In an exclusive interview with CanadianSME Small Business Magazine, Loïc Calvez, Co-Founder and CEO of ALCiT, shares insights on how small and medium-sized businesses can enhance their cybersecurity posture without breaking the bank. With over 25 years of experience across high-compliance industries, Loïc has made it his mission to bring enterprise-level cybersecurity solutions to SMEs—helping them navigate the evolving threat landscape with a practical, cost-effective approach. From achieving SOC 2 certification to educating businesses on cyber resilience, he discusses how ALCiT is transforming the way SMEs protect their digital assets. Loïc also offers key strategies for businesses just beginning their cybersecurity journey, emphasizing that security is not just about prevention but about response and recovery as well.
Loïc Calvez is Co-Founder and CEO of ALCiT. Over the last 25 years, he has had the privilege of working with small and large organizations, as a client buying solutions and as a vendor selling them. Most of them were in highly compliant verticals such as finance, energy, and pharma, covering multiple compliance bodies in North America and Western Europe (SOC, NERC, HIPAA, FDA, PCI, PIPEDA …), giving him great exposure to the nuances of the world. Today, via ALCiT, Loïc is focusing on building secure solutions that work in the real world, as well as speaking at events to help raise awareness around cybersecurity. ALCiT specializes in taking large enterprise tools, packaging them through standardized configuration, and making them available to small and medium businesses, helping them become and stay cybersecure.
ALCiT’s mission is to make enterprise-grade cybersecurity tools accessible to small and medium organizations. What are the biggest challenges in adapting these tools for SMEs, and how does ALCiT overcome them?
The cybersecurity landscape is evolving faster than ever and just keeping up with all the new tools, services, processes, and best practices is enough to keep a team busy, so when you add the configuration, maintenance and 24/7 review, it becomes impossible for a smaller organization to keep up. Enterprise tools are usually the best ones (which is why they buy them!), but they are often more complex and require dedicated resources to manage. At ALCiT, since configuring and managing those tools is what we do, we train our resources to work with those vendors and define what is the best way for a smaller company to leverage them. This allows us to create processes and templates we can reuse across all our clients, saving us time and saving them money.
Your company emphasizes the importance of cyber resilience. How do you help clients transition from a purely preventative mindset to one that also incorporates response and recovery strategies?
The main point is to understand that we no longer live in a world of “if” (you’re going to get attacked), but that we now live in a world of “when”. Businesses are under attack every day; at some point one of those attacks will succeed, and once you understand that an attack is inevitable, making sure you can respond becomes the only viable objective. That’s where resiliency comes in: having the tools and processes to detect early (so you can start responding quickly to minimize damage) and having the backups and redundancy to keep going (or recover quickly), and ideally with cyber insurance so that any financial impact is minimized.
ALCiT recently achieved SOC 2 certification. How has this process influenced your approach to cybersecurity, and what benefits do you see it bringing to your clients?
Although we were already doing a lot of things to keep us and our clients cyber secure, going through the SOC2 Type 2 process was a great way to bring formality to all of it. It forced us to ask the hard questions on what we were doing where, both on the too much (overspending to protect a low-class asset) or too little (new threat vectors not being fully mitigated). The main benefit for our clients is that SOC2 is externally audited; typical SMBs are not cybersecurity experts and when your business is literally at risk, trusting your IT provider “to do the right thing” is a lot of faith to put in another company, so involving a trusted neutral third party helps in that regard. This also transfers to their clients: as a service provider, we have access to many of our clients’ systems that they use to provide services to their clients, and explaining that their IT provider is SOC2 Type 2 certified carries a lot more weight than “We’ve been working with them for years, they’re good people”.
With the rapid evolution of cyber threats, how does ALCiT stay ahead of emerging risks and ensure that your clients’ security measures remain effective?
It starts with partnership and education: Cybersecurity is what we do; so first, we keep up to date on industry news, trends, and ongoing global events. Then we do training, both with our partner vendors and with specialized external sources. Finally, we layer this with great conversations with those partners, auditors and peers, and ask what they are seeing, what’s working and what’s not. With all that knowledge, we can then have great conversations with our clients, understand their priorities, their goals, and what makes them special. With that, we create a roadmap with short-term goals for the high-risk items, and long-term goals for the more directional objectives. Then we get to trust and verify: cybersecurity needs to be constantly audited, so vulnerability scans and pen testing go a long way in making sure the defenses are effective. And finally, rinse and repeat: cybersecurity is a journey, not a destination, so plans and roadmaps need to be constantly updated to reflect changes in the business and in the world.
To conclude, what advice would you offer to small and medium-sized businesses that are just beginning their cybersecurity journey, especially those with limited resources?
My first tip is always the same one: start; every bit helps, so by starting, you are already better than you were before you did. Second, there are a lot of things you can do that are free! (Multi Factor Authentication, Automated patching, Acceptable Use Policy, Cybersecurity Incident Response Plan…), so no excuse not to do it. Third, train your people! Cybersecurity training is not expensive and will transform your people from liabilities to first line of defense. After that, start building layers: The main points of attack are email and web, so deploy an email security solution and use a next generation firewall. Your last line of defense is your PCs, so deploy a very good Endpoint Detection and Response (EDR); this is not the place to go for “free” tools. Lastly, find a good IT partner; they should be able to explain things in a language you understand and help you make those decisions (and they should be SOC2 or ISO27001 certified, because trust only goes so far when your business is on the line).
The post Cyber Resilience for All: ALCiT first appeared on CanadianSME Small Business Magazine.