What is the CyberSecure Canada Program?

5/5 - (4 votes)

This national cyber security certification program for small- and medium-sized organizations can help you protect your business—and build trust with your clients, too.

At F12, cyber security is one of our many passions, so it may be of no surprise we were one of the first companies in the IT industry to officially become accredited by CyberSecure Canada. We feel so strongly that other organizations should also get their certification that our CMO Devon Gillard recently hosted a webinar inviting Vanessa Garofalo, a senior policy analyst of CyberSecure Canada, to explain the program, as well as Calvin Engen, F12’s CTO, and Eddy Lamontagne, VP of Timmins Mechanical Solutions, to share their experiences of their respective companies’ accreditation process. Here are the highlights of the webinar.


What is the CyberSecure Canada program?

This voluntary cyber security program for small and medium organizations—defined as fewer than 500 employees—was developed in collaboration with the Canadian Centre for Cyber Security. The program takes organizations through the implementation process of 13 security controls; upon completion of a successful audit, the organization receives a certification mark that’s valid for two years. It serves as a visual signifier to other organizations, partners, suppliers, investors and clients that you’ve taken action to ensure your cyber security controls meet a national standard. [6:00]


Why is cyber security important?

You can’t turn on the news without new information about a cyber attack or ransomware attack affecting everything from government to businesses to hospitals. Attacks are becoming more prevalent and sophisticated. In 2020 alone, cyber attacks rose by 300 percent. [8:00]


Why are cyber threats happening today more than ever?

Criminal threat actors want access to Canadian businesses because they want access to payment information, financial information, data about their customers and proprietary information. It’s easy for cyber threat actors to target these small businesses because their information may be less protected than larger corporations.

It can be more challenging for these smaller organizations to recover from these types of attacks. Devastating impacts on small businesses include financial loss, reputational damage, job loss and business closure. According to the Insurance Bureau of Canada, 60 percent of small businesses targeted by a cyber attack last year closed down within six months. Of those businesses that were attacked, 41 percent said it cost them over $100,000 to recover. [9:00]


What’s involved with the CyberSecure Canada certification process?

It takes about six to eight months for organizations to complete the certification process with CyberSecure Canada, and costs about $2,000 to $5,000 depending on the size of the organization, complexity of the data stored, and the number of connected devices. By comparison, most third-party cyber security organizations charge upwards of $20,000. [12:00]


How it Works

Step 1: Prepare by engaging a local managed service provider (like F12.net) to make sure you’re implementing the proper controls. Alternatively, you can use the new e-learning module and video series to complete the 13 controls on your own.


Step 2: Implement the security controls by working with your leadership team to make sure that you have those policies and procedures in place, like password policies and incidence response plan.


Step 3: Select one of the four accredited certification bodies that best fits then needs of your organization: Bulletproof Solutions, Cyber Security Canada, SourcetekIT, Watsec Cyber Risk Management.


Step 4: Submit audit request and begin audit. Provide supporting documentation. If, for some reason, your audit is not successful, you’ll be given the opportunity to make improvements until your audit is successful.


Certification is valid for two years.


Should my business do the CyberSecure Canada certification program?

Both Engen and Lamontagne agreed the certification program is worth the time, effort and cost.

“This really becomes a business differentiator. I think it says to your clients, you’re taking cybersecurity seriously. You’re protecting your clients’ data. It’s a badge of honour.” – Engen [26:00]

“We were invited to attend Canada’s largest global defence and security trade show in Ottawa. You can only bid on contracts if you have cyber security certification. The certification allowed us to brag that we are secure. We’re dealing with large companies around the world that want to make sure we’re safe. I’m sold on it; I’m very glad we got it.” – Lamontagne [33:00]


Is my business ready for CyberSecure accreditation?

“We know that cyber breaches are sector agnostic . .  . so we have a huge part to play in awareness building, going to events like this and making sure that SMEs realize that you know this is attainable for them, this is within their reach and this is really something that they need to be thinking of. Even if organizations are not at the point where they’re ready to be certified, they can look at the 13 controls and get a better sense of what the certification entails. They can think about how to apply those controls to their own organization, and then maybe explore the certifications when they’re ready. It’s not a one-size-fits-all and it’s not an all-or-nothing; there’s little things you can do along the way.” –Garofalo [40:00]

“This program is the entry point. The controls are achievable. This is a federal program that’s creating awareness around the security needs of our of our supply chains across Canada. While it was slow to get started in Canada [compared to the rest of the world], I’m really looking forward to the future.” – Engen [25:00]

Have questions about CyberSecure Canada? Email Calvin Engen at cengen@f12.net, CTO at F12.net.