Are you exposed? Find out in five minutes.
Twelve questions across the cyber risks that actually matter for Canadian oil & gas companies of 10–100 people. Answer honestly. See where you stand. No email required.
Ransomware attacks on oil & gas surged 935% globally between April 2024 and April 2025 (Zscaler). The Canadian Centre for Cyber Security’s 2025–2027 outlook names ransomware the top cybercrime threat to Canadian critical infrastructure through 2027. The questions below are the ones that separate the operators that survive a cyber event from the ones that don’t.
Quick answer
The Vencer Cyber Risk Self-Score is twelve calibrated questions a Canadian oil & gas operator or service company (10–100 people) answers in about five minutes. It scores your posture against the twelve controls underwriters actually check in 2026 and returns a defensible, board-ready summary you can take into your next renewal conversation. No email required.
When someone in your company requests a wire transfer, or a vendor asks to change their payment details, do you verify the request through a separate channel - a phone call to a known number - before acting?
Critical Control
If you discovered a breach at 2am tonight - who do you call first, what gets shut down, who tells your team and your customers? Is any of that written down somewhere people can actually find it?
Critical Control
Does everyone in your company have to confirm logins with a code from their phone or an authenticator app (sometimes called “MFA”) - with no exceptions for executives, field crews, or contractors?
Critical Control
Do you have backups of your important data stored somewhere an attacker can’t reach or encrypt - and have you actually tested the restore process in the last 90 days?
Critical Control
If something bad happened on a Saturday night - accounts taken over, data being stolen, systems acting strange - would a monitoring service catch it and start responding within minutes?
High Impact
Do your computers, servers, and equipment - including the equipment at field locations - get their critical security updates installed within 30 days of release?
High Impact
When was the last time someone checked your remote access - the way people connect to your systems from outside the office - to make sure nothing is exposed, outdated, or still using default passwords?
High Impact
Do you know exactly who has the highest level of access - the “admin” accounts that can change anything on your systems? And is that list short, current, and reviewed regularly?
High Impact
When someone leaves your company, are their accounts and access removed completely within 24 hours - email, shared drives, accounting systems, vendor portals, everything?
Important
When your team uses personal phones or laptops to access work email or files, do you have a way to remotely remove that access if the device is lost or the person leaves?
Important
Has anyone specifically set up your email to catch phishing - the fake messages pretending to be your CEO, your bank, or a vendor? (Microsoft 365 and Google have stronger filters available, but they’re off by default.)
Important
Do you carry cyber insurance with good coverage? And in the last 18 months, has your policy been stable - no decline, no cancellation, no sharp premium increase?
High Impact
Answer all 12 questions to see your score, your top gaps, and a 30/60/90-day action plan. No email required.
Your highest-priority gaps
The questions below scored lowest - and each one represents a real, concrete exposure. Critical Controls (weighted 2×) appear first because their failure most directly enables a material event.
What to do in the next 90 days
Prioritized for impact and feasibility. None of these require a major IT project to start - they require decisions you can make this quarter.
Book a free 30-minute Cyber Posture Review
In 30 minutes, a senior Vencer engineer - not a sales rep - walks through your specific gaps with you, pressure-tests the answers above, and gives you a one-page summary of where you stand and what to address first. No pitch. No follow-up sequence unless you ask for one. Just the truth, from a Calgary partner with 19 years and zero data breaches in 11 years of managed security.
A self-assessment tool, not a certified audit. Results reflect self-reported inputs and pattern-matched benchmarks from operator experience. For a verified assessment, the IT Assessment is the appropriate step.