The federal government on Monday launched the long-awaited cybersecurity certification for small and mid-sized businesses in hopes of increasing the attention SMBs pay to cybersecurity as well as increasing the confidence of online shoppers who buy from Canadian sites.
The CyberSecure Canada program allows organizations to prove to a certification body approved by the Standards Council of Canada that they meet certain minimum standards. Those that pass are entitled to use a logo on websites and promotional material attesting that they have met the standard. They will also be listed in a searchable registry available for consumers and partners.
The program is tailored specifically for SMBs (up to 499 employees) because they have fewer IT resources, and they account for a significant number of data breaches. According to StaySafeOnline.org, which is overseen by Public Safety Canada, 71 per cent of data breaches are suffered by small businesses. It figures nearly half of all Canadian small businesses have been the victim of a cyberattack.
However, enterprise-sized companies and not-for-profits are also eligible.
Finance minister Bill Morneau made the announcement in Fredericton at the University of New Brunswick’s Canadian Institute for Cybersecurity.
“There’s so much Canadians can do online—from connecting with friends and family, to personal shopping, to building a business,” he said in a statement. “This online activity is good for our economy and helps create good, well-paying jobs. At the same time, it’s critical that Canadians feel confident about the security of their interactions and information. Today’s announcement is an investment in skills, in businesses and in the future of our economy.”
However, Global News quoted Morneau as describing the program at this point as a pilot.
In an email a spokesperson for Innovation, Science and Economic Development Canada explained that in the short term companies that apply for certification will have to meet the “Baseline Cyber Security Controls for Small and Medium Organizations” created by the Communications Security Establishment (CSE). Ultimately companies will have to meet a national security standard set by the Standards Council of Canada. However, that isn’t expected to be set until the fall of 2021.
Morneau also announced funding for Tech Impact to help the organization that offers IT training for Canadian non-profits with a talent development pilot for the cybersecurity sector. Through the Atlantic Canada Opportunities Agency, the federal government is providing $997,000 to Tech Impact to develop and deliver the project.
Companies authorized so far to do certification are:
- Bell Canada
- Siemens Canada
- Cyber Security Canada, a service provider with offices in Toronto and Montreal
- Bulletproof Solutions, a Fredericton-based security solution provider with offices across the Maritimes
- SourcetekIT, a Bolton, Ont.-based IT services firm
- WatSec Cyber Risk Management, a Waterloo, Ont.-based consultancy
To be certified an organization has to prove to a certification body that it has implemented the 13 basic security controls listed here. These range from the basics (inventory hardware and software assets; assess potential threats; develop an incident response plan) to the technical (install and securely configure anti-virus/anti-malware software as well as firewalls; change administrative passwords; use multi-factor authentication; have a data backup and encryption policy).
Innovation, Science and Economic Development Canada will register certified businesses, allowing them to use promotional materials. Organizations will have to be re-certified after two years.
On its website the government notes that certification does not guarantee complete protection from cyber threats. “However, the processes and best practices learned as you make your way through the certification process will provide business owners, managers and employees with the tools and abilities to improve your level of cyber risk and to better deal with breaches, if they occur.”
The price for certification is set by the certification bodies. The government says they may choose not to charge for the certification if a business uses their products and services that already meet the security controls. Others, the website says, “may charge anywhere from a few hundred dollars to several thousand depending on the complexity of your business and the audit required.”
“One of the problems is in Canada people don’t think security,” he said. The readiness of SMBs in Ontario and Quebec he sees ranges from “zero, to wide-open networks, to networks with antivirus and firewalls — but no one’s looking at the firewall.”
This week, for example, Beitner’s firm is helping an organization that suffered a data breach with “a brand name firewall. But it was never configured properly.” Many SMBs don’t want to spend much on cyber security, he said.
Beitner wants to spread awareness “from the top down” by urging managed service providers to get certified under the Cyber Essentials or CyberSecure Canada programs. Then they will spread the word about certification to their customers, he hopes.
“The average business may not find out about it, but they all have IT,” he said. “They work with someone who manages their infrastructure, and they should know the risks. We’re trying to reach the IT people because they understand. The only time businesses are interested [in cybersecurity] is when they’re hacked.”
He hopes IT pros will tell their clients certification “is not a terrible thing, it will help them lower their risks and become more resilient in the event of a compromise.”