Here at Grant Thornton, we’re close to mid-market businesses internationally. Around the world our member firms support mid-market companies across all sectors, from retail to manufacturing.

This gives us considerable insight into how the mid-market is feeling about the changing risks and opportunities it faces. Every year we deepen this understanding through our International Business Report (IBR), the longest running survey of mid-market attitudes, including views on sustainability.

We know that mid-market companies are keen to become more sustainable, reflecting their forward-looking, entrepreneurial nature. We also recognise the vital role we, as service providers can play in supporting the transition to net-zero. This is why we recently joined the Net Zero Financial Service Providers Alliance. As the COP26 goals point out: “We can only rise to the challenges of the climate crisis by working together.”

Mid-market businesses see action on sustainability as a business imperative, rather than just ‘doing the right thing’, given increasing pressure from their large multinational supply chain customers, consumers and competitors. Our most recent IBR research confirms this – 62% of those surveyed say sustainability is as important as, or more important than, financial success. And 72% say that prioritising sustainability has become more important than it was pre-pandemic.

Read the full article here.

Going public is a good way to help your business grow. However, it’s important to be well prepared and rely on a solid team of internal and external specialists.

This was the message to entrepreneurs from Paul Raymond, President and CEO of Alithya, during a one-on-one meeting with Emilio B. Imbriglio, Raymond Chabot Grant Thornton President and CEO.

Alithya, a Québec-based digital strategy and technology company, was first listed on the Toronto Stock Exchange and NASDAQ in November 2018. Under Raymond’s leadership, Alithya has completed 11 acquisitions in the past 10 years, the latest being R3D Conseil (600 professionals) in April 2021. Alithya now employs over 3,300 people, 16 times more than in 2011.

An accelerated IPO

“Alithya decided to launch an initial public offering to address growth objectives in response to client requirements,” explained Paul Raymond.

Its clients were asking it to quickly reach a certain critical mass so they could use its services for strategic projects. Alithya therefore increased its acquisitions and began planning an IPO, in particular, in order to make it easier to share the wealth created among its shareholders.

While the organization was quietly preparing for a potential IPO, the 2018 purchase of U.S.-based, publicly-traded Edgewater Technologies pushed the process into high gear. “The only way we were going to be able to complete the transaction was to become a public company through the acquisition of this company,” Paul Raymond said.

“In my mind, we had two years to prepare for our IPO, but with this transaction, we had to pull out all the stops to complete both the acquisition and the IPO in just six months,” he added.

When Alithya started to negotiate with Edgewater, “We already had a committee consisting of management and external experts, we had external investors and we had started to put governance mechanisms in place, but we were a long way from the governance of a public company”.

Alithya hired a Chief Financial Officer and a Chief Legal Officer with public company experience to successfully complete the transaction and go public.

Advice to CEOs

Paul Raymond and Emilio B. Imbriglio both stressed that preparing an IPO is a demanding process that requires the support of external specialists in all aspects of finance, law, corporate strategy and management.

Before taking the company public, “you need to have a very good vision of its next two years,” advises Alithya’s President. A CEO must be well surrounded in order to be able to delegate certain tasks to trusted managers, because investor and analyst relationships can be time-consuming.

“These people want the CEO to explain the company’s strategy,” said Paul Raymond, who advises entrepreneurs thinking of taking their companies public to get public communications training.

“I’m a big believer in having a good plan when going public, but you also have to be willing to listen and change, which is not always easy for a CEO,” said Paul Raymond, recipient of Investissement Quebec’s CEO Emeritus Award in 2020.

“I’ve seen entrepreneurs who have completely transformed themselves during an IPO process, but I’ve seen others who didn’t anticipate having to deal with this new category of partners (investors) and thought they could continue to do everything just like before,” said Emilio B. Imbriglio.

Paul Raymond also recommend that entrepreneurs learn from their peers and the many support resources in the business community: “In Québec, public company executives are very generous with their time and advice. And there is a whole ecosystem to help entrepreneurs who are considering going public.”

Benefits of being public

According to Paul Raymond, the demands placed on public companies dictate a rigorous management framework and transparent accountability that is to their benefit. “I really like the discipline and quality of governance that being a public company brings because you answer to more than just one shareholder.”

An added benefit of being publicly traded is that there is no need to look for a buyer for the company when the principal executive retires. “There is a natural transfer of power, and the company can continue to grow,” said Paul Raymond.

However, being on the stock market does have some drawbacks. For example, the transparency required means that competitors can see the company’s financials and learn its strategy. “We’re still discovering downsides,” he acknowledged, noting the level of complexity associated with a Québec company being listed on the U.S. stock exchange.

That said, Emilio B. Imbriglio reminds us that public financing is a good way to grow. “Many Québec companies that have become national and international leaders have been able to realize their dreams thanks to public financing. Nevertheless, Québec accounts for only 7% of Canadian companies listed on the two main TMX Group stock exchanges. This is still too few, considering that Québec’s economic weight (GDP) accounts for about 20% of the Canadian economy,” he said.

Emilio B. Imbriglio and Paul Raymond would like the government to consider creating a new plan based on the old Stock Savings Plan (SSP). They say this would allow many companies to benefit from new capital.

The human side above all

Paul Raymond believes it is essential for people to be at the heart of a company’s technological progress and strategic decisions, whether it be employees, customers or shareholders.

“I have always felt that people have an incredible capacity to adapt. We’ve seen that over the last year and a half. When employees understand why changes are being made, it’s much easier to introduce those changes and train them.”

He said the rise of telework as a result of the pandemic is now a fact of life and is beneficial on many levels, from increased employee productivity to a reduced environmental footprint, for example.

The rollout of high-speed internet across the province is a major wealth-creating project, he said. “We’re sitting on a gold mine in Québec with green energy, high-speed internet in every home and the world’s largest market less than an hour’s drive from Montréal.”

Updated on July 13, 2023

Your data is worth a fortune on the dark web. What are the best practices to adopt for your company’s cybersecurity?

To protect your computer data, make sure you have a good computer security posture:

• Classify your data by importance
• Be aware of internal threats
• Choose the best means of protection

Understanding how cybercriminals work is key to ensuring that your corporate computer data is safe. How do they gain access to your data?

They steal your identity information, either by using phishing emails sent to your users or by exploiting vulnerabilities in systems and applications that may be out of date. They then determine which of your data are the most sensitive so they can exploit them.

Here are some best practices to improve your protection.

Classify your data by importance

The first step in a process to improve your computer security posture is to classify your data by importance. Here are a few key questions you need to answer BEFORE starting to implement efficient controls in a governance context:

• What needs to be protected?
• What is the level of sensitivity?
• Where is the data?
• Who has access to the data and when was the last time they accessed it?

Once you are able to properly answer these questions, you can begin to build a defence system to protect your most critical data according to your organization’s risk level. Too often, organizations spend a lot of money on controls to mitigate attacks, without ever taking that crucial first step.

Be aware of internal threats

A ransomware attack is the act of breaking into your systems and taking over your data by encrypting it and compromising your backups.

The criminals will demand a ransom in exchange for the encryption key that will allow you to recover your data. However, in many cases, even if you pay the ransom, your data will already be made available to other criminal organizations on the dark web. This is the multiple extortion model where a second lever can be used through blackmail, or worse, making you lose access to your data forever, since criminals find that selling this data on the dark web is of greater interest. This is why it’s important to protecting yourself against it.

However, the threat to your data can also come from within and you must also take this into account in your protection plan. Here are a few examples.

Careless workers

Careless workers may unintentionally put the organization at risk:

• storing sensitive data on an unencrypted USB drive or disk;
• leaving a laptop or other device unattended where that data could be stolen;
• leaving confidential documents on a desk.

Employees who leave

Employees who are terminated or voluntarily leave could take organizational data with them:

• intellectual property or organization data generated or used by the employee;
• customer lists;
• trade secrets.

Hindrance to productivity

Employees could circumvent security because it hinders their productivity:

• saving files to a personal hard drive;
• using applications not approved by the organization;
• unapproved collaboration.

Malicious employees

Malicious employees who have a grievance against an organization may choose to act on it:

• disclose confidential data;
• commit sabotage;
• alter or delete sensitive data.

Infiltrators

Infiltrators, working on behalf of an outside group may want to commit a data breach or other industrial espionage attack and allow an outside group to gain access and user privileges. These insiders may be:

• malicious;
• deceived through social engineering;
• coerced through bribery or blackmail.

Third-party partners

Note that third-party partners can pose the same threats and cause the same damage as an organization’s employees with similar access.

According to Threatpost, 94% of organizations provide their vendors, suppliers, business partners and others with access to their networks and systems, and 72% of these third parties have elevated permissions on those systems.

If they have poor cybersecurity hygiene, they put you at risk every time they log into your systems.

Choose the best means of protection

Once you have classified your data, there are practical and simple ways to protect your most sensitive and critical data from any type of attack.

Encryption

Make your data virtually unreadable by anyone who doesn’t have the key, both while in storage and while in transit or in use.

Secure, offline backups

Make sure your backups are not only online, otherwise they could also be compromised, making them impossible to restore.

Eliminate unauthorized file editing, deletion and movement

If you are using Active Directory (AD), there are simple solutions to protect your unstructured data and set up monitoring of your dark web footprint.

Email threat filtering

No single solution can eliminate all malware and attacks, but by eliminating most of them, you will significantly reduce your attack surface and risks.

User awareness

Your users have phones, tablets and social media accounts. Make sure they are aware of their dangers to the organization.

Password policy

How many of your users have the same password for work, their social media or their bank accounts?

Multi-factor authentication

The second static factor is no longer sufficient and hasn’t been for a long time. You need a solution that incorporates time and location and other attributes to prevent remote access to your data.

Third-party suppliers and super-administrator access

You need an approval process for all external and internal access to sensitive systems, as well as a complete audit trail and indexed log of every action, including orders.

24/7 detection and response management year round

Monitoring of your files, desktops, servers, networks, mailboxes, and user behaviour should be ongoing and include real-time automated risk mitigation, isolation and remediation.

Zero trust model

This innovative security model ensures a secure connection by eliminating transitive trust and continuously identifying and authenticating each device and user before granting them access to network applications. Your onsite and remote users can securely log in to their work environment with trusted user and endpoint identification and multi-factor and biometric authentication.

You need to construct layered data protection with redundant controls to make it more difficult for cybercriminals to access your data. No single solution will eliminate all threats. However, knowing what your IT security posture is and what IT data needs to be protected to ensure your business’s health provides your organization with solid protection against cyberattacks.

This article was written in collaboration with Harold Walker, Senior Director of VARS, a subsidiary of Raymond Chabot Grant Thornton, specialized in cybersecurity.