Technologia: You have extensive experience in cybersecurity, having worked for international and provincial organizations. In your opinion, are Quebec companies aware of the risks they face?
Benoit Tremblay: Unfortunately not, despite the spectacular cases that regularly make the headlines. Everyone has heard about data leaks or systems blocked by ransomware, but that doesn't seem to be enough to raise awareness.
T: Why do you think that is?
Benoit Tremblay: It's a combination of factors. It ranges from "my company isn't big enough to interest hackers" to "someone in the organization is probably in charge of this". These are misperceptions that can be costly. Especially since the hacking is not necessarily spectacular, with thousands of pieces of information stolen or huge ransoms demanded to restore systems. Sometimes, it's simply a foreign competitor spying on your processes to bring out a product identical to yours, at a lower cost because they have saved on R&D. The order book empties and you go bankrupt.
T: Is cybersecurity the exclusive responsibility of I.T.?
Benoit Tremblay: Absolutely not! On the one hand, the implementation of Law 25 makes the management team responsible in the broadest sense, especially for SMEs. On the other hand, any manager should be able to ask the right questions to the right people in order to get an idea of the state of data security in his company, without being a specialist.
T: That's a tall order and responsibility to boot. How can management or executive teams prepare for it?
Benoit Tremblay: By proceeding methodically to make a high-level plan. It's not so much about technology as it is about governance, employee training, and the policies in place in companies. In my training, I put the participants in a "real" situation based on a real-life case. This gives them the means to identify IT weaknesses, establish the necessary preventive actions, prioritize them in an action plan and ensure the necessary follow-ups... without being IT specialists!
To go further:
Cybersecurity: setting up an action plan to protect the company
