The 2025 CIRA Cybersecurity Survey was conducted by The Strategic Counsel in August of 2025. It collected 500 online responses from cybersecurity decision-makers across Canada. The goal was to identify industry trends in perceptions and attitudes.
You can find the full survey results and a summary of the findings below.
↓
Executive Summary
In 2025, malicious cyber attacks and the dangers they pose to Canadian organizations of every stripe are no longer news to anybody, least of all the people who practice cybersecurity for a living. No one wants to be in the crosshairs of the ever-expanding ranks of cyber criminals, but as pessimistic as it may seem, when it comes to cyber attacks, it’s no longer a question of if, or even when, but when again.
Fortunately, Canada’s cybersecurity professionals are standing on guard, taking proactive steps to bolster their resilience and fend off the coming wave of AI-driven attacks.
The risk from generative AI is on the rise
If cyber crime already carries an air of inevitability, the rise of generative AI is causing organizations to worry about its potential to unleash ever more sophisticated and damaging attacks. Seven in ten (70 per cent) say they’re worried about these new threats, citing AI-powered cyber attacks (54 per cent), privacy breaches (52 per cent) and data poisoning (48 per cent) as the greatest areas of concern. There is also heightened concern about data gathered by AI tools (65 per cent), improved phishing emails and texts (61 per cent) and deepfake images and videos (52 per cent).
Resources and preparedness
As in 2024, most Canadian organizations are diligently following best practices for protecting their organizations from cyber threats and are making smart investment decisions to further fortify their defences. Over three quarters of organizations (78 per cent) allocated between 10 and 25 per cent more funds to IT systems management and cybersecurity. Many are earmarking some of those funds to purchase third-party cybersecurity solutions, with data sovereignty (69 per cent) trumping price (29 per cent) as the top consideration.
Other preparedness measures include integrating AI tools into workflows, something 65 per cent of organizations have done (up from just 44 per cent 2023) and providing cybersecurity training to their employees (98 per cent).
Cyber incidents
Canadian organizations in the public, private and MUSH sectors (municipalities, universities, schools and hospitals) continue to be targeted by cyber criminals. More than four in ten (43 per cent) have been targeted in a cyber attack and a similar share (42 per cent) have experienced a breach of customer or employee data in the last 12 months (up from 29 per cent in 2022). Ransomware attacks show no signs of letting up, with just under a quarter of organizations (24 per cent) saying they’ve been the victim of one in the last 12 months. Of those, a staggering 74 per cent paid the ransom demands.
Recovery from cyber incidents
Recovery from cyber incidents is improving for many Canadian organizations. In the past 12 months, two-thirds (66%) reported using their cyber incident response plan, with the majority able to restore IT systems to pre-incident capacity in under a month, including 42 per cent which successfully recovered within a week. Similarly, most organizations were able to recover compromised or stolen data in under a month, with 42 per cent achieving full recovery in less than a week, highlighting the effectiveness of structured response plans and preparedness.
