Five Questions with Ian L. Paterson, CEO of Plurilock

Plurilock is a Canadian cybersecurity company specializing in solving IT and cybersecurity challenges under demanding circumstances. Known for their industry-leading rapid mobilization capabilities, Plurilock protects organizations from evolving digital threats.

CEO Ian L. Paterson recently sat down with CCI President Benjamin Bergen to discuss the state of cybersecurity in Canada, the role of innovation in addressing emerging threats, and what it takes to operate in one of the most high-stakes industries.

Cette transcription a été éditée pour des raisons de longueur et de clarté.

‍

Benjamin Bergen: Ian, thanks for joining us. Can you share a bit of the backstory on Plurilock and how the company has evolved since the company was founded?

Ian L. Paterson: Plurilock is a cybersecurity and AI company. Early on, we identified that the cybersecurity industry is highly fragmented. While we began with advanced analytics and AI capabilities, which formed the genesis of the company, our team has always been mission focused. That means we are motivated to solve problems for our customers, solving 'unsolvable' cybersecurity and IT problems that others might shy away from.

We realized that some of those challenges required technology solutions, while others needed different approaches. This perspective led us to go public on the TSX Venture Exchange in 2020. Since then, we’ve successfully completed four acquisitions, including one in Ottawa, and we now have a growing business across North America, working with clients to solve their most challenging cybersecurity and IT problems. Along the way, we’ve also started conversations about these critical topics with global experts through the Code and Country Podcast, where I discuss technology and security with guests like Chris Lynam from the RCMP and Ed Hammersla, a director on our board and former President of Raytheon Cyber Products.

‍

BB: That’s super interesting in terms of how you help organizations strengthen their security. What does that look like in practice? How many different areas do companies need to defend against these days?

IP: All of them. The more organizations get connected, digitize their capabilities, and bring operations online, the more they expose themselves to risk. The attack surface grows as more systems are connected, and while companies may intuitively understand this, they don’t always know how to secure it effectively.

Plurilock works primarily with large enterprises and federal agencies across North America, often tackling unique and complex challenges. For example, a couple of weeks ago, one of our large manufacturing clients experienced a security issue at one of their sites. The team involved detected that a multi-million-dollar piece of equipment was behaving suspiciously. It had made 30,000 unexpected network connection attempts to unauthorized IP addresses. Then, within 24 hours, the hard drive caught fire and melted.

It’s the kind of problem no customer ever wants to face. But when they do, they need experts to figure out what happened, assess the damage, and ensure it won’t affect the rest of their operations. That’s where we come in.

‍

BB: Interesting. So, it’s large enterprises and government agencies that make up the bulk of your customers. Who, then, is behind these kinds of attacks? What areas should companies be most mindful of? Are these threats criminal, foreign operatives, or something else?

IP: I’d broadly group them into four main categories. First, you have cybercrime, where threat actors are primarily motivated by money. This has driven the surge of ransomware over the last few years.

Then there are nation states that engage in espionage, stealing intellectual property to benefit their domestic industries or credential access. One example is an advanced persistent threat Volt Typhoon, widely attributed to China, which targets critical infrastructure with prepositioning attacks.

You also have insider threats—disgruntled employees who may exploit vulnerabilities from within. Finally, there’s a smaller, but still present, category of hacktivists, who use cybersecurity exploits to push political agendas.

For our customers, the two most common threats are nation states and financially motivated threat actors. What makes things even more challenging is that these groups often use the same tools, tactics, and procedures. They frequently operate out of the same geographies and may even share some of the same resources. This overlap makes attribution difficult. At the end of the day, was it a nation state, a criminal group, or even the same individual working for a government by day and freelancing by night?

What’s clear is that the scale of the cyber problem is growing. Stats Canada reported that in 2023, damages from cybersecurity incidents doubled year-over-year to $1.2 billion in Canada alone. Some estimates suggest that the cybercrime industry could rival the world’s largest economies, ranking just behind the United States and China. It’s a massive challenge.

‍

BB: That’s wild to think about—the sheer scale of it, with cybercrime potentially being that large in terms of value. You kind of touched on this already, but is the situation getting better or worse? It sounds like it’s getting worse, just from what you’ve described. Anything you’d like to elaborate on?

IP: Well, I think there’s consensus that it’s getting worse. Most government agencies responsible for cybersecurity seem to be sounding the alarm, and I don’t see any signs that the problem is improving.

Take the cybersecurity insurance industry in Canada as an example. Not long ago, Canadian cyber insurance providers had a loss ratio of 400%, meaning they paid out $4 in claims for every $1 they collected in premiums – completely upside down. And this kind of example can be seen across the board.

Cybersecurity is a significant issue. It’s arguably one of the largest problems businesses face when you consider the risk and the potential impact it can have—not just on operations but on their very ability to survive.

‍

BB: That makes sense—AI brings both opportunities and risks. Considering Canada's position in cybersecurity, what do you see as the role of the government in supporting these efforts, and how can public-private collaboration improve Canada’s overall cybersecurity posture?

IP: I think greater collaboration between the public and private sectors is clearly needed. The reality is that private sector participants are on the front lines of most cyber breaches. The Canadian government lacks the authority to directly defend Canadian commercial enterprises, which means that the organizations actively defending against bad actors are private companies.

There needs to be a recognition that this is a team effort. Public-private collaboration is essential if we want to defend Canada and our allies holistically. Without that cooperation, our ability to address the growing cybersecurity challenges will be limited.

‍

À propos du Conseil

Le Conseil des innovateurs canadiens est un conseil d'affaires national regroupant plus de 150 entreprises technologiques à grande échelle dont le siège social se trouve au Canada. Nos membres sont des créateurs d'emplois, des philanthropes et des experts en commercialisation dans l'économie numérique du 21e siècle.