The CyberSecure Canada Certification - What Is It? Is It Right For You?
Discussing the Government of Canada's CyberSecure Canada standard for small and medium-sized organizations. What does it cover and why should organizations get certified? How can Websec help you get certified?
CyberSecure Canada: What You Should Know
Cybersecurity incidents are becoming more common as organizations adapt to the digital landscape. Although the extortion of a multi-billion dollar organization makes for sensational headlines, these incidents would often have been completely preventable had the company adhered to its compliance standards. While large organizations get much of the attention, small and medium-sized enterprises (SMEs) have been largely ignored when it comes to security guidelines, compliance standards, and certifications. There are countless options, but the most widely recognized standards are created for large organizations as a legal requirement and can be too costly and complicated for an SME.
The Government of Canada has launched the CyberSecure Canada certification program to help SMEs protect their business, clients, and partners against cyberattacks. The program applies industry best practices that attempt to adhere to the 80/20 rule: achieve 80% of the benefit from 20% of the effort. Keep reading for information on the requirements, benefits, and the first steps necessary for earning your CyberSecure certification.
What is CyberSecure Canada?
The Government of Canada launched the CyberSecure Canada certification in part as a response to the concerns facing SMEs that are laid out in the National Cyber Security Strategy. The certification program outlines five organizational controls and thirteen baseline security controls that organizations can implement to protect themselves against cybersecurity threats. These controls focus on a range of topics, including incident response plans, authentication schemes and password policies, and web application security testing.
The CyberSecure security controls are as follows:
- Organizational Controls
  - Assess Organization Size
  - Determine What Information Technology is in Scope
  - Determine the Value of Information Systems and Assets
  - Confirm the Cyber Security Threat Level
  - Confirm the Cyber Security Investment Levels
- Baseline Controls
  - Develop an Incident Response Plan
  - Automatically Patch Operating Systems and Applications
  - Enable Security Software
  - Securely Configure Devices
  - Use Strong User Authentication
  - Provide Employee Awareness Training
  - Backup and Encrypt Data
  - Secure Mobility
  - Establish Basic Perimeter Defences
  - Secure Cloud and Outsourced IT Services
  - Secure Websites
  - Implement Access Control and Authorization
  - Secure Portable Media
Overall, an organization that follows the CyberSecure standard and implements all its controls will be hardened against common threats and weaknesses and resilient against incidents.
For a more in-depth description of the CyberSecure certification, please refer to the official documentation:
- https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
- https://cyber.gc.ca/sites/default/files/publications/Baseline.Controls.SMO1_.2-e%20.pdf
Who Qualifies for the CyberSecure Certification?
The CyberSecure standard is intended for small to medium-sized organizations operating in Canada that employ fewer than 500 workers and do NOT expect cybersecurity threats beyond the level that medium-sized organizations typically face, such as cyber espionage or other advanced cyber threats.
Why Get CyberSecure Certified?
There are three major reasons your organization should obtain the CyberSecure Canada certification:
- Organizing your IT assets and creating plans for incident response according to the CyberSecure standard certifies that your organization conducts its IT operations securely and has a response plan ready in case of a cybersecurity incident or disaster.
- Other organizations looking to work with yours will be more confident about collaboration when they see that your organization implements the well-defined security practices of CyberSecure.
- As strong security becomes a requirement for all organizations, CyberSecure certification will ensure your organization is already hardened against common threats and can capitalize on future opportunities that require a commitment to security.
Get Started
Start evaluating your organization’s readiness by reviewing the CyberSecure Canada Baseline Controls document published by the Government of Canada, or better yet, take advantage of the free CyberSecure Canada Checklist from Websec:
- [PLACEHOLDER FOR GITHUB LINK]
Use this checklist to evaluate your readiness, to track your progress, or as a framework for securing your organization for future certification. Start by reviewing each Organizational Control and Baseline Control and consider how it applies to your organization. If you are unsure about a topic, you can consult the official documentation.
Once your organization has implemented the controls in the checklist, you are ready to begin the certification process:
- Register an account at the Government of Canada website
- Fill out and submit the appropriate application
- Choose an accredited certification body to conduct an audit and schedule the tests
In Summary
The CyberSecure Canada certification is an effective way of securing an organization's assets and verifying that they are hardened against cyberattacks. It ensures that the organization has addressed common security risks and can recover from an incident. The security controls implemented through CyberSecure ensure that your organization uses industry best practices to inform its security posture. The certification also demonstrates to clients and partners that your organization takes steps to safeguard the data they have shared. Lastly, certification ensures that business opportunities that require cybersecurity certifications in general, or the CyberSecure certification in particular, will be immediately available to pursue.
Even if your company is not ready for CyberSecure certification, you can use Websec’s CyberSecure Canada Checklist to assess your weaknesses, guide your improvements, and develop procedures to safeguard the business. Either way, check out our checklist and get started:
- [PLACEHOLDER FOR GITHUB LINK]