Canadian SMEs vulnerable to cyber attacks, authorities say

Small and medium-sized enterprises (SMEs) in Canada have been slow to adapt to increasingly frequent and sophisticated cyber attacks, according to the Insurance Bureau of Canada.

Only a third of surveyed employees at the surveyed SMEs (defined as businesses with fewer than 500 employees) said that their company provides mandatory cyber security awareness training.

In 2021, the average total cost of a data breach to Canadian organizations was US$7.3m, according to an IBM estimate.

Only half (50%) of employees surveyed report that their organization has introduced multi-factor authentication, a critical cyber security defence mechanism.

The survey also revealed that 7 in 10 employees of small and medium-sized businesses (72%) reported at least one behaviour that could allow a cyber criminal to gain access to their company's computer systems.

For example, 27% use one password to access multiple websites they use for work; and 23% reported accessing public wifi while using their work computer.

Hybrid/remote employees are even more likely (77% of respondents) to take actions that may compromise their employer's cyber security or data.

“While cyber insurance is an important backstop for businesses in the event of a cyber breach, it should be thought of as one component within a complete cyber risk mitigation strategy aimed at reducing an organization's vulnerability to online threats," said Celyeste Power, executive vice-president for strategic initiatives and advocacy at IBC.