SMB cybersecurity checklist: 15 essential measures

Protecting your business against cyber threats may seem complex, especially for SMBs with limited resources. Yet, the majority of security incidents could be avoided by implementing fundamental measures. Here is a checklist of 15 essential cybersecurity measures that every Quebec SMB should implement to protect itself effectively.

1. Multi-factor authentication (MFA)

MFA adds an extra layer of verification beyond a simple password. By requiring a second factor (authentication app, push notification or physical key), you block over 99% of account compromise attacks. Enable MFA on all your critical services: email, VPN, cloud applications and administration tools.

2. EDR solution (Endpoint Detection and Response)

Traditional antivirus is no longer sufficient against modern threats. An EDR solution continuously monitors the behaviour of workstations and servers to detect suspicious activity, including activity that relies on previously unknown techniques. EDR can also automatically isolate a compromised workstation from the network to stop an attack from spreading.

3. Backups following the 3-2-1 rule

The 3-2-1 rule is the industry standard for backups: keep 3 copies of your data, on 2 different types of media, with 1 copy offsite (ideally in the cloud with encryption). Test your restores regularly — a backup that has never been tested is worthless when you need it. Also ensure your backups are protected against ransomware through an immutability mechanism.

4. Email security (DMARC, SPF, DKIM)

Email remains the number one attack vector. The SPF, DKIM and DMARC protocols prevent cybercriminals from spoofing your domain name to send fraudulent emails on your behalf. Configure all three on your domain and set a DMARC policy in "reject" mode so that receiving servers block messages that fail authentication. Add an advanced filtering solution that analyzes attachments and links in real time.
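As an added example (not part of the original checklist), a small Python check that evaluates SPF and DMARC TXT records for the weak settings this section warns about. The record strings are constructed samples for a placeholder domain, not real DNS data; in practice you would fetch them from DNS (the domain's TXT record and `_dmarc.<domain>`) before passing them in.

```python
# Constructed sample records for a placeholder domain, not real DNS data.
# The first pair is a common starting point; the second is the hardened target.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.test -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.test")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ("tag=value; tag=value") into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings; an empty list means the record enforces 'reject' as described."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"policy p={policy}: mail failing DMARC is not rejected")
    # sp= applies to subdomains and inherits p= when absent; flag an explicit weaker value
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy}: subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: enforcement applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def check_spf(record: str) -> list:
    """Flag SPF records whose final mechanism is not a hard fail ('-all')."""
    mechanisms = record.split()
    if not mechanisms or mechanisms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    terminal = mechanisms[-1].lower()
    if terminal != "-all":
        return [f"terminal mechanism '{terminal}': unauthorized senders are not hard-failed"]
    return []
```

Moving from `p=none` to `p=reject` should be staged (monitor the `rua` reports first) so that legitimate senders that are not yet covered by SPF or DKIM are found before enforcement begins.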

5. Employee cybersecurity training

Your employees are both your weakest link and your first line of defense. Regular cybersecurity training, combined with monthly phishing simulations, significantly reduces the risk of an employee falling for an attack. Training should cover recognizing suspicious emails, secure password management, and best practices for remote work.

6. Patch Management

Unpatched software vulnerabilities are among the entry points most exploited by cybercriminals. Implement a patch management process that applies critical security updates within 48 hours of their release. This covers not only the operating system, but also web browsers, PDF readers, office tools, and all business applications.

7. Network Segmentation

Segmentation involves dividing your network into distinct zones to limit the spread of an attack. If a workstation is compromised, the attacker should not be able to directly access your critical servers or sensitive data. At a minimum, separate your network into zones: workstations, servers, IoT devices, and guest network. Use firewall rules to control traffic between these zones.

8. Incident Response Plan

An incident response plan documents the procedures to follow in the event of a cyberattack: who to contact, how to isolate affected systems, how to communicate with stakeholders, and how to restore operations. Draft this plan, distribute it to key personnel, and test it at least once a year with a simulation exercise. In a crisis situation, it’s not the time to improvise.

9. Cyber Risk Insurance

Cyber risk insurance covers the costs associated with a security incident: response costs, data restoration, business interruption losses, civil liability, and legal fees. In 2026, insurers require minimum security measures (MFA, backups, EDR) to grant coverage. Consider insurance as a financial safety net, not as a substitute for good security practices.

10. Regular Access Reviews

Apply the principle of least privilege: each user should only have access to the resources strictly necessary for their work. Review access rights at least once per quarter, immediately disable the accounts of employees who leave the company, and limit the number of administrator accounts to the strict minimum. Orphaned accounts or those with excessive privileges are a gold mine for attackers.
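As an added example (not the original article's), a Python pass over a constructed directory export and HR roster that flags the three things the paragraph says a review should catch: accounts with no current owner, accounts unused for a quarter, and more administrator accounts than the target. All usernames, dates and the `MAX_ADMINS` threshold are made-up assumptions.

```python
"""Quarterly access review over constructed account and HR exports (not real data)."""
from datetime import date, timedelta

REVIEW_DATE = date(2026, 4, 1)          # constructed review date
STALE_AFTER = timedelta(days=90)        # no sign-in for a full quarter counts as stale
MAX_ADMINS = 2                          # assumed local target for administrator accounts

# Constructed directory export: one dict per account.
ACCOUNTS = [
    {"user": "amartin",    "enabled": True, "admin": False, "last_login": date(2026, 3, 30)},
    {"user": "jtremblay",  "enabled": True, "admin": True,  "last_login": date(2026, 3, 31)},
    {"user": "svc-backup", "enabled": True, "admin": True,  "last_login": date(2025, 11, 2)},
    {"user": "lgagnon",    "enabled": True, "admin": False, "last_login": date(2026, 2, 14)},
    {"user": "pcote",      "enabled": True, "admin": True,  "last_login": date(2026, 3, 29)},
]
# Constructed HR roster of current employees; service accounts are tracked separately.
CURRENT_STAFF = {"amartin", "jtremblay", "pcote"}
SERVICE_ACCOUNTS = {"svc-backup"}


def review_access(accounts, staff, service_accounts, today=REVIEW_DATE):
    """Return findings keyed by account (plus an '_admins' entry for the admin count)."""
    findings = {}
    admins = [a["user"] for a in accounts if a["enabled"] and a["admin"]]
    for acct in accounts:
        if not acct["enabled"]:
            continue                    # already disabled, nothing to review
        issues = []
        user = acct["user"]
        # Orphaned: enabled account with no current employee or known service behind it
        if user not in staff and user not in service_accounts:
            issues.append("orphaned: owner not in HR roster, disable immediately")
        # Stale: unused for a full quarter, so the access it grants is not needed
        if today - acct["last_login"] > STALE_AFTER:
            issues.append("stale: no sign-in in 90 days")
        if issues:
            findings[user] = issues
    if len(admins) > MAX_ADMINS:
        findings["_admins"] = [f"{len(admins)} admin accounts exceed the target of "
                               f"{MAX_ADMINS}: {', '.join(admins)}"]
    return findings
```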

11. Data Encryption

Encrypt sensitive data at rest (on hard drives and in backups) and in transit (while it travels over the network). Enable BitLocker on all Windows workstations, use TLS for communications, and ensure your cloud backups are encrypted with keys you control. If a laptop is stolen, encryption prevents access to the data it holds.

12. DNS Filtering

DNS filtering blocks access to known malicious websites before the connection is even established. It’s a simple but extremely effective layer of protection that works across the entire network, including mobile devices and remote workstations. DNS filtering also blocks communication attempts between a compromised workstation and the attacker’s command-and-control server.

13. Vendor Risk Management

Your vendors often have access to your systems or your data. A breach at a vendor can become your breach. Assess the security posture of your critical vendors, require contractual commitments regarding security, and limit access granted to the strict minimum. Maintain a registry of all third parties that have access to your data and review it regularly.

14. Logging and Monitoring

If you don’t monitor your systems, you won’t know you’ve been compromised — sometimes for months. Enable logging on all your critical systems (servers, firewalls, cloud services) and centralize logs in a monitoring tool. Ideally, use a managed security monitoring service (SOC) that continuously analyzes alerts and responds quickly to detected threats.

15. Compliance with Law 25

Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) is fully in effect in Quebec. Any company that collects, uses, or communicates personal information must comply with its obligations: appoint a person responsible for the protection of personal information, publish a privacy policy, maintain an incident register for privacy incidents, conduct privacy impact assessments, and obtain valid consent for data collection.

Where to Start?

Implementing all 15 measures at once may seem intimidating. Here is a suggested priority order for SMBs starting from scratch:

  • Week 1-2: Enable MFA on all critical accounts and deploy a password manager.
  • Week 3-4: Set up 3-2-1 backups and verify they are working.
  • Month 2: Deploy an EDR solution and configure email security (SPF, DKIM, DMARC).
  • Month 3: Launch the employee training program and set up DNS filtering.
  • Month 4-6: Work on network segmentation, patch management, incident response plan, and Law 25 compliance.

The important thing is to start. Each measure implemented significantly reduces your attack surface and increases your resilience against cyber threats.

Frequently Asked Questions

Are these measures sufficient to comply with Law 25?

These measures cover the technical aspects of compliance, but Law 25 also requires organizational elements: a published privacy policy, an incident register, a complaint handling process, and privacy impact assessments. Professional guidance is recommended to ensure all aspects are covered.

How much does it cost to implement these 15 measures?

The cost varies depending on the size of the company and the current state of its infrastructure. For an SMB with 15 to 50 employees, expect between $1,500 and $5,000 per month for a managed services package that includes the majority of these measures. That’s significantly less than the average cost of a data breach, which reaches $6.9 million in Canada.

Can I implement these measures myself without IT expertise?

Some basic measures like MFA and employee training can be implemented without in-depth expertise. However, measures such as EDR, network segmentation, DMARC configuration, and centralized logging require specialized technical expertise. A managed service provider (MSP) can implement and manage all of these measures for you.

How often should I review my cybersecurity posture?

Review your security posture at least once a year with a comprehensive audit. Access reviews should be quarterly, backup tests monthly, and threat monitoring continuous (24/7). After any major change in your environment (new software, new integration, team growth), an additional review is recommended.

What is the first measure to implement if I’m not doing anything currently?

Multi-factor authentication (MFA). It’s the most effective measure relative to its cost and ease of implementation. It blocks the vast majority of account compromise attacks and can be enabled within a few hours on most cloud services such as Microsoft 365 and Google Workspace.
