In the 7th edition of the IT Trends report, a concerning statistic has emerged: only 54% of Canadian businesses have implemented a business continuity plan. This finding is contradictory to the fact that 22% of Canadian businesses claim to have suffered from a cyber threat, as per this study conducted by Leger and the NOVIPRO Group.
In a world where business activities increasingly rely on digital systems and data, a business continuity plan is essential for all companies. Roger Ouellet, Director of Security Practice at NOVIPRO, emphasizes, "Cyberattacks are now a tangible risk for any company, regardless of its size and sector. A cyberattack can suddenly deprive it of the IT resources or data necessary for its operations."
It is crucial for all companies to establish procedures and strategies to ensure resilience and continuity of operations in case of emergencies or crises.
Without a business continuity plan in place, a company is exposed to numerous risks. In the event of a major incident, it may suffer significant financial losses, lose clients, damage to its reputation, or even close.
| "How long can a company sustain its operations if it no longer has access, for example, to the details of current orders, customer contact information, the volume of merchandise in stock, or the information needed for employee payroll? It is necessary to prepare for such risks of business interruption by adopting a business continuity strategy." | 
Roger Ouellet, Director of Security Practice at NOVIPRO |
Discover more cybersecurity statistics in the 7th edition of the IT Trends, download it here!
Protecting Yourself to Comply with Legislation… and Sustain Your Operations
Security breaches leading to data leaks can have significant financial, contractual, and legal impacts. In the United States, the National Cyber Security Alliance notes that 60% of SMEs that suffered from a cyberattack close their doors within six months.
In September 2022, the province of Quebec passed Law 25, requiring all businesses to report any incident that threatens data confidentiality or results from a cyberattack. The law mandates that companies inform individuals potentially affected by a security breach that exposes their personal data to risks.
In the same vein, the Canadian government aims to strengthen consumer protection of personal information through Bill C-27.
Despite these regulatory advances, the IT Trends report highlights that only 43% of Canadian businesses take the initiative to communicate with their clients in the event of a cyberattack.
Companies violating Quebec’s law face severe penalties: fines of up to 25 million dollars, or an amount equivalent to 5% of their gross annual revenues for large and very large enterprises.
Therefore, it is essential for companies to adopt a transparent approach with consumers and align it with their business continuity plan. This approach is crucial not only for maintaining the company's reputation but also for its financial health.
The Example to Follow: Groupe Master's Operations Continuity Plan
Secure access to data is crucial for companies operating enterprise resource planning systems (ERP). This is exemplified by Groupe Master. With over 1300 employees, the Canadian leader in the distribution of heating, ventilation, air conditioning, geothermal, and refrigeration provides a concrete example of efficient management. With its online purchasing site and distribution centers supplying around 40 retail points, Groupe Master must always remain operational.
"Because of online sales and our distribution centers open at night to prepare deliveries for the next day, we are in operation 24 hours a day," explains Martin-Charles Pilon, Vice President of Information and Digital Technologies at Groupe Master. "I must ensure that all our employees and partners have constant access to the technological tools and data they need to support our activities."
Although the company has not experienced security incidents in the past, its management has taken a proactive approach by developing a business continuity plan. In collaboration with NOVIPRO, Groupe Master's IT team works with managers from various departments to identify the most critical resources, set the level of security with which they must be protected, and implement security measures.
Martin-Charles Pilon emphasizes the company's strategic vision in information security: "I am fortunate to be part of a company that understands the need for robust and always available systems. Our executive committee knows that it is strategically important to take the necessary measures to ensure the security of our information and telecommunication systems. We must be prepared to respond to breakdowns, disasters, or cyberattacks that can occur at any time.”
Business Continuity: A Shared Responsibility in the Company
Like Groupe Master, every company operates today in a complex ecosystem, where data exchanges with suppliers, partners, and customers are frequent. Therefore, it is the responsibility of all company departments to actively participate in assessing risks and implementing appropriate measures for data protection, defence, and cyber resilience. Roger Ouellet emphasizes, "Ultimately, developing a business continuity strategy, as well as operations, is not a technology project: it is a business project in which top management and all business units must engage."
In summary, cybersecurity is everyone's business.
Key Considerations Before Designing a Business Continuity Plan (BCP)
1. What vulnerabilities threaten your company?
Identify risks and pinpoint vulnerabilities that could compromise your operations. Explore emerging threats, systemic vulnerabilities, and external factors that could jeopardize your company's security.
This in-depth analysis is crucial for establishing a robust BCP.
2. How will incidents impact your company?
Catalogue the possible financial, operational, and reputational repercussions. Evaluate the consequences on your processes and identify criteria to quantify and qualify these impacts.
This list guides the design of a BCP tailored to your reality.
3. What strategies to choose for restoring technologies and adapting IT processes?
Explore concrete solutions to restore your technologies and adjust your processes in case of incidents. Identify recovery measures to deploy, examine data restoration protocols, and detail specific actions to minimize operational impact.
This reflection strengthens your company's resilience to disruptions.
4. What intervention plan to implement for each emergency affecting personnel, visitors, etc.?
Develop specific intervention plans for each emergency, focusing on the protection of personnel, visitors, and other stakeholders.
These plans mitigate risks and ensure rapid and effective communication throughout the incident.
