Canada's national cyber agency, the Canadian Centre for Cyber Security, has published its National Cyber Threat Assessment. It is written for the whole country, but a few of its findings land squarely on small businesses.
What the assessment says
Ransomware is named the top cybercrime threat to Canadian organizations. Canadian ransomware incidents grew roughly 26% a year between 2021 and 2024, and the average ransom paid in Canada reached about $1.13 million in 2023, more than double the figure two years earlier. Fraud losses across Canada climbed from $383 million in 2021 to $567 million in 2023. The direction of travel is clear, and it is not improving.
Why this reaches a business your size
The report puts a name to something that should worry smaller firms: cybercrime-as-a-service. Ready-made phishing and ransomware tools are now sold online, which the assessment says has "almost certainly increased the number of actors participating in cybercrime by lowering the barrier to entry." In plain terms, an attacker no longer needs skill or a big target to make money. They rent a tool and run automated campaigns that hit thousands of softer targets at once, and a small business with thinner defenses is exactly that. The assessment also flags AI-written phishing that now mimics real writing convincingly, removing the old typo-and-bad-grammar tell.
It is not just theory
The assessment points to real Canadian incidents to make the point. Ransomware disrupted payment processing at Petro-Canada stations (Suncor, 2023), forced London Drugs to close stores (LockBit, 2024), and hit Ontario hospitals (2023). If organizations that size and sophistication get knocked over, a small business counting on "we're too small to bother with" is not as safe as it feels.