Final Report to the Minister of Public and Business Service Delivery

September 2022

The rapid evolution and pervasive integration of technology are disrupting the future of work. Businesses, and society in general, are more reliant than ever on digital systems to interact and conduct transactions. The ongoing digital transformation has delivered significant benefits while introducing new risks to the economy. As the cyber environment steadily evolves, the need for additional resources to combat cyber security risks continues to increase.

The Minister of Government and Consumer Services, now the Ministry of Public and Business Service Delivery, established a Cyber Security Expert Panel in 2020 as part of Ontario’s Cyber Security Strategy. Since its inception, the Panel has led collaborative initiatives to identify common and sector-specific challenges and provided advice to improve cyber resilience and create a more cyber-secure future for the Ontario Broader Public Sector (BPS).

In this report, the Panel assesses the current state of cyber security across four (4) BPS sectors (K-12 and higher education, children’s aid services, and municipalities). It provides recommendations to incorporate new and enhance existing capabilities within the BPS.

The Expert Panel reviewed Ontario’s current cyber security landscape in the education, child welfare, health, and municipal environments and identified common and sector-specific challenges.

To improve cyber resilience within the BPS, the Expert Panel provides recommendations aligned with the four key challenges identified, reflective of the specific needs of the Province of Ontario and requiring joint effort from all stakeholders within the ecosystem. The four key observations and corresponding recommendations from the Expert Panel include:


Challenge: Policies, procedures, and accountabilities within the current BPS governance structures for cyber security are disparate. Cyber-related initiatives are happening in parallel across different sectors without a centrally coordinated strategy or model. While many larger organizations are proactively engaged in risk and maturity assessments, smaller organizations suffer disproportionately from limited access to common cyber security risk management resources and expertise.

Recommendation: Ontario should reinforce existing governance structures to enable effective cyber security risk management across the BPS.

Challenge: The province lacks risk- and age-specific content and diversity in cyber security education. K-12 education does not have a sufficient cyber-featured curriculum; higher education offers specialized training but limited opportunities for hands-on experience. Integrated training programs are being developed in response to the growing demand for more robust cyber-related content; however, better access to these resources is required to benefit a wider audience.

Recommendation: Ontario should continue to develop diverse and inclusive cyber security awareness and training initiatives across all age-levels of learning, supported by a variety of common and tailored content and hands-on activities.

Challenge: Communication is limited amongst BPS organizations due to unclear cyber security constituents and a lack of awareness of common platforms. Current information-sharing protocols exist to inform the government in the event of an incident, but these protocols do not serve to support the overall cyber security of the sector. BPS entities require a comprehensive view of communication channels within their network to facilitate and enhance existing cyber resilience.

Recommendation: Ontario should implement a framework that encourages BPS entities to share information related to cyber security securely amongst each other with ease.

Challenge: BPS organizations have varying levels of cyber security awareness and employ a variety of standards and frameworks. Compared to their larger counterparts, smaller entities lack critical cyber risk management capabilities such as incident response and backup and recovery plans. These capabilities are now considered fundamental and are often required to qualify for cyber insurance policies. Therefore, acquisition of commercial cyber security insurance is becoming more difficult and expensive for smaller organizations due to lack of dedicated, qualified cyber security personnel and increasing cyber security maturity expectations.

Recommendation: Ontario should continue to develop, improve, and expand shared services and contracts for cyber resiliency across the BPS, considering sector-specific needs where required.

Cyber security is becoming increasingly critical for building convenient, reliable, and accessible government services in a data-driven world. As more and more services incorporate digital technology, the Government of Ontario has launched several initiatives to enhance cyber awareness and cyber resilience across the Broader Public Sector (BPS). Despite these efforts, BPS organizations still have varying cyber maturity levels, requiring a tailored and flexible approach to achieve the overall cyber security goal. Regardless of the size or mandate of the BPS organization, there is a general desire for more cyber security resources, investments, and expertise.

The Expert Panel believes that building a secure cyber environment requires strong governance, continuous education, effective communication, and cross-sector collaboration. Successful implementation of the recommendations in this report will foster a healthy cyber security ecosystem while delivering more convenient services and supporting economic growth to build a more prosperous future for all Ontarians.

In response to Ontario’s steadily increasing dependence on digital technology to deliver essential government services, cyber security must remain a top priority for the Minister to mitigate disruptions for its citizens today and into the future.