Today Cyber Unit publishes the inaugural Cybersecurity Canada Report 2026 — a synthesis of the most current verifiable public data on the cybersecurity posture of Canadian small and medium businesses. The report is free, fully sourced, and built for executives who need to make 2026 cybersecurity decisions without sorting through a dozen vendor blog posts to do it.

Cybersecurity Canada is the public research initiative Cyber Unit operates for the broader Canadian business community. The 2026 edition is the first of what will be an annual release. Every figure in the report is attributed to a named primary source — Statistics Canada, the Canadian Centre for Cyber Security, the Office of the Privacy Commissioner, the Canadian Anti-Fraud Centre, IBM Security, Mandiant, Verizon, CrowdStrike, Sophos, and Microsoft Threat Intelligence among them.

Why this report exists

The Canadian SMB threat picture diverged from the global one in 2025. Canada is now one of the few countries where breach costs are rising against a falling global average. The federal cybersecurity statute (Bill C-8) advanced further than its predecessor ever did. A financially motivated threat actor began geographically targeting Canadian employees specifically. And the Canadian Anti-Fraud Centre logged the largest single-year fraud loss on record. No single Canadian publication tied those threads together. This report is that publication.

Seven findings from the Cybersecurity Canada Report 2026

The seven findings below are the ones most likely to change a Canadian SMB's 2026 security plan. Each is drawn from a named source published between October 2024 and May 2026. The report's full methodology and source list document every URL behind every number.

1. Canadians lost a record CA$704 million to fraud in 2025

The Canadian Anti-Fraud Centre's 2025 annual statistics, released in March 2026, record CA$704 million in reported fraud losses — the highest annual figure on record, up from CA$645 million in 2024. Investment fraud accounted for CA$351 million; romance and relationship scams over CA$63 million; job scams over CA$50 million. The CAFC reiterates that only an estimated 5–10% of fraud victims ever report to the centre, so the true national loss is likely between CA$3.5 billion and CA$7 billion.

For Canadian SMBs specifically, the dominant single incident type remains business email compromise (BEC) — a hijacked or impersonated executive email redirecting a wire transfer or a payroll deposit. The 2026 variant of this attack is the Storm-2755 "payroll pirate" campaign discussed below.

2. The average Canadian data breach now costs CA$6.98 million

IBM's Cost of a Data Breach Report 2025 placed the average cost of a Canadian organization's breach at CA$6.98 million — a 10.4% year-over-year increase. Canada is one of the few jurisdictions where breach costs rose against a falling global average. Financial services breaches averaged CA$9.97 million.

The same IBM dataset's clearest finding for SMB decision-makers: Canadian organizations using security AI and automation extensively reported average breach costs of CA$5.19 million, versus CA$8.53 million for those that did not — a CA$3.34 million spread. The category that matters is not "having AI tools." It is having them operationalized in detection, response, and triage.

3. The threat landscape now moves in seconds, not days

Mandiant's M-Trends 2026 reports that the median time between initial access and handoff to a secondary threat group fell to 22 seconds in 2025 — from more than eight hours in 2022. CrowdStrike's 2026 Global Threat Report measured average eCrime breakout time at 29 minutes, with the fastest observed at 27 seconds. No human-paced response process fits inside that window. Detection and pre-emptive control are now automated functions, or they are absent.

4. Traditional MFA is no longer enough — and Canadians are being specifically targeted

In April 2026, Microsoft Threat Intelligence published a case study on Storm-2755, a financially motivated threat actor whose victim-selection criterion is "Canadian." The attack chain: malvertising and SEO poisoning drive Canadian victims to adversary-in-the-middle (AiTM) phishing pages that capture the session cookie after the user enters credentials and approves the MFA prompt. The attacker then logs into Workday and rewrites the victim's salary deposit account.

The Canadian Centre for Cyber Security separately reported in its 2025 guidance publication ITSM.30.031 that it detected more than 100 AiTM phishing campaigns targeting Canadian Microsoft Entra tenants between 2023 and early 2025. The recommended defence is phishing-resistant MFA — FIDO2 security keys and passkeys — which Microsoft's telemetry shows blocks more than 99% of identity-based attacks. The FIDO Alliance reports five billion passkeys now in use globally as of May 2026.
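The mechanism behind "phishing-resistant" deserves to be seen rather than asserted. The simulation below is an added example written for this summary; it is not code from the report or from any vendor it names. It models the WebAuthn sign-in ceremony at the level that matters for an AiTM relay: the browser refuses an rpId that does not match the page origin, the browser (not the page) writes the origin into clientDataJSON, the authenticator signs the rpIdHash, and the relying party checks every one of those bindings. A RFC 6238 TOTP code is included for contrast, because it carries no origin and therefore relays cleanly through a proxy. Real WebAuthn uses public-key signatures (ES256 and similar); here the signature is stood in for by an HMAC over a per-credential secret so the script needs only the standard library. The domains `hr.example` and `hr-example.net` are constructed for the demo.

```python
"""Why passkeys resist AiTM relay while TOTP does not: a stdlib-only simulation.

Added example, not code from the report or any vendor it names. Real WebAuthn uses
public-key signatures (e.g. ES256); here the authenticator's signature is stood in for
by an HMAC over a per-credential secret the relying party also holds, so only the
standard library is needed. The phishing-resistant parts follow the spec: the browser
allows only an rpId matching the page origin and writes the origin into clientDataJSON
itself, the authenticator signs rpIdHash, and the relying party checks all of it.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

RP_ID = "hr.example"                     # constructed relying-party domain
RP_ORIGIN = "https://hr.example"
PHISH_ORIGIN = "https://hr-example.net"  # constructed AiTM proxy origin

@dataclass
class Credential:
    credential_id: bytes
    rp_id: str      # domain the key was scoped to at registration
    secret: bytes   # stand-in for the private key

class Authenticator:
    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred = Credential(os.urandom(16), rp_id, os.urandom(32))
        self._creds[cred.credential_id] = cred
        return cred

    def sign(self, credential_id, rp_id, client_data_hash):
        cred = self._creds[credential_id]
        if cred.rp_id != rp_id:
            raise KeyError("no credential scoped to that rpId")
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        sig = hmac.new(cred.secret, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig

def browser_get_assertion(authn, credential_id, page_origin, rp_id, challenge):
    """Browser rule: rpId must equal the page host or be a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not allowed for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data, sig = authn.sign(credential_id, rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig

def rp_verify(cred, challenge, client_data, auth_data, sig):
    """Relying-party checks, condensed from the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():   # rpIdHash binding
        return False
    expected = hmac.new(cred.secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def passkey_login(authn, cred, page_origin, rp_id_requested):
    """One sign-in from a page at page_origin; True only if the real RP accepts it."""
    challenge = os.urandom(16).hex()                  # issued by the real RP
    try:
        client_data, auth_data, sig = browser_get_assertion(
            authn, cred.credential_id, page_origin, rp_id_requested, challenge)
    except (PermissionError, KeyError):
        return False
    return rp_verify(cred, challenge, client_data, auth_data, sig)

def totp_code(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (SHA-1), shown for contrast: the code carries no origin at all."""
    counter = int(t // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_login_via_proxy(secret, t):
    """The proxy relays what the victim typed; the RP cannot tell where it was typed."""
    typed_on_phish_page = totp_code(secret, t)        # from the victim's authenticator app
    return hmac.compare_digest(typed_on_phish_page, totp_code(secret, t))   # RP-side check

def demo():
    """Four sign-in attempts; only the direct passkey login and the relayed TOTP succeed."""
    authn = Authenticator()
    cred = authn.register(RP_ID)
    return {
        "passkey_direct": passkey_login(authn, cred, RP_ORIGIN, RP_ID),
        "passkey_via_proxy_real_rpid": passkey_login(authn, cred, PHISH_ORIGIN, RP_ID),
        "passkey_via_proxy_own_rpid": passkey_login(authn, cred, PHISH_ORIGIN, "hr-example.net"),
        "totp_via_proxy": totp_login_via_proxy(os.urandom(20), 1_700_000_000),
    }
```

Running `demo()` shows the two failure modes a proxy hits with a passkey: asking the browser for the real rpId from a lookalike origin is refused before the authenticator is ever touched, and asking for the lookalike's own rpId finds no credential. Even if a browser were lenient about the first check, `rp_verify` would still reject the assertion because the origin inside clientDataJSON and the rpIdHash are both bound into what the authenticator signed. The TOTP case succeeds because nothing in a six-digit code identifies the page it was typed into, which is exactly the gap the AiTM kits described in this report exploit.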

5. The phishing-as-a-service market fragmented — but volume rose

On March 4, 2026, a Microsoft- and Europol-led coalition seized 330 active domains of Tycoon 2FA, the dominant AiTM phishing-as-a-service kit, which had been used against an estimated 500,000 organizations since 2023. Within weeks, total PhaaS attack volume across the four major remaining kits (Mamba 2FA, EvilProxy, Sneaky 2FA, Whisper 2FA) rose from approximately 20 million to more than 23 million phishing attempts, as operators and affiliates migrated. Tycoon itself did not disappear; late-April 2026 reporting documented Tycoon variants pivoting to abuse the OAuth device authorization grant flow, which even phishing-resistant MFA does not fully mitigate without correctly tuned conditional-access policies.

6. Bill C-8 has moved further than its predecessor ever did

Canada's Bill C-8 — the Critical Cyber Systems Protection Act reboot — passed Third Reading in the House of Commons on March 26, 2026 and received Senate First Reading the same day. The predecessor (Bill C-26) never reached this stage before dying on prorogation in January 2025. Administrative monetary penalties under Bill C-8 run up to CA$10 million per violation per day for corporations, rising to CA$15 million per day for subsequent contraventions.

For most Canadian SMBs, Bill C-8 will not apply directly. But SMBs that supply federally regulated critical-infrastructure operators (telecom, energy, banking, transport, clearing and settlement) will inherit obligations through their contracts: Canadian-resident records, 72-hour incident notification to the Communications Security Establishment, and documented supply-chain risk management. Bill C-27 (containing CPPA and AIDA) is confirmed not returning in its drafted form. PIPEDA remains Canada's federal private-sector privacy law; Quebec's Law 25 remains the de facto stricter standard for any business handling Quebec residents' personal information.

7. Canadian buyers are reconsidering U.S. vendors

The 2025 CIRA Cybersecurity Survey records 69% of Canadian organizations now citing data sovereignty as their most important factor when sourcing cybersecurity solutions, up from 60% in 2024, and 56% report having specifically reconsidered U.S. cybersecurity providers in 2025. Combined with the IBM finding that AI-augmented security operations correlate with materially lower breach costs, the 2026 Canadian SMB cybersecurity buyer profile looks distinctly different from any point in the last decade.

What the rest of the report covers

The full State of Canadian SMB Cybersecurity covers nine sections: Canadian incident rates and recovery cost, the cost of a breach in Canada, ransomware payment dynamics (and why two reputable sources give very different answers), token theft and the death of first-generation MFA, fraud, regulation, the practical implications for Canadian SMBs in 2026, methodology and data vintage, and the full source list. The methodology section is explicit about which figures are 2026-vintage and which are the most recent Canadian government data on a 1–2 year publication lag (Statistics Canada's 2023 Canadian Survey of Cyber Security and Cybercrime remains the cleanest national baseline).

What Canadian SMB leaders should do in 2026

Six practical implications follow directly from the data. They are unranked — the right starting point depends on your organization's current posture — but every Canadian SMB should be working on each of them in 2026.

  1. Move to phishing-resistant MFA before someone else moves on for you. Enable passkeys (FIDO2) for all administrative and finance-team accounts as a hard requirement, not an option. Both Microsoft 365 Business Premium and Google Workspace Business support passkeys natively at no additional cost. Treat SMS and TOTP as transitional rather than the destination.
  2. Plan for the dollar loss, not just the breach. The single largest financial threat to a Canadian SMB is a successful BEC wire-transfer scam, not a ransomware event. Out-of-band verification of wire transfers above a defined threshold, and finance-team training specifically on payment-redirection scams, are the cheapest controls with the highest expected return.
  3. Test the backups. The single biggest predictor of whether a Canadian business pays a ransom is whether its backups work when tested. See our piece on backup and recovery assumptions that fail.
  4. Write the incident response plan down. Only 26% of Canadian businesses had a written cybersecurity policy as of Statistics Canada's most recent national survey. Among businesses that had a documented response plan, recovery time and cost were materially lower. Our guide on incident response planning covers the practical structure.
  5. Treat AI tooling as a security control, not a risk to manage. Canadian organizations using security AI extensively pay materially less when they are breached. The risk-management framing of AI obscures that AI-augmented detection and response is now the difference between a roughly CA$5M and roughly CA$9M event.
  6. Treat Bill C-8 as imminent, not hypothetical. If your business supplies federally regulated critical-infrastructure operators, your contracts will require Canadian-resident records, 72-hour incident notification to CSE, and documented supply-chain risk management. Get ahead of it; the penalty ceiling is CA$15 million per violation per day.

For a structured baseline measurement against the Canadian Centre for Cyber Security's 13 Baseline Controls, the free Cybersecurity Canada assessment — the same one referenced in the report — produces a score, letter grade, and prioritized recommendations in under thirty minutes. You can also run Cyber Unit's free quick security assessment to identify high-leverage gaps in your current posture before the next IT review cycle.

How to cite the Cybersecurity Canada Report 2026

Suggested citation, for media and research use:

Cybersecurity Canada (2026). The Cybersecurity Canada Report 2026: State of Canadian SMB Cybersecurity. Retrieved from https://cybersecuritycanada.ca/cybersecurity-canada-report-2026/

The report will be updated annually. Permanent URL: cybersecuritycanada.ca/cybersecurity-canada-report-2026/. For media inquiries or to request the underlying source list as a structured document, contact info@cybersecuritycanada.ca.


This article summarizes findings from the Cybersecurity Canada Report 2026, a public research synthesis published by Cyber Unit. It is intended for general informational purposes only and does not constitute professional security, legal, or compliance advice. Statistics cited are accurate as of the report's publication date and may evolve as new primary data is released. Organizations should consult qualified cybersecurity professionals before acting on any specific control recommendation in this article.