Cybersecurity in Canada 2026
Cybersecurity statistics in Canada for 2026 document a nation experiencing a genuinely contradictory set of outcomes: Canadian organizations are spending more on security than at any point in the country’s history, yet the threat environment is simultaneously worsening at nearly every measurable dimension. Security spending has reached a five-year high, with 20% of IT budgets now dedicated to security and 57% of organizations reporting security funding as “good or readily available,” according to the 2026 CDW Canada Cybersecurity Study conducted by IDC Canada across more than 700 IT security, risk, and compliance professionals. Yet the same study found that cyberattacks targeting Canadian enterprises surged nearly 80% year-over-year, with enterprise cloud infection rates reaching the highest level ever recorded in the study’s history. This is the “maturity paradox” CDW Canada specifically identified: board-level confidence and investment are rising, but foundational execution gaps in identity governance, third-party risk, and resilience are not closing at the same pace.
The Government of Canada’s own intelligence assessment — the National Cyber Threat Assessment 2025–2026 (NCTA 2025–2026), published by the Canadian Centre for Cyber Security (CCCS) on October 30, 2024 and covering the threat horizon through 2026, identifies ransomware as the top cybercrime threat to Canada’s critical infrastructure.“ These government-level conclusions sit alongside the latest commercial data: the IBM Cost of a Data Breach Report 2025 places the average cost of a Canadian data breach at CA$6.98 million, up 10.4% year-over-year — a figure that puts Canada among the most expensive breach jurisdictions in the world, and one of the few countries where breach costs are rising against a falling global average. This article compiles the latest, most current verified statistics on cybersecurity threats, incidents, spending, and regulatory developments in Canada for 2026.
Interesting Facts About Cybersecurity in Canada 2026
| Fact | Detail |
|---|---|
| Average cost of a data breach in Canada (IBM 2025) | CA$6.98 million — up 10.4% year-over-year |
| Average Canadian breach cost with AI/automation (IBM 2025) | CA$5.19 million — vs. CA$8.53 million without |
| Businesses impacted by a cyber incident in 2023 | 16% of all Canadian businesses (Statistics Canada CSCSC 2023) |
| Large businesses (250+ employees) impacted by a cyber incident | 30% |
| Business recovery spending from cyber incidents, 2023 | CA$1.2 billion — doubled from CA$600 million in 2021 |
| Business prevention and detection spending, 2023 | CA$11 billion |
| Police-reported cybercrime rate, 2024 | 225.1 incidents per 100,000 — more than double the 2018 rate of 91.9 |
| Year-over-year change in police-reported cybercrime, 2024 | −9% from 2023 peak — but still more than double 2018 baseline |
| Cyber incidents reported to police by affected businesses | Only 13% — true scale vastly exceeds official counts |
| CAFC fraud losses, 2025 (all fraud including cyber-enabled) | CA$704 million — largest single-year fraud loss on record |
| OPC PIPEDA breach reports, fiscal 2023–2024 | 693 reports — affecting approximately 25 million Canadian accounts |
| Ransomware growth rate | +26% per year from 2021 to 2024 |
| Average Canadian ransom payment, 2023 | CA$1.13 million |
| Businesses that DID NOT pay ransom (of those affected) | 88% — of those who did pay, 84% paid under $10,000 |
| Cyberattack surge targeting Canadian enterprises, 2026 | Nearly 80% year-over-year (CDW Canada 2026 Study, IDC Canada) |
| Average enterprise cloud downtime per incident, 2026 | 20 days — up from 16 days |
| CCCS pre-ransomware notifications to Canadian organizations (2024–25) | 336 notifications to 300+ organizations; estimated savings of up to CA$18 million |
| Federal cybersecurity budget allocation (Budget 2024) | CA$917.4 million to enhance intelligence and cyber operations |
| Bill C-8 (Canada’s federal cybersecurity law) status | Third reading in the House of Commons: March 26, 2026 |
| Data sovereignty concern (CIRA 2025 survey) | 69% cite it as the most important factor when sourcing cybersecurity solutions |
| Organizations reconsidering US cybersecurity providers | 56% in 2025 (CIRA 2025 Cybersecurity Survey) |
Source: Statistics Canada, Canadian Survey of Cyber Security and Cybercrime (CSCSC) 2023 (released October 2024); Canadian Centre for Cyber Security (CCCS), National Cyber Threat Assessment 2025–2026 (October 30, 2024); Communications Security Establishment Canada (CSE), Annual Report 2024–2025; IBM Security, Cost of a Data Breach Report 2025; CDW Canada 2026 Cybersecurity Study (IDC Canada, April 1, 2026); Cybersecurity Canada Report 2026 / Cyber Unit (last updated May 24, 2026); Discreet Investigations, “Cybercrime Statistics Canada 2026” (May 4, 2026, citing Statistics Canada UCR, CCCS NCTA, CAFC, OPC); CIRA Cybersecurity Survey 2025; Canadian Anti-Fraud Centre 2025 Annual Statistics; Office of the Privacy Commissioner of Canada, Annual Report 2024–25
The facts table above captures an unusually complex cybersecurity picture for 2026, where improving organizational commitment — measured in dollars, board attention, and policy progress — has not yet translated into proportionally better security outcomes. The Canadian SMB threat picture diverged from the global one in 2025: Canada is now one of the few countries where breach costs are rising against a falling global average. The CA$6.98 million average breach cost per IBM’s 2025 report — up 10.4% year-on-year — is both a financial burden and a strategic alarm signal, because it reflects the specific vulnerability of Canadian organizations to the type of high-dwell-time, financially motivated intrusions that characterize the current threat actor ecosystem. IBM’s own dataset provides the most actionable comparison point: Canadian organizations using security AI and automation extensively reported average breach costs of CA$5.19 million, versus CA$8.53 million for those that did not — a CA$3.34 million spread.
The 89% underreporting rate — with only 13% of affected Canadian businesses reporting cyber incidents to police — is the single figure that most dramatically undermines any attempt to assess the true scale of the problem from official statistics alone. Statistics Canada’s own data represents a significant undercount of actual incidents, a fact the CCCS itself acknowledges by noting that its baseline figures do not include indirect costs such as reputational damage, operational downtime, legal fees, or insurance impacts. The CA$704 million in CAFC fraud losses in 2025 — the largest single-year total on record — similarly captures only frauds reported to the Canadian Anti-Fraud Centre, not the full universe of cyber-enabled fraud affecting Canadians annually.
Cyber Threat Landscape in Canada: CCCS Assessment 2026
CCCS NCTA 2025–2026 — Top Threat Categories for Canada
──────────────────────────────────────────────────────────────────
State Adversaries
1. People's Republic of China │████████████████████████████████████████ MOST COMPREHENSIVE THREAT
2. Russia │████████████████████████████░░░░░░░░░░░░ Ransomware & infrastructure
3. Iran │████████████████████░░░░░░░░░░░░░░░░░░░░ Social engineering, spear phishing
4. DPRK (North Korea) │████████████████░░░░░░░░░░░░░░░░░░░░░░░░ Financial crime, crypto theft
Cybercrime Threats
1. Ransomware │████████████████████████████████████████ #1 THREAT to critical infrastructure
2. Fraud/Scams │████████████████████████████░░░░░░░░░░░░ 50% of all affected businesses
3. Identity Theft/BEC │███████████████████████░░░░░░░░░░░░░░░░░ Rising; 31% of incidents
└──────────────────────────────────────────
(Source: CCCS NCTA 2025–2026, Oct. 2024)
| Threat Category | Key CCCS Finding |
|---|---|
| People’s Republic of China (PRC) | “Most comprehensive cyber security threat facing Canada today” — espionage, IP theft, malign influence, transnational repression |
| PRC specific 2024 action | CSE issued a bulletin on PRC-sponsored activity against Canadian provincial, territorial, Indigenous, and municipal governments |
| Russia | Critical infrastructure targeting; ransomware ecosystem support; infrastructure attacks linked to geopolitical context |
| Iran | Social engineering and spear phishing campaigns; targeted manipulation assessed; bulletin published by CSE |
| DPRK (North Korea) | Cryptocurrency theft; financially motivated attacks to fund state programs |
| Ransomware | Top cybercrime threat to Canada’s critical infrastructure; +26% per year growth 2021–2024 |
| Fraud and scams | Affected 50% of Canadian businesses that reported a cyber incident in 2023 |
| Identity theft | Affected 31% of businesses with incidents — up 11 percentage points from 2021 |
| AI-assisted social engineering | Publicly reported AI-generated harm incidents grew from 36 cases in 2022 to 107 in 2023, with 138 projected for 2024 based on first-half figures |
| Hack-and-leak operations | CCCS flags as a growing threat to democratic institutions and public trust |
Source: Canadian Centre for Cyber Security (CCCS), National Cyber Threat Assessment 2025–2026 (cyber.gc.ca, published October 30, 2024); Communications Security Establishment Canada Annual Report 2024–2025; Cybersecurity Canada Report 2026 (May 24, 2026)
The CCCS’s designation of the PRC as Canada’s most comprehensive cyber threat is perhaps the most significant strategic statement in the National Cyber Threat Assessment — and it is backed by specific documented incidents. CSE published a cyber threat bulletin urging Canadians to be aware of and protect against PRC cyber threat activity and a specific bulletin on People’s Republic of China-sponsored cyber activity against Canadian provincial, territorial, Indigenous, and municipal governments during the 2024–25 reporting year. The breadth of this targeting — not just federal government and critical infrastructure but explicitly subnational and Indigenous governance institutions — reflects a PRC strategy to map and access the full spectrum of Canadian governance structures, not merely the most obvious high-value federal targets.
Ransomware’s designation as the top cybercrime threat to Canadian critical infrastructure is reinforced by a striking operational metric from the CCCS itself: 336 pre-ransomware notifications were issued to over 300 Canadian organizations in 2024–2025, with estimated economic savings of up to CAD $18 million from prevented ransomware events. The CCCS explicitly notes this figure understates the true benefit since Statistics Canada’s cost data excludes indirect costs. The same CCCS dataset confirms a notable shift in how attacks are executed: the median time between initial access and handoff to a secondary threat group fell to 22 seconds in 2025 — from more than eight hours in 2022. This compression to seconds, not hours, means that traditional human-paced detection and response processes are structurally inadequate against the current threat actor tempo.
Data Breach Statistics in Canada 2026
Average Data Breach Cost — Canada vs. Global (IBM Cost of a Data Breach 2025)
──────────────────────────────────────────────────────────────────────────────
Canada (with AI/automation) │████████████████░░░░░░░░░░░░░░ CA$5.19M
Global average │█████████████████░░░░░░░░░░░░░ CA$5.47M (approx.)
Canada (without AI/automation) │████████████████████████████░░ CA$8.53M
Canada (all, average) │████████████████████████░░░░░░ CA$6.98M (+10.4% YoY)
Phishing entry point (Canada) │████████████░░░░░░░░░░░░░░░░░░ CA$6.38M per breach
└────────────────────────────────────────────────────
(Source: IBM Cost of a Data Breach 2025)
| Data Breach Metric | Figure |
|---|---|
| Average cost of a Canadian data breach (2025) | CA$6.98 million (+10.4% YoY) |
| Average cost with extensive AI/automation | CA$5.19 million |
| Average cost without AI/automation | CA$8.53 million |
| AI/automation cost savings per breach | CA$3.34 million |
| Average breach cost when phishing was the entry point | CA$6.38 million |
| Phishing as initial attack vector share | 14% of Canadian breaches (IBM 2024 Canadian dataset) |
| OPC PIPEDA breach reports received, 2023–24 | 693 reports |
| Approximate individuals affected by OPC-reported breaches | ~25 million Canadian accounts |
| MOVEit breach — Canadian government impact (2023) | Exposed data on 100,000 Nova Scotia government employees |
| Desjardins data breach (largest Canadian insider breach) | 9.7 million individuals exposed by insider over 26+ months |
| Average enterprise cloud downtime per breach, 2026 | 20 days (up from 16 days) — CDW Canada study |
| Average CrowdStrike eCrime breakout time (2026 Global Threat Report) | 29 minutes average; 27 seconds fastest observed |
Source: IBM Security, Cost of a Data Breach Report 2025; Office of the Privacy Commissioner of Canada Annual Report 2024–25; CCCS NCTA 2025–2026; CDW Canada 2026 Cybersecurity Study (IDC Canada); Cybersecurity Canada Report 2026; CrowdStrike 2026 Global Threat Report; corbado.com “11 Biggest Data Breaches in Canada 2026” (May 22, 2026)
The data breach cost landscape in Canada in 2026 is defined by a stark bifurcation between organizations that have operationalized AI-driven security capabilities and those that have not. The CA$3.34 million per-breach cost differential between AI-augmented and non-augmented organizations in the IBM 2025 Canadian dataset is not a marginal efficiency gain — it represents a 64% reduction in breach cost for organizations that have successfully deployed security AI in detection, response, and triage. This finding carries a critical caveat that the Cybersecurity Canada 2026 report makes explicit: the category that matters is not “having AI tools” — it is having them operationalized in detection, response, and triage. The mere purchase of AI security tools without operational integration produces no measurable cost benefit, a distinction that the CDW Canada study’s “maturity paradox” finding reinforces across a broader set of metrics.
The Office of the Privacy Commissioner’s 693 PIPEDA breach reports covering approximately 25 million Canadian accounts in fiscal 2023–24 deserve particular attention as a regulatory compliance and liability metric. Under Canada’s mandatory breach notification requirements — in force since 2018 under amendments to PIPEDA — organizations must report breaches that pose “a real risk of significant harm” to the Privacy Commissioner and notify affected individuals, or face penalties. The 693 formal reports represent only the subset of breaches that organizations determined met this threshold; the actual number of security incidents affecting Canadian personal data is known to be substantially higher, given the 13% police reporting rate that Statistics Canada’s own research documents among affected businesses.
Cybersecurity Spending & Industry Statistics in Canada 2026
Canada Cybersecurity Spending Indicators (2023–2026 Data)
──────────────────────────────────────────────────────────────────
Business prevention/detection spend (2023) │████████████████████████████████████████ CA$11 billion
Business recovery spending (2023) │████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ CA$1.2 billion
Federal cybersecurity budget (Budget 2024) │████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ CA$917.4 million
IT budget share dedicated to security (2026) │████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ 20% (5-yr high)
Defensive investment annual growth rate │████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ ~6% per year
└──────────────────────────────────────────
(Source: Statistics Canada CSCSC 2023; CDW Canada 2026;
Budget 2024; Cybersecurity Canada Report 2026)
| Spending / Industry Metric | Figure |
|---|---|
| Business prevention and detection spending (2023) | CA$11 billion — up significantly from prior years |
| Business recovery spending from incidents (2023) | CA$1.2 billion — doubled from CA$600 million in 2021 |
| Defensive investment annual growth rate | ~6% per year — faster than overall business IT spend |
| Federal Budget 2024 — cybersecurity/intelligence allocation | CA$917.4 million |
| Share of IT budgets dedicated to security (2026) | 20% — five-year high (CDW Canada 2026 Study) |
| Organizations with security funding “good or readily available” (2026) | 57% of surveyed organizations |
| Data sovereignty as top procurement criterion (CIRA 2025) | 69% of organizations — up from 60% in 2024 |
| Organizations reconsidering US cybersecurity providers (2025) | 56% |
| Global cybersecurity spending forecast, 2026 (Cybersecurity Ventures) | >USD $520 billion globally |
| AI model monitoring/auditing as a priority (CDW Canada 2026) | 51% of organizations identified it as a priority |
| Identity and access security for AI workloads | 45% of organizations — underscores AI risk concern |
| Bill C-8 (Cybersecurity of Federally Regulated Systems Act) | Passed third reading in the House of Commons, March 26, 2026 |
Source: Statistics Canada CSCSC 2023 (released October 2024); CDW Canada 2026 Canadian Cybersecurity Study (IDC Canada, April 1, 2026); Cybersecurity Canada Report 2026 (May 24, 2026); CIRA Cybersecurity Survey 2025; Department of Finance Canada, Budget 2024; Cybersecurity Ventures, 2026 Cybersecurity Market Report
The cybersecurity spending data tells a story of Canadian organizations committing more money than ever while finding themselves in a more vulnerable position than ever — the “maturity paradox” that CDW Canada identified as the defining theme of its 2026 study. With 20% of IT budgets now dedicated to security — a five-year high — and CA$11 billion in prevention and detection spending in 2023, the investment is genuine and substantial. Yet the simultaneous 80% surge in cyberattacks on Canadian enterprises and the rising breach costs confirm that adversaries are adapting faster than defences are improving. CDW Canada’s Field CTO Ivo Wiens described this as “a clear pivot toward high-value enterprise environments” signaling “a more calculated and strategic attacker mindset.”
The data sovereignty dimension of Canadian cybersecurity spending in 2026 is an entirely new strategic variable that did not feature prominently in prior years’ analyses. With 69% of Canadian organizations citing data sovereignty as their most important factor in sourcing cybersecurity solutions — up 9 percentage points from 60% in 2024 — and 56% having specifically reconsidered US cybersecurity providers, the geopolitical environment surrounding the Canada-US relationship has directly reshaped Canadian enterprise procurement decisions in 2025 and 2026. The advancement of Bill C-8, the Cybersecurity of Federally Regulated Systems Act, to third reading in the House of Commons on March 26, 2026 represents the most significant legislative development for Canada’s cybersecurity regulatory framework since the PIPEDA breach notification amendments of 2018, establishing mandatory cybersecurity obligations for federally regulated sectors including banking, telecommunications, and energy infrastructure for the first time. Once enacted, Bill C-8 will require designated operators in these sectors to implement cybersecurity programs, report significant incidents to the government, and comply with directions to mitigate cybersecurity risks — obligations that will create measurable new compliance spending and drive a further round of cybersecurity investment across precisely the critical infrastructure sectors that the CCCS NCTA 2025–2026 identified as the most seriously targeted by both state and ransomware threat actors.
Disclaimer: This research report is compiled from publicly available sources. While reasonable efforts have been made to ensure accuracy, no representation or warranty, express or implied, is given as to the completeness or reliability of the information. We accept no liability for any errors, omissions, losses, or damages of any kind arising from the use of this report.