This week we are sitting with an uncomfortable truth: most small business owners say they are ready for a cyber attack, but when researchers actually look under the hood, the numbers tell a different story. We also watched AI try to run a real retail store in San Francisco and forget to schedule any staff on opening day. And Canada's largest grocery chain has just notified customers of a cyberattack. Let's get into it.
STORY OF THE WEEK
Seven in Ten Small Businesses Think They Can Handle A Cyberattack. Only Two in Ten Actually Can.
There is a gap in Canadian small business cybersecurity that does not get talked about enough. It is not a gap in awareness. It is not a gap in intention. It is a gap between what business owners believe about their own preparedness and what is actually true.
A new benchmark report released this month by Corporate Technologies looked at the real operational data of small and mid-sized businesses and compared it to how those same businesses described their own security posture. The finding, sourced from Devolutions' 2025 State of IT Security report and cited prominently in the index, is stark: 71% of small businesses express confidence in their ability to handle a cyber incident, but only 22% have a security posture that could actually survive one. In other words, for every ten business owners who believe they are fine, fewer than three of them actually are.
Canadian data reinforces the picture. The Insurance Bureau of Canada surveyed 308 Canadian business owners and decision-makers in August 2025 and found that 66% were confident they could withstand a data breach or website shutdown. Yet 73% of Canadian small businesses have already experienced a cybersecurity incident, and only 47% feel genuinely prepared for one. Just 22% carry any form of cyber insurance.
Here is why this matters more than it might seem. Research from the JPMorgan Chase Institute found that the median small business holds only about 27 days' worth of cash as a buffer. A cyberattack does not just threaten your data. It threatens your ability to operate, to pay staff, to serve customers, and to keep the lights on. For a business with less than a month of runway, even a two-week disruption is not a security incident. It is potentially a closing notice. One in five small businesses that suffer a cyberattack subsequently files for bankruptcy or closes.
The confidence gap is not just a statistic. It is a risk that most business owners do not know they are carrying.
WHY IT MATTERS TO YOU
The businesses in these surveys are not careless. They have firewalls. They have passwords. Some even have IT support. But having tools is not the same as being resilient. The question worth asking yourself is not "Do I have security software?" It is "If ransomware locked every device in my business tomorrow morning, what would I actually do in the first hour?"
WHAT CAN YOU DO RIGHT NOW
Before your next team meeting, write down three answers: who you would call first, where your most recent backup is and how to access it without your usual computers, and how you would contact your customers if your email and website went down. If you cannot answer all three in under two minutes, you have found your starting point.
THE RIPPLE EFFECT
Three stories, and what they actually mean for your business
An AI Signed a Three-Year Lease, Hired Staff, and Forgot to Schedule Them
A San Francisco company called Andon Labs decided to run an experiment. They gave an AI agent named Luna a three-year retail lease, a $100,000 budget, and complete authority over a gift shop called Andon Market in the city's Cow Hollow neighbourhood. Luna chose the products, set the prices, negotiated with suppliers, hired two human employees, and designed the interior. Then, on opening day, Luna forgot to schedule either of them. The store opened with no staff.
That was not the only issue. When a reporter from NBC News called Luna before the launch, the AI confidently described products the store did not actually carry, including tea it had never stocked. The company says the point of the experiment is not profit. It is to find out what autonomous AI agents actually do when given real authority and real money, and to surface failure modes before they become widespread.
What it means for you:
AI tools are genuinely useful for small businesses, but this experiment is a good reminder that AI without human checkpoints will make confident, plausible-sounding mistakes. Before you hand any business process fully to an AI tool, whether that is customer communication, scheduling, or purchasing, ask yourself who is checking its work.
Canada's Largest Grocery Chain Notifies Customers of a Cyberattack
Loblaw Companies, the country's largest food and pharmacy retailer with banners including Loblaws, No Frills, Shoppers Drug Mart, and PC Financial, has begun notifying customers of a cyberattack. Details on the scope and nature of the incident are still emerging, but the notification confirms that customer data was involved. For a retailer of Loblaw's scale, where millions of Canadians use the PC Optimum loyalty program and store credit cards, the potential reach of the incident is significant.
What it means for you:
If you or your employees are PC Optimum members or use a PC Financial credit card, keep a close eye on your account activity and consider changing your password this week. More broadly, this is a reminder that cybercriminals target large organizations precisely because of the volume of customer data they hold. Your data lives inside the systems of every business you interact with.
A New Report Finds Most Canadian SMBs Have Cyber Insurance. But Phishing Still Gets Through.
A fresh report from security firm ESET released April 16 surveyed 200 Canadian cybersecurity decision-makers at businesses with 25 to 1,000 endpoints. The headline finding is encouraging: 78% of Canadian SMBs now carry cyber insurance, significantly up from figures reported in earlier surveys. But the same report found that phishing remains the leading cause of breaches among Canadian small businesses, accounting for 21% of all incidents. Insurance pays for the damage after the fact. It does not stop the email that starts the breach.
The report also found that Canadian SMBs are more cautious about adopting AI tools than their American counterparts: 69% of Canadian respondents say they have integrated AI applications into their business, compared to 81% of US respondents.
What it means for you:
Cyber insurance is worth having, and more Canadian businesses getting it is genuinely good news. But insurance is a safety net, not a prevention strategy. The 21% phishing figure is a reminder that the most effective protection is still a team that knows how to spot a suspicious email before clicking.
STAT OF THE WEEK
71% vs 22%
Seven in ten small businesses are confident they can survive a cyberattack. Only two in ten have a security posture that could actually do it.
This is not a survey finding. It is a comparison between how businesses describe themselves and what their actual operational data shows. The gap between perceived and real resilience is where most small businesses are exposed.
Source: Corporate Technologies, SMB Technology and Cyber Resilience Index Q1 2026, April 2026, citing Devolutions 2025 State of IT Security report. Index built on anonymized operational data benchmarked against more than 40 industry sources. Cash buffer figure from JPMorgan Chase Institute small business research.
ONE THING YOU CAN DO THIS WEEK
Write Your First Cyber Incident Response Checklist
You do not need a 40-page security policy. You need a single page that answers three questions, kept somewhere your team can actually find it when everything goes wrong.
Question one: who do you call in the first hour? Write down the phone numbers of your IT provider or managed service provider, your cyber insurance carrier (if you have one), and your bank's fraud line. Do not assume these are saved in someone's phone. Print them. Put the paper somewhere physical.
Question two: where are your backups, and how do you access them? Backups that live on the same network as your main systems can be encrypted alongside everything else in a ransomware attack. If your backups are in the cloud, write down the login credentials and store them offline. If they are on a hard drive, confirm it is kept disconnected when not in use.
Question three: how do you communicate with customers if your email and website go down? A personal phone number. A personal email. A social media account you control independently from your business systems. Know the answer before you need it.
"The businesses that recover fastest from cyberattacks are not the ones with the best technology. They are the ones with a plan."
This exercise takes about 30 minutes. Most business owners who do it discover at least one thing they assumed was handled that actually is not. Better to find that out now.
QUICK BITES
Lakelands Public Health in Ontario was hit by ransomware this month. The Lynx ransomware group claimed credit for the attack, which caused temporary outages in programs and services. It is the latest in a pattern of ransomware groups targeting Canadian healthcare and public sector organizations, which attackers view as likely to pay quickly given the impact on essential services. If your business works with any government or healthcare clients, ask whether their vendor security requirements have been updated recently.
Canadian small businesses are more cautious about AI than their American counterparts. The new ESET report found that 69% of Canadian SMBs have integrated AI tools into their business, compared to 81% in the US. That caution is not necessarily a weakness. Given that AI-generated phishing and fraud are rising quickly, taking time to understand a tool before deploying it is a reasonable approach.
The tax filing deadline is April 30. The Canada Revenue Agency does not communicate by text message, WhatsApp, or e-transfer under any circumstances. With less than two weeks left in tax season, scammers are pushing hard with fake CRA messages. If anything arrives claiming to be from the CRA and asking you to click a link, call a number, or send a payment, treat it as a scam and report it to the Canadian Anti-Fraud Centre at antifraudcentre-centreantifraude.ca.
Canada's Competition Bureau is warning that scammers are now using deepfakes of real politicians and government officials. In a March 2026 advisory, the Bureau flagged a surge in AI-generated videos and voice clones impersonating the Prime Minister and other leaders to promote fake investment schemes, phony government programs, and fraudulent refunds. The fakes are convincing enough that many recipients genuinely believe they are hearing from an official source. If you or your employees see a video or receive a call featuring a Canadian official urging urgent financial action, treat it as a scam.
PARTING THOUGHT
There is something almost reassuring about the Andon Labs story. An AI was handed a real business with real money and real authority, and one of its first moves was to forget that humans needed to show up to work. Luna did not mean to leave the store unstaffed. It was doing its best. It just had blind spots it did not know it had.
Small businesses face a version of the same problem. Most owners are doing their best on cybersecurity. They have made reasonable decisions. They believe, sincerely, that they are covered. The uncomfortable finding from this week's data is that sincere effort and actual readiness are not the same thing, and the gap between them is where attacks do the most damage.
The good news is that the gap is closable. Not with expensive software or complex programs, but with a checklist, a conversation with your team, and thirty minutes of honest answers. The businesses that come through cyberattacks intact are usually not the ones with the biggest budgets. They are the ones who knew what to do when the moment came.
See you next Friday and stay TryberResilent
