Skip to content

How Much Does a Penetration Test Cost in Canada?

You have decided your business needs a penetration test. Maybe a SOC 2 auditor asked for one, maybe a client’s security questionnaire demands it, or maybe you simply want to know whether your defences hold up. Then you request three quotes and they come back at $3,000, $14,000, and $55,000 for what looks like the same thing. The spread is not a mistake, and understanding it is the difference between buying real security assurance and buying a scan with a nice logo on the cover.

This guide breaks down what a penetration test actually costs in Canada, what drives the price up or down, and how to budget without overpaying or, worse, underpaying for a test that misses the flaws an attacker would find.

Most penetration tests for mid-market Canadian businesses land between $5,000 and $30,000 CAD, with the majority of scoped engagements we see for GTA companies falling in the $8,000 to $20,000 range. Price is driven mainly by scope (how many IP addresses, applications, and environments are in play) and methodology (how much of the work is manual expert testing versus an automated scan). A single external network test starts around $5,000; a full objective-based red team engagement can exceed $50,000.

Penetration testing is priced by scope and depth, not by a flat rate. Budget $8,000 to $20,000 CAD for a typical mid-market test covering your external network and key web applications. If a quote comes in dramatically lower, confirm you are buying a manual test and not an automated vulnerability scan relabelled as a pen test.

Penetration Test

A penetration test is a controlled, authorized simulation of a real cyberattack in which security professionals attempt to exploit vulnerabilities in your systems, networks, or applications the same way a malicious hacker would. Unlike an automated scan, which only flags known weaknesses, a penetration test confirms which flaws are genuinely exploitable and what an attacker could reach through them.

How much does a penetration test cost in Canada?

In Canada, penetration tests typically cost between $5,000 and $30,000 CAD, with most mid-market engagements falling in the $8,000 to $20,000 range. The exact figure depends on what you are testing and how deeply. A narrow external network test sits at the low end, while a broad web application test or a multi-environment engagement climbs toward the top. The table below reflects the typical ranges we scope for mid-market clients across Toronto and the GTA.

Test typeTypical CAD rangeTimeline
External network penetration test$5,000 to $12,0001 to 2 weeks
Internal network penetration test$6,000 to $15,0001 to 2 weeks
Web application penetration test$7,000 to $20,000+1 to 3 weeks
Cloud (Azure, M365, AWS) review and test$8,000 to $18,0001 to 2 weeks
Social engineering / phishing simulation$3,000 to $8,0001 to 2 weeks
Full red team engagement$25,000 to $60,000+4 to 8 weeks

These ranges assume manual testing by certified professionals, not an automated scan. A one-off scan of a small environment can be had for under $2,000, but it is a different product. For a fuller breakdown of the test types themselves, see our guide on what penetration testing is and the types available.

What affects the price of a penetration test?

The single biggest cost driver is scope: the number of live IP addresses, applications, user roles, and environments in play. When we scope a test for a GTA client, the quote moves on the count of targets far more than on the vendor’s day rate. A 5-page brochure site and a 40-screen customer portal with three user tiers are both “a web app,” but the second takes five times the effort to test properly.

Beyond raw scope, these factors push the number up or down:

  • Methodology and manual depth. Automated scanning is cheap. Skilled humans chaining vulnerabilities together, the way a real attacker does, is where the cost and the value sit.
  • Tester seniority and certifications. OSCP, GPEN, and CREST-certified testers command higher rates because they find what junior testers and tools miss.
  • Retesting. A reputable firm retests after you fix findings to confirm the holes are closed. Some vendors bundle one retest; others charge extra.
  • Reporting depth. A prioritized report with business context and remediation guidance costs more to produce than a raw tool export, and it is worth it when you have to hand it to an auditor or a board.
  • Compliance requirements. Tests scoped to satisfy SOC 2, PCI DSS, or PIPEDA expectations follow stricter methodologies and documentation standards.
Warning:

We regularly see mid-market firms buy a $2,000 “penetration test” that turns out to be an automated vulnerability scan with a consultancy logo on the PDF. The tell is the timeline: a genuine manual test of a real environment does not finish in 48 hours. If the engagement has no scoping call, no named tester, and no retest, you are buying a scan, not a test.

What do you actually get at each price tier?

Price tier maps directly to how much human expertise is involved and how usable the output is. A budget engagement is largely tool-driven and rarely satisfies an auditor. A mid-market engagement blends manual testing with automation and produces a report you can act on and defend. A premium engagement simulates a determined adversary against specific objectives. The table shows what separates them.

What you getBudget ($2K to $5K)Mid-market ($8K to $20K)Premium ($25K+)
MethodologyMostly automated scanManual + automated (OWASP, PTES)Objective-based red team
Named certified testerRarelyYesYes, senior team
Retest after fixesRarelyUsually one includedYes
Report qualityRaw tool outputPrioritized, business contextExecutive + technical + attack narrative
Compliance-readyNoSOC 2, PIPEDA, PCIYes, advanced

Ask every vendor a single question before comparing prices: “How many hours of manual testing are in this quote, and who is doing them?” A firm quoting real expert hours will answer directly. A firm selling a scan will get vague. That one question tells you more than the dollar figure.

Penetration test vs vulnerability scan: why the price gap?

A vulnerability scan and a penetration test are different products at different prices because they answer different questions. A scan is an automated tool that lists known weaknesses, often hundreds of them, with no confirmation of which are actually exploitable. It costs a few hundred dollars and takes hours. A penetration test uses those findings as a starting point and has a human confirm what an attacker could truly reach, chaining flaws together to reach real business impact. That expert time is why a test costs 10 to 40 times more than a scan.

Both have a place. Run vulnerability scans continuously to catch new issues cheaply, and commission a penetration test periodically to validate your actual exposure. The mistake is paying scan prices and expecting test-grade assurance, or paying test prices for what turns out to be a scan.

Do you need a penetration test for SOC 2 or PIPEDA compliance?

For most Canadian mid-market businesses, yes, at least in practice. PCI DSS explicitly requires annual penetration testing for organizations that handle cardholder data. SOC 2 does not name penetration testing in the criteria, but auditors routinely expect one as evidence that you actively test your controls, and a missing test is a common finding. Under PIPEDA and Quebec’s Law 25, businesses must protect personal information with safeguards appropriate to its sensitivity, and regular testing is how you demonstrate that duty of care.

Here is the practical part that saves money: nine times out of ten, the SOC 2 auditor wants an external network test plus a web application test, not the full red team engagement a vendor may try to upsell. Scoping the test to the compliance requirement, rather than to the biggest possible engagement, is one of the easiest ways to control cost without failing the audit. If compliance is your driver, our compliance readiness team scopes the test to exactly what your framework requires.

$6.32M CAD

Average total cost of a data breach in Canada in 2024, according to IBM’s Cost of a Data Breach Report. A single mid-market penetration test costs a fraction of one percent of that.

How should you budget for penetration testing?

Budget from your risk and your obligations, not from a competitor’s invoice. Start by defining what a breach of each system would actually cost you, then scope the test to protect what matters most. Use this framework to arrive at a defensible number.

Define the driver: Compliance requirement, client demand, or genuine risk reduction. This sets the minimum viable scope.

Inventory your attack surface: Count external IPs, public web apps, and cloud tenants. This is the number that moves the quote.

Prioritize crown jewels: Test the systems holding customer data or running revenue first. You do not have to test everything in year one.

Confirm manual hours and retest: Insist the quote states manual testing hours and includes at least one retest after remediation.

Plan for annual cadence: Budget for a test at least once a year and after any major change, such as a new application launch or a cloud migration.

For most GTA mid-market companies, a realistic first-year budget of $10,000 to $18,000 CAD covers a properly scoped external and web application test with remediation retesting. Choosing the right partner matters as much as the budget, and our guide on how to choose a penetration testing company in Toronto walks through what to vet.

A penetration test is not a commodity, and the cheapest quote is usually the most expensive mistake. Budget $8,000 to $20,000 CAD for a proper mid-market test, scope it to your real risk and compliance needs, and confirm you are paying for expert manual testing with a retest, not an automated scan in disguise.

At BALANCED+, we have scoped and delivered penetration tests for mid-market businesses across Toronto and the GTA since building our security practice, and we price every engagement to the client’s actual attack surface and compliance requirements, not a one-size template. As a SOC 2 and ISO 27001 certified MSSP with a 24/7 security operations centre, we scope the test you need and help you fix what it finds. Explore our penetration testing services or get a scoped quote for your environment.

Sources

FortiBleed: Fortinet Credential Leak, What To Do Now

If your business runs a FortiGate firewall or Fortinet SSL VPN, this week’s headlines deserve a measured response, not panic. A credential-harvesting campaign that researchers have nicknamed “FortiBleed” is circulating working login credentials for tens of thousands of internet-facing Fortinet devices worldwide. Here is the part the alarming name obscures: there is no new zero-day. The credentials were largely stolen in earlier Fortinet compromises and are now being fired back at organizations that never rotated them.

This post breaks down what FortiBleed actually is, what Fortinet has said about it, why it still poses real risk despite being “old” data, and the specific steps Canadian mid-market teams should take to close the exposure.

FortiBleed is not a new vulnerability or a fresh breach of Fortinet’s products. It is a large collection of credentials harvested in earlier incidents, now being reused against organizations that never rotated them. Fortinet has stated the activity is not related to any recent incident or advisory. The risk is real but the fix is hygiene: if you run internet-facing Fortinet devices and have not rotated credentials in years, assume exposure, rotate every credential, enforce MFA, and pull the management interface off the public internet.

What is FortiBleed?

FortiBleed

FortiBleed is the informal name given in June 2026 to a large dataset of administrator and SSL VPN credentials for internet-facing Fortinet devices, primarily FortiGate firewalls. Despite the dramatic name, it is not a vulnerability or a new product flaw. The credentials were largely gathered from device configuration files and weak password hashes exposed in earlier Fortinet compromises, and are now being reused and brute-forced against live devices across 194 countries.

The campaign came to light after security researcher Volodymyr “Bob” Diachenko found an attacker-controlled server left publicly accessible, exposing the operation’s stolen credentials, victim lists, and tooling. Threat intelligence firm SOCRadar independently analyzed the same infrastructure and rated the campaign critical. The scale is what makes it notable: depending on the dataset analyzed, researchers count between roughly 74,000 and 87,000 affected devices and tens of thousands of verified working credentials across more than 22,000 domains.

194 countries

Scope of the FortiBleed campaign, spanning 22,405 unique domains across telecom, government, healthcare, and finance (SOCRadar, 2026)

What has Fortinet said about FortiBleed?

Fortinet has stated it is aware of the credential-harvesting activity targeting FortiGate firewalls and VPN devices, but that the activity is based on data from previous incidents and is not related to any recent incident or advisory. In other words, attackers are reusing previously exposed credentials and applying brute-force techniques against devices, rather than exploiting a new flaw in current Fortinet products.

This matches what security researchers concluded after examining the dataset: there is no associated CVE or patch for “FortiBleed” itself because there is no new vulnerability. Much of the credential and configuration data traces back to older Fortinet compromises, including devices exploited through CVE-2022-40684, an authentication-bypass flaw from 2022. The data was collected years ago and is now being recirculated and tested at scale.

Important:

The takeaway is not “ignore it.” It is “this is a hygiene problem, not a patch problem.” Organizations most at risk are those that never rotated administrator or VPN credentials after the 2022-era Fortinet compromises. If that describes your environment, those old passwords may still work, and that is exactly what attackers are counting on.

Why is patching alone not enough?

Because the exposed credentials remain valid regardless of firmware version. Security researcher Kevin Beaumont noted that many of the affected devices were on fairly recent patches, and that the data appears to have come from exports of device configurations. A fully patched device still grants access to anyone holding a credential that was never rotated.

How older credentials were stored compounds the problem. Many devices still hold passwords hashed with salted SHA-256, which is feasible to crack offline with modern GPU hardware. Fortinet moved to the stronger PBKDF2 algorithm with randomized salt in early 2025, but devices upgraded without an administrator logging back in often keep the older, weaker hashes in place. In short: a device can be patched to the latest firmware and still be carrying crackable, never-rotated credentials.

Warning:

A current FortiOS version does not mean you are safe. If your administrators have not logged in to re-hash credentials after upgrading, your device may still store passwords using the older, crackable SHA-256 format that FortiBleed operators are exploiting.

How does the FortiBleed campaign work?

FortiBleed is built on industrialized automation rather than manual hacking. According to SOCRadar’s analysis of the exposed attacker server, the operation runs as a self-perpetuating cycle: scan, validate, harvest, repeat. The mechanics break down into three reinforcing techniques.

Credential stuffing and password spraying: Attackers test large volumes of credentials gathered from infostealer logs, dark-web archives, and prior breaches against FortiGate web panels and SSL VPN portals, recording every successful login.

Passive listening posts: Once a device is compromised, attackers use it to quietly capture additional credentials flowing through the network, feeding fresh logins back into their automated scanner.

Hash interception and offline cracking: Where password reuse fails, attackers intercept SSL VPN authentication hashes and crack them offline on a GPU cluster, recovering plaintext passwords that work on internal systems too.

The end goal is straightforward and dangerous: valid credentials let an attacker log in as a legitimate user, reach the firewall and the network behind it, change security controls, and create backdoor accounts. Researchers traced the cracked passwords being used to pivot into internal Active Directory environments, which turns a perimeter exposure into a full network compromise.

Who is affected, and does it reach Canadian businesses?

Yes. With devices in 194 countries and over 20 percent of entries tied to enterprises with $1B+ in revenue, the dataset is global and includes Canadian organizations. Named victims reported in coverage include major brands such as Samsung, Siemens, Foxconn, Oracle, Accenture, and DHL, alongside government agencies in critical-infrastructure sectors.

Telecom was the single most-targeted sector, followed by government, with healthcare and finance also heavily represented. For Canadian mid-market firms, the compliance stakes are real: a credential-driven breach can trigger mandatory breach reporting under PIPEDA, and regulated organizations in finance or healthcare face additional obligations under OSFI guidance and PHIPA. The Canadian Centre for Cyber Security has repeatedly flagged edge devices like VPN gateways as a priority target, and FortiBleed is a textbook example.

~80,000+

Working Fortinet credentials verified by attackers in the FortiBleed dataset, spanning admin and SSL VPN accounts (SOCRadar, 2026)

What should you do right now?

If your organization runs internet-facing Fortinet appliances and has not rotated credentials in the last few years, treat your existing credentials as potentially exposed until proven otherwise. The actions below are the same whether or not your specific device is in any dataset, because they close the reuse window that FortiBleed depends on. From a security operations standpoint, the response order matters: contain access first, then verify exposure, then harden.

Rotate every credential: Force a complete reset of all passwords tied to Fortinet VPN access and local administrative accounts. Assume current passwords are already in the attackers’ dataset.

Enforce MFA everywhere: Require multi-factor authentication on every administrator and remote-access session. Stolen passwords alone should never be enough to log in.

Pull the management interface off the internet: Restrict the FortiGate admin interface so it is not directly exposed to the public internet. Limit SSL VPN access to known sources where possible.

Upgrade FortiOS and re-hash credentials: Update to a supported FortiOS release (Fortinet guidance points to 7.2.11+, 7.4.8+, and 7.6.1+), then have every admin log in after the upgrade so passwords are re-stored using the stronger PBKDF2 algorithm.

Hunt for compromise: Review VPN and admin login histories for unfamiliar sources, check for unauthorized admin accounts or config changes, and watch for lateral movement into Active Directory. Engage incident response if anything looks off.

Do not just reset passwords and move on. Because compromised devices were used as passive listening posts, any credential that traversed that network, not only the firewall login, should be considered exposed. Rotate downstream service and domain accounts too, and monitor for replays over the following weeks.

Patching vs. credential hardening: where to focus

FortiBleed is a reminder that perimeter security is about identity as much as firmware. The table below maps the common assumption against the reality of this campaign, so you can prioritize the actions that actually reduce risk.

ActionStops a software exploit?Stops FortiBleed?
Apply latest FortiOS patchYesPartially (firmware alone leaves old hashes)
Rotate all VPN and admin credentialsNoYes, removes the stolen credentials
Enforce MFA on all accessNoYes, blocks reuse of stolen passwords
Remove admin interface from public internetPartiallyYes, shrinks the attack surface
Re-hash passwords to PBKDF2 after upgradeNoYes, defeats offline cracking
Good to know:

Track developing indicators of compromise and the latest outbreak guidance directly from Fortinet’s FortiGuard Labs outbreak alerts. Pair vendor advisories with active monitoring rather than relying on either alone.

The lesson of FortiBleed is that a patched device is not automatically a secure device. Credentials, MFA, exposed management interfaces, and password-hash hygiene are what separate the breached organizations from the protected ones. If you cannot quickly confirm all four are handled across your Fortinet estate, you have exposure to close.

If you are not certain whether your Fortinet devices store crackable hashes, expose their management interface, or enforce MFA on every session, that uncertainty is the gap attackers are counting on. As a managed security partner to Canadian mid-market firms, our team handles exactly this kind of rapid exposure review: credential rotation, MFA rollout, and locking down edge devices. Start with our managed Fortinet firewall services, harden access with a zero-trust MFA rollout, or get continuous detection through our MDR and XDR service. If you suspect you are already affected, our incident response and forensics team can help you scope and contain it.

Frequently asked questions

Is FortiBleed caused by a Fortinet vulnerability?

No. Fortinet has stated the activity is not related to any recent incident or advisory, and there is no CVE or patch for “FortiBleed” because it is not a new flaw. It is a collection of credentials harvested in earlier compromises, some tracing back to CVE-2022-40684 in 2022, now being reused and brute-forced against live devices. That is why patching alone does not resolve it: you have to rotate the old credentials and re-hash passwords with PBKDF2.

How do I know if my Fortinet device is affected?

Assume potential exposure if any FortiGate or Fortinet SSL VPN interface is reachable from the internet. Review VPN and admin login histories for unfamiliar source addresses, check for unauthorized admin accounts or configuration changes, and watch for unusual Active Directory activity. Threat-intel lookup tools released alongside the campaign can also indicate whether your domain appears in the dataset.

Does enabling MFA fix the problem?

MFA is essential but not sufficient on its own. It blocks attackers from reusing stolen passwords, which is critical, but you still need to rotate the exposed credentials, remove the management interface from public internet access, and re-hash stored passwords to PBKDF2. MFA is one layer of a four-part response, not a single fix.

What are the compliance implications for Canadian companies?

A credential-driven breach can trigger mandatory breach-of-security-safeguards reporting to the Office of the Privacy Commissioner under PIPEDA, with notification to affected individuals where there is a real risk of significant harm. Regulated organizations in finance or healthcare may have further obligations under OSFI guidance or provincial health-privacy laws such as PHIPA. Document your response and timeline carefully.

Sources

Email Security for Small Business: What Your MSP Should Be Doing

Most small businesses assume their email is secure because it’s hosted on Microsoft 365 or Google Workspace. That assumption gets expensive fast. Default filtering blocks obvious spam, but it doesn’t stop the targeted phishing campaigns, business email compromise attempts, and vendor impersonation attacks that make up the majority of successful breaches today.

This post covers what effective email security for a small business actually includes, where Microsoft 365’s built-in tools stop and where you need additional layers, and what a competent managed IT provider should be handling on your behalf.

Default email filtering is not enough. Small businesses need layered protection: authentication records (SPF, DKIM, DMARC), advanced phishing protection, BEC detection, email encryption, and ongoing monitoring. If your MSP isn’t actively managing these, your email environment is likely exposed.

Email security is the set of technologies, processes, and policies used to protect an organization’s email infrastructure from threats including phishing, malware delivery, business email compromise, spam, and unauthorized access. For small businesses, email security covers both inbound threat filtering and outbound controls: authentication records, encryption, data loss prevention, and user-facing protection against social engineering attacks.

Why Email Is Still the Top Attack Vector for Small Businesses

Email isn’t a legacy problem that newer tools have solved. It remains the primary delivery mechanism for the majority of cyberattacks because it works. According to the Verizon 2024 Data Breach Investigations Report, over two-thirds of breaches involve the human element: phishing, stolen credentials, and social engineering. Email is the most common vehicle for all three.

Small businesses are disproportionately targeted for a specific reason: they often have weaker controls than enterprises but handle valuable data (customer records, financial transactions, legal documents, health information) that attackers can monetize or ransom. A law firm with 20 employees is a much softer target than a bank, but it holds equally sensitive material.

What’s Built Into Microsoft 365 vs. What You Actually Need

Microsoft 365 includes Exchange Online Protection (EOP) on every plan: spam filtering, basic malware scanning, and some phishing detection. On Business Premium and above, you also get Microsoft Defender for Office 365 Plan 1, which adds safe links, safe attachments, and anti-impersonation protection. That’s a meaningful baseline, but it has well-documented gaps that attackers actively exploit.

Capability M365 EOP (all plans) Defender for O365 P1 (Business Premium) What you still need
Spam and bulk filtering Yes Yes Tuning and custom rules
Basic malware blocking Yes Yes Sandbox detonation for zero-day payloads
Anti-phishing (generic) Basic Enhanced AI-based behavioral detection
Safe Links (URL rewrite) No Yes Time-of-click re-evaluation
Safe Attachments (sandbox) No Yes Extended detonation window
Anti-impersonation (BEC) No Yes Vendor and third-party impersonation detection
SPF / DKIM / DMARC enforcement Partial Partial Full DMARC enforcement with reporting
Email encryption (S/MIME, OME) No No Requires separate configuration
Outbound DLP No No Microsoft Purview or third-party DLP
Security awareness training No Attack Simulator (basic) Dedicated phishing simulation platform

The practical gap is the bottom half of that table. Most small businesses on M365 Business Basic or Standard are running EOP only, roughly equivalent to a locked front door with no alarm system.

The Core Email Security Controls Every Small Business Needs

These aren’t optional extras. They’re the baseline. If any of them are missing from your environment, you have an exploitable gap.

SPF, DKIM, and DMARC records: These DNS-based authentication standards verify that emails claiming to come from your domain actually originate from your servers. Without them, attackers can spoof your domain and send fraudulent emails that look like they came from you, a common tactic in vendor fraud and invoice scams. DMARC enforcement (policy set to “reject”) is the end goal; SPF and DKIM are prerequisites. Many Canadian small businesses have SPF configured but have never moved DMARC beyond “p=none,” which monitors but doesn’t block anything.

Advanced phishing and impersonation detection: Generic anti-phishing rules look for known malicious indicators. Modern attacks use newly registered domains, lookalike URLs, and hijacked legitimate accounts, none of which trigger rule-based filters. AI-based detection that analyzes sender behavior, email patterns, and content anomalies catches what rules miss.

Safe attachments with sandboxing: Attachments are detonated in an isolated environment before delivery. Standard antivirus scans signatures; sandboxing catches zero-day payloads that haven’t been seen before. This is especially important for businesses that regularly receive documents from external parties: accounting firms, law offices, healthcare providers.

Email encryption for sensitive communications: Not every email needs encrypting, but if your business handles personal health information under PHIPA, legal communications, or financial data, you need a mechanism to encrypt specific messages and attachments in transit and at rest. Microsoft 365 Message Encryption (OME) and S/MIME both work, and neither is configured out of the box.

Phishing simulation and user training: Technical controls catch a lot, but not everything. The most effective defence against the emails that get through is a trained user who recognizes the warning signs. Quarterly phishing simulations with targeted training for users who click are standard practice at any well-run MSP. Platforms like KnowBe4, Proofpoint Security Awareness Training, and Microsoft Attack Simulator all handle this at different price points.

Business Email Compromise: The Threat Most Filters Miss

Business email compromise (BEC) is the most financially damaging email threat facing small and mid-market businesses, and it’s the one that standard filters are worst at catching. BEC attacks don’t deliver malware. They use social engineering: impersonating a CEO, CFO, or vendor to request a wire transfer, change a payroll account, or redirect an invoice payment.

According to the FBI Internet Crime Complaint Center (IC3) 2023 Annual Report, BEC resulted in over $2.9 billion USD in reported losses in the United States alone. Canadian businesses face the same threat and report incidents to the Canadian Anti-Fraud Centre (CAFC), which has tracked consistent increases in business fraud losses year over year.

BEC attacks often come from legitimate, compromised email accounts rather than spoofed domains, which means SPF, DKIM, and DMARC alone won’t stop them. Detection requires behavioral analysis: flagging unusual sending patterns, login anomalies, and out-of-character requests. This is why BEC detection needs to be explicitly configured, not assumed.

For a deeper look at how BEC works and how to recognize the warning signs, see our post on What Is Business Email Compromise (BEC).

What Your MSP Should Be Managing for Email Security

If you’re paying a managed IT provider for Microsoft 365 management, email security should be a defined deliverable, not something you have to ask about. Here’s what active management looks like in practice:

  • DMARC policy progression: Starting at “p=none” for monitoring, moving to “p=quarantine,” and eventually enforcing “p=reject” as false positives are ruled out. This takes weeks of monitoring, not a one-time configuration.
  • Defender for Office 365 policy tuning: Default policies are intentionally permissive. A managed provider tightens safe attachment policies, configures anti-impersonation protection for key executives and vendors, and adjusts link-rewriting settings based on your user workflow.
  • Alert monitoring and response: Email security tools generate alerts when suspicious patterns are detected. Someone needs to triage those alerts, investigate potentially compromised accounts, and take action. An unmonitored alert is the same as no alert.
  • Phishing simulation cadence: Running simulations quarterly, tracking click rates by department, and assigning targeted training to high-risk users.
  • Incident response for compromised accounts: When an account is compromised (and eventually one will be), your MSP should have a defined playbook: revoke sessions, reset credentials, audit mailbox rules for forwarding, check sent items for exfiltration, and notify affected parties under PIPEDA’s breach reporting requirements if personal data was exposed.

Ask your current provider to show you your DMARC policy and the last 90 days of aggregate DMARC reports. If they can’t produce them in under five minutes, email authentication isn’t being actively managed. Free tools like MXToolbox’s DMARC lookup show your current record in seconds, and you can check it yourself right now.

Email Security and PIPEDA: What Canadian Businesses Need to Know

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), businesses are required to report breaches that pose a real risk of significant harm to affected individuals and to notify the Office of the Privacy Commissioner of Canada. Email is one of the most common breach vectors: a compromised inbox containing client records, health information, or financial data triggers reporting obligations.

For Ontario healthcare organizations, PHIPA adds additional requirements: health information custodians must implement administrative, technical, and physical safeguards appropriate to the sensitivity of the data. Weak email controls are a direct compliance gap. The Information and Privacy Commissioner of Ontario has issued formal findings against healthcare organizations for exactly this kind of oversight, as the province’s first-ever PHIPA fines demonstrated earlier this year.

PIPEDA breach reporting is not optional. If a phishing attack compromises an employee account containing personal information about clients or employees, you are required to assess whether the breach meets the reporting threshold and document your findings. Email encryption and access controls reduce both the likelihood of a breach and the scope of what gets exposed if one occurs.

How to Assess Your Current Email Security Posture

You don’t need a full security audit to get a baseline read on where you stand. These five checks surface the most common gaps:

  • Check your DMARC record: Use MXToolbox’s DMARC lookup to verify your record exists and what policy is set. If it’s “p=none” or missing, your domain can be spoofed.
  • Verify your M365 plan: Business Basic and Standard do not include Defender for Office 365. Business Premium does. If you’re not on Business Premium, you’re missing safe links, safe attachments, and anti-impersonation protection.
  • Look for suspicious inbox rules: Compromised accounts frequently have forwarding rules set to external addresses or rules that auto-delete specific emails (like security alerts). Review inbox rules for all administrator accounts.
  • Test your users: Send a simulated phishing email through Microsoft Attack Simulator or KnowBe4’s free trial. The click rate among staff who have never been trained is typically higher than leadership expects.
  • Confirm MFA is enforced on all mailboxes: Multi-factor authentication doesn’t prevent phishing, but it prevents credential theft from resulting in account access. If any mailbox accepts password-only login, it’s one leaked credential away from compromise.

Email security for small business isn’t a product you buy once. It’s a set of ongoing controls: authentication records maintained and enforced, advanced filtering tuned to your environment, users trained and tested, and someone monitoring alerts and responding when something gets through. If your MSP isn’t doing all of this actively, there are gaps in your coverage.

At Balanced+, email security is part of every managed cybersecurity and managed IT engagement we run: Defender for Office 365 configuration and tuning, DMARC implementation and monitoring, phishing simulations, and a defined incident response process for compromised accounts. If you’re not sure where your current email setup stands, reach out for a no-obligation assessment and we’ll tell you exactly what we find.

Frequently Asked Questions

What does email security for small business include?

Effective email security for small business includes spam and malware filtering, anti-phishing protection, email authentication records (SPF, DKIM, DMARC), safe attachment sandboxing, email encryption for sensitive communications, and phishing simulation training for staff. Most small businesses on standard Microsoft 365 plans have only basic filtering in place and are missing several of these layers.

Is Microsoft 365 email secure enough for small businesses?

Microsoft 365’s built-in protection (Exchange Online Protection) is a reasonable baseline for spam and known malware, but it has significant gaps for targeted phishing, business email compromise, and zero-day attachment threats. Microsoft 365 Business Premium adds Defender for Office 365, which closes most of those gaps. Businesses on Basic or Standard plans are running minimal protection and should consider upgrading or adding a third-party email security layer.

What is DMARC and does my small business need it?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a DNS record that tells receiving mail servers what to do with emails that fail authentication checks: monitor, quarantine, or reject them. Without DMARC enforcement, attackers can send emails that appear to come from your domain, enabling vendor fraud and impersonation attacks. Every business that uses email should have SPF, DKIM, and DMARC configured, with DMARC ultimately set to “reject.”

How much does email security cost for a small business in Canada?

Microsoft 365 Business Premium, which includes Defender for Office 365, runs approximately CAD $28 to $32 per user per month. Dedicated phishing simulation platforms like KnowBe4 add roughly $15 to $25 per user per year at small-business pricing. A managed provider handling configuration, monitoring, and incident response typically bundles email security into a broader managed IT or cybersecurity contract, which is often more cost-effective than licensing tools independently.

Sources

What Is Business Email Compromise (BEC)?

Every year, businesses lose more money to business email compromise than to ransomware, data breaches, and most other forms of cybercrime combined. And unlike ransomware, you often don’t know it happened until the funds are already gone and the attacker has disappeared.

This post breaks down what BEC is, how attacks unfold step by step, and what controls actually stop them before money moves.

Business email compromise attacks impersonate trusted contacts (executives, vendors, lawyers) to trick employees into transferring funds or handing over sensitive data. They’re cheap to execute, hard to detect with standard tools, and devastatingly effective. The good news: the right combination of controls stops the vast majority of them.

What Is Business Email Compromise?

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a type of cyberattack in which criminals impersonate a trusted individual or organization via email to deceive employees into transferring funds, sharing sensitive data, or taking other harmful actions. Unlike mass phishing campaigns, BEC attacks are targeted, personalized, and often bypass technical defenses entirely because they contain no malicious links or attachments.

The FBI tracks BEC separately from other cybercrime precisely because of its outsized financial impact. According to the FBI Internet Crime Complaint Center (IC3) 2023 Annual Report, BEC and its variant email account compromise (EAC) generated over $2.9 billion in reported losses in the United States alone in 2023, making it the highest-loss cybercrime category tracked by the FBI for the third consecutive year.

$2.9B+

Reported BEC and EAC losses in the US in 2023, per the FBI IC3 2023 Annual Report : the highest of any cybercrime category.

How Does a BEC Attack Work?

BEC attacks follow a recognizable pattern even when the specifics vary. The attacker doesn’t need malware or a zero-day exploit. They need a convincing email, a sense of urgency, and a target who hasn’t been trained to pause and verify.

Reconnaissance: The attacker researches the target organization using LinkedIn, company websites, press releases, and social media. They map out executive names, reporting structures, vendor relationships, and pending transactions. This phase can take days or weeks.

Account compromise or spoofing: The attacker either gains access to a real email account (via a prior phishing attack or credential stuffing) or spoofs one by registering a look-alike domain (e.g., “balanced-plus.ca” instead of “balancedplus.ca”) or using a display name trick where the visible name is correct but the sending address is not.

The request: A well-timed, urgent message instructs a finance employee to wire funds, update vendor banking details, or share payroll records. The request often arrives Friday afternoon, when oversight is thin and time pressure is real. It frequently includes a reason to bypass normal approval: “don’t loop in IT, this is a confidential acquisition.”

Funds move: The employee acts. Money reaches an attacker-controlled account and is typically laundered within hours through layered transfers, making recovery extremely difficult even when the fraud is caught quickly.

Warning:

BEC attacks don’t require malware, exploits, or technical sophistication. They exploit trust, authority, and urgency. Technical defenses alone will not stop them.

The Five Types of BEC Attacks

The FBI IC3 categorizes BEC into five primary scenarios. Knowing which type is targeting your organization shapes how you respond and train.

  • CEO fraud: An executive’s email is spoofed or compromised. Finance or accounting receives an urgent wire transfer request, often referencing a real deal or deadline.
  • Vendor/invoice impersonation: Attackers pose as a known supplier and request a banking detail change on a pending invoice. The next legitimate payment lands in the attacker’s account.
  • Account compromise: A legitimate employee’s email account is hacked and used to request fraudulent payments from customers or partners who trust the sender.
  • Attorney impersonation: Criminals pose as a law firm handling a sensitive, time-critical transaction and pressure the target to act quickly and confidentially.
  • Data theft (W-2 and payroll fraud): HR or finance is tricked into sending employee payroll data, W-2 equivalents, or PII that enables follow-on identity fraud or tax fraud.
Good to know:

In our work with GTA mid-market firms, the most effective BEC attempts we’ve seen reference real details: a specific vendor name, an upcoming renewal, or an executive who is publicly traveling. Attackers do their homework before sending a single email.

BEC vs. Phishing: What’s the Difference?

BEC is often grouped with phishing, but they are meaningfully different attacks that require different defenses. Phishing is a scattershot campaign; BEC is a targeted strike built around research and impersonation.

FactorPhishingBusiness Email Compromise
ScaleMass-distributed to thousandsTargeted at one person or department
TechniqueMalicious links or attachmentsSocial engineering and impersonation
GoalCredential theft, malware deliveryWire fraud, data theft
Detection by filtersOften caught by email security toolsFrequently bypasses filters (no malicious payload)
Research requiredMinimalDays to weeks of target research
Primary defenseEmail filtering, URL scanningVerification policies, training, MFA

Why Are BEC Attacks So Hard to Stop?

Three factors make BEC attacks unusually dangerous compared to other email threats.

They bypass technical defenses. A well-crafted BEC email contains no malicious links, no attachments, and no executable code. It can pass SPF, DKIM, and DMARC checks if the attacker has registered a convincing look-alike domain. Standard email security tools have nothing to flag.

They exploit human psychology. Urgency, authority, and secrecy are baked into every BEC script. “I need this done before the wire cutoff at 3 PM.” “Don’t loop in accounting on this, it’s a confidential matter.” These triggers short-circuit the verification habits that people apply under normal circumstances.

They’re cheap to run. Researching a target on LinkedIn costs nothing. Registering a look-alike domain costs under $20. The attacker’s return on investment is extraordinary relative to the effort required, which is why BEC volume has grown steadily even as other cybercrime tactics have faced increasing technical barriers.

Warning Signs of a BEC Attempt

Warning:

Watch for these red flags in any financial or data request received by email: the sender’s domain differs slightly from the real one; the request bypasses normal approval steps; there’s urgency paired with a request for secrecy; vendor banking details have “changed” ahead of a payment; or the request comes from an executive who is traveling or otherwise hard to reach.

Domain spoofing is subtle. Attackers register variations that look correct at a glance: adding a hyphen, swapping a letter (rn for m), or using a country-code TLD like .ca instead of .com. Training employees to check the actual sending address, not just the display name, catches a large percentage of attempts before any action is taken.

How to Protect Your Business From BEC

No single control stops BEC. The organizations that avoid significant losses combine technical safeguards with process controls and ongoing training, so that multiple layers must fail simultaneously for an attack to succeed.

Enable MFA on all email accounts: Compromised credentials are far less useful to an attacker when multi-factor authentication blocks access. Microsoft 365 and Google Workspace both support MFA natively. This is the single highest-impact control for preventing account compromise (EAC), the variant where attackers hijack a real inbox.

Deploy DMARC, DKIM, and SPF: These email authentication protocols make it significantly harder to spoof your domain and signal to receiving mail servers how to handle unauthenticated messages. The Canadian Centre for Cyber Security (CCCS) recommends all three as baseline controls for organizations of any size.

Establish a wire transfer verification policy: Any request to transfer funds, change vendor banking details, or share sensitive payroll data that arrives via email must be verbally confirmed using a known phone number before action is taken. No exceptions, regardless of how urgent the email appears.

Run BEC-specific security awareness training: Generic phishing simulations don’t prepare employees for CEO fraud or vendor impersonation. Training should include realistic scenarios that test responses to authority-and-urgency combinations, not just malicious link clicking.

Add external sender banners: A visible “EXTERNAL” tag on emails originating from outside your domain creates a pause point that catches a surprising number of impersonation attempts before they succeed.

Limit public org chart exposure: Attackers use LinkedIn to map reporting structures and identify which employees have financial authority. Review what your public profiles reveal about who approves payments and who reports to whom.

A 60-second phone call to a known number is your most reliable BEC defense. Build a formal policy: any wire transfer or banking change request received by email requires verbal confirmation before processing, regardless of the sender’s apparent authority. This one process control has prevented significant losses at organizations that had no other BEC-specific defenses in place.

What to Do If Your Business Has Been Targeted

Speed is the only meaningful variable in BEC recovery. If a fraudulent transfer has occurred, every hour reduces the chance of recovery.

Contact your bank immediately: Financial institutions can sometimes recall or freeze fraudulent wire transfers if notified within 24 to 72 hours. Call your bank’s fraud line directly, not through email. Reference the FBI’s Financial Fraud Kill Chain (FFKC) process when speaking with your bank.

Report to the Canadian Anti-Fraud Centre: Canadian businesses should file a report with the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca. In the US, the FBI IC3 at ic3.gov is the correct reporting channel. Document everything before taking remediation steps.

Preserve all evidence: Do not delete or modify the fraudulent emails. Your incident response team and law enforcement need the original headers, timestamps, and message content to trace the attack chain.

Notify your insurer: Many cyber insurance policies cover BEC losses, but require prompt notification. Review your policy for reporting timelines before taking remediation actions that could affect coverage.

Engage your security team: Determine whether a real account was compromised. If so, contain it immediately: force password resets, revoke active sessions, and audit email forwarding rules, which attackers often add to maintain persistent access after discovery.

Warning:

BEC fund recovery is genuinely difficult. Most wire transfers are laundered through multiple accounts within hours of reaching the attacker’s account. Prevention is far cheaper than recovery, and in many cases recovery simply isn’t possible.

BEC attacks are low-tech, high-yield, and preventable. The combination of multi-factor authentication on email, DMARC/DKIM/SPF deployment, a hard-and-fast verbal verification policy for wire transfers, and BEC-specific employee training stops the vast majority of attacks. No single control is enough; the layered approach is what works.

At Balanced+, our managed cybersecurity services include email security configuration, security awareness training tailored to BEC scenarios, and ongoing monitoring that catches the account compromise attempts that often precede a BEC attack. If you’re not confident your team and your controls would stop a well-researched impersonation attempt, let’s talk.

Frequently Asked Questions

What is the most common type of BEC attack?

CEO fraud and vendor/invoice impersonation are the most frequently reported BEC variants. In CEO fraud, an executive’s email is spoofed or compromised and used to pressure a finance employee into an urgent wire transfer. In vendor impersonation, attackers pose as a known supplier and request a banking detail update before a scheduled payment, redirecting the next legitimate payment to an attacker-controlled account.

Can spam filters stop a BEC attack?

Standard spam filters and antivirus tools are largely ineffective against BEC because the attacks contain no malicious links or file attachments. The email often looks entirely legitimate. Effective defenses are process-based (verbal verification policies) and technical (MFA, DMARC/DKIM/SPF, external sender banners) rather than filter-based.

What is the difference between BEC and EAC?

BEC (Business Email Compromise) typically involves impersonation without actually accessing a real email account. EAC (Email Account Compromise) goes further: the attacker gains control of a legitimate account and sends fraudulent requests directly from it. EAC is harder to detect because the emails originate from a real, trusted address and pass all authentication checks. The FBI IC3 tracks both under the same reporting category because the financial impact and attack goals are the same.

How much do BEC attacks cost Canadian businesses?

The Canadian Anti-Fraud Centre (CAFC) tracks BEC as one of the top fraud categories affecting Canadian organizations, though losses are widely underreported. The CCCS National Cyber Threat Assessment 2025-2026 identifies BEC as a persistent and growing threat to Canadian businesses of all sizes. US figures from the FBI IC3 serve as a useful proxy: $2.9 billion in reported losses in 2023 from roughly 21,000 complaints, suggesting an average loss well above $100,000 per incident.

Sources

The Canvas Data Breach: What the ShinyHunters Attack Means for Your Business

In late April 2026, a threat actor known as ShinyHunters quietly compromised Instructure, the company behind Canvas LMS, one of the most widely used learning management systems in the world. By the time the breach surfaced publicly in early May, an estimated 275 million students and educators across roughly 9,000 institutions had their personal data sitting in the hands of a ransomware group with a May 12 deadline to collect.

This post breaks down exactly what happened, how attacks like this unfold, and what the warning signs look like. More importantly, it covers what organizations outside education should take from this. If your business relies on a SaaS vendor for anything mission-critical, the Canvas breach is a direct signal about your own exposure.

ShinyHunters breached Instructure (Canvas LMS) around April 29-30, 2026, stealing names, emails, student IDs, and internal messages from an estimated 275 million users. No passwords or financial data were confirmed stolen. A ransom deadline of May 12 was set, and Canvas entered maintenance mode on May 7. The lesson for businesses: your vendor is your attack surface.

Third-Party Vendor Breach

A third-party vendor breach occurs when attackers compromise a software provider or service platform rather than targeting an organization directly. Because the vendor holds data from thousands of clients, a single intrusion can expose millions of records across multiple industries and geographies simultaneously. The breach of Instructure is a textbook example: attackers targeted the platform, and every institution running Canvas inherited the exposure.

What Actually Happened: The Canvas Breach Timeline

According to Krebs on Security, the intrusion appears to have begun around April 29-30, 2026. ShinyHunters, a prolific cybercriminal group previously tied to the 2021 AT&T breach and the 2022 Wattpad leak, gained access to Instructure systems and began exfiltrating data. The group claimed to have taken records covering names, email addresses, student IDs, and internal platform messages.

Instructure confirmed the breach but stated that no passwords, financial data, or government-issued IDs were among the stolen records. That is meaningful context, but it does not eliminate the risk. Names combined with institutional email addresses and internal communications are more than enough to fuel targeted phishing campaigns against students, faculty, and administrative staff.

By May 7, Canvas entered maintenance mode, disrupting access for institutions across the US, UK, Canada, Australia, New Zealand, Sweden, and the Netherlands. Multiple Canadian post-secondary institutions confirmed they were affected, though the full scope is still being assessed.

275M

Estimated users affected across ~9,000 institutions globally, per attacker claims reported by Malwarebytes

How Breaches Like This Actually Happen

ShinyHunters does not operate like a script-kiddie running vulnerability scanners. The group is known for patience and for targeting credential databases, API keys, and cloud storage misconfigurations. Based on DataBreaches.net reporting, the Canvas intrusion follows a pattern the group has used repeatedly: gain initial access via exposed or stolen credentials, move laterally through cloud infrastructure, exfiltrate quietly, then surface with ransom demands once data is secured.

The mechanics generally follow a predictable kill chain. Understanding each stage is how defenders know where to interrupt it.

Initial access: Attackers obtain valid credentials through phishing, credential stuffing, or purchasing them from prior breach databases. A single compromised service account with excessive permissions is often all that is needed.

Lateral movement: Once inside, the attacker pivots through connected systems, looking for databases, storage buckets, or admin consoles. Multi-factor authentication gaps and over-permissioned accounts accelerate this phase.

Data staging and exfiltration: Large datasets are quietly compressed and moved out, often to attacker-controlled cloud storage. This phase can last days without triggering alerts if baseline monitoring is not in place.

Ransom demand: The attacker surfaces with a deadline. In the Canvas case, a May 12 cutoff was issued with the implicit threat of public data release. The target now faces a negotiation under extreme time pressure.

Warning Signs Your Organization Should Never Ignore

Most breaches are not discovered by the victim. Inside Higher Ed noted that Canvas institutions learned about the breach from external security researchers and media reports, not from Instructure’s own detection. That gap between compromise and notification is where the real damage accumulates.

In our work with GTA mid-market firms, the signals that precede a confirmed breach tend to cluster around the same overlooked indicators.

Warning SignWhat It SuggestsAction Required
Unusual API call volumes from service accountsCredential misuse or lateral movementAlert on anomalies; review account permissions
Large outbound data transfers at off-hoursActive exfiltration in progressEgress monitoring with automatic throttling
Vendor notifies “planned maintenance” with no advance noticePossible incident response in progressContact vendor directly; activate your BCP
Users report receiving suspicious emails with accurate internal detailData already out; phishing campaign underwayIncident response; notify affected users
Third-party breach disclosed in your vendor stackYour data may be includedRequest vendor impact assessment immediately
Warning:

The May 7 maintenance mode announcement was the first public signal most institutions received that something was wrong. By that point, the data had already been exfiltrated. Waiting for your vendor to notify you is not a security strategy.

What Data Was Taken and Why It Matters

Instructure confirmed that the stolen data includes names, email addresses, student IDs, and internal platform messages. No passwords, no payment card data, no government IDs. That framing is accurate but can be misleading when evaluating actual risk.

Consider what an attacker can do with a name, an institutional email address, and the content of internal messages. They can craft a spear-phishing email that references a real conversation, a real course, a real colleague. That specificity is what makes socially engineered attacks effective. The targets are not abstract; they are 275 million real people with names, affiliations, and communication histories now sitting in a threat actor’s database.

Under PIPEDA (Canada’s federal private sector privacy law), organizations that experience a breach involving a real risk of significant harm are required to notify both the Privacy Commissioner of Canada and affected individuals. “Significant harm” explicitly includes humiliation, damage to reputation, and financial loss. A breach of this nature, particularly where internal messages are involved, likely clears that threshold for Canadian institutions. Provincial health data held by universities may also trigger PHIPA obligations depending on the context.

Good to know:

For businesses pursuing or maintaining SOC 2 compliance, a vendor breach like this directly implicates your third-party risk management controls. You need documented vendor assessments, response SLAs, and data handling agreements. Auditors will ask.

How to Protect Your Organization from Vendor-Side Breaches

You cannot prevent a breach at your vendor’s data center. What you can do is limit how much of your exposure depends on their security posture, and build the capability to respond fast when something goes wrong on their end.

Conduct third-party risk assessments annually: Every SaaS vendor that touches employee or customer data should be reviewed against a consistent framework. Ask for their SOC 2 report, penetration test results, and breach notification SLAs. If they will not provide these, that is a red flag worth escalating.

Enforce least-privilege access: If a vendor integration only needs to read calendar data, it should not have write access to your entire directory. Audit OAuth scopes and API permissions across your vendor stack at least twice per year.

Deploy email security controls: Post-breach phishing is predictable. DMARC, DKIM, and SPF enforcement at your domain level, combined with an email security gateway, meaningfully reduces the success rate of follow-on attacks using stolen contact data.

Monitor for your domain in breach databases: Services like Have I Been Pwned, threat intelligence feeds, and dark web monitoring can surface compromised credentials before attackers weaponize them. Reactive is better than nothing; proactive is the standard.

Have an incident response plan that covers vendor incidents: Most IR plans cover internal breaches. Fewer address what to do when a critical vendor is down or compromised. Document your escalation path, your communication templates, and your business continuity triggers for vendor-side events specifically.

Set a Google Alert for “[vendor name] breach” and “[vendor name] maintenance” for every SaaS tool in your stack that holds employee or customer data. It is a free, five-minute setup that can give you hours of lead time over an official notification.

What ShinyHunters’ Track Record Tells Us

This is not a first offense. ShinyHunters has been linked to breaches at AT&T, Ticketmaster, Santander Bank, and dozens of other organizations. The group operates with a commercial mindset: they find high-value targets, exfiltrate at scale, and monetize through ransom or data sales on criminal marketplaces. Education platforms are attractive because they aggregate massive user populations with historically under-resourced security teams.

According to DataBreaches.net, the word “again” in their headline is deliberate: Instructure has faced security incidents before. Repeat targeting by sophisticated threat actors is common when organizations do not remediate root causes after an initial incident.

9,000+

Institutions across 7 countries affected by the Canvas breach, including the US, UK, Canada, Australia, New Zealand, Sweden, and the Netherlands

Decision Framework: Assessing Your Vendor Risk Right Now

Use this framework to prioritize which vendors in your stack need immediate attention. It is not exhaustive, but it surfaces the highest-risk exposure quickly.

  • Data sensitivity: Does this vendor store employee PII, customer data, financial records, or communications? Higher sensitivity means higher priority.
  • Access scope: Does the vendor integration have broader system access than the use case requires? Excessive permissions amplify breach impact.
  • Breach history: Has this vendor had a prior incident? How did they handle notification, remediation, and communication?
  • Contractual protections: Do your vendor agreements include breach notification timelines, data deletion clauses, and liability provisions? If not, renegotiate at renewal.
  • Substitutability: If this vendor went into maintenance mode tonight, how long before your operations are critically impacted? Document that number and plan around it.

The Canvas breach is a reminder that your security posture includes every vendor in your stack. You cannot outsource accountability. Build third-party risk management into your security program, enforce least-privilege access, and maintain an incident response plan that covers vendor-side failures. The next ShinyHunters target could be any platform your business depends on today.

If you are not sure where your vendor risk exposure actually sits, that is exactly the kind of gap we help GTA mid-market organizations identify and close. Balanced+ provides cybersecurity assessments, third-party risk reviews, and managed security services built for organizations that cannot afford to find out the hard way. Start with our cybersecurity services page to see what a structured approach looks like.

Frequently Asked Questions

Was my Canvas account hacked?

If you have an account on any Canvas LMS platform, your name, email address, student or faculty ID, and possibly internal messages may have been included in the exfiltrated data. Instructure confirmed that passwords and financial data were not compromised. Watch for phishing emails that reference specific course names, colleagues, or internal details, as these would indicate your data is being used in follow-on attacks.

What is ShinyHunters and how dangerous are they?

ShinyHunters is a well-documented cybercriminal group known for large-scale data theft and ransom extortion. They have been linked to breaches at AT&T, Ticketmaster, Santander, and others. They typically operate by accessing cloud environments using stolen or exposed credentials, exfiltrate large datasets quietly, and then surface with ransom demands. The group is considered a persistent and sophisticated threat actor, not an opportunistic script operation.

What do businesses need to do after a vendor breach like this?

First, contact the vendor directly and request a written impact assessment confirming whether your data was in scope. Second, brief your security team and review any integrations that may have exposed data. Third, increase phishing awareness among employees, since follow-on spear-phishing is a near-certain outcome when contact data is stolen. If the vendor stores data covered by PIPEDA or PHIPA, review your notification obligations under those frameworks with legal counsel.

Does this breach affect businesses outside the education sector?

Directly, no. Canvas LMS is used primarily in education. But the broader lesson applies to any organization using SaaS platforms: your vendor’s security posture is part of your attack surface. The tactics ShinyHunters used in the Canvas breach are the same ones targeting HR platforms, CRMs, and cloud storage providers in the commercial sector. Third-party vendor risk management is not an education problem; it is a business problem.

Sources

What Ontario’s First-Ever PHIPA Fines Tell Us About Healthcare IT in 2026

Ontario healthcare organizations face a specific set of cybersecurity obligations under PHIPA, enforced by the IPC, with real financial and reputational consequences when IT controls fail. The question is no longer whether your organization will be targeted, but whether your IT environment is built to contain the damage when it happens.

In October 2023, a ransomware attack against a shared IT vendor knocked five southwestern Ontario hospitals offline for months, cost those organizations over $7.5 million, and compromised the personal health information of more than 516,000 patients and employees. Surgeries were postponed. Cancer radiation treatments were transferred to other facilities. Most systems were not restored until February 2024. The attack didn’t require a sophisticated breach of each hospital’s own infrastructure; it came through a single shared service provider that all five organizations trusted.

That case illustrates exactly why PHIPA compliance is not a paperwork exercise. This post covers what Ontario’s health privacy law requires from your IT environment, where most healthcare organizations in the GTA fall short, and what to look for in a managed IT provider that actually understands the regulatory landscape.

PHIPA (Personal Health Information Protection Act)

PHIPA is Ontario’s health privacy legislation that governs how health information custodians collect, use, and disclose personal health information. Health information custodians include physicians, hospitals, pharmacists, laboratories, long-term care homes, community health centres, and other regulated health professionals operating in Ontario. PHIPA is administered and enforced by the Information and Privacy Commissioner of Ontario (IPC), which has authority to investigate complaints, conduct audits, issue binding orders, and as of August 2025, impose administrative monetary penalties on organizations and individuals who violate the Act.

What PHIPA Actually Requires from Your IT Environment

PHIPA doesn’t mandate specific technologies. What it requires is that health information custodians take steps “reasonable in the circumstances” to protect personal health information. The IPC has consistently interpreted this through its investigations and orders to include a defined set of technical controls that any healthcare IT environment needs to address.

  • Encryption: Personal health information must be encrypted at rest and in transit. Unencrypted devices are among the most cited causes of reportable breaches in IPC investigations.
  • Access controls and audit logging: Only authorized personnel should access patient records, access should be role-based, and every access event should be logged. Without audit logs, you cannot investigate a breach or demonstrate compliance.
  • Breach detection and response: You must have the ability to detect breaches and respond to them. Ontario’s PHIPA requires notification to affected individuals at “the first reasonable opportunity,” which the IPC has interpreted as within 72 hours in most circumstances, far tighter than the 60-day window under the US HIPAA framework.
  • Written vendor agreements: Any IT provider or cloud service that handles personal health information on your behalf must be bound by a written data sharing agreement that addresses PHIPA obligations. This applies to your EMR vendor, cloud storage provider, and managed IT provider.
  • Privacy governance: The IPC’s first administrative monetary penalty, issued in August 2025 against a physician and his private clinic, found that the clinic had “sorely lacked any of the essential elements of a data privacy and security governance program.” That phrase (from the IPC’s own decision) is now the benchmark against which Ontario healthcare organizations are being measured.

The SickKids Ruling: Ransomware Is a Breach Even If Nothing Was Stolen

In 2025, an Ontario court issued a significant ruling in the Hospital for Sick Children case that every healthcare organization in the province needs to understand. The court found that a ransomware attack that makes personal health information inaccessible triggers PHIPA’s breach notification obligations, even when there is no evidence that the information was actually accessed, viewed, or stolen by the attacker.

The same ruling found that an email account compromise lasting as little as one hour constitutes both unauthorized disclosure and unauthorized use under PHIPA, triggering the duty to notify at the first reasonable opportunity.

Warning:

If ransomware locks your systems and you have no evidence data was exfiltrated, you are still likely obligated to notify affected patients and the IPC. “Nothing was stolen” is no longer a safe conclusion under Ontario law. Source: Hospital for Sick Children v. Ontario IPC, BLG, September 2025.

Real Consequences: What Has Happened to Ontario Healthcare Organizations

$7.5M

Cost to five southwestern Ontario hospitals following a single ransomware attack through a shared IT vendor in October 2023. Over 516,000 patients and employees had their data compromised. Source: CBC News / Cyber Secure Catalyst, August 2024

The southwestern Ontario hospital attack is the clearest illustration of supply chain risk in healthcare IT. All five organizations used the same IT service provider, TransForm Shared Service Organization. When that vendor was compromised, every connected hospital was affected simultaneously. The attack forced postponed surgeries, diverted cancer treatments, and generated millions in recovery costs, across organizations that individually may have had reasonable security practices.

In 2025, a vendor contracted by Ontario Health atHome suffered a ransomware attack that compromised patient information, with the breach confirmed more than two months after the initial incident. The IPC’s 2024 annual report also highlighted an investigation involving a medical imaging clinic where a ransomware attack compromised more than 500,000 patient records and the clinic ultimately paid the ransom to restore access to its systems.

These are not edge cases. They are the norm in Ontario healthcare cybersecurity, and the IPC’s enforcement posture is getting more aggressive. August 2025 saw the first-ever administrative monetary penalties issued under PHIPA, the first time any Canadian privacy commissioner had used this enforcement mechanism. The IPC can now impose penalties of up to $50,000 on individuals and $500,000 on organizations for PHIPA contraventions.

Compliant vs. Non-Compliant: What Each Looks Like in Practice

IT ControlPHIPA-Compliant EnvironmentCommon Gap (Non-Compliant)
Device encryptionFull-disk encryption enforced on all endpoints and mobile devicesEncryption not enforced or inconsistently applied across devices
Access controlsRole-based access, MFA enforced on all clinical systems, no shared accountsShared logins, no MFA, overly broad permissions
Audit loggingCentralized log management, regular review, tamper-resistant storageLogs not collected, not reviewed, or not retained long enough
Patch managementAutomated patching on a defined cycle, no end-of-life systems in productionManual patching, legacy OS still running (Windows 10 EOL October 2025)
Breach detection24/7 monitoring, incident response plan tested annuallyNo monitoring, breaches discovered days or weeks after the fact
Vendor agreementsWritten PHIPA-compliant data sharing agreements with all IT and cloud vendorsNo written agreements, cloud services adopted without privacy review
Privacy governanceDocumented policies, staff training, privacy officer designatedNo policies, no training, no governance structure

What to Look for in a Managed IT Provider for Ontario Healthcare

Not every managed IT provider is equipped to work in a PHIPA-regulated environment. A provider that serves manufacturing clients operates under entirely different risk and compliance requirements. When evaluating a managed IT partner for your healthcare organization, these are the criteria that matter:

PHIPA-compliant data sharing agreement: Before any engagement begins, your provider must sign a written agreement that defines how they handle personal health information, what controls they maintain, and how they respond if a breach occurs on their end. A provider who pushes back on this requirement is not healthcare-ready.

Familiarity with Ontario EMR platforms: Ask specifically about their experience with the platforms your organization uses: OSCAR Pro, TELUS Health (Wolf/PS Suite), Accuro, Cerner, or EPIC. Generic IT experience is not a substitute for knowing how patient data flows through clinical systems.

24/7 monitoring and breach detection: Given the SickKids ruling and the IPC’s breach notification expectations, you need a provider that can detect an incident at 2 a.m. and begin containment before business hours. Ask whether they operate a Security Operations Centre (SOC) or use a managed detection and response (MDR) service.

Documented incident response: Your provider should be able to show you a written incident response plan and walk through what happens in the first hour after a confirmed breach. If they can’t, they have not thought through the PHIPA notification timeline.

Vendor supply chain awareness: The southwestern Ontario hospital attack came through a trusted third-party vendor. A qualified healthcare IT provider will assess not just your internal environment but the security posture of every vendor in your supply chain that touches patient data.

Before your next IPC audit or renewal cycle, inventory every vendor and cloud service that has access to personal health information in your environment. Every single one should have a signed data sharing agreement on file. For most smaller Ontario clinics, this list is longer than expected and the agreements are missing. Start with your EMR vendor, billing platform, and any file storage or communication tools used by clinical staff.

PHIPA compliance in 2026 is an active, ongoing IT discipline, not a one-time policy review. The IPC is issuing penalties, Ontario courts are expanding the definition of a reportable breach, and ransomware groups are actively targeting healthcare organizations across the province. The organizations that manage this well are the ones that have an IT partner who understands the regulatory environment and owns the technical controls on their behalf.

Balanced+ works with healthcare organizations across Toronto and the GTA to build IT environments that meet PHIPA requirements without disrupting clinical operations. If you are not sure where your current environment stands, our healthcare IT services page outlines how we approach compliance and security for Ontario health information custodians. We are happy to walk through a gap assessment before you commit to anything.

Frequently Asked Questions

What is PHIPA and who does it apply to in Ontario?

PHIPA is Ontario’s Personal Health Information Protection Act, which governs how health information custodians handle patient data. It applies to physicians, hospitals, pharmacists, laboratories, long-term care homes, community health centres, and other regulated health professionals in Ontario. There is no size threshold: a sole-practitioner clinic has the same obligations as a regional hospital. The IPC enforces PHIPA and now has the authority to issue administrative monetary penalties of up to $500,000 for organizational violations.

How quickly does PHIPA require breach notification in Ontario?

PHIPA requires that affected individuals be notified “at the first reasonable opportunity” after a breach is discovered. The IPC has interpreted this as approximately 72 hours in most circumstances, which is considerably faster than the 60-day window under the US HIPAA framework. Serious and deliberate breaches must also be reported to the IPC immediately. The 2025 SickKids ruling confirmed that ransomware attacks that render data inaccessible, even with no evidence of data theft, still trigger these notification obligations.

Does my IT provider need to sign a special agreement to comply with PHIPA?

Yes. Any agent or third party that handles personal health information on behalf of a health information custodian must be bound by a written agreement that addresses PHIPA obligations. This includes your managed IT provider, EMR vendor, cloud storage service, and any other technology partner with access to patient data. Using an IT provider without a signed PHIPA-compliant data sharing agreement puts your organization in violation, regardless of how secure the provider’s own systems may be.

What does a managed IT provider do for a healthcare organization?

A managed IT provider for healthcare handles the technical controls that PHIPA requires: device encryption, role-based access management, audit logging, patch management, 24/7 monitoring, and breach detection and response. They also assist with vendor agreement reviews, incident response planning, and ensuring that cloud services meet Ontario privacy standards. For smaller clinics and specialist practices without dedicated IT staff, a qualified managed IT provider is typically the most practical way to maintain sustainable PHIPA compliance without adding internal headcount.

Sources

What Is Shadow AI? Security Risks and How to Respond

Your employees are already using AI. They’re drafting emails in ChatGPT, summarizing contracts in Claude, building reports with Copilot, and asking Gemini to review vendor agreements. None of it went through IT. None of it was approved. And in most cases, nobody knows it’s happening.

This is shadow AI, and it’s now one of the fastest-growing security and compliance risks for mid-market Canadian businesses. This post breaks down what shadow AI is, what data is actually leaving your organization, and what a practical response looks like.

Shadow AI refers to employees using generative AI tools (ChatGPT, Gemini, Claude, Copilot, and others) without IT knowledge, approval, or data governance controls in place. Unlike shadow IT (unauthorized software), shadow AI is harder to detect because it often runs entirely in the browser and leaves no footprint on your network. The risk: confidential business data is leaving your environment, there is no audit trail, and your compliance obligations may already be violated.

What Is Shadow AI?

Shadow AI

Shadow AI is the use of artificial intelligence tools particularly generative AI applications like ChatGPT, Google Gemini, Anthropic Claude, and Microsoft Copilot by employees without the knowledge, authorization, or oversight of the IT or security team. It is an evolution of the shadow IT problem, but with a critical difference: shadow AI doesn’t just introduce unapproved software into your environment; it actively transmits data out of it.

The term distinguishes between AI tools that have been formally evaluated, licensed, and governed (such as Microsoft Copilot deployed through an M365 enterprise tenant) and those being used informally through personal accounts or free-tier access. The distinction matters because enterprise and consumer versions of the same product carry fundamentally different data handling terms.

How Common Is Shadow AI in the Workplace?

More common than most IT leaders assume. According to Microsoft’s 2025 Work Trend Index, 75% of knowledge workers now use AI tools in their daily work, and 78% are bringing their own AI tools to the job rather than waiting for employer-provided options. The report refers to this as “BYOAI” (Bring Your Own AI), and it is accelerating.

78%

of knowledge workers bring their own AI tools to work rather than waiting for employer-approved options, according to Microsoft’s 2025 Work Trend Index.

The gap between employee adoption and IT governance is significant. Most organizations have policies covering software installation, data classification, and acceptable use, but very few have updated those policies to explicitly address generative AI. In our conversations with GTA mid-market IT teams, the question “do you have an AI use policy?” is still answered with “not yet” more often than not.

Warning:

The absence of an AI policy does not mean employees aren’t using AI. It means they are using it without guardrails, and you have no visibility into what data is involved.

What Data Are Employees Actually Putting Into AI Tools?

This is where the theoretical risk becomes concrete. Research from data security firm Cyberhaven found that 11% of the data employees paste into ChatGPT is confidential business data, including source code, financial records, client information, and internal strategy documents. That figure was measured across enterprise environments where employees knew their activity could be monitored.

The most documented example remains Samsung’s 2023 incident, in which engineers at the company’s semiconductor division pasted proprietary source code and internal meeting notes into ChatGPT while troubleshooting software bugs. The data was submitted before Samsung had an AI use policy in place. Samsung responded by banning generative AI tools across the company: a reaction that is effective but not sustainable for most organizations.

In practice, the most common categories of data entering AI tools without authorization include:

  • Client contracts and proposals being summarized or edited
  • Financial reports and budget documents being analyzed
  • HR data including performance reviews and compensation information
  • Internal technical documentation and system architecture details
  • Personal information about clients, employees, or patients

Employees are not being reckless; they are being efficient. The problem is that efficiency and data governance are not the same objective, and without clear guidance, employees default to the tools that get the job done fastest.

Three Security Risks Shadow AI Creates

1. Data Transmitted to Third-Party Servers Without Your Control

When an employee submits a prompt to a consumer AI tool, that data travels to the vendor’s servers. For free and personal-tier accounts, OpenAI’s privacy policy historically allowed user inputs to be used to improve their models unless users opted out. Even with opt-outs enabled, the data has left your environment and sits on infrastructure you do not control, governed by terms of service your legal team has never reviewed.

2. No Audit Trail

Email is logged. File access is logged. Cloud storage has version history. Generative AI prompts submitted through a browser on a personal account leave no trace in your systems. If a compliance audit asks what client data was shared externally in the last 12 months, you cannot answer that question. If a confidentiality dispute arises, you have no record of what was disclosed and when. This is not a hypothetical gap; it is a gap in your controls right now.

3. Confidentiality Agreement and NDA Exposure

Most client-facing confidentiality agreements were drafted before generative AI existed. They prohibit disclosure of covered information to third parties, and submitting that information to a public AI model almost certainly constitutes disclosure, even if the employee’s intent was purely to get help with a task. The exposure is real whether or not a breach occurs. If a client or partner discovers their information was processed through an unapproved AI tool, the conversation with legal is not a comfortable one.

Shadow AI and Canadian Compliance: PIPEDA and PHIPA

Canadian businesses face specific compliance obligations that make shadow AI a regulatory issue, not just a security one.

Under PIPEDA (Personal Information Protection and Electronic Documents Act), organizations are responsible for personal information under their control, including information held by third parties on their behalf. When an employee submits personal information to a consumer AI tool without a data processing agreement in place, the organization is likely in breach of its accountability obligations under PIPEDA Principle 1, regardless of whether the employee acted intentionally.

For Ontario healthcare organizations and their vendors, PHIPA (Personal Health Information Protection Act) applies an even stricter standard. Submitting personal health information to any unauthorized third-party system including an AI tool, without explicit consent and a data custodian agreement is a reportable breach. The Office of the Information and Privacy Commissioner of Ontario has been explicit that AI tools are not categorically exempt from these requirements.

Important:

The Office of the Privacy Commissioner of Canada has issued guidance indicating that PIPEDA applies to AI systems that process personal information, including third-party AI tools used by employees. Organizations cannot transfer accountability for personal data to a vendor simply by virtue of employees choosing to use that vendor’s tool.

Approved vs. Unapproved AI Tools: What’s the Difference?

Not all AI tools carry the same risk. The critical variable is not which tool is used; it is what data agreement governs how that tool handles your information.

Tool / Access TypeData Stays in Your Tenant?Audit Trail?Enterprise Data Agreement?Risk Level
Microsoft Copilot (M365 enterprise tenant)Yes (data stays within your M365 environment)Yes, via Microsoft PurviewYes, covered by Microsoft’s DPALow (with proper M365 configuration)
ChatGPT EnterpriseYes inputs not used for trainingLimitedYes enterprise data processing agreementLow-medium
ChatGPT Free / Plus (personal account)No data sent to OpenAI serversNoNoHigh
Google Gemini (Google Workspace Business/Enterprise)Yes covered by Google’s DPAYes, via Google VaultYesLow
Google Gemini (personal Google account)NoNoNoHigh
Any AI tool via personal browser, personal accountNoNoNoHigh

The pattern is consistent: enterprise-tier access with a signed data processing agreement is manageable. Consumer-tier access with a personal account is not, regardless of which AI provider is involved.

How to Build an AI Use Policy That Actually Works

Banning AI tools is not a realistic response. Employees will continue using them; the ban simply pushes activity further underground and adds compliance exposure without adding security. The goal is governance, not prohibition.

Classify your data first: Before you can govern AI use, you need to know which categories of data carry the highest risk: client information, personal data, financial records, source code, health information. Most organizations already have a data classification framework; the AI policy maps onto it directly.

Define approved tools and tiers: Publish a short, clear list of AI tools that are approved for business use specifying which tier or account type is required. “Microsoft Copilot through your M365 account: approved. ChatGPT with a personal account: not approved for any business data.”

Define what data categories can never enter AI tools: Regardless of which approved tool is being used, certain data categories should be off-limits for AI prompts client personal information, confidential contracts, employee records, health data. Write this out explicitly. Employees need clear rules, not general warnings.

Set up monitoring and logging where possible: Enterprise AI tools with admin consoles (Copilot, Gemini Workspace, ChatGPT Enterprise) provide usage data and, in some cases, prompt-level logging. Enable this. For DLP (Data Loss Prevention) tooling, configure rules that flag when sensitive data categories are being transmitted to AI endpoints.

Train your team once, clearly: A one-page policy memo is not enough. A 30-minute lunch-and-learn that explains what the policy covers, why it exists, and what employees should do when they are unsure is far more effective. People follow rules they understand the reason for.

Review the policy every six months: The AI tool landscape changes faster than annual policy review cycles. Build in a semi-annual review to add newly approved tools, remove deprecated ones, and update data classification rules as your business changes.

The fastest path to a working AI use policy is not starting from scratch. Map your existing acceptable use policy and data classification framework onto AI-specific scenarios. Most of the governance structure is already there; you are adding a layer specific to generative AI, not rebuilding from zero. A focused half-day workshop between IT, legal, and HR is usually enough to produce a first draft.

What to Do Right Now if You Have No AI Policy

If your organization does not yet have an AI use policy, you are not in a minority, but you are carrying avoidable risk. The practical starting point is not a comprehensive policy document; it is a two-step interim position you can communicate this week:

  • Communicate a temporary rule: “Until we have a formal policy, do not submit client information, personal information, or anything covered by a confidentiality agreement to any AI tool you access through a personal account.” This is not a ban; it is a data minimization instruction your team can actually follow.
  • Audit your enterprise AI tool access: Determine which AI tools your organization already has access to through existing software agreements: M365 Copilot, Google Workspace Gemini, GitHub Copilot for developers. These are your sanctioned options. Communicate them clearly so employees have an approved path rather than defaulting to personal accounts.

Shadow AI is not a future risk; it is happening in your organization right now. The question is not whether your employees are using AI tools; they are. The question is whether they are using tools that keep your data in your control, under governance terms you have reviewed, with an audit trail you can produce when asked. An AI use policy does not require banning AI; it requires channeling AI use through approved tools and clear data rules. Most organizations can produce a working first draft in a single focused session.

At Balanced+, we help GTA mid-market businesses build practical AI governance frameworks as part of broader IT and cybersecurity programs, including data classification, DLP configuration, and employee training. If you want to understand where your current AI exposure sits, a cybersecurity assessment is a good starting point. It is not a sales process it is a structured look at where the gaps are.

Frequently Asked Questions

What is shadow AI, and how is it different from shadow IT?

Shadow IT refers to any software or system used by employees without IT approval: unauthorized apps, personal cloud storage, unapproved SaaS tools. Shadow AI is a specific subset of shadow IT focused on generative AI tools like ChatGPT, Gemini, and Claude. The key difference is the data risk: shadow IT introduces unapproved software into your environment, while shadow AI actively transmits data out of your environment to third-party servers, often with no visibility or audit trail.

Is it a compliance violation for employees to use ChatGPT at work?

It depends on what data is involved and what account type is used. Using ChatGPT through a personal or free account to submit client personal information, health data, or information covered by a confidentiality agreement likely creates a PIPEDA or PHIPA compliance issue, and may breach contractual obligations with clients. Using ChatGPT Enterprise under a signed data processing agreement with proper controls is a different matter. The tool itself is not the determining factor; the governance terms and data involved are.

Can I just ban AI tools to avoid the risk?

You can issue a ban, but it will not eliminate the risk; it will push activity underground and remove whatever visibility you currently have. Employees who rely on AI tools to do their jobs will continue using them; they will simply avoid mentioning it. A more effective approach is to define approved tools with enterprise data agreements, publish clear rules about which data categories are off-limits regardless of the tool used, and monitor usage through available admin consoles. Governance is more durable than prohibition.

What should an AI use policy include for a mid-market Canadian business?

At minimum: a list of approved AI tools and the specific account type required (enterprise, not personal); a list of data categories that cannot be entered into any AI tool regardless of approval status (personal information, health data, client confidential data, source code); a process for employees to request approval for new AI tools; and a reference to existing data classification and acceptable use policies. For businesses subject to PIPEDA or PHIPA, the policy should also address third-party data processing agreements and how AI tool vendors are evaluated for compliance.

FortiGate CVEs and the Patch Management Problem

Another quarter, another FortiGate CVE with a CVSS score north of 9.0. If you manage a fleet of Fortinet devices across a mid-market business, this cadence is exhausting, and it is expensive. Worse, the window between public disclosure and active in-the-wild exploitation keeps shrinking, which means the old “we patch during the monthly maintenance window” approach is no longer a strategy. It is a liability.

This post breaks down why FortiGate vulnerabilities keep making headlines, what the real risk looks like for Toronto and GTA businesses, and how to build a patch management program that actually keeps pace.

FortiGate firewalls sit at the edge of most Canadian business networks, which makes every critical CVE a direct path into your environment. A reactive, calendar-based patch cycle is not enough. You need a continuous program: monitoring, tested emergency rollouts, compensating controls, and someone on the hook 24/7.

Patch management is the operational process of identifying, testing, scheduling, deploying, and verifying security updates across your IT environment. For network edge devices like FortiGate firewalls, it also includes monitoring vendor advisories, applying compensating controls when a patch cannot be deployed immediately, and auditing firmware versions against known CVEs.

Why FortiGate Keeps Showing Up in CVE Headlines

Fortinet is not uniquely insecure. FortiGate appliances protect a massive share of Canadian mid-market and enterprise networks, which means attackers get outsized return on any exploit they develop. When a pre-authentication remote code execution bug lands in FortiOS, it is not theoretical. Ransomware crews, state-aligned groups, and initial access brokers are scanning the entire IPv4 space within hours.

Here is a quick look at the recent track record that has kept CISOs up at night:

CVE Affected Product CVSS Impact
CVE-2022-42475 FortiOS SSL-VPN 9.8 Pre-auth RCE via heap overflow
CVE-2023-27997 (XORtigate) FortiOS SSL-VPN 9.8 Pre-auth RCE
CVE-2024-21762 FortiOS SSL-VPN 9.6 Out-of-bounds write, RCE
CVE-2024-47575 (FortiJump) FortiManager 9.8 Missing auth on fgfmd daemon
CVE-2024-55591 FortiOS / FortiProxy 9.6 Auth bypass on admin interface

Every single one of these was exploited in the wild before most organizations had finished their change management review for the patch. That is the core of the problem.

What Happens When You Fall Behind on Firmware

Unpatched firewalls are not a theoretical risk. They are the confirmed initial access vector in a growing list of Canadian ransomware incidents. In the 2024 CVE-2022-42475 cleanup cycle, Fortinet itself confirmed that attackers had planted a symlink persistence mechanism on devices that let them retain read access to config files even after the patch was applied. Patching late was not enough. The damage was already done.

If your FortiGate was exposed to the public internet on a vulnerable firmware version for even a few days, assume the device is compromised until proven otherwise. Patching does not evict an attacker who has already established persistence.

The cost of that assumption is real. IBM’s 2024 Cost of a Data Breach Report pegs the average Canadian breach at CAD 6.32 million. For a mid-market company with 100 to 500 employees, a ransomware event tied to an unpatched firewall typically runs into the seven figures once you factor in downtime, ransom negotiation, forensic investigation, and regulatory reporting under PIPEDA.

Why Most In-House Patch Programs Fail

We see the same pattern across prospects that come to us after an incident. The patch management program looks fine on paper. In practice, it falls apart for predictable reasons:

  • Monthly cadence on critical edge devices. A 30-day maintenance window is a 30-day exposure window when the CVE is being actively exploited on day two.
  • No firmware inventory. Teams cannot tell you in under five minutes which of their 40 FortiGates are on 7.2.4 versus 7.4.1. That lookup time is what makes emergency patching impossible.
  • Change management as a blocker. CAB approval flows built for ERP upgrades get applied to a 15-minute firmware update on a firewall, adding days of delay for no risk reduction.
  • No after-hours coverage. Fortinet PSIRT advisories drop on a schedule that does not care about your 9-to-5 IT team. Friday night CVEs are a reliable pattern.
  • Testing paralysis. Teams are afraid to push firmware because of past outages, so they delay indefinitely. The fear is valid. The response is not.

If you only do one thing this quarter, automate a daily firmware inventory report. Know exactly what version every FortiGate in your fleet is running, and compare that list against Fortinet’s PSIRT advisory feed. This single change cuts your mean time to patch by days.

A FortiGate Patch Management Program That Actually Works

Emergency patching on edge devices is not about cadence. It is about triage speed and execution readiness. Here is the framework we use for our Balanced+ managed firewall clients:

Monitor the advisory feed in real time: Subscribe to Fortinet PSIRT RSS and route new critical and high advisories to a monitored channel 24/7. Do not rely on email.

Triage within two hours: Confirm whether any of your fleet is on an affected version and exposed on the vector described. Pre-auth RCE with internet-facing management exposure is an all-hands scenario.

Apply compensating controls first: Disable the affected service, restrict management access to specific IPs, or enable the vendor workaround. Buy yourself time before you touch firmware.

Test on a representative device: Push the patch to one low-risk device in the fleet, verify routing, VPN, and HA pairing behaviour, then clear it for production rollout.

Staged production rollout: Deploy to branch offices first, then HQ. HA pairs patched one side at a time. Total fleet patched within 48 hours for critical CVEs.

Hunt for compromise: Check device configs for unexpected admin accounts, unfamiliar VPN users, suspicious scheduled tasks, and known IOCs from the vendor advisory. Do not assume the patch closed the door.

Build, Buy, or Co-Manage?

Once you accept that FortiGate patching needs 24/7 coverage, the question becomes how to resource it. Most mid-market Canadian businesses land in one of three models:

Model Annual Cost (CAD) Coverage Best For
In-house (2 FTE network engineers) $220K to $280K plus benefits Business hours, best effort after Enterprises with 500+ staff and a mature NOC
Fully managed MSSP $60K to $120K for typical GTA mid-market fleet 24/7 monitoring, patching, response Mid-market with no dedicated network team
Co-managed with MSSP $40K to $80K MSSP handles after-hours and emergencies, internal team owns day-to-day Teams with one network lead who needs backup

The math changes fast when you factor in the cost of one missed critical patch. A single ransomware event tied to an unpatched FortiGate will cost more than a decade of managed security spend for a typical 200-person Canadian business.

Questions to Ask Your Current Provider

If you already have an MSP or MSSP handling your network edge, put the following on your next QBR agenda. The answers tell you whether you are actually covered.

  • What is the current firmware version on every FortiGate in our fleet, and when was it last updated?
  • How quickly do you triage a new critical Fortinet PSIRT advisory? What is our SLA for emergency patch deployment?
  • Who is on call at 2 AM on a Saturday when a zero-day drops?
  • After we patch, how do you verify the device was not already compromised?
  • Do you maintain a tested rollback plan for every firmware version before you deploy it?

The patch management problem is not a Fortinet problem. It is a staffing, tooling, and operational discipline problem. The businesses that weather FortiGate CVE cycles without incident are the ones that treated patching as a continuous 24/7 function long before the next advisory dropped.

If your team is still running a monthly maintenance window for critical edge devices, you are one Friday night advisory away from a very bad weekend. Our team at Balanced+ manages Fortinet fleets across Toronto and the GTA with 24/7 monitoring, triage, and emergency patch deployment built in. If you want a second opinion on your current program, get in touch and we will walk you through how our managed firewall service handles the next CVE before it makes the news.

Why Mid-Market Businesses Can’t Staff Security Internally

Mid-market IT teams are stuck in an impossible spot. Too large to ignore enterprise-grade security requirements. Too small to staff for them internally. Every director we talk to has run the numbers at least once — and most have quietly shelved the spreadsheet.

This post walks through what the math actually looks like when a mid-market Canadian business tries to build a security team in-house, why it almost never pencils out, and what you’re really paying for when you bring in an MSSP instead.

Key takeaway: A mid-market business that tries to staff a proper security team in Toronto typically spends $500K+ on salaries alone before tools, management, or coverage gaps. That arithmetic — not trendiness — is why managed security services exist.

Mid-market business: In Canada, a mid-market business is typically defined as a company with 50 to 500 employees and annual revenue between $10M and $1B. Mid-market firms face the same cyber threats and compliance requirements as enterprises but with a fraction of the headcount and budget to absorb them.

The Math Most Mid-Market Businesses Don’t Want to Do

A fully-loaded senior security engineer in Toronto runs $130K+ in base salary alone. Add benefits (typically 20–30%), hardware, training, certifications, and management overhead, and you’re closer to $170K–$190K per head. That’s one engineer.

One engineer can’t run a security program. Threats don’t respect business hours. Critical vulnerabilities get disclosed on Fridays. Incidents happen at 2 AM on long weekends. To cover nights, weekends, vacation, and the specialty domains a modern environment demands — network, endpoint, cloud, identity, compliance — you need 3 to 5 people at a bare minimum.

$500K+ — the baseline salary cost

Annual base salary cost for a mid-market business to staff a 3–5 person in-house security team in Toronto, before benefits, tooling, recruiting, or management overhead. (Based on Robert Half 2025 Salary Guide, Canada)

Cost Category In-House (3–5 engineers) MSSP (comparable coverage)
Base salaries $400K–$700K Included
Benefits & overhead $80K–$140K Included
Tooling & licensing $100K–$250K Included
24/7 coverage Hire 5+ or pay overtime Included
Management layer +1 FTE Included
Typical annual cost $700K–$1.2M+ $120K–$300K

Even at the high end, an MSSP contract typically runs 25–35% of the cost of a comparable internal team — before you factor in the tools, recruiting time, and ramp-up you skip entirely.

⚠️ Worth noting: These numbers assume you can actually hire the people. In Canada’s tight cybersecurity labour market, open security roles at mid-market salaries routinely sit unfilled for six months or longer. The (ISC)² Cybersecurity Workforce Study has tracked a persistent global shortage of roughly 4 million cybersecurity professionals year after year.

Why One Security Engineer Isn’t Enough

Every mid-market business that tries to “just hire one good security person” eventually discovers the same thing. Security isn’t a single job — it’s a stack of specializations that rarely live in one person’s head.

  • Network security (firewalls, segmentation, VPN, SD-WAN)
  • Endpoint security (EDR/XDR, patching, device management)
  • Identity and access management (SSO, MFA, privileged access, zero trust)
  • Cloud security (Azure, AWS, Microsoft 365 hardening, CSPM)
  • Incident response (forensics, containment, recovery)
  • Governance, risk, and compliance (SOC 2, PIPEDA, PHIPA, policy)
  • Threat detection and monitoring (SIEM, SOAR, threat hunting)

A senior generalist can touch all of these, but none deeply. That’s fine until something breaks. When an actual incident happens, you need the specialist who has seen it before — and if that person works for you, they’re probably on vacation or handling tickets.

💡 Pro tip: The tell that a one-person security team is failing isn’t dramatic. It’s quiet: patching drift, unreviewed alerts, stale documentation, and the same audit findings showing up year after year. By the time something loud happens, the program has usually been underwater for months.

What You’re Actually Buying From an MSSP

Here’s the part that usually gets missed in the build-vs-buy conversation. An MSSP contract isn’t just labour arbitrage — you’re not simply renting cheaper engineers. What you’re actually buying is depth: access to a bench of specialists, tooling that’s already paid for, and playbooks built from hundreds of incidents you didn’t have to experience firsthand.

  1. 24/7 monitoring and response. Security operations coverage that doesn’t take long weekends, go on parental leave, or burn out after the third late-night incident.
  2. Specialist access on demand. Cloud architects, network engineers, incident responders, and compliance analysts when you need them, not on payroll when you don’t.
  3. Enterprise tooling already deployed. SIEM, EDR, vulnerability management, and threat intelligence platforms that would cost six figures annually to license and staff directly.
  4. Incident response playbooks. Documented, rehearsed procedures for the scenarios that would otherwise force your team to improvise at 3 AM on a Saturday.
  5. Compliance and insurance support. SOC 2, PIPEDA, PHIPA, and cyber insurance questionnaire coverage without having to hire a dedicated GRC lead.

Most of our Managed IT & Cybersecurity clients at Balanced+ come to us after they’ve tried the “hire one senior person” route and watched it collapse under the workload. By the time we take over, the answer isn’t just adding more people — it’s a different operating model altogether.

When Hiring Internally Still Makes Sense

We’re not going to pretend every mid-market business should outsource all of security. There are cases where internal headcount is the right call — and pretending otherwise would be doing you a disservice.

ℹ️ When to hire in-house: Bring security in-house when you’ve outgrown the mid-market definition (500+ employees), when you have sustained regulatory complexity that requires dedicated GRC staff, or when security itself is a core product differentiator — think fintech, healthtech, or defence contractors.

Even in those cases, most mature security organizations run a hybrid model: internal staff for strategy, architecture, and vendor management, with an MSSP or MDR partner handling 24/7 operations and specialty work. Trying to do all of it internally at 50–500 employees is what quietly breaks IT budgets across the GTA every year.

The IT-to-Employee Ratio Test

Here’s a quick gut-check we use with prospective clients. Take your total IT headcount (including any security people), divide by total employees, and see where you land. That’s your IT-to-employee ratio — and it’s a remarkably accurate predictor of whether in-house security is even a conversation worth having.

  • Worse than 1:50 — You’re understaffed for your size. Security work is getting sacrificed for helpdesk tickets, and the gap is probably already showing up in audits.
  • 1:50 to 1:100 — Industry average for Canadian mid-market. You have capacity for daily operations but almost never for dedicated security depth.
  • Better than 1:100 — You’ve invested in automation and tooling. You might have room for a security specialist, but almost certainly not a full internal team.

In every scenario above, the math for in-house security staffing gets worse, not better. Even at a healthy 1:50, you have the depth to keep the lights on — not to run a proper security program with 24/7 monitoring, incident response, and specialty coverage.

The Real Question Isn’t Build vs. Buy

The decision isn’t “in-house or outsourced security.” That framing assumes both options are economically viable, and for most mid-market Canadian businesses, in-house simply isn’t. The real question is: how do we get enterprise-grade security coverage at mid-market economics?

The answer is almost always some form of managed services — whether that’s a full MSP/MSSP relationship, a co-managed model that augments a lean internal team, or an MDR partner bolted onto existing staff. The specifics depend on your current capability, regulatory posture, and risk tolerance. The underlying arithmetic doesn’t change.

Bottom line: Mid-market businesses don’t outsource security because it’s fashionable. They outsource it because $700K+ for an incomplete internal team is worse than $200K for depth, 24/7 coverage, and specialists on demand. The arithmetic is the argument.

If you’re weighing whether to build a security team internally or partner with an MSSP, we’re happy to walk you through the math for your specific environment — headcount, coverage gaps, tooling, and all. Take a look at our Managed IT & Cybersecurity services, or get in touch for a ratio-check conversation. No pitch, just the numbers.

What Is IT Compliance? A Guide for Business Leaders

IT compliance is one of those terms that gets thrown around in boardrooms and vendor pitches, but rarely explained in plain language. If you are a business owner, COO, or IT manager at a mid-market company, understanding what IT compliance actually means is the first step toward protecting your organization from regulatory penalties, data breaches, and lost client trust.

This guide breaks it down: what IT compliance is, why it matters for Canadian businesses, what frameworks apply to you, and what a managed IT provider actually does to keep you compliant.

IT Compliance, Defined

IT Compliance

The practice of ensuring your organization meets the rules, standards, and regulations that govern how you collect, store, process, and protect data. These rules come from multiple sources, federal and provincial legislation, industry-specific regulators, contractual obligations, and voluntary frameworks your clients or partners may require.

Important:

Non-compliance is not just a legal risk. It is a business risk. A failed audit can cost you a contract. A data breach tied to negligence can trigger lawsuits, fines, and reputational damage that takes years to recover from.

Common IT Compliance Frameworks in Canada

The frameworks that apply to your business depend on your industry, where your data lives, and who you do business with. Here are the ones mid-market companies in the GTA encounter most often:

PIPEDA (Personal Information Protection and Electronic Documents Act)

Canada’s federal privacy law. It applies to every private-sector organization that collects personal information in the course of commercial activity. If you handle customer data, names, emails, financial details, health information, PIPEDA applies to you. Under the act, organizations must obtain meaningful consent, limit data collection to what is necessary, and implement appropriate security safeguards.

PHIPA (Personal Health Information Protection Act)

Ontario’s health privacy legislation. If your organization is a health information custodian or processes personal health information on behalf of one, PHIPA imposes strict requirements on access controls, audit logging, breach notification, and data residency.

Ontario Bill 194 (Strengthening Cyber Security and Building Trust in the Public Sector Act)

A newer piece of legislation that expands cybersecurity and privacy obligations for Ontario’s broader public sector, and signals where private-sector regulations are headed. If your organization works with public-sector clients, understanding Bill 194 is essential.

SOC 2

A voluntary framework developed by the AICPA that evaluates an organization’s controls around security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II certification is increasingly required by enterprise clients and partners before they will sign a contract. If your sales team keeps hearing “do you have SOC 2?”, this is what they mean.

PCI DSS (Payment Card Industry Data Security Standard)

If you process, store, or transmit credit card data, PCI DSS compliance is mandatory. Requirements include network segmentation, encryption, access controls, regular vulnerability scans, and penetration testing.

NIST Cybersecurity Framework

A widely adopted voluntary framework from the U.S. National Institute of Standards and Technology. Many Canadian organizations, and their cyber insurance providers, use NIST CSF as a baseline for evaluating security maturity. It organizes controls into five functions: Identify, Protect, Detect, Respond, and Recover.

FrameworkMandatory?Who It Applies To
PIPEDAYesAll private-sector orgs collecting personal data
PHIPAYesHealth information custodians in Ontario
Bill 194YesOntario broader public sector + their vendors
SOC 2No (contractual)Any org whose clients require it
PCI DSSYesAny org processing credit card data
NIST CSFNo (voluntary)Used as a baseline by insurers and enterprises

Why IT Compliance Is Hard for Mid-Market Companies

Enterprise organizations have dedicated compliance teams, GRC platforms, and seven-figure security budgets. Small businesses often fly under the radar. Mid-market companies get the worst of both worlds: they are large enough to be targeted by regulators and attackers, but rarely have the in-house staff to manage compliance properly.

60%

of mid-market companies face compliance requirements from multiple overlapping frameworks simultaneously

Common challenges include:

  • Overlapping frameworks. A healthcare company processing credit cards may need to satisfy PHIPA, PIPEDA, PCI DSS, and SOC 2 simultaneously, each with different controls, evidence requirements, and audit cycles.
  • Continuous monitoring. Compliance is not a one-time project. Frameworks require ongoing evidence collection, policy reviews, vulnerability scanning, and access audits.
  • Documentation burden. Auditors do not just want to see that you have controls, they want documented policies, procedures, and evidence that those controls are enforced consistently.
  • Evolving requirements. Regulations change. New legislation like Ontario Bill 194 can shift your obligations overnight. Staying current requires dedicated attention.
  • Talent gap. Compliance-qualified IT professionals are expensive and hard to find. A mid-market company competing with banks and tech firms for GRC talent is fighting an uphill battle.
Warning:

A single compliance failure can have cascading consequences. A failed SOC 2 audit does not just delay one deal, it signals risk to every enterprise prospect in your pipeline.

What a Managed IT Provider Does for IT Compliance

This is where the confusion usually starts. Many business leaders assume that hiring a managed IT provider means compliance is “handled.” The reality is more nuanced, but a good provider does take significant compliance burden off your plate.

Here is what a managed IT compliance engagement typically includes:

Gap Assessment

Your provider evaluates your current environment against the frameworks that apply to your business. This identifies where you meet requirements, where you fall short, and what needs to change. A proper gap assessment maps specific technical controls to specific compliance requirements, not just a generic checklist.

Policy Development

Compliance frameworks require documented policies: acceptable use, data classification, incident response, access management, vendor risk management, and more. Your provider helps draft, implement, and maintain these policies so they reflect what your organization actually does, not just what a template says.

Technical Controls Implementation

Policies mean nothing without enforcement. A managed provider deploys and manages the tools that make compliance real: endpoint detection and response, multi-factor authentication, encryption, backup and disaster recovery, network segmentation, and audit logging. These are not optional extras, they are the baseline controls most frameworks require.

Continuous Monitoring and Evidence Collection

Modern compliance is evidence-driven. Your provider maintains audit trails, runs scheduled vulnerability scans, monitors access logs, and collects the documentation auditors need. When audit time comes, the evidence is already organized, not scrambled together in a panic.

Audit Support

When an external auditor arrives, whether for SOC 2, PCI DSS, or a client due-diligence review, your managed IT provider works directly with the audit team. They provide documentation, answer technical questions, and remediate any findings. This is where a provider with compliance experience saves you weeks of internal scrambling.

IT Compliance Is Not Just a Security Problem

It is tempting to treat compliance as a subset of cybersecurity. In practice, IT compliance touches every part of your technology environment:

  • HR and onboarding: How are user accounts provisioned and deprovisioned? Is access reviewed when employees change roles?
  • Procurement: Are your vendors assessed for security risk? Do your contracts include data processing agreements?
  • Operations: Are your backup and disaster recovery procedures documented and tested? Can you prove it?
  • Finance: If you process payments, are your systems PCI-compliant? Is cardholder data isolated?

A managed IT provider with compliance expertise connects these dots across departments, something an in-house IT generalist often does not have the bandwidth or training to do.

How to Evaluate a Provider’s Compliance Capabilities

Not every managed IT provider is equipped to handle compliance. When evaluating a partner, ask:

  • Which frameworks do you have direct experience with? Generic “we do compliance” answers are a red flag. You want specifics: SOC 2 Type II, PCI DSS v4.0, PHIPA, NIST CSF.
  • Is your own organization certified? A provider that has achieved SOC 2 certification themselves understands the process from the inside, not just theoretically.
  • How do you handle evidence collection? Manual spreadsheets signal immaturity. Look for automated evidence collection integrated with your existing tooling.
  • What is your remediation process? When a gap is identified, how quickly is it addressed? Is remediation included in the engagement, or billed separately?
  • Can you support multiple frameworks simultaneously? If you need SOC 2 and PCI DSS, your provider should map overlapping controls rather than running two separate projects.

Ask your provider if they hold SOC 2 Type II certification themselves. A provider that has been through the audit process first-hand understands the evidence burden, timeline, and remediation pressure from the inside, not just as an outside consultant.

Getting Started with IT Compliance

If your organization has not formally addressed IT compliance, the path forward is straightforward:

Identify which frameworks apply. This depends on your industry, data types, client requirements, and geography.

Run a gap assessment. Understand where you stand today against those frameworks.

Prioritize by risk and impact. Not every gap carries equal weight. Focus on controls that address the highest-risk areas first.

Engage a provider with compliance expertise. If your internal team cannot sustain the ongoing monitoring, documentation, and remediation compliance demands, a managed compliance partner fills that gap.

IT compliance is not a checkbox exercise. It is an ongoing operational discipline that protects your business, satisfies your clients, and keeps regulators at arm’s length. The question is not whether you need it, it is whether you are doing it well enough.

Tip:

If you are unsure where your organization stands, start with a compliance readiness assessment and find out.