In Canada there are 1.15 million SMBs – Very few have passed CyberSecure Canada’s certification test

In Canada there are 1.15 million SMBs – Very few have passed CyberSecure Canada’s certification test

Twelve months ago Ottawa announced a cyber security certification program to encourage small and medium-sized businesses to take security more seriously and to enable them to show customers and partners that they take it seriously Huh. 

Those who pass the CyberSecure Canada Minimum Standards audit are required to show a logo on their website and marketing material to build confidence to deal with the business. A year later, only three organizations have passed certification exams by one of the four independent examination firms. Some others are preparing for certification. In that perspective, the country has 1.15 million small businesses and about 21,000 medium-sized firms.

An indication of modest interest in the program: After its launch, CyberSecure Canada listed six IT services firms that could do the certification. Since then, Bell Canada and Siemens Canada have been off the list. When asked, Bell's communications director, Mark Choma, said in an email, 

"We are happy to help get the program up and running. Our day focus on the Bell Business Market is on providing security solutions specific to our enterprise customers for their needs. "

Messages left with Siemens Canada have not been returned.

According to the Ministry of Innovation, Science and Economic Development (ISED), the program has some business interests, which Cybersecure Canada is responsible for. There have been more than 500 inquiries about the program, and half asked how to obtain certification; 32 percent wanted to know how to become a certification body; And 19 percent were general questions. 

"The government is pleased with the progress to date," ISED Media spokesman Hans Parmar said in an email. There is a final national standard still to come, which is being drafted by the CIO Strategy Council for the Standards Council of Canada. 

The standard will not appear until the next year or the end of 2022 due to the epidemic. "Our next phase, now as we get up and running, is to launch a major public outreach, engagement and awareness-raising campaign to ensure that businesses are aware of this initiative and the benefits it can provide." Is aware, "said Parmar. 

The campaign is expected to begin later this year or early next year. One of the four remaining certification firms, Waterloo's WhatsApp Cyber ​​Risk Management, is disappointed by the private sector's response . 

Doug Blakey thought that two dozen companies would have gone through the certification process by now. Instead, only 15 are working, or are seriously considering starting the process. Only one firm has been certified, One who has another pass. 

"So our expectation is not fulfilled," he said. "Because companies come to us thinking that it will be a slam dunk. And then they look at it and find that they are not ready As they should be. 

”He also blamed Ottawa for not promoting the program. 

"The government runs at a snail's pace, to begin with," he said. He believes that the fall in the election and then the COVID-19 epidemic has attracted most of the government's attention in the last 12 months. "The lack of publicity has not helped." 

This is important, Blakey said, because COVID is thinking about the importance of cyber security to some companies. 

The Cybersecure Canada program is based on the Cyber ​​Essential Certification Program created in 2017 by the CyberNB agency of New Brunswick, the U.K. Elements borrowed from a program with a similar name in CyberSecure Canada are being folded. 

Businesses wishing to become certified can learn a lot by hiring a consulting firm (not one of the certification bodies) for assistance or through e-learning courses offered by Cybersecure Canada. To be certified, a business must show that it meets the lengthy security controls set by the government. 

This includes proving that the organization has a list of IT assets, an incident response plan, securely configured devices, uses strong login authentication, has established basic perimeter security, encrypts important data Is, has a backup plan and meets other criteria. 

Certification bodies such as WhatsApp will not only ask for proof that applicants have the technology, but also policies and procedures that demonstrate that there is proper cyber risk management. "The biggest problem we see is a lack of useful [internal] documentation," 

Blakey said. "They say they have a backup and recovery plan. We ask to see a screenshot of the table of contents and other things. 

They may take months to get back with us. They are learning that they are actually things. Are not the way they should be. 

"Not only can preparation for certification be time-consuming, but it can also be expensive. Vaughan is one of about a dozen firms that were certified under the Cyber ​​Essentials Plus program, Ontarus-based Sailfish Software, which builds cloud-based document management solutions for residential builders and developers. CEO Rick Hubbs estimated that the firm cost $ 5,000 and 1,000 hours to prepare for certification by WhatsApp.

He admitted that he did not think it would take about a year to meet the standard. 

I will describe our cyberspace as "the industry standard before cyber imperatives". We had encryption for data in transit - very bare-bones types. After Cyber ​​Essential it was different: encryption is quite different. 

"One thing that I don't think people understand is that a lot of security requirements policies and procedures are similar to technical solutions. 

Now we are completely ahead of the curve. There is no one else in the real estate software space that we have certification for, and we are really proud of it. "It's absolutely worth it. It's really enlightening. 

When you start the process, you think it's about switches and encryption ... as you go through the process and understand the care that With people's data to be taken and the steps that have to be taken, you really start to understand how important data is. 

"He also said that he believes certification helped him gain business Is because it increases customer confidence. 

"For this program to be successful," Blakey said, "Managed service providers and other IT specialists really need to be on-board. Managed service providers have a state key to a lot of customers, so hackers manage service Are targeting providers. 

We have a lot of expertise that can help with the technical aspect of this, and they can really play a big role in this program. But they need to get their house in order first , And then they need to bring this program to their customers. "