Hello, friends 👋

Two big themes this week: when a vendor you've never heard of gets breached, your business can still feel it — and Canada is finally putting real money behind helping small businesses adopt AI without flying blind. We'll also look at why nine out of ten non-profits using AI are barely getting any value from it.

Let's get into it.

🗞️ Story of the Week

A Canadian back-office giant got hit — and the ripple is heading for every small business that banks in Canada

Last Saturday, a ransomware crew calling themselves Everest claimed they'd broken into Symcor, a Toronto-based business process outsourcing firm that quietly handles payment processing, document services, and customer statements for many of Canada's biggest banks and insurers. The group says they've stolen sensitive data and are threatening to leak it unless Symcor pays.

Most Canadians have never heard of Symcor — but most of us have probably received something they printed, mailed, or processed. That's exactly what makes this incident matter beyond financial services. When a behind-the-scenes vendor gets breached, the customer data they hold on behalf of their clients can be exposed too. Past Symcor incidents (the company has been targeted before) have led to legal action from banks whose customer information was caught up in the spill.

For a small business owner, this is a textbook supply-chain breach. You may not be Symcor's customer, but you almost certainly use a payroll provider, accounting service, IT vendor, or marketing platform that holds your client list, your invoices, or your employee data. If they get hit, you're the one explaining it to your customers.

The full scope of the Symcor breach won't be known for weeks. But the lesson doesn't need to wait.

💡 Why it matters to you

Your business is only as secure as the third parties you share data with. When was the last time you actually asked a vendor what would happen — to your customer data — if they got breached? "We take security seriously" on a website is not an answer.

What you can do right now

This week, list every outside service that touches your customer or employee data — payroll, accounting, CRM, email marketing, IT support, cloud storage. Pick the top three and email each of them one question: "If you had a security incident, how and when would you notify us, and what data of ours would be affected?" Their answer (or silence) tells you a lot.

⚡ The Ripple Effect

Three stories, and what they actually mean for your business

Canada's cyber agency just told business owners: the threat isn't a hacker, it's a phone call

On April 30, the Canadian Centre for Cyber Security issued a rare public alert (AL26-010) warning that cyber criminals have stopped trying to "hack" their way into business systems and started talking their way in instead. They're calling IT help desks, posing as employees, and convincing support staff to reset multi-factor authentication or enroll a new device — then walking right into Microsoft 365, Google Workspace, Salesforce, and other cloud tools. No malware, no exploits, no alarms.

What it means for you: If your business uses cloud apps and someone you outsource IT to (or someone on your team) can reset login security with a phone call, that's now your biggest exposure. Ask your IT provider what verification they use before resetting MFA — and write it down so it doesn't drift.

Ottawa just put $500 million on the table to help small businesses adopt AI

On April 24, the Business Development Bank of Canada launched LIFT — a $500 million loan program specifically designed to get Canadian small and mid-sized businesses off the AI sidelines. Eligible businesses (over $1M in annual sales) can borrow up to $2 million for AI projects at the Bank of Canada's overnight rate of 2.25%, with up to two years before they have to start paying back the principal. The program also pairs you with an AI advisor and prioritizes Canadian-built AI tools.

What it means for you: This is the most affordable AI capital a Canadian SMB has ever been offered. Even if you're not ready to borrow, the free advisory piece is worth a conversation — most small businesses are buying AI tools without a strategy and getting marginal returns. A trained advisor helps you spend that AI budget on the right problem.

Nine in ten non-profits are using AI. Only seven percent are actually getting value from it.

Virtuous's 2026 Nonprofit AI Adoption Report — out this spring — found that 92% of non-profits are now using AI in some form, but just 7% report meaningful improvements in organizational capacity. The gap is structural: 81% of non-profits use AI individually and ad hoc, while only 4% have documented, repeatable workflows. Meanwhile, organizations with real AI processes are reporting 10–15 hours per week in saved staff time — roughly $15,000 to $25,000 per year for a mid-sized non-profit.

What it means for you: AI value doesn't come from the tool — it comes from the workflow around it. If your team is each "playing with ChatGPT," you're in the 81%. Pick one repetitive task (donor thank-yous, grant report drafting, board minute summaries), build a documented process around it, and you'll outperform organizations spending ten times what you do.

📊 Stat of the Week

$704 million

Reported losses to fraud in Canada in 2025

That's the new figure from the Canadian Anti-Fraud Centre — up from $643 million in 2024, and pushing total reported fraud losses since 2022 past $2.4 billion. And here's the part that should make every owner sit up: the CAFC estimates only 5 to 10 percent of fraud is ever reported. The real number is somewhere between $7 billion and $14 billion.

Source: Canadian Anti-Fraud Centre, "Fraud Reporting System Dataset," Government of Canada Open Data Portal, data through September 30, 2025; reporting rate estimate per CAFC public statements (2024–2026). The CAFC compiles fraud reports voluntarily submitted by Canadians, businesses, and law enforcement — the dataset is not a survey and undercounts unreported incidents.

One Thing To Do This Week

Run a five-minute "help desk attack" rehearsal

The biggest cyber risk facing Canadian SMBs right now isn't a fancy hack — it's a phone call. The CCCS warning this week makes it official: criminals are calling support staff, IT providers, and even owners' assistants, pretending to be a locked-out employee, and asking for MFA to be reset. It works because it sounds completely normal.

Here's the rehearsal: pick the person on your team most likely to receive that call (often whoever manages your Microsoft 365 or Google Workspace account, or the contact at your IT provider). Ask them: "If 'Sarah' calls saying she's locked out and asks you to reset her MFA so she can log in from her phone — what would you do?" If the answer involves anything other than a callback to a known number, an internal verification, or a two-person check, you have your homework for the month.

"The simplest, cheapest control against the biggest attack of 2026 is a phone call back to a number you trust."

📌 Quick Bites

Microsoft just flagged a 35,000-victim phishing wave hitting 13,000 organizations. Between April 14 and 16, attackers sent emails with PDFs labeled "Awareness Case Log File" and a "Review Case Materials" link that quietly harvested Microsoft 365 logins. If your team uses M365, mention this one at your next huddle — fake "case" or "review" emails are the new fake invoice.

AI is making CRA scams nearly impossible to spot. Scammers are now cloning agent voices, building fake canada.ca pages identical to the real thing, and sending texts that route business owners to credential traps. One stolen login can let them reroute your business's tax refunds. Reminder: the CRA never asks for credentials by email or text — verify everything through your My Business Account directly.

A six-person financial services firm in North York was hit with ransomware that froze their servers and stole 5 GB of customer data. It's the kind of attack that doesn't make national news, but it's the most common shape of an SMB breach in 2026: small team, real customer data, big interruption. The firm's recovery cost ran into the hundreds of thousands.

Microsoft Agent 365 just went generally available. It's a step toward AI "agents" that can carry out multi-step tasks (drafting, scheduling, reviewing) inside your existing Microsoft tools. For SMBs, the practical question for the next six months isn't "should we use it?" — it's "what's the smallest, lowest-risk task we'd let an AI agent run end-to-end?"

💬 Parting Thought

The throughline this week is that the boundary between "your business" and "everyone else's business" has basically disappeared. A breach at a Toronto vendor your bank uses can affect your customers. A help-desk call across the country can hand over your cloud accounts. An AI tool you didn't sanction can leak your donor data.

But the same logic works in your favour. You don't need to be a security expert or an AI researcher to be resilient — you need to know who you depend on, ask better questions, and pick one habit a week that closes a gap. That's it. The companies and non-profits doing well in 2026 aren't the ones with the biggest budgets — they're the ones who got specific.

See you next Friday and stay TryberResilient
