Federal Government Announces New Certification Program to Enhance Cyber Security

The CyberSecure Canada Certification Program

Earlier this month, Bill Morneau, Canada’s Minister of Finance, launched the CyberSecure Canada certification program, which aims to achieve an increased baseline level of cyber security controls among SMEs (small to medium enterprises).

As more businesses and consumers embrace digital technologies to conduct business online, cyber attacks and data breaches are becoming a more serious and more frequent issue for business owners and consumers alike.

The objective of this voluntary program is to protect small and medium-sized businesses from cyber threats and increase consumer confidence in using Canada’s digital and data platforms.

By offering this certification to SMEs, the government’s goal is to make it safer and more secure online for all businesses and consumers by preventing financial loss, protecting our privacy and safeguarding intellectual property.

Quote from the Government of Canada news release:

“There’s so much Canadians can do online—from connecting with friends and family, to personal shopping, to building a business. This online activity is good for our economy and helps create good, well-paying jobs. At the same time, it’s critical that Canadians feel confident about the security of their interactions and information. Today’s announcement is an investment in skills, in businesses and in the future of our economy.”
– The Honourable Bill Morneau, Minister of Finance

Certification Program Details

Currently, the CyberSecure program is in the pilot phase, which will continue until the National Standard of Canada (NSC) is fully established.

Although the program is targeted at SMEs (with a maximum of 499 employees), large and even enterprise businesses are also eligible for the program, including for-profit and non-profit organizations.

In order to become certified, organizations must demonstrate that they have implemented all of the specific baseline cyber security controls as developed and established by the Canadian Centre for Cyber Security.

Security controls are a detailed outline that lists what companies and organizations must do to protect their digital environments, such as their physical networks, computers, mobile devices, websites, web applications, cloud storage, social media accounts and more.

Quote from the Government of Canada news release:

“As the Government of Canada’s authority on cyber security, and as part of the Communications Security Establishment, the Canadian Centre for Cyber Security has over 70 years of experience protecting Canada’s most sensitive information and networks. Canadian businesses are being, and will continue to be, targeted by cyber threat actors. Many of the most common cyber threats can be mitigated through awareness and best practices. CyberSecure Canada will help raise the cyber security bar for small and medium organizations across Canada and build confidence in our digital economy.”
– Scott Jones, Head, Canadian Centre for Cyber Security

A few of the basic security controls to minimize cyber threats to your business include:

  • Developing a plan for responding to incidents
  • Updating and patching your computer operating systems and applications
  • Installing and configuring anti-virus, anti-malware, company firewalls, etc.
  • Using strong user authentication (implementing two-factor authentication, password length and re-use, changing passwords frequently, etc.)
  • Having a data backup and encryption policy

For the complete list of baseline controls, visit the security control for SMEs page to download the PDF.

Once a business is enrolled in the program, federal government accredited certification bodies will evaluate the implementation of the security controls using an audit checklist defined by a strict set of criteria.

Certification bodies (CBs) are public and private-sector businesses which have met all of the requirements and have been fully accredited by the Standards Council of Canada (SCC).

Authorized and accredited certification bodies include:

After certification, a unique CyberSecure Canada identifier for your company website will be given to you to let your customers know that you have taken the necessary measures to implement security controls to ensure that your business meets the latest cyber security standards and best practices.

The certification is valid for two years. Upon expiration, you will be required to follow a re-certification process to maintain certification status.

The cost of certification is set individually by each certification body. However, some CBs may choose not to charge for the certification if your business uses their products or services that meet the security requirements. Other CBs may charge from hundreds to thousands of dollars depending on the complexity of your organization and its structures.

Why Certification Matters For Your Business

Cyber attacks and cyber threats can have catastrophic effects that directly impact you as a business owner, including:

  • Financial loss caused by cyber fraud or other means
  • Damage to business reputation
  • Lawsuits
  • Loss of business

As of now, certification is voluntary, not mandatory. However, having the CyberSecure designation will give your customers, partners and suppliers extra assurance and trust that their valuable information (personal and/or confidential, credit card and/or financial, etc.) will be secure and that as a business, you have decreased their risk of cyber threats.

With the CyberSecure Canada certification mark, your business will have official recognition from the federal government for demonstrating compliance with its baseline security controls.

Once your business has been CyberSecure Canada certified, it can display a government-issued certification seal to be used in digital and print formats.

How to Become CyberSecure Canada Certified

You can find more information and apply for enrolment into the program by going to the Get Certified page. Follow the step-by-step process on how to get started to make your business cyber secure.

Start Taking Proactive Measures With Your Security

The federal government has created this program, focusing on a foundation of security best practices, with methods and strategies to help SMEs guard against the threat of cyber attacks. But it is important to recognize that, while it is a great initiative, this is only a minimum-standards approach to cyber security.

As a business owner, you should understand that these minimum standards, audited by the various accredited certification bodies, only give you a basic level of security.

Quote from the Government of Canada website:

“Certification does not guarantee complete protection from cyber threats. However, the processes and best practices learned as you make your way through the certification process, will provide business owners, managers and employees with the tools and abilities to improve your level of cyber risk and to better deal with breaches, if they occur.”

Unfortunately, many organizations only take an interest in their security after their digital space has been compromised by cyber attacks and the damage has already been done. With our many years of experience in the cyber security industry, we recommend that you be proactive in your approach when it comes to your organization’s security.

You can only truly evaluate the strengths or weaknesses of your security structure and policies by hiring a qualified expert to test your organization’s network defences. Call or contact us to schedule a free consultation today.