
The Cybersecurity Canada Report 2026: Seven Findings Canadian SMBs Should Know


We've published the first edition of the Cybersecurity Canada Report 2026 — a synthesis of the most recent verifiable public data on the state of cybersecurity for Canadian small and medium businesses, drawing on Statistics Canada, the Canadian Centre for Cyber Security, Mandiant, Verizon, CrowdStrike, IBM, Sophos, Microsoft Threat Intelligence, the Office of the Privacy Commissioner, and the Canadian Anti-Fraud Centre. Here are the seven findings that should shape decisions in 2026.

Canadians lost a record CA$704 million to fraud in 2025.

The Canadian Anti-Fraud Centre's 2025 annual statistics, released March 2026, recorded CA$704 million in reported fraud losses, the highest year on record, up from CA$645 million in 2024. Investment fraud led at CA$351 million; romance and relationship scams exceeded CA$63.3 million; job scams exceeded CA$50.6 million. The CAFC reiterates that only 5-10% of victims report, which would put the true national figure somewhere between roughly CA$7 billion and CA$14 billion.

For Canadian SMBs specifically, business email compromise (BEC) remains the most expensive single incident type — an executive impersonation email redirecting a wire transfer can cost more than any other event at the business's scale. The federal government launched public consultations on Canada's first-ever National Anti-Fraud Strategy in March 2026.

Identity is now the breach surface.

Sophos's 2026 State of Identity Security finds 71% of organizations suffered an identity-related breach in the past year. Its Active Adversary Report 2026 finds 67% of all investigated incidents in 2025 were rooted in identity attacks — a higher figure than ransomware, vulnerability exploitation, or any other category. Of ransomware victims specifically, 67% confirmed their incident stemmed from an identity attack.

Verizon's 2026 DBIR records that, for the first time in 19 editions, vulnerability exploitation overtook stolen credentials as the #1 initial-access vector — but credential abuse remains a close second, ransomware grew to 48% of all breaches, and third-party / supply-chain breaches were up 60% year-over-year. The picture is consistent: identity controls and patch management are now both top-tier priorities.

The threat landscape now moves in seconds, not days.

Mandiant's M-Trends 2026 reports the median time between initial access and handoff to a secondary threat group has collapsed from 8+ hours in 2022 to 22 seconds in 2025. CrowdStrike's 2026 Global Threat Report finds the average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds. There is no human-paced response time that fits inside that window. What matters is automated detection, pre-emptive control, and the policies that prevent the credential or session from being usable in the first place.

Canadians are being specifically targeted — meet Storm-2755.

In April 2026, Microsoft Threat Intelligence published a case study on a financially motivated threat actor it designates Storm-2755, notable for geo-targeting Canadian users specifically: by country, not by industry. The attack chain: malvertising and SEO poisoning on Microsoft 365 sign-in search terms drives Canadian victims to adversary-in-the-middle (AiTM) phishing pages. The AiTM proxy relays the real sign-in, MFA prompt included, and captures the session token the identity provider issues once the victim completes it. The attacker then either socially engineers the victim's HR or finance team ("Question about direct deposit") or logs directly into Workday with the stolen session and rewrites the victim's salary-deposit account.

This is the first Microsoft-attributed financially motivated threat actor whose primary victim-selection criterion is "Canadian." The Canadian Centre for Cyber Security separately reported in its 2025 ITSM.30.031 guidance that it detected more than 100 AiTM phishing campaigns against Canadian Microsoft Entra tenants between 2023 and early 2025.
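The tell in the Storm-2755 chain is that a session minted by an interactive, MFA-backed sign-in is later used without any new sign-in, from a different network and client. The following is an added example of that detection run over constructed sign-in events; it is not code from the report, from Microsoft or from Entra, and the field names, addresses and sample lines are constructed for illustration rather than copied from any vendor log schema.

```python
"""Session-token replay detection over constructed sign-in events (added
example; not the report's, Microsoft's or Entra's code). Field names,
IPs and sample lines are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice signs in interactively with MFA from Canada, then
# her session is used non-interactively minutes later from another country
# and client. bob's session is only ever used from its original context.
SAMPLE_LOG = """\
2026-04-07T14:02:11Z alice session=S1 ip=203.0.113.5 country=CA client=Windows/Chrome interactive=1 mfa=1
2026-04-07T14:02:40Z alice session=S1 ip=203.0.113.5 country=CA client=Windows/Chrome interactive=0 mfa=0
2026-04-07T14:09:02Z alice session=S1 ip=198.51.100.77 country=NL client=Linux/Firefox interactive=0 mfa=0
2026-04-07T15:30:00Z bob session=S2 ip=203.0.113.9 country=CA client=macOS/Safari interactive=1 mfa=1
2026-04-07T16:45:10Z bob session=S2 ip=203.0.113.9 country=CA client=macOS/Safari interactive=0 mfa=0
"""


def parse_event(line):
    """'<ts> <user> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, user, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def find_token_replays(lines, window=timedelta(hours=24)):
    """Flag a session minted by an interactive MFA sign-in and later used
    non-interactively from a new IP with a different country or client.
    Returns (user, session, minted_ip, replay_ip, seconds_after_mint)."""
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_session[ev["session"]].append(ev)
    alerts = []
    for session, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        mint = next((e for e in events if e["interactive"] == "1" and e["mfa"] == "1"), None)
        if mint is None:
            continue  # no MFA-backed interactive sign-in seen; nothing to compare against
        for ev in events:
            if ev is mint or ev["interactive"] == "1" or ev["ip"] == mint["ip"]:
                continue
            if ev["country"] != mint["country"] or ev["client"] != mint["client"]:
                age = ev["ts"] - mint["ts"]
                if timedelta(0) <= age <= window:
                    alerts.append((ev["user"], session, mint["ip"], ev["ip"], int(age.total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in find_token_replays(SAMPLE_LOG.splitlines()):
        print("possible token replay:", alert)
```

On the constructed sample the only hit is alice's session S1, reused from 198.51.100.77 in the Netherlands 411 seconds after it was minted in Canada. The same join (session identifier, interactive flag, MFA result, IP, country, client) is what an Entra sign-in log review or a SIEM rule would do at scale; the point is that the replay itself never triggers an MFA prompt, so the prompt log alone will not show it.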

The PhaaS economy fragmented — and attack volume rose.

On March 4, 2026, a Microsoft and Europol-led coalition seized 330 active domains of Tycoon 2FA, the dominant phishing-as-a-service kit for AiTM attacks against Microsoft 365 (pre-takedown: ~62% of phishing attempts across the four major PhaaS platforms; used in attacks against ~500,000 organizations since 2023). Microsoft tracks the operators as Storm-1747.

The takedown did not reduce PhaaS attack volume. Within weeks, Barracuda recorded total volume across the four remaining major kits rising from approximately 20 million to over 23 million phishing attempts as operators and affiliates migrated to Mamba 2FA, EvilProxy, Sneaky 2FA, and a newer entrant, Whisper 2FA, to which Barracuda was already attributing roughly 1 million attempts per month by October 2025 (the kit uses AJAX to keep harvesting credentials and MFA codes until it obtains a valid session). Tycoon 2FA itself did not disappear: eSentire's TRU team documented Tycoon variants in late April 2026 pivoting to abuse the OAuth Device Authorization Grant flow, in which the victim approves the attacker's device code at the legitimate sign-in page rather than at a proxy, so even FIDO2 passkeys do not fully prevent it without Conditional Access that restricts the flow.

Traditional MFA (SMS codes, TOTP, push prompts) is not reliable against any of these kits, because the code or approval passes through the proxy exactly as the password does. Phishing-resistant MFA (FIDO2 security keys and passkeys) binds the authentication to the origin the browser is actually on, and Microsoft's Digital Defense Report puts its block rate above 99% of identity attacks. The FIDO Alliance reports 5 billion passkeys in use globally as of World Passkey Day (May 6, 2026), with 68% of mid-to-large organizations deploying.
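Why a relayed TOTP code works for the attacker, why a relayed WebAuthn assertion does not, and why the device code flow from the previous paragraph gets around origin binding, as an added toy model that is not code from the report, from Microsoft or from any PhaaS kit. The origins, rpId, user and keys are constructed; the authenticator's private-key signature is replaced by an HMAC over the same bytes WebAuthn signs (authenticatorData plus the hash of clientDataJSON), which is enough to show what each check binds to.

```python
"""Three sign-in paths against one toy identity provider (added example,
not the report's or Microsoft's code). Origins, rpId, password and keys
are constructed; an HMAC stands in for the passkey signature."""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.tenant.example"         # constructed
PHISH_ORIGIN = "https://login.tenant-secure.example"  # constructed AiTM proxy
RP_ID = "tenant.example"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class AuthServer:
    """Identity provider with one user: a password, a TOTP seed and a passkey."""

    def __init__(self):
        self.password = "correct horse battery"
        self.totp_seed = secrets.token_bytes(20)
        self.passkey_secret = secrets.token_bytes(32)  # stands in for the registered public key
        self.challenges = set()
        self.device_codes = {}
        self.allow_device_code_flow = True

    # Path 1: nothing in a password + TOTP submission says which page it was typed into.
    def login_totp(self, password, code, now):
        ok = password == self.password and hmac.compare_digest(code, totp(self.totp_seed, now))
        return "session-cookie" if ok else None

    # Path 2: WebAuthn. Origin and rpIdHash are inside the signed data and checked by the RP.
    def new_challenge(self):
        chal = secrets.token_urlsafe(32)
        self.challenges.add(chal)
        return chal

    def login_webauthn(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.challenges:
            return None
        self.challenges.discard(cd["challenge"])
        if cd.get("origin") != LEGIT_ORIGIN:
            return None  # the assertion was produced for some other site
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return None
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.passkey_secret, signed, hashlib.sha256).digest()
        return "session-cookie" if hmac.compare_digest(expected, sig) else None

    # Path 3: device authorization grant (RFC 8628). The user approves a code at the real origin.
    def device_authorize(self):
        if not self.allow_device_code_flow:
            return None
        device_code, user_code = secrets.token_hex(16), secrets.token_hex(4).upper()
        self.device_codes[device_code] = {"user_code": user_code, "approved": False}
        return device_code, user_code

    def approve_user_code(self, user_code, session):
        if session != "session-cookie":
            return
        for rec in self.device_codes.values():
            if rec["user_code"] == user_code:
                rec["approved"] = True

    def poll_token(self, device_code):
        rec = self.device_codes.get(device_code)
        return "access-token" if rec and rec["approved"] else None


class Browser:
    """The user agent writes the origin into clientDataJSON; page script cannot change it."""

    def __init__(self, server):
        self.server = server

    def webauthn_get(self, challenge, origin):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"  # rpIdHash, flags, counter
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.server.passkey_secret, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def aitm_totp_relay(server, now):
    """Victim types password and current code into the proxy page; the proxy forwards them unchanged."""
    return server.login_totp(server.password, totp(server.totp_seed, now), now)


def aitm_webauthn_relay(server):
    """Proxy forwards the RP's real challenge, but the browser stamps the proxy's origin into clientDataJSON.
    (A real browser refuses even earlier: RP_ID is not a registrable suffix of PHISH_ORIGIN.)"""
    chal = server.new_challenge()
    return server.login_webauthn(*Browser(server).webauthn_get(chal, PHISH_ORIGIN))


def device_code_phish(server, block_flow):
    """Attacker starts the flow, then lures the victim into entering user_code at the legitimate origin."""
    server.allow_device_code_flow = not block_flow
    issued = server.device_authorize()
    if issued is None:
        return None
    device_code, user_code = issued
    chal = server.new_challenge()
    session = server.login_webauthn(*Browser(server).webauthn_get(chal, LEGIT_ORIGIN))  # passkey passes: right origin
    server.approve_user_code(user_code, session)
    return server.poll_token(device_code)  # attacker's token, unless the flow is blocked
```

The first scenario returns a session for the attacker, the second returns nothing because the origin check fails before the signature is even considered, and the third returns an access token despite the passkey: the victim really is at the legitimate origin, so origin binding has nothing to object to. The only thing that stops the third path in the toy is `allow_device_code_flow = False`; in Entra the equivalent control is a Conditional Access policy targeting the device code authentication flow, which is the "correctly tuned Conditional Access" the previous paragraph refers to.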

Bill C-8 has finally moved.

After Bill C-26 died on prorogation in January 2025, its reboot Bill C-8 passed Third Reading in the House of Commons on March 26, 2026 and received Senate First Reading the same day — further than C-26 ever advanced. Bill C-8 applies to federally regulated critical-infrastructure operators (telecommunications, pipelines, electricity, nuclear, transport, banking, clearing and settlement), with obligations including a cybersecurity program within 90 days of designation, 72-hour incident reporting to CSE, Canadian-resident records, and third-party / supply-chain risk management. Administrative monetary penalties run up to CA$10 million per violation per day for corporations, rising to CA$15 million per day for subsequent contraventions.

For most SMBs, Bill C-8 will not apply directly — but SMBs supplying designated operators (managed service providers, contractors, professional services firms) will inherit obligations through their contracts. Given that the bill has advanced further than C-26 did, supply-chain readiness should no longer be treated as hypothetical.

Bill C-27 (which contained the CPPA and AIDA) remains dead. PIPEDA continues to govern federal private-sector privacy; Quebec's Law 25, though provincial, is in practice the strictest privacy standard in the country. On January 30, 2026, Quebec's Commission d'accès à l'information published new guidance on the prevention of confidentiality incidents, a Guide and Checklist for Law 25-regulated entities, with increased scrutiny signalled on AI deployments processing Quebec-resident personal information.

Canadian buyers are reconsidering U.S. cybersecurity vendors.

The 2025 CIRA Cybersecurity Survey captured a structural sentiment shift:

  • 69% of Canadian organizations now cite data sovereignty as the most important sourcing factor (up from 60% in 2024)
  • 56% have specifically reconsidered U.S. vendors in light of cross-border trade and political uncertainty
  • 70% are worried about new AI cyber threats; 54% specifically cite AI-powered cyber attacks
  • 65% have integrated AI tools into workflows in 2025, up from 44% in 2023

Combined with the IBM finding that AI-augmented security operations correlate with CA$3.34 million lower breach costs, the 2026 Canadian SMB cybersecurity buyer profile looks distinctly different than at any point in the last decade — more Canada-first, more AI-augmented, and less tolerant of opaque cross-border data flows.

Read the full report

The full Cybersecurity Canada Report 2026 goes deeper on each of these findings with primary-source URLs for every figure, plus a dedicated section on token theft and adversary-in-the-middle phishing. The report will be updated annually; aggregate de-identified findings from the free Cybersecurity Canada assessment will be incorporated in the 2027 edition.

To benchmark your organization against the Canadian Centre for Cyber Security's 13 Baseline Controls, the free assessment takes under 30 minutes, runs entirely in your browser, and produces a score and prioritized recommendations across every control area. The single highest-leverage move for most Canadian SMBs in 2026 is the one in the fifth finding above: deploy phishing-resistant MFA on administrative and finance-team accounts, and pair it with Conditional Access that blocks the device code flow so the passkey cannot be sidestepped. It costs nothing extra on Microsoft 365 Business Premium or Google Workspace Business, and it is the only defence that reliably stops the Storm-2755-class attacks that are now specifically targeting Canadians.


Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.

How does your organization measure up?

Take our free cybersecurity assessment based on the Canadian Centre for Cyber Security's Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.
