Annual Report · 2026 Edition

The Cybersecurity Canada Report 2026

The state of cybersecurity for Canadian small and medium businesses — cyber incidents, breach costs, ransomware, fraud, and regulation. Verified figures from Statistics Canada, the Canadian Centre for Cyber Security, Mandiant, Verizon, CrowdStrike, IBM, Sophos, Microsoft Threat Intelligence, the Office of the Privacy Commissioner, and the Canadian Anti-Fraud Centre.

Published by Cybersecurity Canada · A Cyber Unit initiative · Last updated: May 24, 2026

  • 67% of investigated incidents in 2025 were rooted in identity attacks (Sophos Active Adversary Report 2026)
  • CA$704M in fraud losses reported by Canadians in 2025 — the highest year on record (Canadian Anti-Fraud Centre, March 2026)
  • 22 sec median time from initial access to attacker handoff — down from 8+ hours in 2022 (Mandiant M-Trends 2026)
  • 100+ AiTM phishing campaigns targeting Canadian Microsoft Entra tenants, 2023 to early 2025 (CCCS ITSM.30.031, 2025)

Executive Summary

This is the inaugural Cybersecurity Canada Report, a synthesis of the most recent verifiable public data on the cybersecurity posture of Canadian small and medium businesses (SMBs). Figures are drawn from primary sources — Statistics Canada, the Canadian Centre for Cyber Security, IBM Security, Mandiant, Verizon, CrowdStrike, IBM X-Force, Sophos, Microsoft Threat Intelligence, the Office of the Privacy Commissioner, and the Canadian Anti-Fraud Centre. Where authoritative Canadian government data is on a 1-2 year publication lag (it usually is), we cite the most recent available and flag the vintage. See the Methodology section for the data-vintage breakdown and the Sources section for the full citation list.

The seven findings that should shape Canadian SMB cybersecurity decisions in 2026:

  1. Canadians lost a record CA$704 million to fraud in 2025. The Canadian Anti-Fraud Centre's 2025 annual statistics — released March 2026 — record the highest annual fraud loss on file, with investment fraud, romance scams, and job scams leading by dollar value. The CAFC continues to estimate that only 5-10% of fraud is ever reported, so the true national figure is likely several times higher. For Canadian SMBs specifically, business email compromise remains the most expensive single incident type.
  2. Identity is now the breach surface. Sophos's 2026 State of Identity Security finds 71% of organizations suffered an identity-related breach in the past year; its Active Adversary Report 2026 finds 67% of all investigated incidents in 2025 were rooted in identity attacks. Verizon's 2026 DBIR records that, for the first time in 19 years of the report's history, vulnerability exploitation has overtaken stolen credentials as the #1 initial-access vector — but credential abuse remains a close second and is the dominant pathway into Canadian SMB Microsoft 365 tenants.
  3. The threat landscape now moves in seconds, not days. Mandiant's M-Trends 2026 reports the median time between initial access and handoff to a secondary threat group has collapsed from 8+ hours in 2022 to 22 seconds in 2025. CrowdStrike's 2026 Global Threat Report finds the average eCrime breakout time fell to 29 minutes, fastest observed at 27 seconds. There is no human-paced response time that fits inside that window; what matters is automated detection and pre-emptive control.
  4. Traditional MFA is no longer enough — and Canadians are being specifically targeted. Microsoft Threat Intelligence published an April 2026 case study on Storm-2755, a financially motivated actor running an AiTM "payroll pirate" campaign that geo-targets Canadian employees, hijacks their Microsoft 365 sessions, and redirects salary deposits in Workday. The Canadian Centre for Cyber Security separately reported in its 2025 guidance that it detected 100+ AiTM campaigns against Canadian Microsoft Entra tenants between 2023 and early 2025. Phishing-resistant MFA (FIDO2 / passkeys) is the only reliable defence; FIDO Alliance data from May 2026 puts global passkey use at 5 billion, with 68% of mid-to-large organizations deploying.
  5. The PhaaS ecosystem fragmented — but attack volume rose. In March 2026 a Microsoft and Europol-led coalition seized 330 active domains of Tycoon 2FA, which had been the dominant adversary-in-the-middle phishing-as-a-service kit (used against ~500,000 organizations since 2023). Within weeks, PhaaS attack volume across the four major kits rose from approximately 20 million to over 23 million as operators and customers migrated to Mamba 2FA, EvilProxy, Sneaky 2FA, and the newer Whisper 2FA. The disruption did not slow the threat; it diversified it.
  6. Bill C-8 has finally moved. After Bill C-26 died on prorogation in January 2025, the reboot Bill C-8 passed the House of Commons at Third Reading on March 26, 2026 and received Senate First Reading the same day — further than C-26 ever advanced. Administrative monetary penalties run up to CA$10 million per violation per day for corporations (CA$15 million for subsequent contraventions). PIPEDA remains the federal private-sector privacy floor; Bill C-27's AI provisions (AIDA) are confirmed not returning. Quebec's Law 25 remains the strictest practical national standard.
  7. Canadian buyers are reconsidering U.S. vendors. 69% of Canadian organizations now cite data sovereignty as the most important sourcing factor (up from 60% in 2024); 56% have specifically reconsidered U.S. cybersecurity providers in 2025. Combined with the IBM finding that AI-augmented security operations correlate with CA$3.34 million lower breach costs, the 2026 Canadian SMB cybersecurity buyer looks distinctly different than at any point in the last decade.

How Many Canadian Businesses Are Being Hit?

According to Statistics Canada's Canadian Survey of Cyber Security and Cybercrime (CSCSC), 16% of Canadian businesses were impacted by cyber security incidents in 2023 — the most recent national survey, with results released in October 2024. That continues a downward trend (21% in 2019, 18% in 2021, 16% in 2023), but the decline is concentrated among larger businesses.

Larger organizations remain disproportionately targeted: 30% of large businesses (250+ employees) reported an incident in 2023, nearly double the national average. Small and medium businesses report lower incident rates, but as discussed below they face several specific risks (BEC, vendor compromise, ransomware against under-prepared backups) that the headline rate does not capture.

The 2023 CSCSC surveyed 12,462 enterprises with 10 or more employees and achieved a 71% response rate, with fieldwork completed in early 2024. It is the largest and most methodologically rigorous public dataset on Canadian business cyber experience; we treat its national figures as the baseline for this report.

What did it cost to clean up?

Canadian businesses spent approximately $1.2 billion recovering from cyber security incidents in 2023, roughly double 2021. Recovery spending split: small businesses (1-99 employees) ~$300 million, medium businesses (100-249 employees) ~$300 million, and large businesses ~$500 million. In other words, small and medium businesses together account for roughly half of national recovery spending, despite lower per-business incident rates, simply because there are vastly more SMBs.

Prevention and detection spending also rose: $11.0 billion in 2023 versus $9.7 billion in 2021. Defensive investment is growing roughly 6% annually — faster than overall business IT spend.

What Kinds of Attacks Are Canadian Businesses Facing?

Among the 16% of Canadian businesses impacted by an incident in 2023, the breakdown by method (CSCSC 2023) was:

  • Scams or fraud: 50% — the most common method by a wide margin
  • Identity theft: 31% — up 11 percentage points from 2021
  • Ransomware: 13%

Of incidents reported to police, 56% involved theft of money or a ransom demand, and 33% involved theft of personal or financial information. Phishing remains the most common initial attack vector in the IBM 2024 Canadian dataset, present in 14% of breaches, with an average per-breach cost of CA$6.38 million when phishing was the entry point.

The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2025-2026, released October 30, 2024, names ransomware as the top cybercrime threat to Canada's critical infrastructure — a category that increasingly includes SMBs in critical supply chains (managed service providers, software vendors, professional services firms supporting CI sectors).

The Cost of a Breach in Canada

IBM Security's Cost of a Data Breach Report 2025 (the most recent edition; the 2026 edition is expected in July 2026) found the average cost of a data breach at a Canadian organization reached CA$6.98 million, a 10.4% year-over-year increase. Canada is one of the few countries where breach costs rose against a falling global average. Financial services breaches averaged CA$9.97 million — the most expensive sector in Canada.

The IBM report's clearest finding for SMB decision-makers: Canadian organizations that extensively used security AI and automation reported average breach costs of CA$5.19 million, versus CA$8.53 million for those that did not — a CA$3.34 million spread. The category is not "having AI tools" — it is having them operationalized in detection, response, and triage workflows.

Two 2026 successor reports reinforce the directional finding: IBM's X-Force Threat Intelligence Index 2026 (February 2026) found a 44% year-over-year increase in attacks beginning with exploitation of public-facing applications, with vulnerability exploitation overtaking other initial-access vectors at 40% of incidents. Verizon's 2026 DBIR independently corroborates this: for the first time in 19 editions, vulnerability exploitation overtook stolen credentials as the #1 initial-access vector globally, with third-party / supply-chain breaches up 60% year-over-year. The 2026 message is that Canadian SMBs need to weight patch management and supply-chain risk more heavily than the 2023-2024 narrative implied.

One caveat: IBM's Canadian dataset is not broken out by business size. The CA$6.98M figure reflects all Canadian organizations in the sample, weighted toward enterprises with mature breach response capability. Small business breaches typically cost less in absolute dollars but a higher proportion of revenue.

Ransomware in Canada: Why the Payment Rate Depends on Who You Ask

The most frequently mis-cited statistic about Canadian ransomware is the ransom payment rate. Two reputable sources give very different numbers because they sample very different populations:

  • Statistics Canada (CSCSC 2023, latest available): Of Canadian businesses impacted by ransomware, 88% did not pay. Of those who did pay, 84% paid under $10,000 but 4% paid over $500,000.
  • CIRA 2025 Cybersecurity Survey: Of Canadian organizations that were victims of ransomware, 74% paid the ransom. 24% of respondents were ransomware victims in the prior 12 months.

Both are correct. The gap is methodological. Statistics Canada's denominator is every Canadian business that experienced ransomware — including the many that had usable backups, isolated the incident, and walked away without engaging the attacker. CIRA's denominator is IT decision-makers responding to a cybersecurity survey, a sample skewed toward larger organizations and toward incidents that escalated to negotiation.

The Verizon 2026 DBIR reports that ransomware grew to 48% of all breaches globally, with the majority of ransomware victims continuing to refuse payment — consistent with the long-running StatCan finding. Sophos's Active Adversary Report 2026 adds two operational details Canadian SMBs should plan for: 88% of ransomware payloads were deployed during non-business hours, and 67% of all investigated incidents in 2025 were rooted in identity attacks (i.e., ransomware most often arrived via a compromised account, not a vulnerability scan). Akira alone was present in 22% of Sophos-investigated incidents.

The practical implication for Canadian SMBs: tested, isolated backups are the difference between a ransomware incident and a ransomware crisis, and identity is the door. The businesses that don't pay are overwhelmingly the ones with working recovery options. See backup and recovery for the CCCS baseline guidance.

Token Theft, AiTM Phishing, and the Death of First-Generation MFA

The single largest shift in the Canadian SMB threat landscape over the past 18 months is one that the structural Canadian surveys don't yet capture: adversary-in-the-middle (AiTM) phishing and session token theft have made first-generation multi-factor authentication broadly ineffective. An organization that deployed MFA in 2022 and assumes it is protected against phishing in 2026 is, in the median case, mistaken. Sophos's 2026 State of Identity Security reports that 71% of organizations suffered an identity-related breach in the past year, and its Active Adversary Report 2026 finds 67% of all investigated incidents in 2025 were rooted in identity attacks.

How the attack works

In a modern AiTM attack, the user receives a phishing email and clicks through to what looks like a legitimate Microsoft 365 or Google Workspace login page. The page is actually a real-time reverse proxy operated by the attacker. When the user enters their credentials and approves the MFA prompt, the proxy forwards both upstream to the real identity provider, which authenticates the session and issues a session cookie. The attacker's proxy captures that cookie and replays it from the attacker's own browser. The attacker is now logged in as the user, with MFA already satisfied, until the session expires — typically hours or days later.

A second, related vector is the infostealer ecosystem. Malware families harvest saved passwords and live session cookies from infected browser profiles, package them as "logs" and sell them on criminal marketplaces. Buyers replay the stolen cookies the same way an AiTM proxy does, with the same result: authenticated access without ever needing to defeat the user's MFA. After the May 2025 takedown of Lumma Stealer (~2,300 domains seized, 394,000 infected machines), Gen Digital documented a successor it calls Remus — a 64-bit infostealer whose first campaigns were observed in February 2026 and whose command-and-control is resolved through Ethereum smart contracts, making the infrastructure effectively immune to platform-level takedown. ReliaQuest has separately reported on Acreed as another rising infostealer absorbing displaced Lumma activity.

The Canadian picture: Storm-2755 and the "payroll pirate" campaign

In April 2026, Microsoft Threat Intelligence published a case study on a threat actor it designates Storm-2755, financially motivated and notable for geo-targeting Canadian users specifically, not by industry vertical. The attack chain: Storm-2755 uses malvertising and SEO poisoning against Microsoft 365 sign-in search terms to drive Canadian victims to AiTM phishing pages (one observed domain: bluegraintours.com). The page steals the session token in the standard AiTM way. The attacker then either socially engineers the victim's HR or finance team ("Question about direct deposit") or logs directly into Workday and rewrites the victim's salary-deposit account. As far as we are aware this is the first Microsoft-documented financially motivated threat actor whose victim-selection criterion is "Canadian."

Separately, the Canadian Centre for Cyber Security's 2025 guidance publication ITSM.30.031 — Defending against adversary-in-the-middle threats with phishing-resistant MFA reported that it detected more than 100 AiTM phishing campaigns targeting Canadian Microsoft Entra ID tenants between 2023 and early 2025. That figure represents only campaigns CCCS specifically attributed and tracked, not total exposure. Microsoft also reported in February 2026 that a device-code phishing wave targeting 340+ Microsoft 365 organizations explicitly named Canada among the top target geographies, alongside the U.S., Australia, New Zealand, and Germany.

The PhaaS market: Tycoon 2FA disruption and its aftermath

What made AiTM a structural threat rather than a sophisticated one is that the tooling has been sold on subscription since 2023. The market changed materially in March 2026.

On March 4, 2026, Microsoft and Europol-led law enforcement seized 330 active domains of Tycoon 2FA, the dominant AiTM phishing-as-a-service kit. Pre-takedown, Tycoon 2FA accounted for approximately 62% of phishing attempts across the four major PhaaS platforms and roughly 89% of total PhaaS market share, used in attacks against an estimated 500,000 organizations since 2023. Microsoft tracks the operators as Storm-1747.

The takedown did not reduce PhaaS attack volume. Barracuda's post-takedown analysis (April 2026) found that within weeks, total attack volume across the four major remaining kits rose from approximately 20 million to more than 23 million phishing attempts as operators and affiliates migrated to:

  • Mamba 2FA — Barracuda recorded a major surge in Mamba 2FA activity across late 2025 and early 2026; the kit is sold on Telegram at $250 per 30 days.
  • EvilProxy — longest-running of the major kits; subscription priced.
  • Sneaky 2FA — targets Microsoft 365 specifically; advertised at $200/month.
  • Whisper 2FA — a net-new entrant first tracked by Barracuda in July 2025. By October 2025 Barracuda was attributing roughly 1 million phishing attempts per month to Whisper 2FA, placing it third behind Tycoon and EvilProxy at that time. Whisper uses AJAX to repeatedly capture credentials and MFA codes until obtaining a valid token, plus anti-debugging features including a browser-freezing "infinite debugger loop."

Tycoon 2FA itself did not disappear: late-April 2026 reporting from eSentire's TRU team documented Tycoon-2FA variants still operating and pivoting to abuse the OAuth Device Authorization Grant flow — a technique that even phishing-resistant FIDO2 MFA does not, on its own, fully prevent without correctly tuned Conditional Access policies.

A recent campaign that illustrates the present-day risk

Between April 14–16, 2026, Microsoft Defender observed a single coordinated AiTM phishing campaign hitting more than 35,000 users across 13,000+ organizations in 26 countries. The lures used "code of conduct" and HR-disciplinary themes (e.g., "Awareness Case Log File – Tuesday 14th, April 2026.pdf") delivered via legitimate email-relay services and impersonating internal HR communications. The AiTM proxy captured session tokens, bypassing every non-phishing-resistant MFA method in scope. Most-targeted sectors: healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology / software (11%) — sectors directly relevant to Canadian SMBs in these verticals.

Global telemetry confirms the shift

  • Sophos Active Adversary Report 2026: 67% of investigated incidents in 2025 were rooted in identity-related attacks; 88% of ransomware payloads were deployed during non-business hours.
  • Verizon DBIR 2026: For the first time in 19 editions, vulnerability exploitation overtook stolen credentials as the #1 initial-access vector — but credential abuse remains a close second, and ransomware grew to 48% of all breaches with third-party / supply-chain breaches up 60% YoY.
  • Mandiant M-Trends 2026: Median time between initial access and handoff to a secondary threat group collapsed to 22 seconds (from 8+ hours in 2022). Internet-facing exploitation was the #1 initial vector for the sixth consecutive year (32% of cases).
  • CrowdStrike 2026 Global Threat Report: Average eCrime breakout time fell to 29 minutes; fastest observed at 27 seconds. AI-enabled adversaries up 89% YoY.
  • IBM X-Force 2026: 44% increase in attacks beginning with exploitation of public-facing applications; supply-chain compromises nearly quadrupled since 2020.
  • Microsoft Digital Defense Report 2024 / 2025: Microsoft Entra processes roughly 600 million identity attacks per day; token-theft incidents reached ~39,000 per day in 2024; identity attacks rose 32% in H1 2025.

What actually works

The defence is well-understood and increasingly low-cost. Microsoft's Digital Defense Report finds that phishing-resistant MFA — FIDO2 security keys and passkeys — blocks over 99% of identity-based attacks in Microsoft's telemetry. The FIDO Alliance estimates 5 billion passkeys are now in use worldwide as of World Passkey Day (May 6, 2026), with 68% of mid-to-large organizations deploying or actively deploying passkeys (caveat: the FIDO survey samples enterprises of 500+ employees; SMB adoption is materially lower). CISA's Implementing Phishing-Resistant MFA fact sheet, the joint CISA-FBI-NSA-MS-ISAC Phishing Guidance, and the CCCS's ITSAP.30.030 / ITSM.30.031 all name FIDO / WebAuthn and PKI as the only widely-available phishing-resistant authentication. SMS one-time-passwords, voice OTPs, and push prompts without number-matching are all explicitly named as vulnerable to AiTM.
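Why the relayed MFA step described under "How the attack works" succeeds for an OTP but fails for FIDO2, as an added illustration that is not code from the report, Microsoft or the FIDO Alliance. The origin and RP-ID checks are the real WebAuthn relying-party checks; the authenticator signature is simplified to an HMAC over the same fields a real authenticator signs, and `login.example-idp.com` and the OTP value are constructed.

```python
"""Origin binding: the property that makes FIDO2/WebAuthn resistant to an AiTM proxy.

Added example. The authenticator's ECDSA signature is replaced by an HMAC over
authenticatorData || SHA-256(clientDataJSON), which is exactly what a real
authenticator signs; the verifier logic (challenge, origin, rpIdHash) is real.
"""
import hashlib
import hmac
import json
import secrets
from typing import Tuple

RP_ID = "login.example-idp.com"              # constructed relying party
RP_ORIGIN = "https://login.example-idp.com"
EXPECTED_OTP = "482913"                      # constructed TOTP/SMS code for the contrast case


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """Stand-in for a passkey / security key that is bound to one RP ID."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._key = secrets.token_bytes(32)  # private key; HMAC stands in for ECDSA

    def verification_key(self) -> bytes:
        # With HMAC the verifier needs the same secret; a real RP stores the public key.
        return self._key

    def sign(self, browser_origin: str, challenge: bytes) -> dict:
        # The BROWSER writes `origin` from the page the user is really on; page
        # JavaScript cannot alter it. A proxy therefore cannot forge the real origin.
        client_data = json.dumps({
            "type": "webauthn.get",
            "challenge": challenge.hex(),
            "origin": browser_origin,
        }).encode()
        auth_data = rp_id_hash(self.rp_id) + b"\x01"      # rpIdHash || flags (user present)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self._key, to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(assertion: dict, expected_challenge: bytes, key: bytes) -> Tuple[bool, str]:
    """Relying-party checks in the order WebAuthn specifies them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def fido_login_attempt(user_is_on: str) -> Tuple[bool, str]:
    """One FIDO2 sign-in: the IdP issues a challenge (relayed verbatim by any proxy),
    the browser at `user_is_on` asks the key to sign, the IdP verifies."""
    authenticator = Authenticator(RP_ID)
    challenge = secrets.token_bytes(32)
    assertion = authenticator.sign(user_is_on, challenge)
    return verify_assertion(assertion, challenge, authenticator.verification_key())


def otp_login_attempt(user_is_on: str, typed_code: str) -> bool:
    """Contrast case: an OTP carries no origin, so a proxy at `user_is_on` forwards
    it unchanged and the IdP cannot tell where it was typed."""
    code_seen_by_idp = typed_code   # identical whether typed on the real page or the proxy
    return hmac.compare_digest(code_seen_by_idp, EXPECTED_OTP)


if __name__ == "__main__":
    proxy = "https://login.example-idp.com.evil-proxy.test"   # constructed AiTM origin
    print("FIDO2 on real site :", fido_login_attempt(RP_ORIGIN))
    print("FIDO2 via proxy    :", fido_login_attempt(proxy))
    print("OTP via proxy      :", otp_login_attempt(proxy, EXPECTED_OTP))
```

In practice the proxied attempt fails even earlier, because the browser refuses to use a credential whose RP ID is not a registrable suffix of the page's origin; the relying-party check shown here is the second line of defence.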

For a Canadian SMB already on Microsoft 365 Business Premium or Google Workspace Business, the practical roadmap is:

  1. Enable passkeys (FIDO2) for all administrative and finance-team accounts as a hard requirement — not an option.
  2. Apply Conditional Access policies that bind sessions to managed devices and known locations, and that require re-authentication on token age or risk signal — including specifically scoped controls on OAuth device-code grants (now a known token-theft vector).
  3. Reduce default session token lifetimes from the default (days) to hours, particularly for administrative roles.
  4. Roll passkeys out to all remaining users over a defined period, treating SMS and TOTP as transitional rather than the destination.
  5. Monitor for the indicator that AiTM has already happened — new MFA methods added to user accounts, inbox rules forwarding to attacker-controlled addresses, OAuth grants to unfamiliar apps, and (for Storm-2755 specifically) HR-system payroll-detail changes from unusual locations. Most successful AiTM intrusions are first detected by anomalous mailbox or HR-system activity, not by login telemetry.
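The indicators in step 5 turned into triage rules over a constructed batch of audit events, as an added example that is not the report's own code. The Microsoft operation names ("User registered security info", "New-InboxRule", "Consent to application") are real, but the flattened record shape, the field names, the domain and app allow-lists and the `Payroll.DirectDepositChanged` HR event are this example's assumptions.

```python
"""Triage rules for the post-AiTM indicators: new MFA method, external inbox
forwarding, unfamiliar OAuth consent, payroll change from an unusual location.

Added example. Event dicts are a simplified, constructed normalisation of
Microsoft 365 unified-audit / Entra audit records; tune the allow-lists per tenant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed tenant policy (assumptions, not report data)
INTERNAL_DOMAINS = {"example-smb.ca"}
APPROVED_APP_IDS = {"00000003-0000-0000-c000-000000000000"}   # Microsoft Graph, as a known-good example
HOME_COUNTRIES = {"CA"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"RSS Feeds", "Conversation History"}


@dataclass
class Alert:
    user: str
    indicator: str
    detail: str
    severity: str


def _external(addresses: List[str]) -> List[str]:
    return [a for a in addresses if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def check_event(e: Dict) -> Optional[Alert]:
    """Return an Alert if a single event matches one follow-on indicator."""
    op = e.get("operation")
    user = e.get("user", "?")
    country = e.get("country", "??")
    if op == "User registered security info":
        # Registering a new MFA method is how an attacker keeps access after the stolen session expires.
        sev = "high" if country not in HOME_COUNTRIES else "medium"
        return Alert(user, "new-mfa-method", f"{e.get('method')} registered from {country}", sev)
    if op in ("New-InboxRule", "Set-InboxRule"):
        params = e.get("parameters", {})
        targets = [t for p in FORWARDING_PARAMS for t in params.get(p, [])]
        ext = _external(targets)
        if ext:
            return Alert(user, "inbox-forwarding", f"rule '{params.get('Name')}' -> {ext}", "high")
        if params.get("DeleteMessage") or params.get("MoveToFolder") in HIDING_FOLDERS:
            return Alert(user, "inbox-hide-rule", f"rule '{params.get('Name')}' hides mail", "medium")
    if op == "Consent to application" and e.get("app_id") not in APPROVED_APP_IDS:
        return Alert(user, "oauth-consent", f"{e.get('app_name')} ({e.get('app_id')})", "high")
    if op == "Payroll.DirectDepositChanged" and country not in HOME_COUNTRIES:   # constructed HR event
        return Alert(user, "payroll-change", f"deposit account changed from {country}", "critical")
    return None


def triage(events: List[Dict]) -> List[Alert]:
    """Evaluate a batch; two or more distinct indicators on one user escalate to critical."""
    alerts = [a for a in (check_event(e) for e in events) if a is not None]
    indicators_per_user: Dict[str, set] = {}
    for a in alerts:
        indicators_per_user.setdefault(a.user, set()).add(a.indicator)
    for a in alerts:
        if len(indicators_per_user[a.user]) >= 2:
            a.severity = "critical"
    return alerts


# Constructed sample batch (not real telemetry)
SAMPLE_EVENTS = [
    {"operation": "UserLoggedIn", "user": "jdoe@example-smb.ca", "country": "CA"},
    {"operation": "User registered security info", "user": "jdoe@example-smb.ca",
     "country": "NL", "method": "Authenticator app"},
    {"operation": "New-InboxRule", "user": "jdoe@example-smb.ca", "country": "NL",
     "parameters": {"Name": ".", "ForwardTo": ["collector@mail-drop.example.net"], "DeleteMessage": True}},
    {"operation": "Consent to application", "user": "asmith@example-smb.ca", "country": "CA",
     "app_id": "00000003-0000-0000-c000-000000000000", "app_name": "Microsoft Graph"},
    {"operation": "Payroll.DirectDepositChanged", "user": "asmith@example-smb.ca", "country": "CA"},
    {"operation": "Payroll.DirectDepositChanged", "user": "bwong@example-smb.ca", "country": "NG"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.user:24} {a.indicator:16} {a.detail}")
```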

See our pillar pages on authentication (BC.5) and security awareness training (BC.6) for the CCCS baseline framing.

The Readiness Gap

According to the 2023 CSCSC (the most recent Statistics Canada national figure; the next iteration covering 2025 data is expected late 2026), only 26% of Canadian businesses had written cybersecurity policies in place. That remains the cleanest national snapshot of Canadian SMB security maturity available.

Globally, Sophos's 2026 State of Identity Security survey of 5,000 IT and security leaders across 17 countries found that 71% of organizations suffered at least one identity-related breach in the past year, and 67% of ransomware victims confirmed their incident stemmed from an identity attack. The Canadian SMB picture sits somewhere between StatCan's national 26%-policy figure and Sophos's larger-org identity-incident rate; in either reading, the readiness gap is real and concentrated in identity controls.

The Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089) defines 13 control areas as the minimum recommended standard for Canadian SMBs. Our free assessment evaluates organizations against those baseline controls; aggregate, de-identified findings from assessment users will be incorporated into the 2027 edition of this report.

Fraud Is the Biggest Dollar Loss to Canadians — A Record CA$704M in 2025

Headline cyber incident statistics undercount the largest financial risk Canadian businesses actually face, because much of it is reported as fraud rather than breach. The Canadian Anti-Fraud Centre's 2025 annual statistics, released in March 2026, record CA$704 million in reported fraud losses — the highest year on record, up from CA$645 million in 2024.

  • Investment fraud: CA$351 million — the single largest category by dollar value
  • Romance and relationship scams: CA$63.3+ million
  • Job scams: CA$50.6+ million
  • Top three categories by report volume: identity fraud, service fraud, investment fraud

The CAFC reiterates that only an estimated 5-10% of fraud victims ever report to the centre, so the true national fraud loss in 2025 is likely between CA$3.5 billion and CA$7 billion. The Government of Canada launched public consultations on Canada's first-ever National Anti-Fraud Strategy on March 30, 2026 (consultation period: March 30 to April 28, 2026), signalling that federal policy is finally catching up to the scale of the problem.

For Canadian SMBs specifically, business email compromise (BEC) remains the most costly single incident category at the business scale — an executive impersonation email redirecting a wire transfer can cost more than any other incident type a small business will face. The Storm-2755 "payroll pirate" campaign described in the token theft section is a current variant of this same pattern: a hijacked Microsoft 365 session used to redirect salary deposits via Workday. See our background on business email compromise in Canada.

The Regulatory Landscape in 2026

Canada's federal cybersecurity and privacy legislative agenda reset in early 2025 when Parliament was prorogued. As of May 2026, the practical picture is:

Bill C-8 has passed Third Reading — further than C-26 ever advanced.

The Critical Cyber Systems Protection Act, originally introduced as Bill C-26, died on the order paper when Parliament was prorogued in January 2025. The reboot, Bill C-8, was tabled on June 18, 2025 and moved through committee study at the Standing Committee on Public Safety and National Security (SECU) through late 2025. On March 26, 2026, Bill C-8 passed the House of Commons at Third Reading and received Senate First Reading the same day. (The Speaker had ruled certain committee amendments out of order on March 25, restoring ministerial / Governor-in-Council authority to issue cybersecurity orders that had been weakened in committee. The amended bill now includes a statutory five-year mandatory ministerial review after Royal Assent.) Second Reading and SECU referral in the Senate are expected in spring 2026.

Bill C-8 applies to federally regulated operators of critical infrastructure (telecommunications, pipelines, electricity, nuclear, transport, banking, clearing and settlement), with obligations including a cybersecurity program within 90 days of designation, 72-hour incident reporting to the Communications Security Establishment, Canadian-resident records, and third-party / supply-chain risk management. Administrative monetary penalties run up to CA$10 million per violation per day for corporations, rising to CA$15 million per day for subsequent contraventions.

For most Canadian SMBs, Bill C-8 will not apply directly — but SMBs that supply designated operators (managed service providers, contractors, professional services firms) will inherit obligations through their contracts. Given that Bill C-8 has now advanced further than C-26 did, supply-chain readiness should no longer be treated as hypothetical.

PIPEDA remains. Bill C-27's AI provisions are dead.

The Consumer Privacy Protection Act and Artificial Intelligence and Data Act bundled in Bill C-27 died with the January 2025 prorogation. Minister Evan Solomon confirmed in June 2025 that AIDA will not return in its drafted form. The latest federal privacy-reform vehicle, Bill C-15, was the subject of OPC Commissioner Philippe Dufresne's testimony before the House Standing Committee on Industry and Technology on January 26, 2026; as of this writing no comprehensive PIPEDA replacement has been enacted.

PIPEDA therefore remains Canada's federal private-sector privacy law. Mandatory breach reporting under PIPEDA's "real risk of significant harm" threshold has been in force since November 1, 2018. The Office of the Privacy Commissioner of Canada's 2024-25 Annual Report records 686 PIPEDA private-sector breach reports in the reporting year, affecting an estimated 20 million Canadian accounts; federal Privacy Act (public-sector) breaches rose to 615 (from 561 the prior year), affecting 309,865 individuals — more than double the previous year. See our guide to PIPEDA for Canadian SMBs.

Quebec's Law 25 is the strictest practical national floor.

Quebec's Law 25 (the Act to Modernize Legislative Provisions Respecting the Protection of Personal Information) is fully in force. Its consent requirements, mandatory privacy impact assessments, breach reporting obligations, and financial penalties (administrative monetary penalties up to CA$10M / 2% of global revenue; penal penalties up to CA$25M / 4%) make it the de facto stricter standard for any Canadian business handling Quebec residents' personal information — which, for businesses with national customer bases, is essentially every business.

On January 30, 2026, Quebec's Commission d'accès à l'information (CAI) published new guidance on the prevention of confidentiality incidents, including a step-by-step Guide and complementary Checklist for Law 25-regulated entities. The CAI is signalling increased scrutiny on AI deployments that lack privacy impact assessments under s. 3.3 and consent obligations under s. 14 (automated decision-making) — relevant to any Canadian SMB deploying AI tools that process Quebec-resident personal information.

AI Threats and the Data Sovereignty Shift

The 2025 CIRA Cybersecurity Survey captured two related shifts in Canadian IT-buyer sentiment that did not exist at this scale a year earlier:

  • 70% of Canadian IT professionals are worried about new AI cyber threats; 54% specifically cite AI-powered cyber attacks as a leading concern.
  • 69% of Canadian organizations now cite data sovereignty as the most important factor when sourcing cybersecurity solutions — up from 60% in 2024.
  • 56% of Canadian organizations have specifically reconsidered U.S. vendors in light of cross-border trade and political uncertainty in 2025.
  • 65% of Canadian organizations have integrated AI tools into their workflows in 2025, up from 44% in 2023.

The sovereignty shift is structurally important: it represents a re-pricing of Canadian-hosted, Canadian-owned cybersecurity providers relative to U.S. alternatives. Combined with the IBM finding that extensive AI-and-automation deployment correlates with CA$3.34 million lower breach costs, the 2026 Canadian SMB cybersecurity buyer profile looks different than at any time in the last decade.

What This Means for Canadian SMBs in 2026

Six practical implications follow from the data above:

  1. Move to phishing-resistant MFA before someone else moves on for you. The CCCS has detected more than 100 AiTM campaigns against Canadian Microsoft Entra tenants since 2023, and the phishing-as-a-service kits doing the work are sold for $120-$350 a month. Traditional MFA (SMS, TOTP, push prompt) is no longer reliable. Microsoft's telemetry shows phishing-resistant MFA — FIDO2 security keys and passkeys — blocks 99%+ of identity attacks; both Microsoft 365 and Google Workspace support it natively at no additional cost.
  2. Plan for the dollar loss, not just the breach. The largest single financial threat to a Canadian SMB is a successful business email compromise wire-transfer scam, not a ransomware event. Controls that matter most: strong authentication on email accounts, out-of-band verification for wire transfers over a defined threshold, and finance-team awareness training specifically on payment redirection scams.
  3. Invest in backup that is actually tested. The single biggest predictor of whether a Canadian business pays a ransom is whether its backups work when tested. See backup and recovery baseline guidance.
  4. Get an incident response plan written down. Only 26% of Canadian businesses had a written cybersecurity policy as of 2023. Among Canadian businesses that had a documented incident response plan, recovery time and cost were materially lower.
  5. Treat AI tooling as a security control, not a risk to manage. The IBM evidence is clear: Canadian organizations using security AI extensively pay materially less when they are breached. The risk-management framing of AI obscures that AI-augmented detection and response is now the difference between a CA$5M and a CA$9M event.
  6. Treat Bill C-8 as imminent, not hypothetical. The bill passed House Third Reading on March 26, 2026 and is now in the Senate — further than C-26 ever advanced. If your business serves federally regulated critical-infrastructure operators (telecom, energy, banking, transport, clearing and settlement), your contracts will require Canadian-resident records, 72-hour incident notification to CSE, and documented supply-chain risk management. Get ahead of it; the penalty ceiling is CA$15 million per violation per day.

The free Cybersecurity Canada assessment measures your organization against the CCCS Baseline Controls and produces a score, letter grade, and prioritized recommendations across all 13 control areas. It takes under 30 minutes and runs entirely in your browser — we do not collect or store your answers.

Frequently Asked Questions

What is the current state of cybersecurity in Canada?

According to Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime (released October 2024), 16% of Canadian businesses were impacted by cyber security incidents in 2023, down from 21% in 2019. Total business recovery spending doubled to approximately $1.2 billion. The Canadian Centre for Cyber Security's National Cyber Threat Assessment 2025-2026 identifies ransomware as the top cybercrime threat. IBM's 2025 Cost of a Data Breach report places the average Canadian breach cost at CA$6.98 million, up 10.4% year-over-year.

What percentage of Canadian businesses have been hit by a cyber attack?

16% of Canadian businesses reported being impacted by a cyber security incident in 2023, according to Statistics Canada's most recent Canadian Survey of Cyber Security and Cybercrime. Among large businesses (250+ employees) the rate was 30%; rates were lower for small and medium businesses, though these segments together account for roughly half of national recovery spending.

How much does a data breach cost in Canada?

The average cost of a data breach at a Canadian organization was CA$6.98 million in 2025, according to the IBM Cost of a Data Breach Report 2025 — a 10.4% increase over 2024. Financial services breaches averaged CA$9.97 million. Canadian organizations using security AI and automation extensively reported costs of CA$5.19 million on average, versus CA$8.53 million without — a CA$3.34 million difference.

How much fraud loss did Canadians report in 2025?

The Canadian Anti-Fraud Centre's 2025 annual statistics, released March 2026, record CA$704 million in reported fraud losses — the highest year on record, up from CA$645 million in 2024. Investment fraud led at CA$351 million; romance and relationship scams over CA$63.3 million; job scams over CA$50.6 million. The CAFC reiterates that only 5-10% of fraud victims report, so true 2025 losses are likely between CA$3.5 billion and CA$7 billion.

What percentage of Canadian businesses pay ransomware ransoms?

It depends on the sample. Statistics Canada's nationally representative survey found 88% of Canadian businesses impacted by ransomware in 2023 did not pay the ransom. CIRA's 2025 survey of Canadian IT decision-makers found 74% of ransomware victims did pay (79% in 2024). The gap reflects different sampled populations: StatCan covers all businesses, including those with working backups that walked away; CIRA's IT-decision-maker sample skews toward organizations that engaged in negotiation.

What is adversary-in-the-middle (AiTM) phishing?

Adversary-in-the-middle phishing is a technique where attackers operate a real-time reverse proxy of a legitimate login page (typically Microsoft 365 or Google Workspace). When the victim enters credentials and approves the MFA prompt, the proxy forwards both upstream and captures the resulting authenticated session cookie, which the attacker then replays from their own browser. The attacker is logged in as the user, with MFA already satisfied. The Canadian Centre for Cyber Security detected more than 100 AiTM campaigns targeting Canadian Microsoft Entra tenants between 2023 and early 2025.

Does multi-factor authentication stop phishing?

Not anymore — not without qualification. First-generation MFA methods (SMS one-time-password, app-based TOTP, push prompt without number-matching) are routinely bypassed in 2025-2026 by adversary-in-the-middle phishing kits and by infostealer malware that harvests live session cookies. Microsoft observed approximately 39,000 token-theft incidents per day in 2024. Verizon's 2025 Data Breach Investigations Report finds credential abuse is now the #1 initial-access vector for breaches at 22%. Only phishing-resistant MFA — FIDO2 security keys and passkeys — reliably stops modern phishing; CISA, CCCS, and Microsoft all name FIDO-based authentication as the recommended standard.

What is phishing-resistant MFA, and how does a Canadian SMB deploy it?

Phishing-resistant MFA refers to authentication that cryptographically binds the login attempt to the legitimate site (so the credential cannot be replayed from a proxy) and that is not vulnerable to SIM-swap, prompt-bombing, or session-cookie theft. In practice this means FIDO2 / WebAuthn (security keys like YubiKey and Feitian) or passkeys (the FIDO Alliance standard now supported natively by Apple, Google, and Microsoft). Canadian SMBs already on Microsoft 365 Business Premium or Google Workspace Business can enable passkeys at no additional cost; the CCCS recommends FIDO-based solutions in its ITSAP.30.030 and ITSM.30.031 guidance. The practical starting point is to require passkeys for administrative and finance-team accounts first, then roll out organization-wide.

What is the status of Canada's cybersecurity legislation (Bill C-8 / C-26 / C-27) in 2026?

Bill C-26 (CCSPA) died on prorogation in January 2025. Its successor, Bill C-8, was tabled June 18, 2025 and passed Third Reading in the House of Commons on March 26, 2026, receiving Senate First Reading the same day — further than C-26 ever advanced. Bill C-8 applies to federally regulated critical infrastructure operators with penalties up to CA$15 million per violation per day. Bill C-27 (containing CPPA and AIDA) also died with prorogation; PIPEDA remains Canada's federal private-sector privacy law. The OPC's 2024-25 Annual Report records 686 PIPEDA private-sector breach reports affecting an estimated 20 million Canadian accounts. Quebec's Law 25 remains the strictest practical standard.

What cybersecurity standards apply to Canadian small businesses?

The Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089) defines 13 control areas as the recommended minimum standard for Canadian SMBs. Businesses handling personal information must comply with PIPEDA (federally) or substantially similar provincial legislation (Alberta PIPA, BC PIPA, Quebec Law 25). The free Cybersecurity Canada assessment measures organizations against the CCCS baseline controls.

What is Cybersecurity Canada?

Cybersecurity Canada (cybersecuritycanada.ca) is a free, independent Canadian cybersecurity resource. It provides a free online assessment based on the CCCS 13 Baseline Controls, an annual State of Canadian SMB Cybersecurity report (this document), and curated guides, news, and reference material for Canadian small and medium business decision-makers. It is built and maintained by Cyber Unit, a Canadian cybersecurity firm.

Methodology, Data Vintage, and Limitations

Every statistic in this report is drawn from a named primary source with a published URL. We have not commissioned original survey data for this edition; aggregate, de-identified findings from the free Cybersecurity Canada assessment will be incorporated in the 2027 edition once data volume supports statistically meaningful reporting.

Data vintage — what's fresh and what isn't

Canadian and global cybersecurity primary data is published on radically different cadences. We have used the most recent edition available in each category as of May 24, 2026:

  • Q1-Q2 2026 data (freshest): Mandiant M-Trends 2026, Verizon DBIR 2026, CrowdStrike 2026 Global Threat Report, IBM X-Force Threat Intelligence Index 2026, Sophos Active Adversary Report 2026 and State of Identity Security 2026, Microsoft Threat Intelligence campaign analyses (Storm-2755, Tycoon 2FA disruption, "Code of Conduct" campaign), Huntress 2026 Cyber Threat Report, Canadian Anti-Fraud Centre 2025 annual statistics, FIDO Alliance World Passkey Day 2026, Bill C-8 House Third Reading (March 26, 2026), Quebec CAI January 2026 incident guidance.
  • Late 2025 data: IBM Cost of a Data Breach Report 2025, CIRA 2025 Cybersecurity Survey, Microsoft Digital Defense Report 2025, OPC 2024-25 Annual Report.
  • 2023 Canadian government baseline (oldest, kept because no fresher official Canadian data exists): Statistics Canada's Canadian Survey of Cyber Security and Cybercrime 2023 (released October 2024) for incident prevalence, recovery spending, and policy uptake. CSCSC has historically been released every two years (2017, 2019, 2021, 2023); the next iteration covering 2025 data is expected in 2026 or early 2027 and will be incorporated into the next edition of this report. Until then, the 16% impact rate and the 26% written-policy rate remain the most authoritative Canadian government figures.
  • 2024-2025 CCCS guidance: The National Cyber Threat Assessment 2025-2026 (October 2024) and ITSM.30.031 phishing-resistant MFA guidance (2025) are the most current public CCCS positions; the next NCTA (2027-2028) is expected late 2026.

Where a number from a 2023 or 2024 publication is the freshest available, we say so inline. Where a 2026 successor exists, we use it.

Other limitations

  • Sample differences. StatCan's CSCSC samples businesses with 10+ employees; CIRA's survey samples IT decision-makers; IBM's Cost of a Data Breach samples organizations that experienced a breach; Sophos and Huntress samples are weighted by their customer telemetry. When the same metric is reported by multiple sources we cite both and explain the gap, rather than averaging incompatible numbers.
  • Under-reporting. The Canadian Anti-Fraud Centre estimates only 5-10% of fraud victims report, and only 13% of cyber-impacted businesses in CSCSC 2023 reported the incident to police. National figures reliably understate the true incident count and dollar loss.
  • Global vs. Canadian. Several of the most current 2026 statistics come from global vendor telemetry (Mandiant, Verizon, CrowdStrike, IBM X-Force, Sophos, Microsoft, Huntress) rather than Canadian primary data. We treat these as directional indicators of trends affecting Canadian SMBs, not as precise Canadian-population statistics. The CCCS ITSM.30.031 "100+ AiTM campaigns at Canadian Entra tenants" figure is the rare Canadian-government primary number on a 2025-vintage threat.

Sources

All figures in this report are sourced from the following primary publications. URLs are provided so readers can verify every number cited.

Statistics Canada

Canadian Centre for Cyber Security (CCCS) / Communications Security Establishment

Canadian Internet Registration Authority (CIRA)

IBM Security

Canadian Anti-Fraud Centre and Federal Anti-Fraud Policy

Office of the Privacy Commissioner of Canada

Quebec Commission d'accès à l'information (Law 25)

Major 2026 Global Threat Reports

Adversary-in-the-Middle Phishing, Token Theft & Phishing-Resistant MFA

Parliament of Canada — Legislative status

Cite This Report

Suggested citation:

Cybersecurity Canada (2026). The Cybersecurity Canada Report 2026: State of Canadian SMB Cybersecurity. Retrieved from https://cybersecuritycanada.ca/cybersecurity-canada-report-2026/

This report will be updated annually. Permanent URL: cybersecuritycanada.ca/cybersecurity-canada-report-2026/

For media inquiries or to request the underlying source list as a structured document, contact info@cybersecuritycanada.ca.

Free Assessment

How does your organization compare?

Take the free Cybersecurity Canada assessment to measure your organization against the Canadian Centre for Cyber Security's 13 Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.