Canadian organizations are confronting a cybersecurity landscape that’s more complex and menacing than ever before. According to the 2025 CIRA Cybersecurity Survey, more than four in ten organizations (43 per cent) experienced a cyber attack (attempted or successful) in the past 12 months. These costly and disruptive incidents continue to plague businesses, hospitals, utilities, municipalities and non-profits. No sector is immune. In 2025 alone, we’ve seen high profile incidents including a ransomware attack on Nova Scotia Power, a data breach in the House of Commons and an attack on servers and software systems at WestJet.
Data sovereignty trumps cost as the top consideration
As organizations shore up their defences to prevent future attacks, one of their key priorities is investing in third-party cybersecurity solutions. While cost is a key consideration for any purchase decision, nearly seven in ten (69 per cent) organizations cite data sovereignty—the assurance that their data will be stored in Canada and subject to our laws—as the most important consideration when sourcing a cybersecurity solution (up from 60 per cent in 2024).
This trend is strongest in the private sector, where 71 per cent rate it as their top buying consideration, followed by 57 per cent in the public sector and 54 per cent in the MUSH sector (municipalities, universities, schools and hospitals). In contrast, less than a third (29 per cent) identified price as their top concern.
Why is data sovereignty so important? Global political uncertainty, driven by shifting trade and regulatory conditions in the U.S., and the increasing sophistication of attacks launched by state actors are two key factors. With their preference for home-grown cybersecurity solutions, Canadian organizations are looking for more control over their data, along with the peace of mind that comes from knowing it’s stored, processed and protected within our “digital borders.”
By putting data sovereignty first, they’re ensuring their economic independence, reducing the risk of foreign access and avoiding being subject to another country’s laws and surveillance powers. Perhaps most importantly, Canadian organizations are committed to protecting their customers’ data.
Survey results show a strong focus on vendor origin: 82 per cent of organizations say it is more important than a year ago when selecting cybersecurity vendors, and just over half (56 per cent) have reviewed their use of U.S.-based providers due to trade or political conditions.
What’s more, nearly nine in ten (89 per cent) are concerned about supply chain risks or disruptions stemming from global political uncertainty.
Organizations are taking additional steps to improve security
Beyond cybersecurity solutions, professionals are also implementing a variety of other measures designed to protect their data, IT infrastructure and people. Almost three quarters of organizations (74 per cent) are devoting more human resources to cybersecurity protection than they did in 2024, while nearly all (98 per cent) are offering regular cybersecurity training. More than half (56 per cent) are allocating between 10 and 25 per cent more financial resources to IT systems management and cybersecurity than the previous year.
When it comes to cybersecurity, there’s broad agreement among professionals that buying Canadian makes sense. To dig deeper into the reasons why keeping your data in Canada is the best option for your organization, your customers, your employees and your data, check out Just how valuable is cybersecurity data sovereignty for Canadian organizations?
Jon Ferguson leads the Cybersecurity & DNS services unit at CIRA that builds upon the organization’s world class DNS services to provide cybersecurity services and training to Canadians and the global internet community. For the past 15 years, Jon has worked in product leadership roles for organizations building globally distributed Internet of Things and Cybersecurity solutions.
