Cyberattacks Surge Against Canadian SMBs, Report Finds

Canadian small businesses are being targeted by cyberattacks at rates higher than the global average, yet many remain unprepared. A new study warns that 2025 could be a breaking point if firms don’t strengthen their defences.

A report by Insurance Business Canada found that 85 per cent of SMBs in Canada have experienced at least one cyber incident in the past five years, compared with 74 per cent globally. Despite the heightened risk, fewer than half carry standalone cyber insurance, highlighting a preparedness gap that experts say could make 2025 a pivotal year for digital security.

Phishing attempts, ransomware attacks and business email compromises were the most common incidents identified in the study. For small firms with limited IT staff and budgets, these can cause days of downtime, financial loss and reputational damage.

Industry analysts said attackers view Canadian SMBs as especially vulnerable because they rely heavily on digital tools but often lack dedicated security teams. “Threat actors not only target the most valuable companies but also the most vulnerable: small businesses,” George Bozanin, head of Canada at cyber-insurer Coalition, told Insurance Business Canada in a separate interview.

Many small firms mistakenly believe cyber coverage is included in general business policies, the study noted. Without dedicated coverage, they risk paying for recovery costs themselves — including data restoration, legal fees, ransom demands and lost revenue.

Insurers are pushing companies to move beyond passive coverage toward so-called “active insurance,” which combines financial protection with monitoring, detection and rapid-response services.

Consequences of inaction

Cybersecurity experts warned that unprepared businesses face cascading consequences. Beyond direct costs, attacks can trigger supply chain delays, customer mistrust and regulatory penalties.

The report cautioned that if attack volumes continue to climb, 2025 could be a turning point for SMBs — especially those that continue to underinvest in basic protection.

The study and industry experts outlined several steps for small businesses looking to reduce their exposure:

• Assess vulnerabilities:
  Regular system audits can reveal weak points before attackers exploit them.
• Train staff:
  Employees are the first line of defence against phishing and social engineering.
• Adopt layered security:
  Firewalls, multi-factor authentication and endpoint protection remain essential.
• Consider cyber insurance:
  Standalone policies can offer both financial coverage and rapid-response support.

Analysts stressed that waiting until after an attack is too late, with recovery costs often far exceeding the expense of preventative measures.

Growing concern among business groups

A BDC survey released in September 2024 found that 73 per cent of small businesses had already experienced a cybersecurity incident—from phishing attempts to denial-of-service attacks. Yet more than half said they still felt unprepared to respond.

The poll also showed that 61 per cent of entrepreneurs believed larger companies were more likely to be hacked, a misconception that experts warn leaves small firms dangerously complacent. “Too many business owners think cyberattacks only happen to big corporations, but that’s simply not true,” said Pierre Cléroux, Vice President of Research and Chief Economist at BDC. “Small businesses are increasingly on the radar of cyber criminals, and denial is the biggest risk.”

With Canadian attack rates outpacing global averages, insurers expect demand for cyber policies to rise sharply in the months ahead. Business groups say more education and support are needed to help small firms close the preparedness gap.

For now, the study paints a stark picture: Canadian SMBs are being targeted more often than their global peers, yet many remain underinsured and underprotected. Experts warn the gap could leave thousands of small businesses exposed to crippling financial and reputational harm in 2025.