Canada has launched a cybersecurity certification program to try to get small to midsize enterprises (SMEs) up to speed with a basic level of protection.
Launched at the University of New Brunswick's Canadian Institute for Cybersecurity by Minister of Finance Bill Morneau, CyberSecure Canada is a voluntary program that will help small organizations achieve a minimum required level of cybersecurity, according to the government.
The initiative requires Canadian SMEs to stick to a baseline set of cybersecurity controls developed by the Canadian Centre for Cyber Security. These controls include establishing an incident response plan, regularly patching operating systems and applications, using security software, and securely configuring devices. Other measures in the list include using strong user authentication, offering employee awareness training, and backing up and encrypting data.
Those passing the certification can display a mark showing that they have demonstrated compliance with the controls. Those businesses will also be listed on the program's website.
The Canadian government uses six certification bodies to check that companies have implemented the controls properly: Cyber Security Canada, Bell Canada, Bulletproof Solutions, Siemens, SourcetekIT, and WatSec. If businesses are using products and services from these companies that already meet the security controls, then some of the companies may certify them for free, the government's website says. Others may charge anywhere from a few hundred dollars to several thousand.
The certification lasts for two years, at which point businesses must go through the certification process again to continue using the certification mark.
The move follows growing concern over the cybersecurity preparedness of Canadian SMEs. In October, the Canadian Internet Registration Authority (CIRA) launched its 2018 Cybersecurity Security Survey, which gauged cybersecurity responses from 500 individuals at SMEs across Canada. It found that 40% of respondents had experienced a cyber-attack in the prior 12 months. Of the respondents, 88% were concerned with the prospect of future attacks, and 71% didn't have a formal software patching policy.