In an exclusive interview with CanadianSME Small Business Magazine, Sheena Barnett, Vice President of Management, Cyber, and Professional at NFP Canada, shares her expert insights on building cyber resilience for Canadian SMEs. With over a decade of experience in the insurance industry, Sheena brings a wealth of knowledge on cyber threats, risk management, and business continuity. In this conversation, she explores the rapid evolution of cybercriminal tactics, the gaps in cyber readiness among SMEs, and the practical steps businesses can take to defend against AI-driven cyber risks. Sheena also highlights the importance of fostering a proactive organizational culture and offers invaluable advice on future-proofing operations in the face of ever-evolving cyber threats.
Interview By Kripa Anand
At NFP, an Aon Company, Sheena Barnett leverages over a decade of industry experience to drive innovation in management, cyber, and professional insurance solutions. Before joining NFP, she gained valuable expertise through roles at Intact and AIG. Her diverse background includes underwriting in cyber, Errors & Omissions (E&O), and Architects & Engineers (A&E), as well as business development management—sharpening her skills in broker relationship management, training, and sales enablement. Sheena is committed to delivering tailored insurance solutions that enhance client resiliency.
Her focus on building strong professional relationships and developing effective market strategies has been integral to her team’s success in growing and retaining a diverse portfolio of clients.
With AI rapidly advancing, how are you seeing cybercriminal tactics evolve, and which new risks should Canadian SMEs be on alert for within the next year?
AI is helping cybercriminals to mimic legitimate communications almost perfectly. Phishing appears credible, free of grammar errors and even translated seamlessly, removing past tell-tale signs. If cybercriminals get inside, they can move laterally with unprecedented speed, often going undetected.
The real shift isn’t the type of attack but how much more effective familiar tactics have become. Canadian SMEs should prepare for an uptick in AI-driven phishing, deepfake voice scams, and supply chain breaches. Traditional detection methods based on obvious red flags are no longer sufficient.

The smartest move is to modernise defences: review security, privacy and data governance frameworks. Keep security awareness training ongoing, implement timely patching, and run realistic incident simulations. Backups should be secure, segmented, and tested; multi-factor authentication (MFA), endpoint detection and response (EDR), incident response planning and a broker-supported plan should be in place, so expert help is on call the moment something is detected.

Based on your experience with a diverse portfolio of clients, what are the most common gaps in cyber readiness among Canadian small and medium-sized businesses?
Many SMEs still underestimate the value of knowing their own digital environment. Any questions often go unanswered: What data do you have? Where is it stored? How is it protected? Without this baseline, it is difficult to assess risk, risk transfer or meet governance expectations.
Other gaps include insurance carrier expectations of all SME businesses to deploy and have an over-reliance on multi-factor authentication (MFA). MFA remains important but won’t stop every attack and some insurers will put policy limitations or absolute exclusions on policies to deny claims if it’s absent, even in unrelated breaches. Untested incident response plans and backups are other weak points, as is a lack of clarity on what a cyber policy truly covers. Insurance brokers work hard to provide additional clarity and support as many SME businesses lack cybersecurity experts to support them.
Finally, vendor quality in breach response is often overlooked. A poorly matched legal partner can increase costs, slow recovery, and affect claim outcomes. Addressing these issues takes active leadership, documented processes, and regular reviews of controls and coverage terms.
What are the top, practical steps SMEs can implement right now to reduce their vulnerability to AI-driven cyber threats—especially considering limited budgets and resources?
The cyber insurance market remains competitive despite increases in attacks. Comprehensive risk transfer solutions that fit SME business are critical.
All SME business owners should review and continue to be aware of their security, privacy and data governance policies:
- Review backup processes, store copies in more than one secure location, and test them regularly.
- Apply software updates promptly and retire unsupported systems.
- Introduce verification processes with callbacks for all payment and fund transfer requests.
- Run phishing simulations and awareness refreshers so staff can recognize suspicious activity.
Cyber insurance should be part of this mix. It not only offsets costs but also gives SMEs access to vetted investigators, legal experts, and recovery teams, some accessible for early-stage concerns without filing a formal claim. One incident can more than justify the cost, and pairing in-house diligence with expert external support offers far more protection than relying solely on technology.

How can leadership teams go beyond technical safeguards to foster a culture of organizational readiness and proactively respond to evolving cyber risks?
Culture is the deciding factor in whether an organization recovers quickly or stumbles. SME business owners need to treat cyber risk as a standing agenda item, not a once-a-year checkbox.
That means integrating security considerations into everyday decisions, from approving new tools to onboarding suppliers. When adopting AI or other emerging technologies, provide training at launch so staff understand both the benefits and the risks.
Promote verification habits to counter social engineering, and maintain clear escalation paths if something seems suspicious. Work with external partners who can provide readiness resources, from targeted training to proactive risk monitoring. A culture of preparedness builds confidence, speeds response, and reduces the odds of an incident escalating.
As a closing thought, what key advice would you offer to Canadian small and medium-sized businesses looking to strengthen their cyber resilience and future-proof their operations?
Cyber resilience is built before the breach. Test backups, practice incident response and recovery, and review vendor and cloud contracts to know exactly how large-scale outages or breaches will be handled.
Threats will keep evolving, so policies, training, and safeguards must evolve too. Prepare for both targeted attacks and systemic events — such as a major cloud provider outage — that could affect hundreds of businesses at once.
Treat cyber risk as you would finance or compliance: an ongoing operational priority. With 73% of Canadian SMEs hit by an incident in the past year, the cost of inaction is high. The most resilient companies blend disciplined governance, adaptable defenses, and a culture where cyber readiness is seen as central to long-term success.
Disclaimer:
The views and experiences shared in this interview represent those of the guest and are intended to inform and inspire CanadianSME’s readers. CanadianSME Small Business Magazine is committed to supporting small business owners and professionals from diverse backgrounds and does not offer legal or immigration consultancy advice. Readers are encouraged to seek professional guidance tailored to their individual needs.

