The conclusion first: almost every cyber attack against a Canadian SME falls into one of four patterns: ransomware, DDoS, database compromise, phishing. You don't need to learn how to defend against them, but you do need to recognise them when something goes wrong, and you need to know what to ask when choosing who handles your defences. The article walks through all four.
Who should read this?
This article is worth your five minutes if your business meets ANY of the following:
- You operate a business website (even if it's a brochure site with no online ordering)
- Your office computers or devices connect to the internet (which is basically every business)
- Anyone in your company uses email (same applies to basically every business)
If your business runs entirely offline (face-to-face transactions only, no computers, no email), you can skip this. In all honesty, that kind of pure-offline Vancouver business is increasingly rare in 2026.
Why this is worth five minutes of your time today
The Canadian Centre for Cyber Security's Ransomware Threat Outlook 2025-2027 reports the median ransom demand against a Canadian SME in 2025 was CAD $46,000; the total recovery cost — downtime, forensics, legal, and customer notification all included — averaged CAD $190,000. The report also notes that ransomware accounts for 41% of cyber incidents at Canadian SMEs, the single most common attack type.
The four attack types below are what 5U Website has seen Canadian SMEs hit by most often in 17 years of maintaining client sites. They're not the complete catalogue of every cyber attack that exists, but for an owner trying to make sense of what they're hearing, knowing these four is a reasonable starting point.
Four attack patterns: which one is most likely to hit your business
1. Ransomware: your files get locked with a lock you can't pick
This is the most common (and most expensive) attack against Canadian SMEs in 2025. The consequence is direct: your computer files, website files and database all get locked, and you can't pick that lock. Without a backup, your two options are to give up on the files entirely (customer list, order history, a decade of records, all gone) or pay the ransom for the key, assuming the criminals actually deliver on their promise to hand it over (many victims pay and either get nothing or get a key that only decrypts part of the data).
Typical targets: e-commerce, real-estate brokerages, medical clinics, accounting firms, or any SME with a customer database. For how to actually defend against this, see our companion article When ransomware hits your website server, will your backup survive?
2. DDoS: a thousand fake customers crowding your storefront
"Distributed denial of service" sounds abstract. Picture this instead: imagine a thousand fake customers crowding your shop entrance at the same time. They're not just blocking the door so real customers can't come in; they're also pretending to be real customers, asking your staff for service. Your staff is tied up serving people who don't actually buy, and any genuine customer with real purchase intent simply can't get attended to.
For a website: the server is overwhelmed by floods of fake requests. CPU, memory, and bandwidth peg at 100%. Real visitors see the page spinning for ages and leave. The damage isn't lost data; it's that your business is completely offline for the duration. An e-commerce site can lose thousands to tens of thousands of CAD per day; higher-ticket industries (real estate, legal, consulting) lose much more. Recent DDoS campaigns aren't single bursts; they last hours to days, with the goal of pressuring you into paying "protection money".
3. Database compromise: an "insider" appears inside your company
This attack happens when your database or back-end account gets breached, but it's more insidious than it looks from outside. Picture this: imagine one of your employees has been quietly controlled by an attacker, listening only to the attacker's instructions. From the outside, your company looks the same. Inside, there's an insider, and they can quietly hand over your customer records, order history, and credit-card data, or impersonate your company to defraud your customers (for instance, emailing your customers in your name with instructions to wire payment to a fraudulent account).
The damage goes beyond data loss. According to the Office of the Privacy Commissioner of Canada (OPC), Canada saw over 680 reported privacy breaches in 2025 alone, with the majority coming from organisations with fewer than 500 employees. Once customer data is leaked, PIPEDA requires you to notify every affected customer and the regulator. The reputational and compliance costs typically dwarf the technical losses.
4. Phishing and credential theft: tricked into handing over the password
This is the most common and the most ordinary-looking. The mechanism is plain: the attacker sends an email that looks convincingly like one from your bank, Microsoft, or Google, with a "your account needs verification, please log in immediately" link. The link goes to a counterfeit login page that's a near-perfect imitation. An employee types their password in, and the attacker now has the keys to your company account.
One mailbox is just the starting point. From there the attacker can send email impersonating the company, read every past message (including financial information), and trigger password resets to break into other systems. In 2025, over half of ransomware attacks on Canadian businesses started with a phishing email, not a technical exploit.
What deserves the owner's attention (and what doesn't)
What does not deserve owner-level attention: installing the firewall yourself, configuring email authentication rules, learning to write cron backup scripts. That's technical work and not the owner's job.
What does deserve owner-level attention (these can't be delegated):
- Your employees' security awareness. Most breaches start with someone clicking a normal-looking email. An annual "stop and think when you see this kind of email" briefing for the whole team prevents more incidents than any technical control.
- Whether your backup actually works. Don't ask "do we have a backup?"; ask your IT provider: "Can our backup actually restore? How long does it take? Have we ever drilled it?"
- The standard move when something feels off. Got a suspicious phone call from "the bank" / government / CRA? Hang up and call them back on the official number from their website. Got an email that "looks like Microsoft" but feels wrong? Screenshot it, send it to your IT vendor (us, for example) and let them verify before you do anything. Almost every loss happens in the "I'm not sure but I clicked anyway" second.
- The first hour when something goes wrong. If you suspect an attack, don't reboot, don't delete, don't pay anything. Get a professional IT vendor on the line immediately for isolation and forensics. The first few hours determine whether recovery is possible.
- What to ask when choosing a maintenance or hosting provider. Do they run off-site, deposit-only backups (copies can be added but not overwritten or deleted from the site being backed up)? Is email authentication (DKIM, SPF, DMARC) set up? Is there monitoring for unusual logins? What response-time commitment do they offer when something breaks? A vendor who can't answer is the answer.
What 5U Website does for managed clients
No single "magic firewall" defends against all four. The defence is layered. Most owners don't need to learn the tooling themselves, but they do need to confirm someone is running the whole setup. For our managed clients, we run as standard:
- Off-site, "deposit-only" backups for the ransomware case (full details in When ransomware hits your website server, will your backup survive?)
- Email authentication trio (DKIM, SPF, DMARC) making it hard for attackers to convincingly impersonate your domain
- A Web Application Firewall (WAF) plus abnormal-request rate-limiting (against DDoS and database probing)
- Login-anomaly monitoring (any administrator account logging in from an unexpected location or time triggers an alert)
- Monthly recovery drills: backups that can be written aren't backups that can be restored; only drilled ones count
- "Screenshot, then verify with us" routing for any suspicious email a client receives, so the employee doesn't have to judge alone
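To make the login-anomaly item concrete, here is an added example (not 5U Website's own tooling) that reads constructed login log lines and raises an alert for any administrator login from a country outside an allow-list or outside local business hours. The log format, the allowed country and the business-hours window are all assumptions for the demonstration.

```python
"""Login-anomaly check for administrator accounts (example code, not the
page's or 5U Website's tooling). Log format and all values are constructed."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines: "ISO-8601 timestamp with offset, user, role, country"
SAMPLE_LOG = """\
2026-03-02T09:15:00-08:00 alice admin CA
2026-03-02T21:40:00-08:00 alice admin CA
2026-03-03T10:05:00-08:00 bob editor RU
2026-03-03T11:20:00-08:00 carol admin RU
2026-03-03T03:30:00-08:00 dave admin US
"""

ALLOWED_COUNTRIES = {"CA"}     # assumption: staff and office are in Canada
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 in the site's local zone


@dataclass
class Alert:
    user: str
    reason: str
    line: str


def parse_line(line):
    """Split one log line into (aware datetime, user, role, country)."""
    ts, user, role, country = line.split()
    return datetime.fromisoformat(ts), user, role, country


def check_logins(log_text, allowed=ALLOWED_COUNTRIES, hours=BUSINESS_HOURS):
    """Return one Alert per rule an admin login violates; non-admins are ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, role, country = parse_line(line)
        if role != "admin":
            continue  # only privileged accounts are in scope for this rule
        if country not in allowed:
            alerts.append(Alert(user, f"unexpected country {country}", line))
        if when.hour not in hours:  # .hour is in the timestamp's own offset
            alerts.append(Alert(user, f"outside business hours ({when:%H:%M})", line))
    return alerts


if __name__ == "__main__":
    for a in check_logins(SAMPLE_LOG):
        print(f"ALERT {a.user}: {a.reason} <- {a.line}")
```

A real deployment would feed the same rule from the CMS or hosting control panel's authentication log and route alerts to whoever is on call, which is the "someone is running the whole setup" the owner is meant to confirm.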
For background on why AI is making these attacks more frequent and harder to spot, see AI and Cybersecurity: The Internet Is Getting More Dangerous.
Let us handle it
Walked through four attacks and you're still not sure whether your current website and email defences hold up? That's the right reaction. Judging that isn't an owner's job. Our website design, development and hosting service includes the layered defences above; hand the site and email over to us, and you get to focus on running the business.
If you'd rather start with a single "where am I weakest right now" diagnosis, send us an email; we typically get back to you within a business day or two. Up-front diagnostics are far cheaper than the average CAD $190,000 recovery cost when a ransomware incident actually hits.