Only 34% of small and medium-sized business employees report receiving mandatory cyber security awareness training

TORONTO – New Insurance Bureau of Canada (IBC) research has found that small and medium-sized Canadian businesses have been slow to adapt to increasingly frequent and sophisticated cyber attacks. 

The results are featured in IBC’s first Cyber Savvy Report Card, which assigned Canadians a “C” letter-grade for cyber safety actions and knowledge.

IBC’s report card is informed by the results of a survey of 1,525 Canadians that work at small and medium-sized businesses (defined as businesses with fewer than 500 employees). The survey revealed a number of startling findings:

– Two-in-five of employees surveyed (42%) say they have seen an increase in cyber scam attempts over the last year;

– Only a third of surveyed employees (34%) report that their company provides mandatory cyber security awareness training;

– Only half (50%) of employees surveyed report that their organization has introduced multi-factor authentication, a critical cyber security defence mechanism that requires a user to provide two or more verification factors to access a corporate network or application.

– Only a quarter of employees surveyed (24%) report that their employer conducts phishing email simulations to help promote cyber vigilance.

“As cyber criminals get savvier, it’s our collective responsibility to stay one step ahead,” said Celyeste Power, executive vice-president of strategic initiatives and advocacy for IBC. 

“That’s why IBC has launched, a new cyber education initiative to help small business owners and their employees better understand the threat of cyber attacks and what they can do to reduce their risk.”

Employees’ actions increase their company’s cyber security risk

IBC’s survey also revealed that seven in 10 employees of small and medium-sized businesses (72%) reported at least one behaviour that could allow a cyber criminal to gain access to their company’s computer systems. This strengthens the argument for more employers to take action to reduce cyber threats. According to survey respondents:

  27% use one password to access multiple websites they use for work;

– 23% access public wi-fi while using their work computer;

– 19% download software/apps on their work devices that were not provided by their employer;

  7% allow family members or friends to use their work computer; and

– 5% share their work login or password by email or text.

Hybrid/remote employees are even more likely (77% of respondents) to take actions that may compromise their employer’s cyber security or data.

Attitudes toward cyber security raise concerns

Employees may also underestimate the role they play in their organization’s cyber defences, with 30% of respondents saying they don’t believe cyber criminals would target them at work, and 28% of respondents saying their employer is solely responsible for protecting their workplace from cyber threats.

The research also found that 21% of respondents believe that most cyber breaches are minor and easy to resolve, while the reality is that they can have a devastating financial impact. 

In 2021, the average total cost of a data breach to Canadian organizations was an estimated $7.3 million.  

“Everyone has a role to play in reducing cyber threats in the workplace. While cyber insurance is an important backstop for businesses in the event of a cyber breach, it should be thought of as one component within a complete cyber risk mitigation strategy aimed at reducing an organization’s vulnerability to online threats,” added Power.

IBC’s new Cyber Education Initiative

IBC has launched a website,, that provides resources and information about the proactive measures businesses can take to help reduce their cyber risk. 

During Cyber Security Awareness Month (October 1–31), IBC encourages Canadians to test their knowledge by taking IBC’s Cyber Savvy Challenge at