Since its launch in 2018 as an arm of the Canadian Security Establishment, the Canadian Centre for Cyber Security (CCCS) has been the federal government's primary agency for responding to cyber security events, improving public awareness of cyber risks, and empowering Canadians with tools and best practices for staying cyber safe.

The COVID-19 crisis has seen an increase in opportunistic attacks from bad actors seeking to take advantage of employee fear and curiosity about the pandemic, and of the hurried transition of office staff to less secure work-from-home arrangements.[1] The CCCS has responded to the crisis by marshaling new and existing cyber security insights into two curated portal sites: one aimed at the needs of research and development organizations,[2] and another aimed more generally at Canadians and Canadian business.[3]

The portals offer articles on a range of topics from basic cyber hygiene tips,[4] to business advice on contracting with managed service providers,[5] to technical advice for IT managers and professionals on subjects such as cloud security risk management, email domain protection, and tailored cyber security training for company employees. Of particular relevance to the heightened threat environment created by hackers taking advantage of COVID-19 are the following articles:

The CCCS's COVID-19 portals provide a timely complement to its existing initiatives to protect Canadian businesses, including its Baseline Cyber Security Controls for Small and Medium Organizations[11] (first published in 2019 and updated in February 2020), and its national cyber security certification program, CyberSecure Canada,[12] under which small and medium enterprises (SMEs) demonstrating compliance with the CCCS's baseline controls are certified by the Innovation, Science and Economic Development Canada.

Despite the federal government's efforts, not enough Canadian businesses are aware of the CCCS and the resources it has been making freely available for over a year. This is unfortunate, because as litigation ensues—and it should be noted that the first wave of COVID-related lawsuits has already begun—courts will seek objective sources on which to base standards of care, and the publicly available advice from official sources such as the CCCS are likely to inform the content of those standards. Now more than ever, counsel should be taking the time to make sure their clients, particular SMEs, which are generally less sophisticated in cyber matters and have fewer resources to protect them, are aware of the CCCS's offerings and are taking steps to implement its advice.


[2] CCCS, Cyber Security Advice and Guidance for Research and Development Organizations During COVID-19

[3] CCCS, Focused Cyber Security Advice and Guidance During COVID-19

[11] CCCS, Baseline Cyber Security Controls for Small and Medium Organizations V1.2