Digital pixel image of padlock



Improving cybersecurity with internal resources and outsourced services

Cybersecurity is a fundamental issue for organizations of all kinds and sizes, but many organizations have limited financial and human resources available to implement comprehensive cybersecurity measures. In October 2022, the Canadian Centre for Cyber Security issued guidance to help Canadian organizations assess and improve their cybersecurity posture and effectively outsource cybersecurity to a managed security service provider.

The cybersecurity challenge

Cybersecurity is important for all Canadian organizations. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2023-2024 warns that cybercrime continues to be the cyber threat activity most likely to affect Canadians, and ransomware is a persistent threat to Canadian organizations.

Government agencies and other organizations have issued cybersecurity guidance for organizations of all sizes and kinds, including small and medium organizations with limited resources. For example, the Canadian Centre for Cyber Security’s guide titled Baseline Cyber Security Controls for Small and Medium Organizations provides guidance to help Canadian organizations maximize the effectiveness of their cybersecurity investments. The recommended controls reflect the view that organizations can mitigate most cyber threats through awareness and best practices and successfully apply the 80/20 rule – achieve 80% of the benefit from 20% of the effort – in the cybersecurity domain. See BLG bulletins Cybersecurity Guidance for Small and Medium Size Enterprises and Cybersecurity Certification for Small and Medium Enterprises.

Nevertheless, comprehensive cybersecurity programs can be expensive and time-consuming to implement and require technical knowledge and resources that are beyond the means of many organizations. For those reasons, many organizations outsource part or all of their cybersecurity requirements to a managed security service provider (MSSP).

The Guide

In October 2022, the Canadian Centre for Cyber Security published guidance titled Choosing the best cyber security solution for your organization (the Guide) to help organizations improve their cybersecurity posture using internal resources and outsourced services. Following is a summary of key aspects of the Guide.

Cybersecurity assessment and best practices

The Guide encourages organizations to assess their cybersecurity posture by conducting a risk assessment and identifying the organization’s specific cybersecurity requirements. The Guide provides a list of preliminary questions that organizations of all sizes should ask when conducting a cybersecurity risk assessment.

The Guide recommends organizations implement the cybersecurity controls described in Baseline Cyber Security Controls for Small and Medium Organizations for all information technology systems and assets (whether owned, contracted or otherwise used). The Guide explains that organizations with limited technological or financial resources should start with the following foundational controls: (1) implement strong user authentication; (2) patch operating systems and applications; (3) backup and encrypt data; (4) train employees; and (5) develop an incident response plan. The Guide explains that implementing the following advanced controls might require the assistance of a service provider: (1) enable security software; (2) secure websites; (3) secure mobile devices; (4) access control and authorization; (5) establish basic perimeter defences; (6) configure devices securely; (7) secure portable media; and (8) secure cloud and outsourced services (including outsourced cybersecurity services).

The Guide notes that cybersecurity service providers can provide organizations with tailored cybersecurity advice and guidance, including assistance in developing and implementing an effective cybersecurity plan.

Outsourcing cybersecurity

The Guide notes that outsourcing some or all cybersecurity requirements has become a common practice for organizations of all sizes. The Guide reminds that organizations that outsource cybersecurity to a service provider remain legally responsible for protecting their IT systems and data (including personal information). The Guide explains that a decision to outsource cybersecurity services should be based on a thorough understanding of the organization’s cybersecurity objectives/requirements and the ability of a proposed service provider to address those requirements. The Guide also reminds that the organization should ensure the outsourced cybersecurity services are periodically reviewed and updated to meet the organization’s evolving business priorities and systems.

The Guide summarizes the different kinds of cybersecurity services provided by different kinds of service providers – Internet service providers, IT/cybersecurity consultants, cloud service providers (CSP), managed service providers (MSP), and managed security service providers (MSSP). The guide also details the differences between an MSP (which focuses primarily on information technology administration/management) and an MSSP (which focuses on cybersecurity).

The Guide describes some of the benefits and risks of outsourcing to an MSSP. The Guide details the services typically provided by an MSSP: (1) consultancy/advisory services; (2) managed security service technologies; (3) data protection and security monitoring; (4) risk and vulnerability assessment and management; and (5) compliance monitoring and management. The Guide explains that selecting an MSSP “is a complex decision for any organization and requires thorough research and analysis”. The Guide includes a list of criteria to help evaluate an MSSP and its services.

Comments and recommendations

Key Contacts