The Canadian government has released a cyber security controls standard meant for small and medium-sized businesses (499 employees or fewer), along with a certification program called CyberSecure Canada.
Cyber risks seem to be getting worse. Dangers include external hackers, phishing and social engineering attempts, and intentional and unintentional internal leaks. Responsibility is now considered to be at the board level, and does not stop at the CIO.
Cyber security can be a daunting task for small businesses. As the standard says, normal security standards “… are expensive to implement, beyond the financial and/or human resources means of most small and medium organizations in Canada.” The goal of this standard is to achieve 80% of the benefit from 20% of the effort.
Topics covered include incident response plans, backup, encryption, two-factor authentication, firewalls, keeping software up to date, and employee training.
There is a pilot certification program to go along with the standard. Businesses will be able to obtain certification to the standard that they can display on websites and other promotional material.
One caveat is that while this security strategy contains elements that help meet privacy and other legal obligations, complying with the strategy alone is not sufficient to comply with those laws.
Small and medium sized enterprises (including law firms) should review the standard and identify and correct any gaps they find in their security measures. It is crucial for every enterprise to deal with cybersecurity. Failure to take the right security measures can lead to breaches that can be embarrassing, expensive to manage, and even cripple the business. The right security measures can also reduce the impact of a breach if one does happen.