The Cyber Arms Race
For years, cybersecurity has been an invisible backbone of the Canadian financial system—a quiet set of protections humming beneath the country’s largest institutions. But according to Adam Evans, Chief Information Security Officer at RBC, the landscape has shifted dramatically. The criminals have evolved faster than most organizations can react.
“We’re seeing the industrialization of the criminal complex,” he says. “Threat actors are retooling their toolkit with next-gen technologies that give them speed and scale we’ve never seen before.”
It’s a blunt assessment, but one increasingly shared across the industry. Cybercrime today is a $10.5 trillion economy (the third largest in the world) and growing at a pace that outstrips legitimate innovation. As fraudsters adopt AI, deepfakes, impersonation tools, and franchised “crime-as-a-service” capabilities, organizations are entering what Evans describes as a full-blown “arms race.”
And not everyone will survive it.
A New Digital Divide: The Cyber Poverty Line
As cyber criminals industrialize, Evans warns of a widening gap, a “cyber poverty line” that many organizations are slipping below.
“The cyber poverty line is the inability of an organization to meet the demands of the threat landscape they’re operating in,” he explained. “If you can’t invest in talent, tools, education, or intelligence, your chances of successful compromise rise dramatically.”
For small and medium-sized businesses—which make up the vast majority of the Canadian economy—the risk is especially high.
They often lack:
- the funding to buy modern security tools
- the people to run them
- the culture to sustain cyber hygiene
- and the intelligence to understand which threats matter most
It’s an uncomfortable reality: the businesses least able to afford a breach are often the most vulnerable to one. But the resource gap isn’t the only challenge. Even for well-funded institutions, the threat landscape is evolving faster than the workforce.
“We’re not creating enough educated people to manage this,” Evans said. “There are four million security jobs globally that are unfilled. And now we don’t just need technologists—we need communicators, collaborators, analysts, educators. The diversity of skills required is exploding.”
AI: The Criminal’s New Engine
AI is reshaping the cybercrime landscape at a pace that few organizations have ever had to defend against.
Criminals are now using tools that can:
- weaponize vulnerabilities in hours
- generate deepfake voices indistinguishable from loved ones
- automate scams at scale
- impersonate institutions with near-perfect accuracy
- produce crime kits they can license to other bad actors
This reinvention of the cybercriminal business model is fueling a new era of professionalized, franchised, AI-powered crime.
“It’s creating a new engine for crime-as-a-service,” Evans said. “As they build new capabilities, they can franchise them to other criminals. That’s only increasing their revenue streams — and attracting more people into that economy.”
The result is a rapidly intensifying threat landscape, with attackers advancing faster than most organizations can respond.
RBC’s Playbook: A Factory for Continuous Defense
So what does cybersecurity look like when the threats evolve by the hour?
For RBC, it means abandoning the old idea of static protection and embracing something closer to a security factory: adaptive, iterative, and relentlessly efficient.
“You need to continuously and iteratively make changes to keep pace,” Evans said. “Threat actors can weaponize vulnerabilities in hours. That means we need to detect, respond, and improve security in that same timeframe.”
At RBC, that involves:
- clear, threat-informed strategy
- “best of breed” tools that are constantly tuned
- automation and AI layered after the fundamentals are strong
- cross-functional collaboration between data scientists, threat hunters, hackers, and analysts
- high-fidelity insights that enable real-time decision-making
But Evans cautions that automation is not a silver bullet.
“With automation, if you get it wrong, you can break things—take systems offline, impact services,” he said. “You need humans in the loop. And you need really good fundamentals before you automate anything.”
The Human Firewall: Changing Behavior, Not Just Systems
Technology may be advancing, but Evans insists that the real battleground is human behavior.
“It’s not a lack of understanding,” he said. “It’s a lack of knowing what step to take first.”
That’s why RBC invests heavily in security culture—from basic cyber hygiene to reinforcement learning that helps employees and clients form lasting habits.
“People already lock their doors and cars. We need them to think about their digital assets the same way.”
And when the stakes are emotional, criminals exploit urgency. Evans sees it all the time.
“When I talk to people who’ve been compromised, most will tell you they sensed something was wrong—but they didn’t stop. They didn’t take a breath.”
Threat actors count on that moment of panic. That’s why Evans believes the simplest move is often the most effective: hang up the phone, break the attack chain, and call the bank back using the number printed on your card.
Even families, he says, need to start treating digital safety as a shared responsibility. He points to his own mother.
“We set up systems so I get a text whenever there’s a transaction on her accounts. It’s an extra set of eyes. It lets us detect something quickly.”
It’s a reminder that cybersecurity is no longer something individuals can manage alone; it’s communal.
The Rising Tide of Social Media Scams
If there is one threat that worries Evans most right now, it’s the explosion of scams across social media: fake ads, impersonation attacks, voice clones, deepfake videos, and synthetic content designed to weaponize trust.
“Threat actors understand that people have unwavering trust in institutions like banks and government,” he said. “That’s why impersonation attacks are so effective.”
The trend is so severe that even governments are now stepping in with new funding to curb fraud.
The Missing Piece: Global Disruption
For Evans, the final—and most crucial—part of the puzzle is collaboration at a scale that matches the criminal world. That means governments, institutions, and law enforcement coordinating far more deeply.
“There’s a lot of criminal behaviour that goes unchallenged,” he said. “We need to make it more costly for them to target companies. And government needs to play a bigger role in that.”
The challenge? Cybercriminals operate across borders, with specialists in every stage of the attack chain scattered around the world.
“You can’t take down a cybercrime gang by focusing on one country,” he said. “Law enforcement has to collaborate across borders the same way the criminals do.”
A Future That Requires Everyone
Despite the urgency, Evans is not pessimistic. He believes in transparency, education, and shared responsibility—what he calls the “citizenry of security.”
“It takes more than my program to keep the bank safe,” he said. “It takes clients, suppliers, employees. Everyone.”
The threats may be evolving at extraordinary speed, but the way forward, in his view, is both simple and collective.
“Education is power. Awareness is power. The first step is knowing where you stand—and taking a step. Any step.”
In an era defined by AI, deepfakes, and an economy built on criminal innovation, Greg’s message lands as both warning and call to action.
True security comes from shared awareness and shared action.
And the sooner organizations—and individuals—understand that, the better prepared they’ll be for the waves still coming.