Nearly three-quarters of small and medium-sized Canadian businesses (72 percent) say they were attacked by cybercriminals in the past year—up 9 percent since 2023, according to a newly released survey.
The survey of 735 businesses conducted by KPMG found that 67 percent had paid a ransom to cybercriminals in the last three years, up from 60 percent a year ago.
Nijjar said many companies are not taking a strategic approach to manage these risks, and consider cybersecurity to be a “tick-box in staff training.”
The survey found 69 percent of businesses reported having insufficient financial resources to invest in cyber defences, 70 percent lack the skilled personnel to monitor cybersecurity attacks, and 66 percent of those polled said their company does not have a plan to address potential ransomware attacks.
“They may not realize that investing more upfront for cybersecurity defences is less costly in the long run, especially if they are a victim of a ransomware attack,” Nijjar said.
Generative artificial intelligence (AI) is also seen as a risk to businesses, with 75 percent of those surveyed saying they worry cybercriminals will use the technology for cybersecurity breaches.
The report said China poses the “most comprehensive cyber security threat facing Canada today,” with Beijing using espionage, intellectual property theft, and malign influence to attack Canada. The report said its cyber program’s “scale, tradecraft, and ambitions” are “second to none.”
Russia and Iran were also cited as threats to Canada, with Moscow viewing the country as a “valuable espionage target for Russian state-sponsored cyber threat actors, including through supply chain compromises,” and Tehran showing an increasing willingness to engage in disruptive cyber attacks beyond the Middle East.
The report said that the business model of “cybercrime-as-a-service,” which it defines as online marketplaces where cybercriminals sell stolen and leaked data and malicious tools, is growing in popularity.
“This has almost certainly enabled a growing number of actors with a range of capabilities and expertise to carry out cybercrime attacks and evade law enforcement detection,” the report added.
Canada’s critical infrastructure is increasingly vulnerable to ransomware, which can be used to disrupt critical infrastructure entities’ ability to deliver critical services, according to the report. It added that over the net two years, ransomware actors will escalate their extortion tactics to “increase pressure on victims to pay ransoms and evade law enforcement detection.”
