All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
Background
In 2018, CyberSecure Canada was launched as a Government of Canada effort to establish a cyber certification program to help support small and medium-sized enterprises (SMEs) to improve their cyber security. The certification and program were created through a collaboration between Innovation, Science and Economic Development Canada (ISED), the Communications Security Establishment (CSE) and the Standards Council of Canada (SCC).
Some research suggests that as many as two-thirds of cyber security incidents target SMEs. Compared to larger businesses, SMEs are more likely to lack the knowledge, skills, resources, or connections to adequately respond to major cyber security incidents. ISED created CyberSecure Canada to address this issue.
Under the direction of the 2018 National Cyber Security Strategy to support SMEs, ISED launched the CyberSecure Canada program in 2019 to provide a mechanism to increase SME investment in cyber security and improve their cyber security posture. To accomplish this, ISED worked with CSE and the Canadian Centre for Cyber Security (CCCS) to create the certification backing the program, and with SCC to accredit conformity assessment bodies to certify SMEs against the CCCS Baseline Controls for Small and Medium Organizations. The CCCS Baseline Controls were later published, with updates, as a National Standard of Canada following expert deliberation. In addition to the security benefits, those who receive the certification can display the CyberSecure Canada certification mark on their website.

After I set out to learn more about CyberSecure Canada and the National Standard of Canada, I came to learn that there are a lot of misconceptions about the Program. As a result, this article serves as a reintroduction to CyberSecure Canada and to how organizations like the Digital Governance Council and Digital Governance Standards Institute are advancing new strategic initiatives, including the CyberReady Validation Program, to further strengthen the cybersecurity posture of SMEs.
What happens when ISED walks away?
What started as a strong idea to provide a mechanism for SMEs to improve cybersecurity faded into the background of the government’s efforts to improve cyber security. On March 31, 2023, ISED relinquished its status as scheme owner of CyberSecure Canada and the supporting certification mark, but it is unclear if this was the intention from the beginning or if there were other reasons for ceasing its work on CyberSecure Canada.
Although ISED appears to have washed its hands of CyberSecure Canada and the certification mark, the standards and accreditation community is working to ensure this work does not get lost and to get more SMEs to achieve certification. Contrary to how CyberSecure Canada is often framed, it still functions without ISED’s involvement. SCC still maintains its authority to accredit organizations to certify SMEs against the National Standard of Canada, CAN/DGSI 104, as part of CyberSecure Canada. The Digital Governance Standards Institute has helped maintain and update the standard, and the Digital Governance Council and others provide services to validate, review, or assist SMEs in implementing CAN/DGSI 104.
ISED is Out - Did Something Go Wrong?
No.
The program worked as intended, and the certification is sound and still recommended for SMEs. ISED launched CyberSecure Canada in 2019 as a five-year program with $28.4 million in funding to create the supporting certification and manage the launch of CyberSecure Canada.
Some cite the lack of SMEs obtaining the certification as one reason ISED is stepping away. CyberSecure Canada's original goal was to get 5,000 SMEs certified by 2025, but by August 2023, it had certified only 41 businesses. Although the number has since increased, the target was not met, and the program was more a victim of not understanding the market and of setting unachievable expectations. This is often the end of the discussion, but stopping there undervalues the benefits of CyberSecure Canada and the CAN/DGSI 104 standard.
CyberSecure Canada Was Not a Failure
There are certainly high-level policy discussions about the program's effectiveness and management, but it is important to recognize that CyberSecure Canada was not a failure. I have previously stated falsely that CyberSecure Canada was a failure and a victim of some of its common talking points. However, looking at the program in absolute terms shows a different picture.
In 2019, ISED launched CyberSecure Canada, a five-year program with a $28.4 million budget and a goal of certifying 5,000 SMEs. Without this goal, would we still consider this program a failure? BlackBerry estimates that the average cost of a ransomware attack in 2023 was approximately $4.45 million USD (~$6.44 million CAD). This is not to say that all 41 businesses that received the certification have stopped a potential ransomware attack, but certification significantly reduces this risk. It can also greatly reduce the impact of ransomware incidents, potentially meaning the difference between a costly recovery and losing your entire business.
As the CAN/DGSI 104 continues to be supported by the Digital Governance Standards Institute and SCC, more businesses will continue to get certified and increase the benefits of this program.
Digital Governance Council Launches CyberReady Validation Program
On February 6, 2025, the Digital Governance Council launched its new CyberReady Validation Program to provide a mechanism for SMEs to assess and validate their cybersecurity plans under CAN/DGSI 104. It also helps SMEs to prepare for certification. As part of the program, SMEs can also choose to use 123 AuditPrep™, which helps organizations create cyber security policies and prepare for a CAN/DGSI 104 audit. Making things even better, purchasing 123 AuditPrep™ provides a complimentary CyberReady Validation audit.
Altogether, these products are cheaper than many previous options and fundamentally center on providing SMEs with the tools and knowledge for cyber security that go beyond just trying to certify a business.
Not all cyber security enterprises and certifications are the same. The needs of a large multinational organization will be entirely different from those of an SME in Northern Ontario or rural Alberta. When working with SMEs who are starting from nothing, it becomes essential to provide a level of knowledge transfer so that businesses understand why the actions taken to receive the certification are important.
Most of all, CAN/DGSI 104 is not always the end point either but can serve as a stepping stone to prepare a business for expansion in the future. Two of the most common instruments businesses use are ISO/IEC 27001 and Systems and Organization Controls (SOC) 2, but they are much more expensive to comply with and enforce if you are an SME. In addition, not all SMEs operate at the level where they would need these complex requirements to ensure cyber security protections when other mechanisms exist. That ultimately was one of the primary reasons for the creation of CyberSecure Canada and CAN/DGSI 104. If an SME grows to the level where additional security compliance mechanisms are warranted, CAN/DGSI 104 is likely to equip the business better to comply with ISO/IEC 27001 and SOC 2. As a stepping stone, CAN/DGSI 104 provides a basic framework that organizations can use to lay the foundation for growth. That foundation can also contribute to early investments in technology and in the organizational management of compliance, thereby potentially making ISO/IEC 27001 and SOC 2 compliance cheaper through early cost savings.
Setting Expectations - Marketing vs Security
Readers of Canadian Cyber in Context and the average business owner will generally agree that cyber security is important for its own sake, to protect yourself and your customers from harm. However, to what degree will the average business owner with under 500 employees know or understand the full extent to which they should protect their computers, networks, employees, customers and all the data in between? Further, how many of these businesses have easy access to reliable or trustworthy individuals to help manage their IT needs?
The average person armed with Google can learn a lot, but it is becoming increasingly difficult to differentiate between resources that are good sales and those that describe what is actually needed to ensure your business has proper cyber security. Fundamentally, a business enterprise IT environment is much different from a home or hobby environment, so many businesses, even those with tech enthusiast owners, may struggle to establish an IT environment with proper security.
However, with the creation of a new cyber security certification, the creator must market and communicate the advantages of obtaining that certification. Your average SME owner must make tough decisions about the money they spend, and more often than not the decision will not be to invest in cyber security. CyberSecure Canada and the CAN/DGSI 104 standard are new mechanisms that are ultimately competing against other options to ensure the cyber security of a business. ISED’s error was ultimately not understanding how much of a role marketing and competition play in how the cyber security industry works, and that there are other options. However, this should not overshadow the fact that CAN/DGSI 104 is still in use and being used to help SMEs.
The Certification for SMEs - CAN/DGSI 104
Since the launch of CyberSecure Canada, the supporting certification has undergone a few changes and updates. CSE and the Canadian Centre for Cyber Security initially created the Baseline Controls for Small and Medium Organizations for CyberSecure Canada in 2019, with final updates completed in 2020. This initial standard had 13 controls, including:
Cyber security employee awareness training
Develop an incident response plan
Automatically patch operating systems and applications
Enable security software
Securely configure devices
Use strong user authentication
Back up and encrypt data
Establish basic perimeter defenses
Implement access control and authorization
Secure mobility
Secure cloud and outsourced IT services
Secure websites
Secure portable media
In November 2021, the CIO Strategy Council (now the Digital Governance Council and Digital Governance Standards Institute) published the National Standard CAN/CIOSC 104:2021, Baseline cyber security controls for small and medium organizations, which added five new controls to the standard:
Leadership
Accountability
Cybersecurity risk assessment
Point of sale and financial systems
Computer security log management
This new certification would be adopted as the CyberSecure Canada standard in January 2023 as ISED appeared to be prepared to end its role as scheme owner of the certification in March 2023.
This leads us to where the standard is today, with the Digital Governance Council (DGC) and Digital Governance Standards Institute (DGSI) working to preserve the work that started under CyberSecure Canada and use it to help SMEs. Most recently, the National Standard has been updated by the Digital Governance Standards Institute (DGSI) to become CAN/DGSI 104, which includes updates to terms and additional clarity on the difference between conformance to level 1 or level 2 requirements within the standard.
Where do we go from here?
Although ISED’s funding and window as a scheme owner are over, CyberSecure Canada and its underlying CAN/DGSI 104 standard are still being used. It is a common trope in the public policy space that as soon as a government program ends and funding stops, it is effectively no longer able to provide any benefits. While in many cases this is true, for the CAN/DGSI 104 National Standard of Canada for SMEs the opposite is true. ISED being the scheme owner is not the norm because standards development and promotion have largely been left to the SCC since its creation in 1970. Although this is not the norm for ISED, especially in cyber security, other parts of the government have a more long-term approach to standardization in areas such as health and finance. A significant amount of this criticism about ISED’s approach is rooted in a desire for greater government engagement to support Canada’s standardization system, which contributes billions to Canada’s economy. The Digital Governance Council’s CyberReady Validation and 123 AuditPrep™ software show that CAN/DGSI 104 and the work started under CyberSecure Canada continue and provide a strong option for SME owners who are trying to demonstrate their commitment to cyber security and improve the cyber security posture of their business.