A Critical Business Imperative for Small and Medium Businesses: Cybersecurity

18 October 2019

By National Cyber Security Leadership Council

Each month, and certainly at the end of each year, we hear about business statistics that alarm many. Data breaches, malware, ransomware and more continue to be issues that can significantly impact a business's bottom line. Large enterprises are equipped with entire teams and hosts of consultants who focus exclusively on mitigating cyber-risks. But where do small and medium businesses fall within this complex business and security environment?

The Information and Communications Technology Council (ICTC) has assembled a National Cybersecurity Leadership Council on Youth and Education to discuss these issues, as well as many others. Capturing the discussions and sharing them, we are creating a series of posts, in which we will explore some of the most challenging issues that face organizations of all sizes.

In this post, we focus on Small and Medium Business (SMB) challenges.

Changing Legislation – Are You Aware of the Impacts to Your Business?

During 2018, significant changes in legislation occurred. On November 2, 2018, the Government of Canada updated its privacy legislation, the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA. With this change, mandatory reporting for certain types of privacy breaches was implemented. Specifically, the reporting requirements relate to a “breach of security safeguards,” which is defined in PIPEDA as: the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.

The burden for SMBs has increased as a result of this change. Additionally, and perhaps more burdensome, is the requirement for any business with clients in Europe to comply with the General Data Protection Regulation (GDPR).

“I believe that in its purest sense, cybersecurity is a creative endeavour,” said Jamie Rees, chair of the National Cybersecurity Leadership Council on Youth and Education and CISO of NB Power. “The attacks and threats change daily, so we have to be creative in the way we address them or risk falling behind.”

There is no question that the ICTC National Cybersecurity Leadership Council can foresee more stringent privacy legislation in the future for Canadians. This is a given with the changing laws in Europe and California’s new privacy law that comes into effect at the beginning of 2020. The continuing discussions around Facebook, Equifax and too many others to list only increase the complexity for SMBs. We may even see the requirement for all organizations to have a Data Privacy Officer. This concept is a very interesting one and something that is already a requirement under GDPR. For SMBs, having someone dedicated only to data privacy may be too extreme, but it may be a role that could be combined with other functions. Additionally, it may be a service that could be shared by many SMBs. It is a thought-provoking concept that governments, Councils like ICTC and Chambers will likely revisit in the future.

“Increasingly, SMBs are understanding the value in having adequately trained privacy professionals,” stated Dr. Ian Furst, council member, Oral & Maxillofacial Surgeon, Coronation Dental Specialty Group & Cambridge Memorial Hospital and CEO of Swisscross Foundation. “Privacy is no longer something that can be an afterthought. It must be integrated in our business planning and operations.”

Changing Insurance Options

For several years now there have been conversations around cybersecurity insurance, but it has not been clear what this means with respect to privacy breaches. Obtaining cybersecurity insurance is currently not a given for many SMBs. Risk assessments are carried out, and if a business is deemed to be too high a risk, a carrier will not offer coverage. This is an area that the Government of Canada has discussed, as has the Canadian Chamber of Commerce. Having a certification program or process in place for SMBs could help reduce the risk and ensure that companies can obtain the necessary coverage.

Implementing a National Strategy

The Government of Canada is working to implement a national strategy, and with its announcement of the Canadian Centre for Cyber Security, many new initiatives are expected, including activities specific to SMBs.

ICTC’s National Cybersecurity Leadership Council is looking forward to these developments and, in the interim, reminds all members of SMBs to take note of these impending changes and start strategizing the necessary cyber safeguards for their businesses. With more malicious emails making their way into our inboxes, arming ourselves and our employees with the necessary information and tools on how to spot and counteract these malicious attempts is increasingly important.

Next Steps

We believe that the work being done at the provincial and federal levels of government is more critical than ever when it comes to ensuring that our privacy, our businesses and, thus, our economy are protected.

We support the role of the government to create and/or support new and existing educational programs and/or certification standards for SMBs.

We continue to support provincial interests to create curricula to inform, educate, and build future generations of cyber-ready talent to safeguard the interests of our economy and society.

These are some of the highlights of our most recent discussion. Next time we will focus more on our next generation of human resources and how the industry can play a prominent role in this space.

Have ideas that you would like to share with our Leadership Council on this topic? We would love to hear from you. Visit us at