Cybercrime is easier than ever: Here’s how to strengthen your defences
Jennifer Wiebe | 2026-03-19T09:46:59-07:00 | Robert Shearar and Mark Lee
The barrier to entry for cybercrime has never been lower as tools for launching an attack have become widely accessible, inexpensive and easy to deploy. In this environment, prevention alone isn’t enough. Businesses are best served by strengthening their cyber resilience – being prepared to effectively respond in order to minimize the damage and recover with minimal disruption.
A recent webinar hosted by Acera Insurance, “Cybercrime & evolving risk management strategies,” brought together an expert panel of legal, insurance, cybersecurity and IT professionals to share their insights on how Canadian organizations can keep up with the changing landscape.
The expert panel
- Matt Lewis and Patrick Curtin, Field Effect
- Patrick Mutwale, CybIQs
- Mouna Hanna, Whitelaw Twining LLP
- Joel Lauzon, Coalition
- Dan Lewis, Acera Insurance
They explored the ways cyber threats are evolving, from the most common types of incidents to the legal and regulatory implications of a breach, and practical strategies to reduce exposure. Here’s what you need to know and the proactive steps you can take now.
How cyber threats are changing
These trends are making attacks easier to carry out, harder to detect and more disruptive for organizations of all sizes.
- Identity‑based attacks are now the primary entry point. Phishing campaigns are designed to steal legitimate credentials, allowing attackers to log in undetected.
- AI is accelerating cybercrime. Attackers are using AI tools to automate reconnaissance, improve phishing realism and scale attacks more efficiently than ever.
- Cybercrime‑as‑a‑service is removing technical hurdles. Almost anyone can now launch a sophisticated attack with minimal cost or technical skill.
- Poor AI integration creates new vulnerabilities. Organizations that adopt AI tools without a robust integration and governance strategy risk exposing sensitive systems, credentials and data.
The limitations of anti-virus software
While cybersecurity awareness is growing among Canadian businesses, many small and mid‑sized organizations are still relying solely on traditional anti‑virus software. This approach leaves significant gaps that cybercriminals can exploit. Anti‑virus tools can detect known threats, but they do little to prevent credential theft, cloud misconfigurations, financial fraud or lateral movement once attackers gain access.
Strengthen your defences for a new era of cybercrime
The panel outlined several practical steps organizations can take to reduce exposure beyond anti‑virus software:
- Protect network access using tools such as VPNs, single sign‑on (SSO), and multi‑factor authentication (MFA).
- Partner with third‑party managed detection and monitoring providers to ensure 24/7 visibility across endpoints, networks and cloud environments.
- Adopt a 3‑2‑1 backup strategy: three backups, stored on two different types of media, with one copy kept off‑site.
- Keep physical copies of cyber insurance policies, incident response plans and business continuity plans so they remain accessible if systems go down.
- Encrypt cyber insurance policy documents to prevent attackers from accessing coverage limits and tailoring ransom demands.
- Implement clear financial controls (such as call‑back and dual‑approval processes) to reduce the risk of invoice redirection and payment fraud.
- Use attack surface reports and tabletop exercises to identify vulnerabilities and test decision‑making before an incident occurs.
Cybersecurity and privacy regulation is tightening
Regulatory pressure is increasing across Canada, with new requirements and enforcement measures taking shape. These developments signal where organizations face heightened expectations:
- A continued shift toward stronger cybersecurity, data protection and privacy legislation.
- Expansion of mandatory breach notification requirements, including in the public sector.
- New obligations under Bill C‑8, which applies to organizations operating critical infrastructure, many of which may not realize they fall under this category.
- A desire to align Canadian regulations more closely with the EU’s GDPR framework.
- Growing enforcement activity, including significant penalties and fines for non‑compliance.
For boards and leadership teams, cyber preparedness is increasingly tied to regulatory and fiduciary responsibility.
Top five cybersecurity controls you should prioritize
While no single control can stop every attack, these five measures form a strong baseline to limit exposure and should be standard for every business regardless of size:
- Multi‑factor authentication (MFA)
- Closing or restricting unnecessary open ports
- Continuous, 24/7 system monitoring
- Ongoing IT patching to address vulnerabilities
- Regular cybersecurity awareness training for employees
Together, these controls form a layered defence that improves detection, containment and recovery.
Cyber insurance does not replace risk management
While insurance can significantly reduce the financial impact of a breach, it is not sufficient protection on its own and does not prevent operational disruption, reputational damage or regulatory scrutiny.
Cybersecurity measures and cyber insurance must work together. The panel noted that small businesses often assume cybersecurity services will be too costly. In reality, there are affordable options that can place small businesses in safer positions than much larger organizations simply because environments are less complex with fewer systems and moving parts.
Importantly, when evaluating cyber insurance, organizations should ensure their policies include pre‑breach services, such as online security assessments, training and access to expert guidance before an incident ever occurs.
Key Takeaway
Cyber resilience ultimately depends on culture as much as technology. It requires leadership buy‑in, clear decision‑making and a shared understanding of how incidents will be managed across the organization.
Those that take a proactive approach – by investing in foundational controls, testing their response plans and partnering with trusted experts – are far better positioned to respond effectively when – not if – a cyber incident occurs.
To watch the complete webinar on-demand, register here.
About the Authors
Rob Shearar is a Senior Client Executive, Commercial Insurance and Partner with Acera Insurance. He brings 20 years of specialized expertise in custom insurance and risk management solutions for manufacturing, wholesale and distribution and commercial property across Canada. Connect with Rob at [email protected] or 604.484.0208.
Mark Lee is Director, Commercial Client Care for the BC and Yukon offices of Acera Insurance. He brings more than 30 years of experience developing and structuring large, complex insurance and risk management programs, specializing in the manufacturing and technology sectors. Mark is a former board member of Canadian Manufacturers and Exporters BC and an active member of the Manufacturing Safety Alliance of BC. Connect with Mark at [email protected] or 604.484.4999.