Our distinctive experience
Driven by collaboration between its members, Cybereco’s projects tackle the challenges of cybersecurity in concrete terms. By leveraging collective intelligence, the organization fosters the co-creation of innovative solutions, the development of concrete tools and a positive influence on the sector’s direction.
Its agile, impact-driven approach enables us to anticipate emerging challenges and sustainably strengthen the digital resilience of Canadian organizations.
Cybertrousse Community
The Cybertrousse community was created in response to a crying need: to offer small and medium-sized enterprises (SMEs) concrete resources to strengthen their cybersecurity posture. Too often left to fend for themselves in the face of growing threats, SMEs lack accessible tools tailored to their reality. This community brings together experts, practitioners and partners committed to co-constructing a clear, useful and directly applicable awareness kit.
Objective and main deliverable
The community’s flagship deliverable is a cybersecurity awareness kit, designed specifically for SMEs. This kit aims to:
– Raise companies’ awareness of the main digital risks;
– Guide them in adopting best practices;
– Offer simple tools to start or structure their cybersecurity approach;
– Promote a gradual, realistic and sustainable rise in maturity.
Why this approach
Cybersecurity is no longer a luxury reserved for large organizations. In a context where SMEs are becoming prime targets for cybercriminals, it is essential to provide them with concrete, understandable and actionable resources. The Cybertrousse community is part of this drive to democratize cybersecurity and foster a culture of vigilance and digital resilience within Quebec SMEs.
Kit contents
The kit comprises several key components, each addressing a fundamental issue:
Phishing
Recognize and react to fraudulent e-mail or messaging attempts
Password
Adopt secure access management practices
Data protection
Ensure the confidentiality and integrity of sensitive data
Impersonation fraud
Protect against digital identity theft
Remote working
Supervise the safe use of mobile devices and teleworking
Ransomware
Understand the threat and implement preventive measures
Internal Threats Community
The Internal Threats community has been set up to equip organizations to deal with a risk that is all too often underestimated: that which comes from within. As detection tools (SIEM, DLP, behavioral AI, etc.) multiply, governance, compliance and privacy issues become central. This community aims to provide a space for reflection and co-construction to better understand, frame and mitigate the risks associated with internal threats.
Main deliverable
The community is currently working on updating and enriching the internal threat protection guide. This guide aims to:
– Present the types of detection mechanisms used in organizations;
– Draw up an overview of the ethical, legal and operational issues associated with their deployment;
– Offer concrete recommendations that can be applied in different organizational contexts.
Why this approach
The insider threat is a complex, multidimensional phenomenon that affects all organizations, whatever their size or sector. Managing it requires close coordination between security teams, legal departments, human resources and management. By pooling expertise within the community, we aim to:
- Promote a shared understanding of the phenomenon;
- Define a balanced framework for action that is both effective in terms of security and respectful of rights;
- Provide organizations with the tools they need to implement prevention strategies tailored to their specific situation.
What we're working on
The guide is structured along the following lines:
Background and definition
Understand the nature of internal threats, how they manifest themselves and the impact they have on organizations.
Detection technologies
Exploration of tools such as SIEM, DLP, AI solutions, and their integration into IT environments
Privacy and surveillance
Balance between security and respect for fundamental rights, principles of proportionality, consent and minimization
Regulatory frameworks
Compliance with Bill 25 (QC), RGPD (EU), CCPA (California), etc.
Governance
Roles and responsibilities of CISOs, DPOs, management and partners in implementing an effective program.
Legal risks
Case studies, case law, consequences of non-compliance.
Practical recommendations
Practical tools (checklists, sample contract clauses, best training practices).
Third-Party Management Community
The Third-Party Management community was created to meet a growing need: to help organizations, particularly SMEs, structure and strengthen their management of suppliers, subcontractors and digital partners from a cybersecurity perspective. In a context where supply chains are increasingly interconnected, third parties now represent a major vector of risk. Incidents such as SolarWinds and MOVEit have demonstrated the extent to which an external breach can have serious internal consequences. Yet SMEs often lack the resources, time or expertise to implement robust practices.
Main deliverable
The community is working on a strategic and pragmatic white paper, specifically adapted to the context of Quebec SMEs. This document will aim to:
- Take stock of current third-party management practices;
- Analyze applicable legal obligations (e.g. Law 25);
- Integrate international standards (ISO, NIST, etc.) in a contextualized way;
- Propose concrete, actionable recommendations.
Why this approach
Because third-party management is now a pillar of organizational security, and without support, SMEs risk remaining weak links in the chain. This community wishes to:
- Offer a credible, applicable and localized reference in Quebec;
- Provide SMEs with practical tools to enable them to take action without the burden of jargon;
- Possibly lay the foundations for simplified certification mechanisms or concerted sectoral initiatives.
What we're working on
The community mobilizes its collective expertise in the following areas:
Identifying issues specific to Quebec SMEs
Regulatory analysis: Law 25, RGPD, sectoral obligations
Adaptation of international best practices (ISO 27036, NIST SP 800-161, etc.)
Production of pedagogical and operational content: templates, grids, tools
Definition of a progressive implementation path for low-resource organizations
Intended contents of the white paper
- Maturity self-assessment tools;
- Standard contractual clauses to govern relations with third parties;
- Threat catalogs by supplier type;
- Maturity grids to guide organizational progress.
Post-quantum cryptography community
The Post-Quantum Cryptography community was created to support Cybereco member organizations in the face of a major technological transformation: the imminent arrival of quantum computing and the risks it poses for current cryptography.
The objective is clear: to put in place a structured and adapted transition framework to enable organizations to prepare for this revolution now, and thus mitigate the risks associated with the future compromise of traditional cryptographic algorithms.
Main deliverable
The community is working on a strategic and operational support framework to facilitate the migration to quantum-attack-resistant cryptography.
This framework will include:
- An inventory of the risks associated with the emergence of quantum computing;
- Concrete mitigation measures (crypto-agility, asset management, prioritization);
- Transition planning tools ;
- Examples of progressive implementation (roadmap, best practices, multi-year migration plan).
Why this approach
Cryptography is the foundation of modern digital security. But this foundation will be undermined as soon as quantum computers reach a critical power threshold.
Waiting for the threat to become a reality means exposing yourself to retroactive attacks on sensitive data stored today.
By structuring the transition now, this community enables organizations to:
- Anticipate technological and regulatory impacts;
- Avoid rushing into decisions under pressure;
- Protect their assets, customers and reputation over the long term.
What we're working on
The guide is structured along the following lines:
Understanding the threat
Explanation of the impact of quantum on RSA, ECC and other classical algorithms; "store now, decrypt later" scenario.
Cryptographic asset mapping
Identification of systems, data and suppliers at risk.
Organizational impact assessment
Legal (Law 25, RGPD), technological (hardware, software) and operational (supply chains) aspects.
Migration plan to post-quantum cryptography (PQC)
Definition of priorities, integration of crypto-agility, alignment with NIST recommendations.
Raising awareness among management and stakeholders
Get the subject recognized as a strategic risk that needs to be addressed now.
Data Protection Community
The Data Protection community was created in response to the growing challenges associated with managing unstructured data, which today accounts for a large, growing and often neglected part of organizations’ information assets. This data (documents, e-mails, images, videos, messages, etc.) is difficult to inventory, classify and protect, making it a major vector of legal, operational and strategic risk.
Main deliverable
The community is working on a practical guide to protecting unstructured data, with a particular focus on labeling, governance, compliance (Law 25, RGPD) and technological tools.
This guide is aimed at a multidisciplinary audience: CIOs, DPOs, security managers, IT architects, data managers and operational teams.
Why this approach
Regulatory obligations (notably Bill 25 in Quebec) demand rigorous control of personal information, including in unstructured formats. Yet most organizations underestimate the volume and sensitivity of this data.
This community aims to:
- Strengthen collective expertise on these technical, legal and organizational issues;
- Equip organizations with applicable practices and concrete models;
- Foster innovation in information security, based on a collaborative and evolutionary approach.
What we're working on
Understanding unstructured data
- Definition, use cases, distinctions with structured and semi-structured data;
- Specific problems: lack of schema, varied formats, accessibility, dispersed storage.
Why label data?
Legal reasons (Law 25, RGPD, NIST) and compliance issues;
Information security: classification, protection, encryption;
Efficiency: automation, archiving, lifecycle, risk reduction.
Taxonomy and labeling systems
Sensitivity, compliance and business labels;
Recognized standards (Microsoft Purview, ISO/IEC 27001/27002);
Integration into Microsoft 365, DLP, SIEM, etc. environments.
Stages of a classification project
Identification of sources, scope and objectives;
Selection of tools (manual, automated, classification AI);
Deployment, training, adoption and ongoing governance.
Best practices and pitfalls to avoid
Avoid under/over-classification;
Keep classification alive and relevant;
Align policies with business needs and legal requirements.
DevSecOps & AppSec community
This community aims to integrate cybersecurity into all stages of the software development cycle. By combining DevSecOps and AppSec, its mission is to strengthen application and infrastructure security, while adapting practices to the realities of Quebec organizations.
Objectives
- Create a forum for practitioners to share challenges, tools and best practices;
- Promote the adoption of “by design” security right from the software design stage;
- Identify relevant partners, tools and frames of reference within the Canadian ecosystem;
- Collectively evaluate centralization strategies, RACI models and remediation approaches;
- Promote a culture of security among developers, with structuring support from the AppSec team.
Why it matters
At a time when software vulnerabilities account for a growing proportion of security incidents, this community enables organizations to:
- Align development and cybersecurity practices in a collaborative approach;
- Take advantage of feedback from organizations of all sizes;
- Develop practices pragmatically, in line with the constraints and operational realities of IT teams.
Deliverables and work in progress
Current work is structured along the following lines:
Thematic sessions based on real cases and AppSec roadmaps
Comparative analysis of centralized vs. decentralized approaches to security in development
Discussions on integrating security models into CI/CD pipelines, including secret detection, WAF "as code" management and SBOMs
Development of recommendations on targeted training tools, threat modeling, partial remediation automation and internal CTFs as a culture lever.
Data Loss Prevention (DLP) Community of Practice
The Data Loss Prevention (DLP) community brings together technical experts from the public and private sectors to collectively strengthen the security posture of organizations in the face of the risks of exfiltration, leakage or mishandling of sensitive data.
It aims to create a collaborative space for sharing configurations, testing innovative approaches, solving common challenges and supporting each other around data loss prevention platforms.
Objectives
- Create a forum for practical exchanges on DLP tools;
- Document and compare labeling, encryption and policy configuration strategies;
- Share lessons learned from large organizations;
- Pool knowledge to avoid recurring errors;
- Promote the adoption of technical best practices within cybersecurity teams.
Why it matters
As sensitive data is increasingly dispersed across hybrid environments (cloud, local, mobile), DLP tools need to be finely tuned and adapted to the business context.
This community enables organizations to:
- Share their successes and failures, to avoid duplication of effort;
- Co-construct a common base of useful configurations, adapted to their realities;
- Support innovation and operational agility, while maintaining strict compliance with regulatory obligations (Law 25, ISO standards, etc.).
Work streams
The community is organized around several sub-themes and collaborative workshops:
Microsoft Purview & AIP stream
RegEx & detection stream
OCR & exfiltration monitoring stream
EDM / IRM (information rights management) stream
SASE & new technologies
IAM Community of Practice
The IAM community was created to equip organizations in one of the critical foundations of their cybersecurity posture: identity and access management. As digital environments become more complex and distributed (remote users, cloud access, third-party suppliers), access control is becoming a strategic issue, as much to prevent intrusions as to comply with regulatory requirements (Law 25, RGPD, etc.).
The aim of this community is to bring together experts, architects, IT managers and governance professionals around concrete solutions adapted to the realities of Quebec organizations.
Objectives
- Promote the sharing of identity and access management practices, models and architectures;
- Clarify roles, responsibilities and processes related to the identity lifecycle (creation, modification, deletion);
- Explore key technologies (IAM, IGA, MFA, SSO, RBAC, etc.) and their integration in various contexts;
- Support alignment between IT teams, HR departments, security teams and management;
- Help organizations build consistent, sustainable and compliant IAM governance.
Why this approach
Poor identity and access management is at the root of many security incidents. Yet it remains a major challenge, especially for organizations with limited resources or heterogeneous environments.
This community enables organizations to:
- Develop a structured approach based on real-life use cases;
- Improve resilience to internal and external threats;
- Simplify audits and reinforce compliance;
- Reduce friction for end users, while increasing security levels.
Work in progress
The community structures its exchanges and deliverables around the following axes:
IAM governance models
- Definition of roles (identity owners, approvers, operators, auditors);
- Stakeholder and process mapping.
Identity lifecycle
- Onboarding, internal mobility, temporary access management, offboarding;
- Integration with HR systems, ERP, CRM, etc.
Access control
- RBAC, ABAC models, principles of least privilege, separation of duties;
- Privileged Access Management (PAM).
Authentication and federation
- Implementation of multifactor authentication (MFA);
- SSO and identity federation (SAML, OAuth, OpenID Connect).
Audits and compliance
- Access monitoring, periodic reviews, anomaly alerts;
- Alignment with regulatory requirements (Law 25, ISO 27001, etc.).