Cybersecurity frameworks, threat intelligence, and training resources
A curated reference for businesses navigating compliance requirements across Canada, the United States, and internationally. Updated regularly with the latest framework versions, threat landscape data, and training resources.
Last updated: February 2025
What businesses are facing right now
Compiled from published threat reports by CrowdStrike, Mandiant, CISA, the Canadian Centre for Cyber Security, and Verizon DBIR. This summary reflects the most significant trends affecting North American businesses.
Ransomware-as-a-Service (RaaS)
Ransomware attacks increased 74% in 2024 (CrowdStrike Global Threat Report 2025). The RaaS model has lowered the barrier to entry — affiliates with minimal technical skill can now deploy sophisticated ransomware. Double and triple extortion (encryption + data leak + DDoS) is now standard. Average recovery cost for mid-market businesses: $1.82M (Sophos State of Ransomware 2024).
AI-Powered Social Engineering
Generative AI has made phishing emails nearly indistinguishable from legitimate communications. Voice cloning (vishing) attacks increased 442% between H1 and H2 2024 (CrowdStrike). Business email compromise (BEC) remains the #1 financial loss vector, accounting for $2.9B in reported losses in 2023 (FBI IC3). AI-generated deepfake video calls are now being used in executive impersonation attacks.
Supply Chain & Third-Party Attacks
Attacks targeting software supply chains and managed service providers continued to rise. The MOVEit, Okta, and SolarWinds incidents demonstrated that compromising one vendor can cascade to thousands of organizations. 91% of organizations experienced a software supply chain incident in the past year (Gartner). Vendor risk management is no longer optional.
Identity-Based Attacks
75% of attacks used to gain initial access are now malware-free, relying on stolen credentials, session hijacking, and MFA bypass techniques (CrowdStrike 2025). Credential stuffing fed by massive data breaches, infostealers, and SIM swapping make identity the new perimeter. Organizations without phishing-resistant MFA (FIDO2/passkeys) are significantly more exposed.
Cloud Misconfiguration & Exposure
Cloud intrusions increased 75% year-over-year (CrowdStrike 2025). Misconfigurations, overly permissive IAM policies, and exposed storage buckets remain the primary attack surface. Multi-cloud environments increase complexity. Most breaches aren't sophisticated — they exploit the basics that were never locked down.
Vulnerability Exploitation Acceleration
Over 40,000 CVEs were published in 2024. The average time from vulnerability disclosure to active exploitation collapsed to 5 days in 2023, down from 63 days in 2019 (Mandiant). Automated scanning and exploit toolkits mean businesses with slow patching cycles are sitting targets. Attackers' use of vulnerabilities for initial access rose 34% in 2024.
Framework directory by region
Direct links to the latest versions of major cybersecurity and privacy frameworks. Whether you need to comply with Canadian privacy law, US federal standards, or international requirements — start here.
🇨🇦 Canada
PIPEDA
Status: Current — under review
Personal Information Protection and Electronic Documents Act. Federal private-sector privacy law governing how businesses collect, use, and disclose personal information.
Applies to: All private-sector organizations operating across provincial borders

Bill C-27 (CPPA / AIDA)
Status: Upcoming — in Parliament
Digital Charter Implementation Act. Will replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and introduce the Artificial Intelligence and Data Act (AIDA). Includes significant new penalty provisions.
Applies to: All organizations subject to PIPEDA, plus operators of AI systems

PHIPA (Ontario)
Status: Current
Personal Health Information Protection Act. Ontario's health-sector privacy law governing custodians of personal health information.
Applies to: Healthcare providers, hospitals, and pharmacies in Ontario

CCCS Guidance
Status: Ongoing
The Canadian Centre for Cyber Security publishes baseline security controls, advisory alerts, and sector-specific guidance for Canadian organizations.
Applies to: All Canadian organizations (recommended)

OPC Privacy Toolkit
Status: Current
Office of the Privacy Commissioner compliance and training tools. Practical guidance for PIPEDA compliance, including self-assessment tools.
Applies to: Businesses seeking PIPEDA compliance guidance

Bill C-26 (CCSPA)
Status: Upcoming — Royal Assent pending
Critical Cyber Systems Protection Act. Establishes cybersecurity obligations for operators of critical infrastructure, including telecom, finance, energy, and transportation.
Applies to: Critical infrastructure operators in federally regulated sectors

🇺🇸 United States
NIST CSF 2.0
Status: Version 2.0 — February 2024
NIST Cybersecurity Framework. The gold standard voluntary framework, organized around six functions: Govern, Identify, Protect, Detect, Respond, Recover. Version 2.0 added the Govern function and expanded supply chain guidance.
Applies to: All organizations (voluntary, widely adopted)

SOC 2 Type II
Status: Current — AICPA
Service Organization Control reports evaluating controls relevant to security, availability, processing integrity, confidentiality, and privacy. Type II reports cover a sustained period of operation.
Applies to: SaaS companies, service providers, any organization handling client data

PCI DSS 4.0.1
Status: Version 4.0.1 — June 2024
Payment Card Industry Data Security Standard. Updated requirements for organizations that store, process, or transmit cardholder data. v3.2.1 retired March 2024. Key changes: customized approach, enhanced authentication, and targeted risk analysis.
Applies to: Any organization processing card payments

HIPAA
Status: Current — updated Security Rule proposed 2024
Health Insurance Portability and Accountability Act. Mandatory security and privacy protections for protected health information (PHI). HHS proposed significant Security Rule updates in late 2024, including mandatory encryption and MFA.
Applies to: Healthcare providers, insurers, business associates

CMMC 2.0
Status: Version 2.0 — Final Rule December 2024
Cybersecurity Maturity Model Certification. Required for Department of Defense contractors. Three levels: Foundational, Advanced, Expert. Final rule published December 2024; phased enforcement begins 2025.
Applies to: DoD contractors and subcontractors

CISA CPGs
Status: Version 1.0.1 — March 2023
Cross-Sector Cybersecurity Performance Goals. Voluntary, prioritized security practices for critical infrastructure. Designed as a quick-start guide for organizations that need to know "where to begin."
Applies to: Critical infrastructure (voluntary, recommended baseline)

FTC Act (Section 5)
Status: Current — active enforcement
The FTC uses its authority over "unfair or deceptive practices" to enforce data security. There is no specific federal cybersecurity law, but the FTC has taken action against hundreds of companies for inadequate security practices.
Applies to: All US businesses (de facto enforcement)

NIST Privacy Framework 1.0
Status: Version 1.0 — January 2020
Voluntary framework for managing privacy risk. Designed to complement the Cybersecurity Framework. Organized around Identify, Govern, Control, Communicate, Protect.
Applies to: All organizations (voluntary)

🌍 International & EU
GDPR
Status: Current — May 2018
General Data Protection Regulation. The EU's comprehensive data protection law with extraterritorial reach. Applies to any organization processing data of EU residents, regardless of where the organization is located.
Applies to: Any organization processing EU resident data

NIS2 Directive
Status: Effective — October 2024
Network and Information Security Directive 2. Expanded scope covering essential and important entities across 18 sectors. Mandatory incident reporting within 24 hours, supply chain security, and management accountability with personal liability for executives.
Applies to: Essential and important entities operating in the EU

DORA
Status: Effective — January 2025
Digital Operational Resilience Act. EU regulation for financial-sector ICT risk management. Covers ICT risk frameworks, incident management, digital operational resilience testing, third-party risk, and information sharing.
Applies to: EU financial entities and their ICT service providers

ISO/IEC 27001:2022
Status: Version 2022
International standard for information security management systems (ISMS). Certifiable framework covering 93 controls across organizational, people, physical, and technological domains. Updated in 2022 with restructured controls.
Applies to: Any organization seeking certification (global recognition)

EU Cyber Resilience Act
Status: Upcoming — enforcement from 2027
Mandatory cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security throughout the product lifecycle, report vulnerabilities, and provide security updates.
Applies to: Manufacturers and distributors of digital products in the EU

EU AI Act
Status: Phased — 2024-2027
The world's first comprehensive AI regulation. Risk-based approach: prohibited practices (February 2025), high-risk system requirements (August 2025), general-purpose AI rules (August 2025), full enforcement (August 2027).
Applies to: Any organization deploying or developing AI systems used in the EU

🏢 Industry-Specific
HITRUST CSF
Status: Version 11 — January 2024
Health Information Trust Alliance Common Security Framework. Integrates requirements from HIPAA, NIST, ISO 27001, PCI DSS, and others into a single certifiable framework for healthcare organizations.
Applies to: Healthcare organizations, health tech companies

SWIFT CSCF
Status: Version 2024
Customer Security Controls Framework. Mandatory security controls for all SWIFT users. Updated annually with evolving mandatory and advisory controls.
Applies to: Financial institutions using the SWIFT network

CIS Controls v8.1
Status: Version 8.1 — June 2024
Center for Internet Security Controls. Prioritized set of 18 defensive actions. Implementation Groups (IG1-IG3) scale from essential hygiene to advanced. Widely used as a practical starting point for security programs.
Applies to: All organizations (practical baseline)

CSA Group Standards
Status: Current
Canadian Standards Association cybersecurity standards. Adopts ISO 27001 for Canada and publishes additional guidance for Canadian organizations, including critical infrastructure.
Applies to: Canadian organizations seeking domestic certification

Free security resources for your team
AI-generated scams, deepfake calls, and sophisticated phishing attacks are harder to detect than ever. These free resources help your team stay ahead of evolving threats.
🎣 Phishing & Social Engineering
🤖 AI & Deepfake Threats
📚 Security Awareness Training
🛡️ Incident Response
Not sure which frameworks apply to your business?
We'll map your regulatory landscape, identify gaps in your current posture, and recommend a prioritized action plan — starting with a free 30-minute security assessment.
Typical response time: Within 24 hours