Twelve months ago Ottawa announced a cybersecurity certification program to encourage small and mid-sized businesses to take security more seriously and enable them to show customers and partners that they take it seriously.
Those passing the CyberSecure Canada minimum standards audit get to display a logo on their websites and marketing material to increase confidence in dealing with the business.
A year later, only three organizations have passed the certification test by one of four independent examination firms. A few others are preparing for certification. To put that in perspective, there are 1.15 million small businesses in the country and about 21,000 medium-sized firms.
One sign of the modest interest in the program: After its launch, CyberSecure Canada listed six IT service firms that could perform certifications. Since then, Bell Canada and Siemens Canada have dropped off the list.
Asked why, Marc Choma, Bell’s director of communications, said in an email that “We were happy to help in getting the program up and running. Our day to day focus at Bell Business Markets is on providing our enterprise customers with specific security solutions for their needs.”
Messages left with Siemens Canada have not been returned.
There has been some business interest in the program, according to the Ministry of Innovation, Science and Economic Development (ISED), which is responsible for CyberSecure Canada. There have been over 500 inquiries about the program, and half asked how to achieve certification; 32 per cent wanted to know how to become a certification body; and 19 per cent were general questions.
“The government is pleased with the progress to date,” said Hans Parmar, an ISED media spokesperson, said in an email, citing how some companies already certified. Still to come is a final national standard, being drafted by the CIO Strategy Council for the Standards Council of Canada. Due to the pandemic that standard won’t be revealed until late next year or early 2022.
“Our next phase, now that we’re up and running, is to launch a major public outreach, engagement, and awareness-raising campaign to ensure businesses are aware of this initiative and the benefits it can provide,” said Parmar. That campaign is expected to start either late this year or early next year.
The president of one of the four remaining certification firms, Watsec Cyber Risk Management of Waterloo, is disappointed with the private sector reaction. Doug Blakey thought two dozen companies would have gone through the certification process by now. Instead, only 15 are working on, or are seriously considering, starting the process. Only one firm has been certified, with another close to it.
“So our expectation has not been met,” he said. “It’s because companies come to us thinking it will be a slam dunk. And then they look at it and find they aren’t as well prepared as they should be.”
He also faults Ottawa for not promoting the program. “Government goes at a snail’s pace, to begin with,” he said. He believes the fall election and then the COVID-19 pandemic has held most of the government’s attention in the last 12 months. “The lack of publicity has not helped.”
This is important, Blakey said, because COVID is making some companies think about the importance of cybersecurity.
The CyberSecure Canada program is based on the Cyber Essentials certification program created in 2017 by New Brunswick’s CyberNB agency, which borrowed elements from a similarly named program in the U.K. The Cyber Essentials program is being folded into CyberSecure Canada.
Businesses wanting to become certified can prepare by hiring a consulting firm for assistance (not one of the certification bodies) or learn a lot through e-learning courses offered by CyberSecure Canada.
To be certified, a business has to show it meets the lengthy security controls set by the government. These include proving the organization has an inventory of IT assets, an incident response plan, securely configured devices, uses strong login authentication, has established basic perimeter defences, encrypts critical data, has a backup plan and meets other criteria.
Certification bodies like Watsec will demand proof only that applicants have the technology in place but also policies and procedures that demonstrate there is proper cyber risk management.
“The biggest problem we see is the lack of useful [internal] documentation,” said Blakey. “They say they have a backup and recovery plan. We ask to see a screenshot of the table of contents and other things. They might take to months to come back to us with that. They’re learning that they really don’t have things in order the way they should.”
Preparation for certification may not only be time-consuming, but it can also be expensive.
Vaughan, Ont.-based Salefish Software, which makes a cloud-based document management solution for residential builders and developers, is one of the about a dozen firms that were certified under the Cyber Essentials Plus program. CEO Rick Haws estimates it cost the firm $5,000 and 1,000 hours of work to be ready for certification by Watsec.
He admits he didn’t think it would take almost a year to meet the standard.
“I would describe our cybersecurity prior to Cyber Essentials as ‘industry standard.’ We had encryption for data in transit — very bare-bones type of things. After Cyber Essentials it was different: The encryption is significantly different.
“The one thing that I don’t think people understand is a lot of the security requirements are around policies and procedures as much as technical solutions. Now we’re completely ahead of the curve. There’s nobody else in the real estate software space that has the certification we have, and we’re really proud of it.
“It’s absolutely worth it. It’s really enlightening. When you start the process, you think it’s about switches and encryption … As you go through the process and understand the care that needs to be taken with people’s data and the steps that have to be taken, you really begin to understand how important data is.”
He also said he believes certification has helped gain them business because it increases the trust of customers.
“For this program to be successful,” Blakey added, “managed service providers and other IT specialists really need to be on-board. Managed service providers have the keys to the kingdom for a lot of clients, so the hackers are targeting managed service providers. We have a lot of expertise that can help with the technical aspect of this, and they can really play a huge role in this program. But they need to get their house in order first, and then they need to bring this program to their clients.”
Other certification bodies include:
- Cyber Security Canada, a service provider with offices in Toronto and Montreal;
- Bulletproof Solutions, a Frederickton-based security solution provider with offices in Toronto, Ottawa, Montreal and the Maritimes;
- SourcetekIT, a Bolton, Ont.,-based IT services firm
(Correction: An earlier version of the story said Salefish Software was one of three companies certified under the Cyber Essentials program, which is winding down in place of the CyberSecure Canada program. The story has been updated to say about a dozen firms have Cyber Essentials certification)
