Cybersecurity · June 16, 2025 · 10 min read

Cybersecurity Checklist for Canadian Small Businesses: 15 Steps to Protect Your Data

60% of small businesses close within 6 months of a cyberattack. This actionable checklist helps Canadian SMBs lock down their systems today.

LocalHost Digital

Canadian Digital Agency · Ottawa

Cyberattacks are no longer a "big business problem." The Canadian Centre for Cyber Security reports that small businesses now represent 43% of all cyberattack targets in Canada. The Canadian Internet Registration Authority (CIRA) found that 25% of Canadian businesses suffered a ransomware attack in 2024, and for businesses that paid the ransom, the average payment was $280,000 CAD. A figure widely attributed to the U.S. National Cyber Security Alliance holds that 60% of small businesses that experience a significant cyberattack close within 6 months; the exact number is disputed, but the underlying point is not: an incident that a large company absorbs as a bad quarter can end a small one.

The economics of cybercrime have shifted. Automated attack tools have made it trivially cheap for criminals to probe thousands of small businesses simultaneously for vulnerabilities. You don't need to be high-profile to be targeted — you need to be vulnerable. And the vast majority of successful attacks against SMBs exploit basic security gaps that are entirely preventable.

The good news: the Canadian Centre for Cyber Security estimates that 80% of successful cyberattacks could be prevented by implementing basic cyber hygiene measures. Here is your complete 15-step checklist — organized by priority tier, with specific tool recommendations and Canadian cost benchmarks.

Tier 1 — Foundational Controls (Complete These First)

These five controls address the most commonly exploited attack vectors. If you implement nothing else, implement these.

1. Enable Multi-Factor Authentication (MFA) on Every Account

MFA is the single most impactful security control available to a small business. Microsoft's own data shows that MFA blocks 99.9% of automated account compromise attacks. The majority of successful business email compromises, ransomware delivery via phishing, and unauthorized access incidents involve accounts that did not have MFA enabled.

Enable MFA on every account that holds business or customer data: Microsoft 365 and Google Workspace, banking and financial portals, your CRM and accounting software, domain registrar and hosting control panels, cloud storage (Dropbox, OneDrive, Google Drive), and all social media business accounts.

Use an authenticator app (Microsoft Authenticator, Google Authenticator, or Duo) rather than SMS-based MFA. SMS codes can be intercepted through SIM-swapping attacks; app-based TOTP codes are computed on the device from a shared secret and the current time, so there is nothing for a SIM swap to capture. TOTP codes can still be phished: a fake login page that relays the code to the real site within its 30-second validity window gets in. Where a service offers passkeys or FIDO2 security keys, which are bound to the genuine site's origin and cannot be relayed, prefer those for admin, finance, and email accounts. Setup time: 30 minutes for a 5-person business. Cost: free.
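How an authenticator-app code is actually produced, as an added example (not code from this article or from any authenticator vendor): the phone and the service share a secret at enrolment and each computes the same six-digit code from the current time, which is why a SIM swap gets nothing. The secret used is the RFC 6238 test-vector value, not a real key; the one-step tolerance on either side in `verify` is a common server setting and also shows why a phished code that is relayed within a minute or so still works.

```python
"""How an authenticator-app (TOTP, RFC 6238) code is produced and checked.

Added example, not code from the article or from any authenticator vendor.
The secret below is the RFC 6238 test-vector secret, not a real account key.
"""
import hashlib
import hmac
import struct
import time

# Shared secret as provisioned by the QR code at enrolment (RFC 6238 test value).
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch.
    Phone and server both derive it locally; nothing travels over SMS or the network."""
    return hotp(secret, int(at_time) // step, digits)


def verify(secret: bytes, submitted: str, at_time: int, drift_steps: int = 1) -> bool:
    """Server-side check. Accepting the neighbouring steps tolerates clock drift,
    which is also why a code phished and relayed within about a minute still works."""
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, at_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def current_code(secret: bytes = RFC_SECRET) -> str:
    """What the authenticator app would display right now for this secret."""
    return totp(secret, int(time.time()))
```

The `verify` function uses a constant-time comparison; a plain `==` on the code would leak timing information to an attacker guessing digits.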

2. Deploy a Business Password Manager

The average employee manages 85 passwords (LastPass research). Without a password manager, the inevitable result is password reuse — the same password on a low-security site and a high-security account. When that low-security site suffers a breach (which happens constantly), attackers use credential-stuffing tools to automatically try the leaked credentials across hundreds of services. If you've reused that password on your Microsoft 365 or banking portal, you're compromised within hours of the original breach.

A password manager generates a unique, cryptographically strong password for every account, stores them encrypted, and auto-fills them on demand. The security upgrade is enormous; the usability impact is positive once the team adjusts.

Recommended tools for Canadian SMBs: 1Password Teams (~$5 USD/user/month, excellent UI), Bitwarden Business ($3/user/month, open-source, with a choice of US or EU cloud hosting or self-hosting, which makes it straightforward to document where vault data lives when you answer PIPEDA questions), or Dashlane Business ($8/user/month, includes dark web monitoring). Whichever you choose, protect the manager itself with MFA and a long master passphrase: it becomes the highest-value account in the business.

3. Keep All Software Rigorously Updated

Breach studies such as the Verizon Data Breach Investigations Report consistently find that a large share of breaches exploit known vulnerabilities: security flaws that already had a published patch when they were used. The window between a vulnerability disclosure and the first active exploit is now measured in hours to days, not weeks. Running unpatched software is the equivalent of leaving your front door unlocked and hoping no one walks by.

Enable automatic updates for: Windows and macOS operating systems, all web browsers, your website's CMS (WordPress is the most targeted — see Step 9), all plugins and extensions (unpatched WordPress plugins account for the majority of WordPress site compromises), and all business applications. For Windows, ensure Windows Update is set to automatic for both feature and security updates.

For servers and network equipment (firewalls, VPN gateways, switches, NAS devices), establish a monthly patching schedule with a designated person responsible for confirming updates have been applied, plus an exception path: a vulnerability that is being actively exploited, or a vendor emergency advisory for an internet-facing device, gets patched within days rather than at the next monthly window.

4. Deploy Business-Grade Endpoint Protection

Free consumer antivirus software is not adequate for business environments. It lacks centralized management, threat detection telemetry, and the behavioral analysis needed to catch modern threats like fileless malware and ransomware that doesn't trigger traditional signature-based detection.

Options for Canadian SMBs:

  • Microsoft Defender for Business: ~$3/device/month. Included in Microsoft 365 Business Premium (~$26 CAD/user/month). Strong integration with Microsoft 365 environment. Recommended for businesses already on Microsoft 365.
  • SentinelOne Singularity Core: ~$4/device/month. Excellent behavioral AI detection. Catches threats that signature-based tools miss.
  • Malwarebytes for Teams: ~$4/device/month. Strong malware removal; less capable on prevention than the above options but significantly better than free consumer tools.

Centralized management visibility is essential — you need to know the protection status of every device in your business, not rely on each employee to manage their own.

5. Secure Your Business Wi-Fi Network

Your Wi-Fi network is an entry point. An inadequately secured network allows anyone in physical proximity to intercept unencrypted traffic, attempt to access network-connected devices, and potentially pivot to business systems.

  • Use WPA3 where your router and client devices support it; WPA2 with AES (CCMP) and a long, random passphrase is still acceptable, but never WEP or WPA/TKIP. Many routers offer a WPA3 transition mode that serves both kinds of client. If your router supports only WPA2 and no longer receives firmware updates, replace it: modern $150–$300 business routers support WPA3 and include features like network segmentation.
  • Create a separate guest network for visitors, customers, and IoT devices (smart TVs, printers, security cameras), and confirm that client isolation is on and that the guest network cannot reach the main network. A compromised IoT device then has nothing to pivot to.
  • Change the default router admin password immediately, and turn off administration from the internet-facing (WAN) side. Default passwords for common router models are publicly published; an attacker who can reach the admin page can take over the router.
  • Disable WPS (Wi-Fi Protected Setup). Its 8-digit PIN is checked in two halves, which cuts a brute-force attack to roughly 11,000 guesses, and some implementations leak enough to recover the PIN offline.
  • Don't count a hidden SSID as a security control. The network name is still transmitted in the clear when devices connect, and your own laptops will broadcast it wherever they go looking for it; leave it visible and rely on the controls above.

Tier 2 — Data Protection Controls

6. Implement the 3-2-1 Backup Strategy

The 3-2-1 rule is the industry standard for backup resilience: 3 copies of your data, on 2 different media types, with 1 copy stored offsite (cloud). The logic: a single backup that lives on the same server as your primary data is destroyed alongside it in a ransomware attack. A backup on an external drive in the same office is destroyed in a fire. A cloud backup in a geographically separate data centre survives both scenarios.

Critical rules for backups that actually protect you:

  • Test your backups quarterly. A backup that has never been tested is a backup that will fail when you actually need it. Schedule a quarterly restore test: pick a random file or folder and restore it from backup. Verify the integrity. Log the test result.
  • Immutable backups for ransomware protection. Ransomware operators routinely locate and encrypt or delete backups before detonating. Use a backup target that supports immutable (object-locked) snapshots: copies that cannot be modified or deleted by anyone, including an administrator account, until a retention period expires. Backblaze B2 and Wasabi both support object lock at low cost. Give the backup credentials stored on your systems write-only, no-delete permissions, so a compromised server cannot be used to wipe the backup.
  • Define your Recovery Time Objective (RTO) and Recovery Point Objective (RPO). How long can your business function without access to its data (RTO)? How much data loss can you accept — last hour, last day (RPO)? These answers determine your backup frequency and recovery infrastructure requirements.
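A way to make the quarterly restore test in Step 6 produce a pass/fail instead of an opinion, as an added example (not from this article or from any backup product): hash every file before the backup runs, keep the manifest with the backup, and compare the restored tree against it. The `live` and `restored` directories below are constructed in a temporary folder; the truncated spreadsheet and the missing database are deliberate.

```python
"""Make the quarterly restore test objective: record a SHA-256 per file before
backup, then compare what came back from the backup against that manifest.

Added example, not part of the article or of any backup product. The 'live'
and 'restored' trees below are constructed in a temporary directory; in use,
point build_manifest() at your real data root before the backup job runs and
store the JSON manifest with the backup.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large databases and media do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken before backup.
    'ok' is True only when every file is present with an identical hash."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"ok": not (missing or corrupt), "missing": missing, "extra": extra, "corrupt": corrupt}


def demo() -> dict:
    """Constructed scenario: a clean restore, then one in which a spreadsheet
    came back truncated and the customer database never came back at all."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2025-Q1.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "clients.db").write_bytes(os.urandom(4096))

        # Round-trip through JSON to show the manifest survives being stored as a file.
        manifest = json.loads(json.dumps(build_manifest(live)))

        clean = verify_restore(manifest, live)  # comparing against identical data

        restored = Path(tmp) / "restored"
        (restored / "invoices").mkdir(parents=True)
        (restored / "invoices" / "2025-Q1.csv").write_text("id,amount\n1,100\n")  # truncated
        # clients.db is deliberately absent from the restore
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}
```

Log the returned dictionary with the date of each test; a quarter of "ok: True" entries is the evidence an insurer or the Privacy Commissioner will ask for.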

7. Encrypt Sensitive Data at Rest and in Transit

Encryption transforms data into an unreadable format that requires a decryption key to access. Even if an attacker steals your laptop or gains access to your storage, encrypted data is useless without the key.

At minimum for a Canadian SMB:

  • Enable full-disk encryption on all computers: BitLocker on Windows 10/11 Pro (built-in, free), FileVault on Mac (built-in, free). Escrow the recovery keys somewhere central (Microsoft Entra ID or Intune for BitLocker, your MDM for FileVault) so a forgotten password does not turn into data loss. This protects data if a laptop is stolen: losing an unencrypted laptop containing customer data will usually meet PIPEDA's "real risk of significant harm" test and must be reported, whereas a lost device that was fully encrypted with the key uncompromised often does not.
  • Encrypt all portable drives containing customer or business data. VeraCrypt is free and open-source. BitLocker To Go handles encrypted USB drives on Windows.
  • Ensure all web connections use HTTPS (TLS encryption). Your website, your web apps, your cloud services. Never transmit customer data over an unencrypted HTTP connection.

Under PIPEDA, you are required to protect personal information with security measures appropriate to its sensitivity. For digital data, encryption is the accepted standard. An organization that suffers a breach and cannot demonstrate they encrypted personal data will face significantly more scrutiny from the Office of the Privacy Commissioner.

8. Harden Your Email Security

Phishing is consistently the most common way attacks begin in breach reports such as the Verizon DBIR, and email is the primary attack vector against small businesses. That is not primarily because employees are careless. Modern phishing emails are highly sophisticated, impersonating trusted contacts, invoices, delivery notifications, and banking alerts with convincing accuracy.

Three DNS records you must configure immediately:

  • SPF (Sender Policy Framework): A DNS TXT record listing which servers are authorized to send email for your domain (for Microsoft 365 it is v=spf1 include:spf.protection.outlook.com -all). Receivers check it against the sending server, and the closing -all tells them to reject everything else; a record ending in +all authorizes the entire internet.
  • DKIM (DomainKeys Identified Mail): A cryptographic signature added to outbound emails that lets recipients verify the email genuinely originated from your mail provider and wasn't modified in transit. The public key is published in DNS under a selector (selector._domainkey.yourdomain); your mail provider supplies the record to add.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance): Published at _dmarc.yourdomain, it ties SPF and DKIM to the From: address the recipient actually sees and tells receiving servers what to do when a message passes neither aligned check (none, quarantine, or reject), plus where to send aggregate reports (rua=). Until DMARC is in place, SPF and DKIM alone do not stop someone putting your domain in the visible From: line. Start with p=none and a rua= reporting address, use the reports to find every legitimate sender (invoicing tool, CRM, newsletter service), fix their SPF or DKIM, then move to p=quarantine and finally p=reject.
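The following added example (not from this article) reads SPF and DMARC record text and flags the settings that most often leave a domain spoofable: a `+all` or missing `all` term, more than ten lookup terms, a `p=none` policy left in place, or no `rua=` reporting address. It makes no DNS queries, so paste in what `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain` return; the sample records are constructed, although the Microsoft 365 and Google include: hosts are the real ones.

```python
"""Read back the SPF and DMARC TXT records you published and flag weak settings.

Added example, not from the article. It checks record text only and makes no
DNS queries: paste in what `dig +short TXT yourdomain` and
`dig +short TXT _dmarc.yourdomain` return. The sample records are constructed.
"""

# RFC 7208: these mechanisms/modifiers each cost a DNS lookup; more than 10 => permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Count lookup terms and report a weak or missing 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "lookups": 0, "findings": ["record does not start with v=spf1"]}
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # the default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' term: receivers get no verdict on unlisted senders")
    elif all_qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as your domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use '-all' (or '~all' while testing)")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed RFC 7208's limit of 10 (permerror)")
    return {"valid": True, "lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    """Split the tag=value list and report a monitoring-only or unreported policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "policy": None, "findings": ["record does not start with v=DMARC1"]}
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine, then reject, once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see the aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return {"valid": True, "policy": policy, "findings": findings}


# Constructed records for a domain on Microsoft 365 (the include: hosts are the real ones).
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
```

Run `parse_spf` and `parse_dmarc` on your own records after every change to a mail-sending service; a new invoicing tool that adds an `include:` is the usual way a domain silently crosses the ten-lookup limit.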

For enhanced protection, Microsoft Defender for Office 365 Plan 1 (~$2.50 CAD/user/month) adds anti-phishing AI, Safe Links URL scanning, and Safe Attachments sandboxing. For Google Workspace, turn on Gmail's advanced phishing and malware protection settings in the Admin console (the attachment Security Sandbox is available on the higher editions); Google's Advanced Protection Program is a separate option that hardens individual high-risk accounts by enforcing security keys, not a Workspace-wide mail filter.

9. Secure Your Business Website

Your website is a public-facing attack surface. A compromised website can be used to deliver malware to visitors, host phishing pages, exfiltrate customer form submissions, or become part of a botnet. WordPress sites in particular are heavily targeted due to their prevalence and the frequency of vulnerable plugins.

  • TLS certificate (HTTPS), still commonly called an SSL certificate: non-negotiable. Mandatory for visitor trust, Google ranking, and PIPEDA compliance. Most hosting providers include free certificates via Let's Encrypt; make sure plain HTTP redirects to HTTPS and that renewal is automated.
  • Keep WordPress (or any CMS), themes, and plugins updated weekly. The majority of WordPress compromises exploit plugins that had patches available but weren't applied. Enable automatic updates for minor versions; review and apply major updates within 2 weeks of release.
  • Use a Web Application Firewall (WAF): Cloudflare's free tier provides excellent protection against common attacks (SQL injection, XSS, bad bots). The paid Pro tier ($20/month) adds more sophisticated threat intelligence.
  • Implement rate limiting on login pages to block brute-force password attacks. Cloudflare handles this; WordPress-specific plugins like Wordfence also provide this capability.
  • Disable XML-RPC in WordPress if nothing depends on it (the Jetpack plugin and the WordPress mobile apps do). Its system.multicall method lets a single request test hundreds of passwords, sidestepping login-page rate limits, and its pingback feature has been abused to turn sites into reflectors for DDoS attacks.
  • Run quarterly vulnerability scans. Tools: Sucuri SiteCheck (free), WPScan (free for basic scanning).
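Rate limiting and a WAF only help if you also notice when they are being tested. The added example below (not from this article, nor from Wordfence or Cloudflare) reads web server access log lines in the standard combined format and reports any IP that POSTs to wp-login.php or hits xmlrpc.php more than a threshold number of times within a sliding five-minute window. The log lines, the IP addresses (documentation ranges) and the thresholds are constructed assumptions; tune the limits to your own traffic.

```python
"""Detect login brute force and XML-RPC abuse in a web server access log.

Added example, not from the article or from Wordfence/Cloudflare. The log
lines are constructed in the nginx/Apache 'combined' format; the IPs are
documentation ranges, and the thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return the fields we need from one combined-format line, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {
        "ip": match["ip"],
        "time": datetime.strptime(match["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": match["method"],
        "path": match["path"].split("?", 1)[0],
        "status": int(match["status"]),
    }


def max_hits_in_window(times, window: timedelta) -> int:
    """Largest number of events from one source inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_abusers(lines, window=timedelta(minutes=5), login_limit=10, xmlrpc_limit=20) -> dict:
    """Map each offending IP to the reasons it tripped a threshold."""
    buckets = defaultdict(list)  # (ip, kind) -> timestamps
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["method"] == "POST" and event["path"].endswith("/wp-login.php"):
            # WordPress answers a failed login with 200 (form re-shown) and success with
            # 302; counting every POST catches password spraying regardless of outcome.
            buckets[(event["ip"], "wp-login")].append(event["time"])
        elif event["path"].endswith("/xmlrpc.php"):
            # One system.multicall request can carry hundreds of login attempts, so the
            # request count understates the attack; a low limit is appropriate.
            buckets[(event["ip"], "xmlrpc")].append(event["time"])
    abusers = defaultdict(list)
    for (ip, kind), times in buckets.items():
        limit = login_limit if kind == "wp-login" else xmlrpc_limit
        hits = max_hits_in_window(times, window)
        if hits >= limit:
            abusers[ip].append(f"{hits} {kind} requests within {window}")
    return dict(abusers)


def _line(ip: str, second: int, method: str, path: str, status: int) -> str:
    """Build one constructed combined-format log line at 10:00:SS UTC on 16 Jun 2025."""
    stamp = (datetime(2025, 6, 16, 10, 0, 0) + timedelta(seconds=second)).strftime(
        "%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def sample_log() -> list:
    """Constructed traffic: one password-spraying IP, one XML-RPC hammering IP, one real user."""
    lines = [_line("203.0.113.7", s * 8, "POST", "/wp-login.php", 200) for s in range(12)]
    lines += [_line("198.51.100.9", s * 4, "POST", "/xmlrpc.php", 200) for s in range(25)]
    lines += [_line("192.0.2.5", 30, "GET", "/wp-login.php", 200),
              _line("192.0.2.5", 45, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
              _line("192.0.2.5", 50, "GET", "/wp-admin/", 200)]
    return lines


def demo() -> dict:
    """Run the detector over the constructed log."""
    return find_abusers(sample_log())
```

The same logic applied to a real access log (or to Cloudflare's request logs) gives you a daily list of sources to block and, more usefully, tells you whether the rate limit you configured in the previous bullet is actually doing anything.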

10. Enforce the Principle of Least Privilege

Every employee should have access only to the systems and data they need to perform their specific job — nothing more. This principle, called "least privilege," limits the blast radius of a compromised account. If an attacker gains access to a customer service rep's credentials, they should not be able to access financial systems, HR data, or admin panels.

Practical implementation:

  • Conduct a quarterly access rights review: list every system, list who has access, and remove any access that isn't actively needed.
  • Use separate admin accounts for administrative tasks — don't use admin credentials for day-to-day work.
  • Immediately revoke all access when an employee leaves the organization. This is consistently cited as a top source of insider incidents. Build a formal offboarding checklist that includes access revocation as a required step.
  • Use role-based access controls (RBAC) in your CRM, file storage, and business applications wherever available.

Tier 3 — Response Readiness

11. Build a Cyber Incident Response Plan

A cyber incident response plan is a documented, pre-agreed process for what your organization does when a security incident occurs. The worst time to figure out your response process is during an active incident, when time pressure, stress, and information overload make rational decision-making difficult.

Your response plan must cover:

  • Detection: How will you know when an incident has occurred? Who is responsible for monitoring alerts?
  • Containment: What are the immediate steps to isolate affected systems and prevent the incident from spreading? (Typically: disconnect affected machines from the network but leave them powered on, reset the credentials involved, revoke active sessions and tokens, and preserve logs. Do not wipe or reinstall anything until evidence has been captured; you will need it for the assessment step and possibly for your insurer.)
  • Assessment: What data was accessed or exfiltrated? Does this meet the PIPEDA "real risk of significant harm" threshold for mandatory reporting?
  • PIPEDA notification: If reportable, the process for notifying the Office of the Privacy Commissioner and affected individuals as soon as feasible. Pre-draft notification templates; don't write them during a crisis. PIPEDA also requires you to keep a record of every breach of security safeguards, reportable or not, for 24 months, so the plan should say where that log is kept and who maintains it.
  • Recovery: How do you restore from backups? What is your recovery sequence?
  • Post-incident review: What allowed the incident to occur, and what controls will prevent recurrence?

Test your plan with a tabletop exercise annually — a facilitated walk-through of a simulated incident scenario with your key staff.

12. Run Regular Employee Security Awareness Training

Your employees are simultaneously your biggest security vulnerability and your best potential defense. Most successful attacks reach your systems through employee actions — clicking a phishing link, responding to a pretexting call, downloading a malicious attachment.

Security awareness training that actually works:

  • Phishing simulations: Tools like KnowBe4 (~$15 CAD/user/year for small businesses) or Proofpoint Security Awareness Training send simulated phishing emails to your staff and track who clicks. People who click the simulation receive immediate training on what they missed. This is dramatically more effective than lecture-based training because it creates a teachable moment at the exact moment of failure.
  • Quarterly training on specific topics: Recognizing phishing; secure handling of customer data; password hygiene; safe remote work practices; social engineering and pretexting tactics. Keep sessions short (15–20 minutes maximum) and specific — abstract training on "cybersecurity importance" produces near-zero behavior change.
  • Create a "no blame" reporting culture. If employees are afraid to admit they clicked a phishing link because they'll be blamed, they'll hide it until the damage is far worse. Make it explicitly safe to report immediately — recognition, not punishment, for catching and reporting incidents.

13. Secure Your Remote Workforce

38% of Canadian knowledge workers work remotely at least part-time (Statistics Canada). Each remote worker represents a potential entry point — home networks are far less secure than corporate networks, and personal devices used for work introduce risks that corporate-managed devices don't.

  • Require VPN (or a zero-trust access gateway) for all remote access to internal business systems. A VPN encrypts traffic between the remote worker's device and your systems, preventing interception on insecure networks (coffee shop Wi-Fi, hotel Wi-Fi). Put MFA on the VPN login itself and keep the VPN appliance or client patched promptly: internet-facing VPN gateways running old firmware or accepting password-only logins are one of the most common ways ransomware groups get in. Microsoft Azure VPN, Cisco Secure Client (formerly AnyConnect), or simpler options like NordLayer work well for SMBs.
  • Implement Mobile Device Management (MDM) for all devices used for work. MDM allows you to enforce security policies (screen lock, encryption), remotely wipe a device if lost or stolen, and separate corporate data from personal data on BYOD devices. Microsoft Intune (included in Microsoft 365 Business Premium) or Jamf (for Mac/iOS environments) are the standard SMB options.
  • Establish a Bring Your Own Device (BYOD) policy if personal devices are used for work. Define what security controls are required before a personal device can access business systems.

14. Conduct Annual Security Assessments

An annual security assessment is a systematic review of your security posture — identifying vulnerabilities, gaps in controls, and compliance deficiencies before an attacker finds them.

What a security assessment covers:

  • Review of all implemented controls against this checklist and industry frameworks (CIS Controls, NIST Cybersecurity Framework)
  • Vulnerability scanning of internet-facing systems
  • Review of user access rights
  • Phishing simulation results analysis
  • PIPEDA compliance gap assessment

LocalHost Digital provides PIPEDA-aligned cybersecurity assessments for Canadian SMBs starting at $1,200, with a written report, prioritized remediation roadmap, and 30-day follow-up review. For more mature security programs, external penetration testing (simulated attacks by authorized security professionals) is recommended every 2–3 years.

15. Purchase Cyber Insurance

Even organizations that implement all 14 controls above remain at some residual risk. Cyber insurance transfers the financial consequences of a breach — incident response costs, legal fees, breach notification costs, credit monitoring for affected individuals, ransomware payments, and business interruption losses — to an insurer.

Canadian cyber insurance for SMBs typically costs $800–$3,000 CAD/year depending on industry, revenue, and security controls in place. Major Canadian providers: Intact Insurance (Intact Cyber), Aviva Canada (Cyber Protection), Chubb Canada (Cyber Enterprise Risk Management).

Important: insurers increasingly require evidence of specific controls before issuing a policy. MFA, endpoint protection, and backup practices are commonly required. The underwriting process for cyber insurance is itself a useful security assessment — it forces you to inventory and document your controls.

Your Cyber Health Score

Score yourself honestly: 0–4 controls implemented = Critical Risk | 5–9 = High Risk | 10–12 = Moderate Risk | 13–14 = Good Posture | 15 = Strong Posture. Most Canadian SMBs score between 3 and 7 on first assessment. The goal is steady improvement — prioritize the Tier 1 controls first, then work through Tier 2, then Tier 3.

At LocalHost Digital, we provide PIPEDA-aligned cybersecurity assessments, implementation services, and managed security support for Canadian SMBs. Book your free cybersecurity assessment — we'll score you against this checklist, identify your highest-risk gaps, and give you a prioritized remediation plan you can start acting on immediately.

Need help with cybersecurity?

Book your free digital audit

Our team will analyse your situation and deliver a personalised action plan — no cost, no commitment.