Human error is the biggest cyber threat facing Canadian SMEs, says expert

BOXX’s Jonathan Weekes says SMEs face rising cyber risk as human error, limited resources, and time pressures leave businesses increasingly vulnerable

By Branislav Urosevic

In Canada’s small and medium-sized businesses, cyber risk is increasingly shaped by two simple realities: too few people and too little time. That combination makes human error – not just malicious software – one of the most dangerous vulnerabilities SMEs face.

According to Jonathan Weekes, president, Canada at BOXX Insurance, the structural realities of how SMEs operate make them especially susceptible to human-driven cyber risk.

“SMEs are generally running a much leaner staff than what you'd see with much larger corporations,” he said. “They have a lot fewer people doing a lot more work,” which means employees simply don’t have the time to scrutinize every email, link, or request that lands in their inbox.

That time crunch is a gift to cybercriminals. Phishing messages, fraudulent invoices, and cleverly spoofed login prompts rely on people moving fast, trusting what they see, and clicking before they think. In many small businesses, Weekes noted, the pace of work leaves little room to “double, triple, quadruple check emails that are coming through, links that are being sent, [or] the authenticity of the sender itself.”

On top of that, SMEs are trying to manage growing cyber threats with far thinner security budgets than larger organizations. While big enterprises may allocate millions of dollars to information security, smaller firms are often forced to make difficult trade-offs. “SMEs are trying to get as many of the right resources in place as they can, with very small budgets,” Weekes said. That can mean limited access to dedicated IT staff, fewer layers of technical protection, and less frequent training for employees.

What can be done

Weekes said the good news is that SMEs don’t need enterprise-sized budgets to make meaningful improvements – especially on the people side.

“Even if you're operating with a leaner staff, you can still train that staff really, really well,” he said. Organizations that provide basic cybersecurity training already outperform peers that offer nothing at all. Those that go a step further – running phishing simulations to test how employees respond to suspicious emails or links – “do even better than those other counterparts,” he added.

Beyond training, he urged SMEs not to be shy about seeking outside help. Bringing in a managed service provider can give smaller firms access to technologies and expertise that would otherwise be out of reach. “Sometimes outsourcing is actually a much more cost-effective method to protect themselves than trying to manage it internally with a large security staff at a small company,” Weekes said.

Crucially, he argued, cyber risk shouldn’t sit off to the side as an IT issue. “My view is always that cyber risk is business risk,” he said. That means cybersecurity should be “built into the fabric” of how the organization operates, starting on day one. As part of onboarding, new hires should get clear training on cyber expectations and why it matters – not just in abstract terms, but in how it protects the company’s balance sheet.

From there, Weekes advocates for an ongoing, engaging approach rather than a dry annual module. Many firms use self‑guided online training that’s slightly gamified, giving employees scores they can track over time. Others add group sessions to reinforce that “regardless of where you sit in the organization, your job level, your job role, everyone is equally invested and equally impacted by cybersecurity events.”

“The cultural element is building it into the fabric of the organization,” he said. “Then there’s the individual element: keeping people up to date and equipped with the right information to protect themselves and the company.”

Why cyber insurance isn’t a ‘set it and forget it’ purchase

Many SME owners still see cyber insurance and cyber advice as two separate tracks: you hire a tech provider to assess your security, then you go somewhere else to “just buy” a policy. Weekes said that separation is breaking down – and that cyber insurance today is very different from traditional, “get it and forget it” coverages.

He traces it back to how the product has evolved. “Initially, we didn’t really ask many questions,” he said. Underwriters might check whether a client had antivirus and a privacy policy, “and then we’d throw millions of dollars of capacity out to clients.” The hard market changed that. Insurers now dig far deeper into how an organization governs cyber risk, what controls it has in place, and how well it aligns with privacy regulations in the jurisdictions where it operates.

As a result, the cyber application has become more than a formality. “We look at the cyber application as not just a questionnaire for insurance,” Weekes explained. “It’s a good way to assess your level of maturity,” effectively functioning as a structured checklist of strengths and weaknesses.

That shift has also driven much closer interaction between cyber insurers and the cybersecurity community. Insurers are increasingly helping to identify risk, recommend controls, and then deploy insurance capacity based on how strong the client is – with pricing tied closely to that risk posture. Many now bundle or broker value‑added services that look a lot like what security firms have long provided: training, risk assessments, virtual CISO support and curated vendor partners to help implement controls.

For Canadian SMEs, that means buying cyber insurance can no longer be treated as a one‑off transaction. Done properly, it’s part of an ongoing cycle of risk analysis, improvement, and transfer – and a practical way to access expertise they might not otherwise be able to afford.
