Canadian small businesses underestimate cyber risk, study finds 

Canadian small businesses may be underestimating their level of cyber risk, finds new data from Coalition. 

Seventy-seven percent believe they’re too small to be attractive targets for threat actors and therefore not at risk for cyberattacks. That’s compared to 64% globally who believe the same.  

The data show a disconnect between small businesses’ awareness and perception of their cyber risks, Coalition suggests. The cyber insurer’s Small Business Cybersecurity Study survey gathered responses from cybersecurity investment decision-makers at 1,000 small businesses in the U.S., Australia, Canada, Germany and the U.K.

“Threat actors not only target the most valuable companies but also the most vulnerable: small businesses,” says George Bozanin, head of Canada at Coalition. “Despite the increased risk, small businesses continue to view cybersecurity tools and services as elective purchases and misunderstand the potential serious impacts an attack could have on their business.” 

In fact, the risk is real for some Canadian small businesses — 86% say they’ve experienced a cyberattack in the last five years. That’s 7% more than the global figure of 79%.   

Even though small businesses in Canada don’t perceive their cyber exposure as a large threat, they mostly agree that cyberattacks are increasing. 

CAIB New Edition 1.0 – a New Standard for Broker Education Image

Insights Paid Content

CAIB New Edition 1.0 – a New Standard for Broker Education

Preparing brokers to navigate an increasingly complex insurance landscape.

By 

Sponsor Image

A full 85% indicate they are very or somewhat concerned about cyber threats over the next 12 months (compared to 87% globally). Another 90% believe their cyber risk has grown in the last year alone (83% globally). 

Plus, the risk is real for some Canadian small businesses — 86% say they’ve experienced a cyberattack in the last five years. That’s 7% above the global average.   

“The ‘smaller fish’ are often the easiest catch, and while most small businesses do not think they’re at risk because they’re not attractive targets [we’ve] seen firsthand that this is not the case,” Coalition’s report reads 

“Small businesses worldwide recognize that cyber risk is a significant problem. Yet they aren’t prioritizing making informed decisions about where and how to invest their time and money to thoughtfully prevent attacks.” 

In fact, 74% of small businesses in Canada allocate 10% or less of their total budget to cybersecurity, matching global results.  

Because small businesses believe they’re not targets, they’re not prioritizing cybersecurity investments. Yet, small businesses are spending more time on securing their channels. 

Specifically, Canadian small businesses spend more than 10 hours per week on cybersecurity-related activities (52%) compared to the rest of the globe (41%). 

Part of the reason small businesses may not prioritize cybersecurity as a key investment area is that they are uncertain about or unaware of the financial costs of a cybersecurity incident.

Coalition finds 30% of global respondents expect an attack to cost less than $500,000, 39% expect it to cost between $500,000 and $2 million, and 31% expect it to cost more than $2 million.  

“This distribution of responses and lack of consensus are surprising,” the cyber insurer writes, given that 86% of Canadian small businesses recently experienced a cybersecurity event as previously mentioned, and 79% globally.

“This dispersion also demonstrates that small businesses may not perceive the total cost of an incident,” the insurer writes. “Regardless of whether the true cumulative cost of an attack is less than $500,000 or more than $2 million, the amount is often insurmountable for a small business to bear.”

Alyssa DiSabatino

Alyssa Di Sabatino has been a reporter for Canadian Underwriter since 2021, covering industry trends, market developments, and emerging risks.