Summary
Maple Cloud Inc. is a small Canadian web development company with 12 employees that has been operating for over 5 years. Their services include designing client websites, setting up email hosting, and building internal development tools.
To improve their internal security posture against emerging cyber threats and build greater trust with clients, they have decided to pursue CyberSecure Canada certification.
Audit Objective
This mock audit was performed to assess Maple Cloud Inc.’s cybersecurity readiness against a selection of controls from the CyberSecure Canada standard. The objective was to identify key strengths and weaknesses in their current practices and recommend actionable steps to reduce risk and align with certification requirements.
Audit Scope:
- MFA on email and cloud accounts
- Employee security awareness
- System updates and antivirus
- Device and password policies
Risk Assessment – Maple Cloud Inc.
The following risks were identified during the assessment:
Asset | Threat | Vulnerability | Risk Score | Recommended Control |
---|---|---|---|---|
Gmail Accounts | Phishing Attacks | No MFA enabled | Critical | Enforce MFA across all accounts |
Employee Laptops | Malware Infection | Outdated Antivirus | High | Regular Antivirus updates and auto-protect |
Web Server | Unauthorized Access | Default admin credentials | Medium | Change default credentials, limit access |
Control Review Snapshot (Audit Checklist)
Control Area | CyberSecure Control # | Compliance | Notes |
---|---|---|---|
Multi-Factor Authentication | #7 | ❌ | Gmail does not have MFA enabled |
Automatic Security Updates | #6 | ⚠️ Partial | 2 laptops have updates disabled |
Security Awareness Training | #1 | ✅ | Completed in Q1 2025 and well documented |
Findings:
- Major Finding: Multi-Factor Authentication is not enabled on company Gmail accounts.
- Minor Finding: Two laptops have Windows Update turned off.
Positive Observations:
- Employee security awareness training is current and well documented (last completed: Q1 2025).
Remediation Plan for Identified Gaps
Finding | Action | Responsible | Due Date | Follow-up |
---|---|---|---|---|
No MFA on Gmail accounts | Enforce MFA via admin console | IT Admin | 2025-04-30 | 2025-05-05 |
Windows updates disabled on laptops | Turn on auto-updates / patch manually | SysAdmin | 2025-05-15 | 2025-05-20 |
This case study was developed as a simulated audit scenario to demonstrate CyberSecure Canada audit-readiness support in a small business context.
🔍 Why even tech companies?
Tech ≠ Security by default. Developers are great at building features, but security often lags behind: weak password policies, skipped patches, or missing documentation.
Certification gives them a structure, helping the team move from “we think we’re secure” to “we know we are.”