Canadian SMEs have a new tool to help them take steps to protect themselves and personal information in their possession. A standard, developed by the CIO Strategic Council.
What is the new Cyber Security for SEMs Standard?
The new standard, CAN/CIOSC 104:2021, was developed by a technical committee of more than 100 cybersecurity experts to establish minimum cybersecurity controls for small and medium organizations that typically have fewer than 500 employees.
This standard is part of the requirements of CyberSecure Canada, a voluntary certification program launched by Innovation, Science and Economic Development Canada (ISDE) and the Communications Security Establishment (CSE) to help SMEs achieve a reasonable level of cyber security.
Who is this new SME cybersecurity standard for?
This standard is specifically intended for small organizations that do not have the resources to develop customized security plans to comply with national and provicial laws. It supports SME managers and their team in their training and is a basic cybersecurity resource. This standard also allows to be well prepared for the questions asked by insurers in order to pay only for the coverage that the company needs. On this subject we refer you to our article: What is cyber risk insurance and what coverage does my business really need?
The government gets involved: Bill 64 of the Quebec National Assembly
The Quebec government has adopted Bill 64 to revise the penalties for businesses that are not diligent in protecting personal information in their possession. This law, which will come into effect on September 23, 2023, will impose penalties on the violating company ranging from $15,000 to $25 million or 4% of the company’s turnover.
How do you evaluate your level of risk?
The standard includes a questionnaire to assess the level of risk of SMEs to encourage them to strengthen their organization’s security against cyber threats.
Here are some sample questions from the questionnaire :
- Are all IT and IT security roles and responsibilities clearly outlined in your organization?
- Does your organization have an incident response plan?
- Does your organization have cybersecurity insurance?
- Has your organization assessed the potential injury to the confidentiality, integrity and accessibility for information systems and assets?
If you would like to see the CAN/CIOSC 104:2021 questionnaire, go to page 28 of the standard (Annex B).
The organization must establish a response plan to be prepared to effectively manage security incidents. The standard document provides a plan that defines the roles, responsibilities, types of incidents, approaches and basic controls to be adopted in order to be able to minimize the consequences of these incidents.
Here is an example of an action to take:
“Automatically patch operating systems and applications” (Ref: Standard CAN/CIOSC 104:2021, page 19)
“A small and medium organization can enable automatic updates for all software and hardware upgrades, if such an option is available-or consider replacing products with ones that provide the option. This includes replacing software and hardware that is no longer receive updates because the vendor ended support (i.e. products past their end of life). This will keep standalone devices, operating systems, applications, ensures that the organization’s standalone devices, operating systems, applications and security software are up-to-date and free of known vulnerabilities.”
For more information, please see the full CAN/CIOSC 104:2021 standard document.
This standard is new and will certainly evolve. It is, in our opinion, already a very comprehensive tool to formalize the security of your information technologies.
If you are interested in understanding your position with respect to this standard or the new Bill 64 of the Quebec government, contact us for a no obligation evaluation.