Securing Privacy in Canadian SMEs
This report examines the cybersecurity and privacy protection views of small and medium-sized enterprises (SMEs) in Canada, and how the interaction of factors external to an SME (e.g., government policies, industry forces, advancement in technology) and factors internal to an SME (e.g., privacy, reputation, ethical considerations) affects cybersecurity (CS) adoption within these organizations. Insight and evidence were collected through interviews with SMEs, organizations supporting SMEs, the industry, and policy influencers. First, the relevant literature on cybersecurity adoption is reviewed. Next, after examining the data, the researchers highlight 5 controversies: 1) differences in how CS and privacy are viewed, 2) problematic education levels, 3) CS for privacy viewed as unnecessary costs, 4) misaligned roles, responsibilities and priorities between SMEs and the industry, and 5) the government’s come-to-me model. Based on the discourses identified, the researchers find that Canadian SMEs’ responses to cybersecurity and privacy demands can be grouped into 4 categories, based on how they experience push vs. pull: 1) CS for privacy isn’t a serious thing, 2) Reliance on the goodness of my heart, 3) Don’t see the importance, but I (think) I’ll get in trouble if I don’t do it, and 4) Disenchantment and disincentivizing. The report concludes by providing recommendations, from SMEs and the researchers, on how to help Canadian SMEs become more cybersecure.