updated: 

Published: 

FILE - In this Dec. 12, 2016, file photo illustration, a person types on a laptop in Florida. Riviera Beach, Fla., agreed to pay $600,000 in ransom to hackers who took over its computer system, the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses. Spokeswoman Rose Anne Brown said Wednesday, June 19, 2019, that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid. (AP Photo/Wilfredo Lee, File)

Cyber crime is at an all-time high globally but many small and medium sized Canadian businesses may be over confident in their ability to withstand a cyber attack, experts warn.

Canada’s national cyber security agency, Communications Security Establishment Canada told BNN Bloomberg that it is seeing an increase in cyber security threats, and it’s not just limited to corporations, governments or critical infrastructure, it’s also the small and medium enterprises (SMEs).

“The first thing I would say is, don’t underestimate the threat, and don’t assume that because you’re an SME, that you’re not going to be a victim of a cyber incident,” Sami Khoury, a senior official for the federal government’s Cyber Security program, told BNN Bloomberg in an interview on Wednesday.

He said SMEs are often part of larger supply chains that make them potential entry points for cybercriminals targeting bigger companies, and they can be targeted by ransomware attacks, sophisticated phishing campaigns and credential theft because of weak passwords.

A recent survey by the Insurance Bureau of Canada showed that 48 per cent of respondents representing small and medium sized businesses think their business is vulnerable to a cyber attack or data breach, but only six per cent of them believe it will happen to them.

About 73 per cent of small businesses have already experienced a cyber security incident in Canada, according to research from the Business Development Bank of Canada.

The IBC says these findings suggest businesses may not fully understand the magnitude of a cyberattack and the cost of recovering from one.

Small business owners lose more than just their job after a cyber attack, said Jocelyn Rhindress with the Canadian Federation of Independent Business, a non profit that advocates for small businesses across Canada.

“They’re losing their whole livelihood. And you know that with crippling taxes and tariffs, and all of the uncertainty in our trade environment and strikes and things like that, it’s just one more thing that they have to worry about,” said Rhindress in an interview with BNN Bloomberg.

“We’ve talked to several business owners that have been affected by a cyber attack, whether it’s getting hacked, being held ransom for their data, and eventually, possibly having to close their business because of a cyber attack.”

Hackers are going for easy targets

If hackers have not attacked an SME, it doesn’t mean they can’t, it usually means they don’t want to, said Ali Dehghantanha, a cyber security expert from the University of Guelph in an interview with BNN Bloomberg.

“Attackers don’t go based on the name or based on the reputation. They are going after any easy targets,” said Dehghantanha.

“A lot of these small, medium businesses are very easy targets for the attackers.”

Dehghantanha says SMEs rarely implement cyber security monitoring, detection or response, and so they are not notified in real time if there has been a data breach.

But by the time they find out, it’s too late. Dehghantanha says the attackers usually steal private and sensitive information first and then develop ransomware, because they know that’s when users will take security measures.

“A lot of private information has been stolen, which means there will be a lot of legal liabilities. They need to inform everyone who has been impacted and all the legal costs around that,” said Dehghantanha.

“And of course, the cost of recovery itself. Usually the cost of prevention is one tenth of the cost of recovery.”

Concern of AI

With the rise of artificial intelligence, businesses will find it more difficult to protect themselves from cyber risks, experts warn.

IBC’s survey shows only 45 per cent of businesses have policies in place to help identify AI Scams.

Third party risks are another growing issue. As more businesses rely on vendor, cloud services and outsourced IT providers, 27 per cent of respondents said they worry about lawsuits stemming from the cyber break.

Majority of cyber attacks due to human error

The Canadian Federation of Independent Business says 95 per cent of cyber attacks are due to human error.

“It sounds so simple, but the biggest threats are weak passwords,” said Rhindress

She said 63 per cent of all breaches are a result of weak credentials, 91 per cent of attacks are phishing attacks. The other common issues are outdated softwares and malwares .

“If you can control those four things, passwords, batching phishing emails and malware, then that’s, that’s the bulk of the big cyber threats,” said Rhindress.

Methodology

These findings are from a survey conducted by Insurance Bureau of Canada from August 6 to 15, 2025, among n=308 Canadian business owners and decision makers who work at companies with up to 500 employees.

All respondents were members of the online Angus Reid Forum. Interviews were conducted in English and French.

For comparison purposes only, a sample of this size would yield a margin of error of +/- 5.6 percentage points, 19 times out of 20. Discrepancies in or between totals are due to rounding.