GUEST EXPERT. Cybersecurity: Where are we in Canada?

October is Cybersecurity Awareness Month, actually it is an international campaign to raise awareness about the importance of cybersecurity. Social networks are flooded with beautiful speeches about the importance of protecting our companies and the personal data of our fellow citizens and their customers. Good intentions and good talk aside, what is the current situation really like when it comes to cybersecurity in Canada?

The Digital Arms Race: The Age of State Cyberattacks.

There is increasing evidence that some states support cybercriminal groups to achieve their geopolitical goals. Using sophisticated technologies, these cybercriminals not only target critical digital assets of rival nations, but also extend their attacks to companies. This worrying duality shows that cyberattacks have evolved into a new form of conflict, with war waged digitally and informal sanctions imposed through cybercrime, with financial extortion becoming increasingly common.

In the context of the conflict between Russia and Ukraine, several cyberattacks have been carried out in retaliation against NATO countries that officially support Ukraine. More recently, the murder of a Sikh community leader in Surrey, a suburb of Vancouver, raised tensions between India and Canada. These tensions quickly led to cyberattacks.

Here are some examples, only for September 2023:

It would be possible to continue the list over several pages, but you get the idea…

Does the Canadian government have a strategy?

In 2018, a $500 million budget was allocated to improve Canada’s cybersecurity strategy. This strategy is supported by the collaboration of various Canadian government agencies. This significant budget enabled the following:

· Funding the new Canadian Cyber ​​Security Center to support leadership and collaboration between different levels of government and international partners.

· The creation of the National Cybercrime Coordination Unit to strengthen the RCMP’s capacity to investigate cybercrimes.

· Funding to promote innovation and economic growth and develop cybersecurity talent in Canada.

Despite these laudable efforts, it is clear that Canada, its businesses and its critical infrastructure remain highly vulnerable. Most Canadian companies do not have a plan to deal with a cyberattack and are unaware of how the Canadian Cyber ​​​​Security Center could help them. Do companies supporting critical infrastructure such as energy, telecommunications, financial services, transportation and health have resilience strategies in place that are consistent with Canada’s strategy? I think there is still a lot to do.

Do SMEs also take part?

Another important topic, in my opinion, is how to help small and medium-sized enterprises (SMEs) improve their cybersecurity posture. SMBs are highly vulnerable to cyberattacks and often do not have dedicated cybersecurity teams. Even if they have IT teams, they may not have the skills needed to deal with threats.

Some initiatives, such as the CyberSecure Canada certification program, have been launched. However, the program is currently on hold due to low uptake by SMEs due to the cumbersome process and inability to address problems directly.

fundamental. The situation is somewhat repeated with the Canadian Digital Adoption Program. There is also a focus on cybersecurity posture assessment and plan creation by accredited consultants. The main goal of consultants is to sell consulting hours, which is understandable. To specifically help SMEs, government funding programs should prioritize concrete and actionable measures such as backups, multi-factor authentication, monitoring and malware detection. These are essential cybersecurity controls that all SMBs need.

What incentives are there for companies?

Fear, of course no one wants to become a victim of a cyber attack. Insurers require cybersecurity measures to be in place before they can offer cyber insurance coverage. Investors begin assessing cybersecurity risks as part of their due diligence. Large customers are increasingly demanding sophisticated cybersecurity from their partners. Finally, Bill 25 in Quebec certainly encourages companies to think about it. Bills C-26 and C-27 in Canada will certainly provide additional pressure to encourage them to prioritize their investments