Canada’s new Cyber Security Program for SMOs: An inside look at the development of Canada’s National Cyber Security Standard

18-August | Written by Matthew MacNeil

Small-and-medium organizations (SMO) are vulnerable to cyber attacks. With limited IT budgets and technical resources, SMOs are prime targets for bad actors. According to Statistics Canada: 19% of small businesses and 28% of medium businesses reported a cybersecurity incident in 2017. A key contributor to this issue is the lack of comprehensive and easy-to-implement guidance available that SMOs can manage on their own, and that specifically addresses the needs of their business.

In 2019, the Government of Canada announced a plan to combat this issue with the announcement of their “CyberSecure Canada” program. Developed and managed by the Innovation, Science and Economic Development (ISED) in collaboration with the Communications Security Establishment (CSE) and Standards Council of Canada (SCC), the program aims to improve the cyber posture of Canadian SMOs.

The CyberSecure program is in a pilot phase. The pilot phase is intended to continue until the establishment of the National Standard of Canada. In December 2019, the SCC engaged the CIO Strategy Council to facilitate the development of the Standard to support the “CyberSecure Canada” program.

Here is an inside look at the development of the national standard and why it is important for Canadian organizations.

As an accredited standards development organization in Canada, the CIO Strategy Council’s standards development process is open and transparent, ensuring all stakeholders and interested parties’ voices are heard. The technical committee responsible for the standard, is comprised of multi-stakeholder groups representing industry, all levels of government, and end-users. Recruitment for the technical committee is ongoing and new participants are welcome any time. To date, a few iterations of the draft standard have been reviewed and commented on by the technical committee; and as the draft standard matures, it will be made available for public review for additional feedback. It typically takes one year for a National Standard of Canada to be published, from start to finish.

Why a national standard like this is important in the SMO space?

Standards are proliferating in the sphere of technology. Saying that, most available and accepted standards can be too costly or technical for the average SMO to implement. Stakeholders have sought for a framework that is written in common, non-technical language, that gives SMOs clear and achievable requirements in order to protect their business, employees and customers. Adopting the National Standard of Canada will help SMOs to build cyber resilience while also increasing consumer confidence.

How the national standard will address security controls for organizations with limited budget and resources?

SMOs will benefit from time and cost savings that result from the development process of the Standard. The CIO Strategy Council’s technical committee responsible for the development of the Standard is composed not only of a wide range of subject matter experts and thought leaders, but also the SMOs standing to benefit from the program. The Standard will introduce baseline cybersecurity controls to help SMOs reduce the risks of cyber security incidents and data breaches, putting them in the position to detect, respond, and recover. The recommended security controls from this Standard aim to advise and guide SMOs on how to maximize the effectiveness of their cyber security investments.

Still time to get involved.

The most critical success factor to improving the cyber posture of Canadian SMOs is to have direct participation from the SMO community in this important standard setting work. We strongly encourage all SMOs, regardless of size, industry or IT knowledge to help shape the Standard and promote a more secure Canada.