Minister's Introduction
Since our government introduced Ontario’s first ever Cyber Security Strategy in 2019, we have continued to prioritize the safety and security of Ontarians in our increasingly digital world by bolstering our defenses and launching the Cyber Security Centre of Excellence. This priority was only further reinforced with the onset of the COVID-19 pandemic, which necessitated the rapid move of many of our basic interactions online and expedited the adoption of digital systems.
As we continued on our ambitious agenda to move more government programs and services online, and as cyber threats evolve and become more sophisticated, we recognized the need to address growing concerns about cyber security defense practices within the government and the Broader Public Sector (BPS) head on.
That is why in 2020 my ministry established a ten-person Cyber Security Expert Panel to provide critical advice on how to improve cyber resilience across all of government, including the Ontario Public Service (OPS) and BPS organizations like hospitals, school boards, colleges and universities, and children’s aid societies. In its report, the Expert Panel provides recommendations to introduce new defensive practices and enhance existing ones within the OPS and BPS and focuses on four core themes:
- reinforcing governance and operating models
- improving education and training
- expanding communication between organizations, and
- embracing cross-sector shared services to better mitigate future cyber attacks
The Expert Panel’s recommendations will form the foundation of our cyber security policies and help develop best practices shared across all sectors. They will also inform future targeted investments in our cyber defences, so that we are well equipped to handle inevitable cyber attacks.
This report is a major milestone on our path to improving our cyber resilience and creating secure online services for Ontarians. Our ongoing digital transformation has already delivered significant benefits to the public and businesses, and we must continue to protect them from cyber threats so we can deliver on our government’s plan to make life easier and build a stronger Ontario.
The lessons we have learned so far are invaluable, and as we prepare to tackle the challenges of the future, we must also continue to innovate the tools and techniques we employ. This report will enable our government to do just that.
Kaleed Rasheed
Minister of Public and Business Service Delivery
Executive Summary
The Expert Panel reviewed Ontario’s current cyber security landscape across ministries, the OPS, and BPS organizations, with a focus on the education, child welfare, health, and municipal environments, and identified common and sector-specific challenges.
To improve cyber resilience within the BPS, the Expert Panel provides recommendations for the four key challenges identified that reflect the unique needs of our province.
Governance and Operating Model
Challenge
Current BPS governance structures for cyber security are not all the same, as each have their own policies, procedures, and accountabilities. Cyber initiatives are happening across different sectors but they are not coordinated by a single strategy or model. While many larger organizations are being proactive and engaging in risk and maturity assessments, smaller organizations are at a disadvantage thanks to the limited access to these common resources and expertise.
Recommendation
Ontario should reinforce its existing governance structures to enable effective cyber security risk and maturity management across the BPS.
Education and Training
Challenge
The province lacks diversity and age-specific content in cyber security education. K-12 education does not have a sufficient cyber curriculum, and while higher education does offer specialized training, there are limited opportunities for hands-on experience. Training programs are being developed in response to the growing demand for more robust cyber-related content, but better access to these resources is needed for it to benefit a wider audience.
Recommendation
Ontario should continue to develop diverse and inclusive awareness and training initiatives for cyber security across all age-levels of learning. This should be supported by a variety of content and hands-on activities, available to all and targeted to key groups.
Communication
Challenge
Communication is limited amongst organizations within the BPS. This is due to a lack of awareness and clarity in common platforms and programs. Although current information-sharing rules exist to inform the government in the event of a cyber security incident, these protocols do not support the overall cyber security of the sector. The BPS requires a better, clearer view of their internal communication channels so that cyber resilience can be improved.
Recommendation
Ontario should implement a framework that encourages the organizations within the BPS to securely share information related to cyber security amongst itself with ease.
Shared Services
Challenge
BPS organizations have different levels of cyber security awareness and each use different standards and frameworks. Compared to their larger counterparts, smaller entities lack critical cyber risk management capabilities. These capabilities are now considered vital and are often required in order for organizations to qualify for cyber insurance policies. Therefore, acquisition of cyber security insurance is becoming more difficult and expensive for smaller organizations to obtain due to increasing security expectations and a lack of dedicated, qualified cyber security personnel.
Recommendation
Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.
Conclusion
Cyber security is becoming increasingly important for building convenient, reliable, and accessible government services in a data-driven world. As more and more services move online, our government has launched several initiatives to enhance cyber awareness and cyber resilience across BPS. Despite these efforts, BPS organizations still have different cyber maturity levels, requiring a tailored and flexible approach to achieve the overall cyber security goal. Regardless of the size or mandate of the BPS organization, there is a general desire for more cyber security resources, investments, and expertise.
The Expert Panel believes that building a secure cyber environment requires strong governance, continuous education, effective communication, and collaboration across different sectors. Successful implementation of the recommendations in this report will help create a healthy cyber security environment and deliver more convenient services for Ontarians. This will support economic growth and build a more prosperous future for our province.
In response to the government’s growing use of digital technology to deliver essential services, cyber security must remain a top priority so that we can continue to mitigate disruptions for Ontarians today and into the future.
Disclaimer
If you require this information in an alternative format, please contact infompbsd@ontario.ca.
We will:
- acknowledge your request within 3-5 business days
- provide you with the content within 15-20 business days