The cost and maintenance of cybersecurity measures is prohibitive to small and medium-size enterprises (SMEs) across all sectors of the Canadian economy.
There are a few very simple things that can be done to minimize the risk and enhance recovery procedures. Many SMEs lack the detailed knowledge to make informed decisions and the financial support to contract professionals to handle it for them.
We at the Peterborough and the Kawarthas Chamber of Commerce have put together a policy resolution on this topic with input from our fellow chambers and industry experts. This policy resolution will go to the Canadian Chamber of Commerce (CCC) and be discussed at our annual policy debate in October. If approved by the membership, it will become part of the CCC’s advocacy program for the next three years.
The issue of cybersecurity is even more relevant today as bad actors begin to use Artificial Intelligence to produce even more invasive ways to trap their victims.
The internet is the road on which the majority of business is conducted in the 21st century and
while business is responsible for its own portion of that road, help is needed to make sure it is
maintained. Many businesses still feel cybersecurity is an optional extra, yet it is just as important as locks on our doors. Protecting digital assets requires at least a basic cybersecurity strategy and should be part of the business strategy for all SMEs.
The Canadian economy is comprised primarily of SMEs. By incentivizing the adoption of cybersecurity solutions, the federal government can ensure that small and medium-sized businesses are not only protected, but can recover quickly and effectively if attacked.
As of December 2021, there were 1.21 million employer businesses in Canada. Of these, 1.19 million (97.9%) were small businesses and 22,700 (1.9%) were medium-sized businesses. Small businesses employed 8.2 million individuals in Canada, or 67.7% of the total private labour force, with medium businesses employing another 2.5 million people. Together, SMEs represent about 51% of Canada’s GDP.
According to the Insurance Bureau of Canada:
• 40% of small business owners are spending at least $100,000 to resolve a cyberattack
• 1 in 5 small businesses have been affected by a cyberattack or data breach
Cyber risk insurance is also a contributor to a business’ ability to survive a cyber incident. However, many SMEs lack the minimum requirements to qualify for cyber risk insurance and are not able to implement needed protocols due to the financial burden.
According to an annual report from IBM, the average data breach cost about $5.5 million globally in 2022, up from $3.92 million in 2019. Canada is ranked the third highest for cost per data breach with an average of $7 million, up from $4.44 million in 2019. In a 2023 study conducted by MasterCard, cybercrime has increased by 600% since the pandemic.
It is clear the need for SMEs to protect themselves is important to the Canadian economy. In November 2018, the CRA implemented the Accelerated Investment Incentive proposals which, under Chart 3 Purchase of Equipment, allow a business to deduct up to $4,400 in the first two years after the purchase. While this was welcomed, under the current economic situation it is not enough.
Ideally, SMEs need support from professional cybersecurity businesses. This should come through an initial assessment, typically around $100 per system user. Additionally, grants, tax rebates, and tax deductions will support investments in training, support from third-party experts, and getting up-to-date software.
Furthermore, as businesses recover from the effects of the COVID-19 pandemic, the Canada Business Resilience Network (www.cbrn.ca) Roadmap to Recovery document suggests government introduce programs, funding and incentives for technology adoption in businesses of all sizes and across all sectors to improve Canadian productivity.
Our recommendations are that the Government of Canada:
1. Broaden the scope of the existing Canadian Digital Adoption Program (CDAP) or create a similar grant program focused on cybersecurity which will allow SMEs to access comprehensive cybersecurity products and services;
2. Provide specific annual tax credits for the ongoing support and maintenance required from Third Party vendors for SMEs that have satisfied the grant program to assess their technology;
3. Allow SMEs to write off 100% of their business investments in preventative cybersecurity-related software, equipment and other costs (support services and outsourcing costs) in the year those investments are made;
4. Provide a subsidy for training of staff on cybersecurity awareness programs; and
5. Create a SME Cyber Defence Fund that provides SMEs with the necessary support to improve their cyber resilience and close the cybersecurity investment gap.