Here's why Canada needs to take a 'water testing' approach to cybersecurity
Alexander Poizner, Contributor
*Originally published in the Toronto Star on April 5, 2026, BUSINESS | OPINION*

Summary
- The federal government is prioritizing digital sovereignty, but many Canadian businesses are not focused on cybersecurity.
- This disconnect creates a national vulnerability, as companies often depend on foreign-controlled digital infrastructure.
- Proposed solutions include government incentives, like tax credits and procurement standards, for continuous cybersecurity testing.
Canada’s federal government is prolific on the subject of “digital sovereignty.”
Indeed, Evan Solomon, our nation’s first minister of artificial intelligence and digital innovation, seems to speak of little else.
It is now a given among Canadian policy wonks that critical data and digital infrastructure should be governed by Canadian laws, not dependent on foreign systems beyond our control.
This is an encouraging mindset for the safety and security of our nation, at a time when both feel in short supply.
What is less encouraging, however, is that outside the Ottawa policy bubble, the dream of digital sovereignty is largely disconnected from the immediate priorities of most businesses.
In the back offices of many small and medium-sized companies, business leaders are trying to keep operations running and cover payroll amid constant tariff threats. They are not typically engaged in matters of cybersecurity and sovereignty in the cloud.
The data bears this out.
According to Statistics Canada, in the second quarter of last year, only “one in five Canadian businesses and organizations planned to take new or additional cybersecurity actions over the next 12 months.”
Close to half of those businesses did not have plans to pursue “any new cybersecurity measures” and nearly three in five claimed not to need them.
This lack of urgency matters deeply because digital sovereignty and security only work if there is buy-in from all stakeholders in our economy.
After all, many of the tools and platforms Canadian businesses rely on are hosted abroad, subject to foreign legal regimes and security standards. We may speak confidently about digital sovereignty, but much of our economy still runs on infrastructure we often do not control, and on technology that is inconsistently tested and monitored.
In the private sector, where I work with businesses to safeguard their digital infrastructure, it is common for companies to test for vulnerabilities on an annual basis — if that. Meanwhile, cyber threats evolve daily, fuelled by constant software updates, vendor changes and supply-chain shifts.
In other words, digital systems require continuous testing and safeguarding, much in the same way drinking water does. Think about it: Water systems are tested continuously because contamination could occur anytime.
Bacteria don’t wait to appear at the precise moment a scheduled audit is occurring. The same principle applies to cybersecurity: a hacker doesn’t miraculously attack at the precise moment a specialist is there to ward him off. Thus, consistent regular testing is necessary to protect the safety and sovereignty of Canada’s digital technology and economy.
Still, too many corporate leaders approach cybersecurity as a one-and-done endeavour — or worse, not at all.
There are solutions to this problem. If we want a truly safe and sovereign digital economy, we should incentivize corporate Canada to take up the cause.
This incentivization could take many forms.
For example, the federal government could implement specific corporate tax incentives for organizations that demonstrate a serious effort to test their systems not once, but on a continuous basis. In other words, we could take a “water testing” approach to cybersecurity.
Federal procurement standards could follow suit, requiring companies that operate in critical sectors to engage in regular monitoring of their systems.
Indeed, even as Ottawa contemplates changes to the Telecommunications Act, there is no universal requirement for continuous cybersecurity testing among critical service providers. Federal decision makers can change that.
In a hyper-connected digital economy, the distance between a minor oversight and a national vulnerability is shorter than we would like to believe.
Small and mid-sized companies, deeply embedded in critical supply chains and often handling sensitive data, are expected to shoulder cyber risks with limited budgets and little in-house expertise.
In the end, we need fewer high-minded philosophical debates about digital sovereignty and more down-to-earth conversations about how these issues impact everyday business owners.
If Canadians are going to take digital sovereignty and cybersecurity seriously, they need to understand how close to home these risks really are, and how easily an overlooked detail can become a vulnerability that threatens their livelihoods — and Canada itself.