As relations between Russia and Ukraine continued to fray in 2022, Lester Chng was thinking about how that conflict could pose cybersecurity risks for the major Canadian bank he worked for.
He and his colleagues assessed potential risks and used what they learned to run an exercise with company leaders. Though many cyber-risk assessments can be passive, Chng’s allowed the organization to actively role-play the decisions they might have to make if faced with a threat.
Cybersecurity came naturally to Chng after spending more than eight years in the Singapore Armed Forces. “It’s essentially defence and offence in cyberspace, so a lot of the concepts were borrowed from the military,” says Chng, now senior cybersecurity advisor at Toronto Metropolitan University’s Rogers Cybersecure Catalyst centre.
That’s why Chng has run drills such as ransomware attack simulations, which assess how quickly IT teams are informed and how long it takes for further escalation of the organization’s incident-response plan, or scenarios where breaches of customer data from a cloud platform are simulated. Chng tasked teams with assessing the potential effects and extent of the breach, despite having limited information.
“Leaders had to decide when to notify regulators and collaborate with internal and external communications teams,” he says.
Today, companies of all sizes need to be ready for battle. In September 2024, the Business Development Bank of Canada (BDC) reported that 73 per cent of small businesses have experienced cybersecurity incidents, from phishing attempts—phony emails or text messages designed to encourage victims to share information such as bank details or passwords—on up to ransomware attacks, where criminals block access to company systems until a fee is paid. Overall, stories of organizations worldwide hit with cyberattacks continue to make headlines—from hospitals and municipal governments, to power utilities and airlines, to retailers and software companies.
IBM reports that the average cost of a cyber breach in Canada is US $4.8 million (about CDN $6.7 million), yet for some firms the financial and reputational fallout will lead to the affected company’s demise. As businesses face an economy battered by rising costs and undulating tariffs, they don’t need another risk. Despite this, multiple surveys suggest fewer than half of businesses have any sort of cybersecurity plan.
With Canadian businesses across sectors relying on increasingly international operations—whether through employing digital nomads or contractors, or third-culture entrepreneurs opening branch offices in their homelands—it’s necessary to consider the risks posed to a company’s data and its overall operations.
“People always think that [a breach] won’t happen to them, and therefore they’re taking a gamble or taking a risk,” Chng says. He sees a fine line, but a distinct difference between those two ideas. Businesses gamble when assuming they won’t fall victim to a cyberattack. Assessing a risk means spending the time and effort to understand what might happen and then taking steps to prevent it and mitigate costly problems.
Business leaders need to do impact analyses to understand how a cyberattack could upend their operations. For instance, that means determining how many hours an online retail website can stay down without significantly affecting revenue, or how long it would take to restore the contents of a hacked hard drive. These sobering realities can lead companies to take the potential for cyber breaches more seriously, to create more redundant or resilient processes to mitigate risk and to make informed decisions to prevent breaches.
It’s hard to find a business today that doesn’t have significant amounts of data stored online, whether in software accounts, cloud storage folders or mobile phone apps. Data stored and shared across multiple devices can, if compromised, offer cybercriminals access to everything from bank accounts to customers’ personal data.
Yet Sem Ponnambalam, Ottawa-based co-founder of cybersecurity firm xahive, says smaller businesses rarely think they’re large enough to worry. “They don’t realize they’re a part of the ecosystem, and you are as strong as your weakest link,” she says, adding that a lot of large enterprise breaches happen when cybercriminals uncover weak access points in a supply chain.
When the Starbucks payroll system was compromised in November 2024, for example, it was because of a ransomware attack on a third-party supplier, not the coffee giant itself. “If you have data and you’re connected to the internet, you’re a target,” Ponnambalam says.
In its poll, BDC found 61 per cent of respondents agreed that the bigger the company, the greater the likelihood of it being hacked. Businesses with revenues under $3 million believed this in greater numbers than others.
Ponnambalam thinks it’s less financial concerns over investing in cybersecurity strategies that drive such thinking and more corporate mindsets in need of a tune-up. Instead of considering cybersecurity an optional but burdensome cost or a barrier to overcome due to compliance regulations and the efforts required to overhaul processes, she believes business leaders should view it as a strategic investment that empowers the business to grow.
“They don’t look at the governance, risk and compliance (GRC) perspective,” she says, which refers to the holistic management across divisions of an organization’s governance and risks, balanced alongside compliance with government and industry regulations.

She says this active approach to cybersecurity offers opportunities to grow a business. Not only will it build trust with potential customers, but meeting certain levels of compliance also allows some businesses access to contracts in government or other regulated sectors. Earlier this year, adherence to the Canadian Program for Cyber Security Certification, a third-party assessed program, became a requirement to submit for companies pursuing certain federal defence contracts.
Ponnambalam feels that, beyond poor general awareness of cybersecurity in the corporate world, there’s a “cultural disconnect in messaging” when cybersecurity awareness campaigns are run, offering little cultural or linguistic tailoring to third-culture individuals or newcomers. These businesspeople are also typically underrepresented in policy development, she adds. This can lead to disengagement or misunderstanding of key cybersecurity concepts in a Canadian context among these groups.
This runs out of step with the number of newcomers who own businesses in fields where cybersecurity is business critical: more than 32 per cent of data processing, hosting and service companies, 40 per cent of software publishers and 49 per cent of computer systems design and service firms are newcomer-owned, according to the federal government.
“I think building networks where experienced cybersecurity professionals focus on mentoring new [business] founders could help close the knowledge and trust gaps,” she says. This can include partnerships with diaspora organizations, government agencies and newcomer resource centres.
Ponnambalam says cyber training not only helps bolster the strength of third-culture and newcomer businesses themselves, but also the broader Canadian business world. “We’re all part of the supply chain in some form,” she says.
Though no reliable statistics exist on how many Canadian companies employ international contractors or digital nomads, numbers of both are widely viewed as trending upward. One report on digital nomads described them as going from an “eccentric and fringe group” in 2018 to “mainstream” by 2024. This creates new challenges as employees work on sensitive projects in jurisdictions that may be more prone to cyberattacks or face unique threats they might not encounter when working from a Canadian headquarters. These can include working on public Wi-Fi connections, using unsecured personal devices for work, which can be more easily compromised, and the physical risk of losing a device or having it stolen.
The World Cybercrime Index reports that trading partners such as the United States, China, the United Kingdom and India are among the top 20 nations for cybercrime. Other rankings suggest popular digital nomad havens such as Indonesia and Vietnam have experienced significantly elevated cybercrime threat levels in recent years.
Lisa Kearney, Calgary-based president of N2 Cyber Security Consulting, says it can be helpful for firms with these workers to bring in a consultant or expert to assess risks present in these situations. She has worked as a cybersecurity consultant for government agencies and Fortune 500 companies and founded the Women CyberSecurity Society, which aims to get more women and underrepresented groups involved in the field.
One area Kearney thinks needs attention is identity validation when hiring staff, such as contractors, who work remotely. “Some [companies] don’t really understand the risks, and they may not have any kind of background checking,” she says. It can be at their peril.
In July, the U.S. Department of Justice announced that North Korean IT workers, using stolen U.S. identities, were illegally working for more than 100 American companies, creating countless security and reputational breaches.
Regardless of the size or the type of information stored, Kearney says companies should check employee references and pay for background checks to verify the identities and criminal histories of new workers. This is especially critical for sensitive roles in departments such as human resources or legal, she adds, or those that allow elevated access to corporate assets, such as buildings, data and networks.
In traditional workplaces, users may be trusted to gain access to all programs connected to company networks. But Kearney advocates adopting a zero-trust mentality requiring processes such as user and device verification and multi-factor authentication to access secure data on a network.
Kearney adds that employee training is critical. This includes ensuring that employees who are working internationally get the same messaging and training on the company’s cybersecurity standards as everyone else. “But also maybe even take into consideration specific training in different regions,” she says.
Cybercrime researchers have even observed that in some countries, the cultural and social acceptability of cybercrimes is greater than in North America, especially if the attacks are directed at foreign companies or individuals.
“There are so many low-cost organizational cybersecurity awareness training platforms available for small business owners,” she says. Building a more cybersecure organization can be as simple as assigning relevant modules to workers and helping prepare for the added risks of increasingly borderless workplaces.
For his part, Chng believes many businesses can benefit from taking training even further.
A few weeks after Chng’s simulation, the Russia-Ukraine tensions escalated into all-out war. “The exercise prepared the leadership team and gave them the confidence that the organization was ready to move to a heightened state of readiness,” he says.
Most business owners focus on just doing business, Chng says, instead of intentionally analyzing, documenting and sharing the details of how their companies work with their teams and manage their data.
With business executives increasingly mindful of cyber threats, these insights can help companies plan to keep critical assets safe. Last year, KPMG surveys of Canadian and global CEOs found that cybersecurity was a top-three threat to organizations for the first time since the onset of the pandemic. Despite this, only about half of each group felt “well prepared” to ward off potential attacks.
Understanding the assets and information a business owns and works with, identifying the processes and programs critical to its function and enacting key cybersecurity measures to safeguard them can help companies survive a cyberattack.
“I think those three things would put you in a much better position than the majority of the organizations out there,” Chng says.