This week’s story is a personal one, and I think it’s one of the clearest explanations of cyber resilience I’ve ever fallen into. I injured myself last week, and lying on the couch with my leg up gave me a lot of time to think about how closely a trip to the ER mirrors cyber incident response. Also this week: Canada’s spy agency quietly hacked a ransomware gang targeting Canadian business, payroll records for Canadian Nissan employees were exposed through widely-used HR software, and AI is compressing attack timelines in ways that most incident response plans weren’t built for. Let’s get into it.
🗞️ STORY OF THE WEEK
The Bone Bruise That Surprising Aligns With Cyber Resilience
First off, I want to apologize for missing last week’s instalment of this newsletter. And this week’s is a little longer than usual. Last Thursday, I was doing something I’ve done countless times before: taking a load of scrap building materials and garbage to the dump.
As I climbed out of the trailer, I swung my left leg over the side and placed my foot on the steel step on the trailer. Then brought my right leg over to step down to the ground.
That’s when things went wrong… my boot slipped off of the step.
Instead of landing safely, my leg came down hard on the edge of the steel step, just below my knee, with my entire body weight behind it. The pain was immediate and so was the swelling. And then I did what most of us do when something goes wrong: I tried to manage it myself. Ice. Motrin. Rest. Wait and see. For six hours I repeated the cycle, convinced the swelling would go down. It didn’t. It spread. Across my knee and down my leg. Eventually we made the call: we’re going to the ER.
After waiting 6 hours, the doctor finally saw me. She saw the swelling and immediately said: “I think you’re going to need surgery.”
Suddenly this wasn’t just a painful injury. It was a significant medical event. X-rays were taken. The doctor couldn’t clearly determine if there was a fracture. The x-rays were sent to an off-site radiologist. They weren’t sure either. Back to radiology for a CT scan. More waiting.
Finally, the doctor returned with good news: no fracture. No surgery. Just a severe bone bruise and significant soft tissue damage. Knee wrapped for stability, crutches, medications, and strict instructions to stay off my leg.
As I lay on the couch, I couldn’t help but think about how closely this experience mirrors what happens inside a business during a cyber incident.
When organizations experience a breach or security incident, the first symptoms are almost always alarming. A server goes offline. A user reports suspicious activity. Systems become unavailable. The initial assessment points toward the worst.
“We’ve been breached.”
“We’ve lost our data.”
“This is going to be catastrophic.”
But just like my injury, the first diagnosis isn’t always the final diagnosis. You investigate. You gather information. You bring in the specialists. You run additional tests. You wait for the facts.
Sometimes the outcome is better than you feared. Sometimes it’s worse. But the organizations that recover best aren’t the ones with the most resources, they’re the ones with a process.
What always strikes me most about the ER was they don’t panic because they don’t know immediately what is wrong. They follow a process: initial assessment, escalation to specialists, additional diagnostics, confirmation, stabilization, recovery plan.
That’s cyber incident response in a nutshell.
The other lesson was equally important: resilience isn’t about avoiding every incident. Accidents happen. Systems fail. People click things they shouldn’t. Threat actors find new ways in.
Resilience is about how prepared you are to respond, stabilize, and recover, and how clearly everyone knows their role when that moment arrives.
And perhaps the hardest lesson of all: sometimes recovery simply takes time. I can’t force my knee to heal faster. I have to follow the process: rest, ice, recover. Organizations are no different. After a cyber incident, there is almost always pressure to return to normal immediately. But true recovery takes time, discipline, and patience.
Resilience isn’t the absence of adversity. It’s having the capability, the process, and the mindset to work through it. Whether it’s a damaged knee or a damaged network.
Assess the situation. Gather the facts. Stabilize. Trust the process. Give yourself the time you need to recover.
Why this matters to you
Most small businesses don’t have an incident response process. They have an instinct to manage it themselves first, call in help late, and then scramble to figure out who does what. That’s exactly what I did with my knee for six hours, and it made things worse. The businesses that recover from cyber incidents fastest are the ones who had already answered the hard questions before anything went wrong: who makes the call, who gets the call, who stabilizes, who communicates. You can build that in an hour.
What you can do
This week, write down five names and phone numbers on a single sheet of paper and put it somewhere visible: (1) your IT provider or managed security service, including their after hours number, (2) your cyber insurance carrier, (3) your lawyer or legal advisor, (4) the person who authorizes emergency spending at your business, and (5) the Privacy Commissioner’s office (1-800-282-1376) if customer data may be involved. That sheet is the beginning of an incident response process. It takes 10 minutes to create.
⚡THE RIPPLE EFFECT - Three stories, and what they actually mean for your business
Canada’s Spy Agency Hacked the Ransomware Gangs Targeting You
Canada’s Communications Security Establishment published its annual report this week and revealed something that didn’t get nearly enough attention: last year CSE hackers broke into a ransomware gang’s infrastructure and rendered it inoperable. The gang had been targeting Canadian healthcare, transportation, and business sectors. CSE deleted much of the data on the gang’s servers, and separately conducted “technical disruptions” against 10 of the most significant ransomware groups targeting Canada, making parts of their infrastructure unusable. A third operation disrupted an active phishing campaign aimed at Canadian government institutions.
What it means for you: Genuinely good news. Canada’s government is fighting back, and fighting effectively. The important caveat: the government can disrupt criminal infrastructure, but it cannot protect individual small businesses. The same gangs CSE disrupted were running ransomware-as-a-service models, meaning any criminal could rent access to their tools. Competitors still exist. Your defences still matter.
Canadian Employees’ Payroll Records Exposed in Major HR Software Breach
Nissan disclosed that current and former employees across Canada, the US, Mexico, and Brazil had their personal and financial data exposed, including social insurance numbers, banking details, tax records, and information about their dependents. The breach came through Oracle PeopleSoft, the widely-used payroll and HR software that Nissan and thousands of other organizations rely on. Attackers exploited a critical flaw before Oracle could release a fix, and ShinyHunters, the same group behind the Canada Life breach, is believed responsible.
What it means for you: This is a payroll software story with a very Canadian dimension. If your business uses any third-party HR or payroll platform (and most do), ask your provider this week whether they run Oracle PeopleSoft and whether they were among the hundreds of organizations affected. Your employees’ banking information and SINs are every bit as sensitive as customer data, and your PIPEDA obligations cover them.
AI Attacks Are Moving Faster Than Your Incident Response Plan
Intelligence agencies from the US, UK, Canada, Australia, and New Zealand issued a joint warning in late June: AI-powered cyberattacks capable of overwhelming business defences are "months, not years" away. In some categories, they're already here. The specific concern isn't a single dramatic attack; it's compression. AI tools available on criminal marketplaces can now scan for vulnerabilities, write convincing phishing in your company's own voice, and begin exfiltrating data, all before any human on the attacker's side has reviewed a single result. Attacks that used to take days now take hours.
What it means for you: This connects directly to this week's lead story. An incident response process built for human-speed attacks, where you have days to identify, contain, and notify, is increasingly insufficient. The organizations recovering fastest from AI-speed incidents are the ones who had already pre-decided: who calls first, who shuts what down, who notifies whom. Pre-decided is the key word. There isn't time to figure it out during the incident.
$3.34M
That’s the average savings per breach for Canadian organizations that use
AI in their security operations, compared to those that don’t.
Here's the other side of the AI story. The same technology arming attackers is giving defenders a meaningful edge, if they deploy it. IBM's Cost of a Data Breach report found that Canadian organizations using AI and automation extensively in security reported average breach costs of CA$5.19 million. Organizations without these tools averaged CA$8.53 million. That's a CA$3.34 million difference per incident.
For small businesses, the practical takeaway is more accessible than it sounds. Many of the AI-driven features driving that gap are already built into tools you're likely paying for. Microsoft 365 Business Premium includes AI-powered threat detection. Most modern endpoint protection software includes automated response capabilities. The question isn't whether to buy something new; it's whether you've turned on what you already have.
📌 Source: IBM Cost of a Data Breach Report, 2025, Canada data. Based on a study of 604 organizations globally. Canada-specific figures reflect a subset of the global sample. Figures converted to CAD.
✅ ONE THING TO DO THIS WEEK
Write Your Incident Response Cheat Sheet Before You Need It
This week's lead story makes the point better than any statistic could: when something goes wrong, the organizations, and people, that respond best aren't the ones with the most resources. They're the ones who had already answered the key questions before the crisis arrived.
Your incident response cheat sheet doesn't need to be a 40-page document. It needs to answer five questions, written down in advance, so that no one has to figure them out while the situation is unfolding.
Question 1: Who do we call first? Your IT provider or managed security service. Write down their name, their after-hours line, and their escalation procedure. If they don't have one, ask about it this week.
Question 2: Who decides whether to shut things down? Isolating a system (pulling it off the network or turning it off) is sometimes exactly right. Sometimes it destroys forensic evidence. Someone at your business needs the authority to make that call. Name them now.
Question 3: Who contacts customers? If client data is involved, PIPEDA requires notification when there's real risk of significant harm. Who at your business owns that notification? Do you have a draft template?
Question 4: Who calls the insurer? Cyber insurance policies almost always require prompt notification of a claim. Delays can void coverage. Put the claims number somewhere obvious.
Question 5: Who talks to the Privacy Commissioner if needed? The number is 1-800-282-1376. You may never need it. But not having to search for it in a crisis is worth more than it sounds.
Resilience isn’t the absence of adversity. It’s having the capability, the process, and mindset to work through it.
📌 QUICK BITES
The EU's AI law becomes enforceable in 23 days. August 2 is when the EU AI Act takes full effect, applying rules to organizations using AI to make decisions about people (hiring, lending, insurance, customer service) if those organizations serve European customers. For most Canadian small businesses, this won't apply directly. But if you sell to or serve customers in Europe, now is the time to check whether any of your AI tools make automated decisions about them. The compliance window has essentially closed.
Shadow AI is quietly adding CA$308,000 to the average Canadian breach cost. IBM's breach report found that unsanctioned AI tools, meaning software employees adopt on their own without IT approval, have become one of the top cost drivers in Canadian data incidents. The fix doesn't require a policy manual. At your next team meeting, simply ask: "What AI tools is everyone using for work?" That conversation, by itself, is a meaningful first step.
AI voice cloning is targeting Canadian businesses right now. The Canadian Anti-Fraud Centre is tracking record losses from AI-powered impersonation fraud, and the most concerning variant doesn't involve email. Attackers clone executives' voices using as little as 30 seconds of audio from a LinkedIn video or company website, then call employees with financial authority to request urgent wire transfers. The call sounds exactly like your CEO. The defence is simple: establish a verbal code word or callback protocol for any phone request involving money. Tell everyone on your team who handles payments that this rule exists.
💬 PARTING THOUGHT
I didn't expect a trip to the dump to become this week's newsletter lead. But lying on the couch, leg elevated, ice on my knee, I found myself thinking about the same thing I write about every week, and realizing I'd just lived a version of it.
The part that stays with me most isn't the injury itself. It's the six hours I spent convinced I could manage it on my own. Ice. Motrin. Wait. Hoping it would resolve without intervention.
That instinct, to manage, to wait, to see if it gets better, is completely human. And it shows up in cyber incidents constantly. The server goes offline and someone spends two hours trying to fix it before calling IT. The phishing email is reported and no one escalates it for a day. The anomaly shows up in the logs and gets filed away because no one's sure what it means.
The hospital didn't panic because they didn't have an immediate answer. They had a process. The process created calm. The calm created good decisions. And the good decisions led to the right outcome, even when the first assessment pointed toward surgery and the real answer turned out to be a bone bruise and crutches.
That's what I want for every business reading this. Not certainty. Not perfection. Not a guarantee that nothing will go wrong. Just a process: a clear, pre-decided set of steps that kicks in when it needs to, so that the first ten minutes of a bad situation feel like preparation instead of panic.
My knee is healing. It's going to take time. But the process is working.
See you next Friday and stay
TryberResilient