Canada’s new Cybersecurity Standard: What you must know and why take action

Editor's Note

This article is sponsored by CyberCatch

Cybersecurity expert Sai Huda says Canadian small to mid-sized enterprises (SMEs) are far too vulnerable to stealth attacks from hackers. 

Huda understands that SMEs are Canada’s economic engine, but don’t have the resources to handle their own cybersecurity.

A 20-plus-year veteran of cybersecurity, Huda was shocked when his own information was hacked and stolen. He wrote Next Level Cybersecurity to find out how and share what he learned. 

Since then, Huda has helped draft the Canadian cybersecurity standards with the CIO Strategy Council - the first of their kind in the world. He also founded CyberCatch (a company based in San Diego and Vancouver) to embed those standards in an automated, easy-to-use cybersecurity tool.

OBJ’s Michael Curran spoke with Huda to pass on some cybersecurity tips SMEs can implement right away.

MC: Why is cybersecurity critical for SMEs?

SH: If you have a website or use email, you could be attacked. Hacking is a $600 billion problem for SMEs in terms of the impact of loss of IP or data. It’s happening daily across the globe and an attack can shut down your business for weeks. When CyberCatch scanned SMEs for vulnerabilities (using an ethical, white hat approach) they discovered that too often website code isn’t up to par, particularly in Canada. This leaves the door open for a hacker to install a fake form on an SME’s website that gathers information about its customers. CyberCatch also conducted a blind survey with SMEs about ransomware, discovering that 30 per cent of SMEs don’t have a written incident response plan. If you don’t have an incident response plan, how are you going to respond to a ransomware attack? You’re not going to know what to do.

MC: Tell us about Canada’s new national cyber security standards from the CIO Strategy Council: Standard CAN/CIOSC 104.

SH: These standards are the first of their kind in the world. Canada has recognized SMEs are a growth engine and is taking a leadership position. The CIO Strategy Council’s standards include 55 proven recommendations presented in two tiers. Level one has 22 recommendations, with Level two adding another 33 that provide an additional layer of protection for higher risk websites, like those that exchange information or conduct transactions (like e-commerce). But you can implement all 55 if you wish. Any organization, for-profit or non-profit, in Canada that has less than 500 employees should really implement these controls because they work. The controls include prevention, detection and response. So even if someone gets in, you can take action that will keep the damage negligible. It’s an opportunity for team Canada to step up together, and make the nation stronger. Because if everyone implements these standards, we’re going to be strong as a country.

MC: How can SMEs take action on cybersecurity?

SH: This is where CyberCatch comes in. What good is coming up with a standard if you’re not providing a path, an easy way for SMEs to get into compliance? The CIO Strategy Council chose CyberCatch to provide a solution SMEs can afford. The result is a patented, user-friendly, cloud-based solution called the CAN/CIOSC Compliance Manager. The first step is achieving compliance with the new standards. The tool gets you there by conducting a gap analysis to determine your initial Cyber Hygiene score, the experts weigh in on the results and provide recommendations, and then you train your employees to be on the alert for attempts at hacking like phishing and ransomware. The second step is staying compliant. That means ongoing scanning for vulnerabilities so your efforts to become compliant pay off. Those tests are conducted automatically in the background. You set the parameters best for you and get back to the day-to-day running of your business. The Canadian government is taking notice, with the Minister of Innovation, Science and Industry Canada, the Honourable Francois-Philippe Champagne, publicly backing the tool.

Thanks to the efforts of Sai Huda, Canadian SMEs can become an army of cyber security soldiers who feel confident telling the god of stealth ‘not today.’