Devised by the Canadian Centre for Cyber Security and administered by industry leaders in Cyber Security, ‘CyberSecure Canada’ is a certification program designed to help SMBs counter the most common online threats and thrive in today’s digital economy. By becoming ‘CyberSecure certified’ you’ll let customers, suppliers and investors know that their sensitive data is safe in your business’ hands.
How could certification help my business?
> It will help you guard against the most common threats. Built around the 80/20 rule (achieve 80% of the benefit from 20% of the effort), the program helps businesses with fewer than 500 employees counter the most widespread cyber threats using easy-to-implement technical measures that don’t cost the earth.
> You could avert a business-crippling cyber attack. The fallout from ransomware attacks and the theft of sensitive personal information such as banking details can be extremely serious both in financial and reputational terms.
> Attract new business and investors. Once certified you’ll be able to display the CyberSecure Canada certification mark and share news of your certification success with clients, suppliers and partners.
What must my business do to become certified?
Before you begin the process of gaining CyberSecure certification you’ll need to choose an accredited certification body to assess your business’ online security credentials and guide you through the process. These ‘certification bodies’ are private companies accredited by the Standards Council of Canada.
Contact Cyber Security Canada, letting them know you’re interested in CyberSecure certification, and inform them of your chosen certification body. Contact details can be found here.
Implement the Baseline Cybersecurity controls (we’ll explore these in more detail in a moment). Your chosen certification body may provide a variety of services to help you implement these foundational steps, such as staff training or security vulnerability assessments.
Submit documentation to Cyber Security Canada and undergo a certification audit.
Once the required measures are in place and the necessary controls are verified and documented, you’ll be awarded certification. This lasts for 2 years, after which you will be required to repeat the process to maintain certification – it will be easier the second time around. During this 2-year period, you’ll be free to display your CyberSecure Canada badge – a mark of commitment to sound cybersecurity practices.
The Baseline Security controls
To achieve CyberSecure certification, businesses should strive to implement the 13 controls set out by the Canadian Centre for Cyber Security. Depending on the nature of your business’ IT network, some of the controls may not be applicable, but applying the controls as extensively as possible is recommended to ensure cyber resilience.
The 13 controls are:
Develop a response plan
This involves considering how your business would react to a cyber attack and the actions you’d take to recover data and operational ability.
Patch operating systems and applications
Ensuring software and operating systems are properly maintained and kept up to date with security patches is a critical aspect of good cybersecurity practice.
Install anti-malware software
You should protect all devices within the scope of your network with anti-malware software. Such programs will help detect and remove harmful threats such as ransomware, trojan horses, worms and viruses.
Ensure devices are configured securely
This means configuring devices, software and operating systems to be as secure as possible. Default settings are almost never the most secure; ensure default passwords (which are often publicly known) are replaced with more secure ones. Additionally, consider removing unused programs which could provide a path of entry for malware.
Enforce strong authentication
Maintain tight control over your digital real estate by enforcing the most secure authentication procedures. Consider using two-factor authentication (where more than one proof of identity is required, such as a password plus a one-time code) to ensure that only trusted personnel are able to gain access to your network.
Train employees on the basics of online security
With human error so often providing a route of entry for attackers, it’s important that your workforce understands the importance of taking great care when online. Stress the importance of good password practice and ensure staff can identify phishing scams and links to malicious sites.
Effective backup strategy
It’s important to have a comprehensive backup strategy in place so that you can restore sensitive and business-critical information following a damaging event. Threats to your data could be virtual (a cyber-attack) or they could be physical (theft, fire, flooding) so it’s vital to back up data frequently to multiple locations in order to recover from any eventuality.
Secure mobile devices
You should develop and implement a strategy to secure business data stored on all mobile devices. Consider measures such as Mobile Device Management software, device encryption and the use of VPNs to keep sensitive information out of the wrong hands.
Strong perimeter defences
Safeguard your network at its outer edge with firewall protection.
Ensure cloud services and other outsourced service providers are secure
Assess the security credentials of the third-party service providers you work with. Question where your data is being stored, the level of security in place, privacy policies and data retention/destruction policies. If anything isn’t up to standard, consider switching to a more secure alternative.
Ensure website security
Make sure your website is handling data securely in accordance with the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS).
Implement strong access controls
Restrict access to resources and services on a ‘need to perform the role’ basis. Administrative accounts should be subject to particularly tight restrictions, and used only for administrative tasks, to reduce the chance of them being compromised by malware.
Ensure portable storage devices are secure
Devices such as flash drives and external hard drives are susceptible to loss and theft due to their small size and portability. Ensure such devices are encrypted to prevent data loss and consider how they can be safely disposed of when they reach the end of their life.
That’s a lot to consider, where should I begin?
In this short blog series, we shall explore 5 of these controls in greater depth, taking a look at some of the technical terms and how you can deploy the required technical measures to achieve CyberSecure certification. If you decide to go ahead with the certification process, your chosen certification body will be able to offer additional guidance and support with any of the technical controls mentioned above.
How much will the certification cost?
This is a hard question to answer. The cost of certification to your business will depend on several factors, such as the certification body you choose to go with and the size and complexity of your IT network. Costs can range from a few hundred dollars to several thousand. See the link below, which contains answers to some of the most frequently asked questions about the scheme.
We’re KDI, how can we help?
Get advice, service and products that fit your unique needs. KDI is an expert partner for complete IT Services and Networking Support based out of the Greater Vancouver area. We are your one-stop IT solution, uniquely combining aspects of information technology, software development, and accounting expertise to make your work life easier.