The Cyber Security Quick Win That Businesses Still Overlook

The Canadian Centre for Cyber Security (CCCS) recently released the National Cyber Threat Assessment for 2025/2026. There are some new trends that we certainly need to take note of, which I will cover in future articles, but one trend in particular really stood out for me: the use of AI by threat actors to improve social engineering tactics. And now you’re asking, “Why would that surprise you? What else would the bad guys use AI for?” Yes, of course, that part is not what surprises me. What surprises me are the stats around the adoption of one of the easiest and most budget-friendly protections against social engineering.

Part of being a cybersecurity professional is keeping up with trends and trying to understand how we can keep organizations safe from cyber threats. When I read some of the recent stats on cybersecurity awareness training adoption, the disconnect is startling!

Canadian Companies Receive a “C” Grade for Cyber Safety Actions and Knowledge

The stats start out pretty good when you look at CIRA’s 2025 Cybersecurity Survey. The survey shows that 98% of organizations are conducting cybersecurity awareness training. Fantastic! The survey goes on to note that 67% of organizations that conduct cybersecurity awareness training do so at least quarterly. Wow! That’s really good! But things get a little more grim when you look at the Insurance Bureau of Canada’s Cyber Savvy Report Card. IBC gives Canadian companies a “C” grade for Cyber Safety Actions and Knowledge, with only 34% of small and medium-sized business employees receiving mandatory cybersecurity awareness training, which is the best defense against phishing and social engineering attacks from bad actors.

Less Than Half of Employees Have Cyber Security Training

To make matters worse, the Business Development Bank of Canada reports that only 42% of small businesses have implemented cybersecurity training for staff, which is in stark contrast to CIRA’s much more positive reporting. You might be thinking that doesn’t sound so bad, but small businesses are much better at implementing things like firewalls and anti-malware protection, yet they don’t invest in the one thing that will have the biggest impact on decreasing their odds of a successful ransomware attack.

With strong reporting within the cybersecurity industry about the benefit of a strong security awareness program, it’s surprising that this isn’t one of the first things that small businesses employ in their protection toolbox. Let’s take a look at the benefit to organizations relative to the cost.

Cyber Security Training for Employees Is A Must

According to KnowBe4, a strong security awareness program can reduce the occurrence of employees clicking on links in phishing emails (or on links delivered through other channels, such as SMS and instant messaging apps). The reduction is estimated at 86%. That’s a huge reduction!

How does that translate to a reduction in cybersecurity incidents? According to the SANS Institute, the reduction in incidents can be equally impressive. In the SANS ROI case study, they determined that a good cybersecurity awareness training program can reduce the occurrence of incidents by 65% to 70%. Considering the cost of responding to and recovering from a security incident, this means that for every dollar spent on security awareness training, organizations can see a return of $3 to $8. That’s an ROI of 300% to 800%! The 2024 version of IBM’s Cost of a Data Breach Report noted that employee training can reduce the cost of a data breach by hundreds of thousands of dollars (approximately $250,000).

 

The Easiest Cyber Win You Can Implement Today

I realize that cybersecurity awareness training might not be the most exciting topic within the cybersecurity realm, but it is one of the most important foundations your organization can invest in.

If you haven’t started on your security awareness training program yet, I strongly recommend that you call us here at AniSoft today and we can help you get started.