Give tax break so small Canadian firms can invest in cybersecurity, Parliament told

Ottawa should deploy a wide range of strategies, including tax breaks, to encourage small businesses to take cybersecurity more seriously, a member of a think tank told a parliamentary committee this week.

“I think the government should incentivize companies to adopt the latest security measures, such as the cybersecurity standard established by ISED (Innovation, Science and Economic Development) and CSE (the Canadian Security Establishment, the country’s electronic spy agency that also protects federal IT networks) for small and medium organizations,” Aaron Shull, managing director and general counsel of the Centre for International Governance Innovation (CIGI) told the House of Commons defence committee.

The standard he referred to is CyberSecure Canada, a program for small and medium-sized firms. Companies that meet certain criteria and pass a security audit can tell customers and partners they have met the certification standard.

Started in 2019, the program hasn’t been widely adopted. A year after the program was announced, IT World Canada found that only three firms had been certified.

“The standard provides a high level of protection,” Shull told the committee, “but its adoption — and this is the problem — has been limited. Implementing a tax benefit system as an incentive to help increase the overall level of cybersecurity in the country and reduce the risk of cyberattacks on businesses would be a way forward.”

Second, the federal government should establish a clear and concise legal framework for  how the private sector can deal with cyber attacks, including guidelines for attribution of attackers, response, and for liability should companies be allowed to hit attackers back. But, he added, the framework should also be “nimble and respond to a fast-changing environment. And the regulations should be driven by “sound policy” and not politics.  The cabinet would set standards, a code of practice and certification programs to act as an integrated compliance program, he said.

Third, Shull said, Ottawa should convene an annual cybersecurity conference for a wide range of stakeholders — companies, the IT industry, provincial, territorial, and municipal governments, academics, Indigenous communities, non-profits — to learn more about cybersecurity and do tabletop exercises. Not all sessions would be open to the general public.

One model, he added, is a “cybersecurity dialogue” that CIGI will host in June in Waterloo, Ont., where it is headquartered.

“In my view, cybersecurity is a whole of society concern for Canada,” Shull explained, “and everyone should do more to address this issue.”

In an interview, Shull noted the CyberSecure Canada program has been put forward by the Standards Council of Canada and the Digital Governance Council (formerly the CIO Strategy Council of Canada). “If you are a small and medium-sized enterprise you will probably be OK” to withstand attacks from unsophisticated threat actors, he said. It’s “relatively rare” for nation-state actors to go after SMEs here, he said.

But the federal government needs to give incentives to the private sector to act, Shull said. “We always wait for the ‘Oops’ moment before we do something.”

He isn’t sure how much of a tax incentive Ottawa should offer, other than “make it big enough that people will actually do it.”

But he added, the economic benefit of having companies spend less on recovering from a cyber attack should increase government revenue, and spur innovation.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.