A year ago a certification program for confirming to the public that a Canadian business has at least minimal cyber security controls was announced by CyberNB, an arm of the New Brunswick government.
Since then it’s been slow getting firms and government departments certified that they have passed the Cyber Essentials Canada test and can display its logo on websites and marketing material.
Today the program hopes to make a major leap by announcing a partnership with the Canadian Chamber of Commerce, which will give it greater visibility to 200,000 businesses who are members of the 450 chambers and boards of trade across the country.
As an incentive, those members will get a 25 per cent discount on the certification fee they have to pay to be tested.
Only a few firms and government departments – New Brunswick’s Liquor Corp. is one – have been certified so far. However, Waite said, 50 are in the middle of the certification process.
Scott Smith, senior director of intellectual property and innovation policy at the Canadian Chamber, said he would like to see “a few thousand” firms either certified or in the process by the end of 2019.
In an interview he said the Chamber is endorsing the program for several reasons: “Much of our network are small to medium enterprises. We do what we can to make sure they have the tools to conduct business effectively and are competitive. I think many small businesses are challenged on the cyber security front in having a tool available to them that is both cost-effective and simple to implement.”
Internationally-accepted standards like the National Institute of Standards and Technology (NIST) cyber security framework are difficult and expensive for a small business to implement, he said. Cyber Essentials covers five of the 20 controls most frameworks include and is achievable but still effective, he said.
In addition, he said that increasingly companies will demand proof from their suppliers that they are cyber-secure. Finally, a Cyber Essentials certification may help lower insurance premiums.
There’s also the logic that the cost of being certified is far less than the cost of recovering from a data breach, Smith added.
The idea of a certification program is also to give Canadian consumers some comfort that a business they are dealing with has at least a minimal ability to keep their personal data safe.
According to a recent report by Statistics Canada, just over one-fifth (21 per cent) of over 10,000 Canadian firms reported that they were impacted by a cyber security incident which affected their operations. But only 13 per cent of businesses surveyed said they had a written policy in place to manage or report cyber security incidents.
Just over half of large businesses said they conducted regular cyber security risk assessments of their operations. By comparison, 59 per cent of small-sized businesses and 56 per cent of medium-sized businesses said they irregularly conducted assessments.
CyberNB, which promotes the cyber security industry in Nova Scotia, decided one way to fight the problem was to create a national certification program, modeled after the Cyber Essentials program in the U.K.
There are two levels to the program:
–Cyber Essentials Basic. To meet this standard an organization has to show it runs five cyber security controls: boundary firewalls and Internet gateways, secure configuration of servers and software, a patch management regime, access control over users and malware protection. It costs $1,750 to be tested.
–Cyber Essentials Plus. To meet this standard an organization has to meet the basic standard and pass an on-site vulnerability assessment by a third party. The cost to be tested can be negotiated with the company that does the certification, but it would run around $4,500.
So far three organizations are accredited to do the testing: CGI, a national integrator with offices across the country; WatSec Cyber Risk Management of Waterloo, Ont.; and Bulletproof Solutions Inc. of Fredericton, N.B.
CyberNB says following those five controls should stop 80 per cent of cyber attacks.