‘Security is not just an application, it’s a lifestyle’
Allen Dillon, vice president of CyberNB, discusses the launch of the Cyber Essentials Canada certification program.
Following a successful testing process last year, Canadian businesses of all sizes can now play an even more active role in their fight against cybercrime, as the Cyber Essentials Canada certification program is rolled out across the country.
Spearheaded by CyberNB, Cyber Essentials Canada is intended as a cost-effective, user-friendly set of standards and best practices to help mitigate the vast majority of common internet threats.
The program aims to help ensure SMEs are protected against an increasingly sophisticated array of cyber-threats, while at the same time acting as a hallmark of a company’s ability to safeguard its customers’ information.
Two weeks after the launch of Cyber Essentials Canada, The Daily Swig caught up with Allen Dillon, vice president of CyberNB, who discussed the inner workings of the certification program and his plans for the initiative in 2018.
Could you provide a brief history of the Cyber Essentials Canada program? What are the main aims of the certification?
Allen Dillon: Cyber Essentials was born out of GCHQ in the UK. Around four years ago, the agency started working on some basic – but essential – steps that would help protect small businesses in an affordable way.
The program was created to help raise the bar when it comes to cybersecurity for businesses. It was so successful that the certification has progressed from being an opt-in, volunteer scheme to a mandatory requirement for enterprises who wish to do business with the UK government.
The value of the certification is significant and was one of the key components of the strategy developed for CyberNB. In a previous role, I was the CEO of a cybersecurity business and was becoming increasingly frustrated with the lack of awareness – both generally and in the government – when it comes to security issues.
The Government of New Brunswick launched CyberNB almost two years ago with the aim of bringing the Cyber Essentials leadership program over to help build a safer internet and protect businesses.
Following testing with a selection of micro businesses and large enterprises last year, we officially launched the program on January 4.
The program has been created to help protect businesses against the majority of cyber-threats. What are the core areas of focus?
AD: Cyber Essentials consists of five key technical controls to keep businesses cyber safe. These controls are: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management.
While the program focuses on dozens of other specific elements, it is ultimately built around the idea that security is not just an application, it’s a lifestyle. The certification does just that – it’s an essential program to build up awareness through very simple, but very important steps.
How does Cyber Essentials Canada differ from its UK counterpart? What are the main advantages of the program, compared with other certifications?
AD: The Canadian version includes some minor modifications, including being made available in French and certain elements that are specific to the country’s privacy laws, but the principles are the same.
One of the challenges that we have in cybersecurity is that there is a lot of snake oil in the industry. Cyber Essentials Canada is here to show that businesses do not need to spend hundreds of thousands of dollars to accommodate good cybersecurity.
This standard maps very well to ISO:27000. It’s a smaller, much more focused capability, but it’s also a practical-based audit and assessment. Businesses get tremendous value at a fraction of the cost.
To receive (and maintain) an ISO:27000 certification annually is, at minimum, in the hundreds of thousands of dollars. In Canada, there are approximately 94 companies that are ISO:27000 certified. It’s too expensive for the average business and even many of the larger ones.
With Cyber Essentials Canada, for as little as C$500 you have yourself a great, comprehensive cybersecurity certification. It’s a tremendous asset in this regard.
What do the coming weeks and months have in store for Cyber Essentials Canada?
AD: Since doing initial testing for the program with small businesses and larger enterprises last year, we have augmented the capability of the tool and we have a great roadmap for the future.
We are still very early in the adoption phase, but we have already got a few dozen companies involved, and we have thousands of businesses lined up at the door. Those working in defense, finance, and various other sectors are seeing the immediate enterprise value of the initiative.
As the internet evolves, and things like IoT continue to grow, the standards will evolve. Cyber Essentials Canada has built-in flexibility to allow for this evolution. We are currently planning a Phase Three evolution of the tool, and this will bring tremendous value to our country.