Governance & Compliance
Cybersecurity & Insurers: 12 essential controls for an SMB in Quebec
Cyber insurance has become one of the financial safeguards for SMBs. The problem: insurers increasingly refuse applications that lack minimum controls. Here are the 12 measures that often make the difference between an accepted quote and a denial.
1) MFA everywhere
Enable two-factor authentication on email, VPNs and admin consoles (Microsoft 365/Google Workspace, firewalls, routers, backups). FIDO2 tokens are a plus.
2) EDR or MDR
An EDR protects and isolates endpoints; an MDR adds a 24/7 SOC for detection and response. Insurers prefer MDR because it reduces response time.
3) 3-2-1-1-0 backups
Three copies, two media types, one offsite, one immutable, zero restore errors. Test restores monthly (on samples) and the BCDR plan quarterly.
4) Patch management
Automate patches for operating systems (Windows/Linux/Mac), VPN drivers, browsers and applications. Set an SLA: critical patches in < 7 days.
5) Hardening & least privilege
Disable SMBv1 and obsolete SSL versions, enforce password policies, remove inactive accounts, and separate admin accounts from user accounts.
6) Network segmentation
Isolate servers, workstations, IoT and guests: VLANs, ACLs and a separate Wi-Fi network. Less impact in case of an incident.
7) DNS & email filtering
Secure DNS (malware/phishing blocking), plus SPF/DKIM/DMARC with a quarantine or reject policy to limit spoofing.
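As an added illustration of the SPF/DMARC check above (not code from the original article), this script parses constructed sample TXT records and flags the settings an insurer questionnaire would object to: a DMARC policy below quarantine/reject, a subdomain policy weaker than the main one, a partial `pct`, missing aggregate reports, and an SPF record whose `all` mechanism does not fail unlisted senders. The record values and domains are made up for the example.

```python
import re

# Constructed sample DNS TXT records (example.net is a placeholder, not a real deployment).
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    "dmarc_weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "dmarc_strong": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.net",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; ...') into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    """Return the weaknesses found in a DMARC record; an empty list means it passes."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not limit spoofing")
    sub = tags.get("sp", policy).lower()          # sp defaults to p when absent
    if sub not in ("quarantine", "reject"):
        findings.append(f"subdomain policy sp={sub} weaker than required")
    pct = int(tags.get("pct", "100"))             # pct defaults to 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected")
    return findings

def spf_findings(record: str) -> list[str]:
    """Flag an SPF record whose 'all' mechanism lets unauthorized senders through."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record)
    if not m:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if m.group(1) in ("", "+"):
        return ["'+all' passes every sender"]
    if m.group(1) == "?":
        return ["'?all' is neutral: unlisted senders are not rejected"]
    return []                                     # '-all' or '~all' is acceptable
```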
8) Centralized logging
Retain logs (firewall, EDR, AD, M365/GWS) for at least 90 days. Alert on admin logins, abnormal failures and account creations.
9) Anti-phishing training
Short quarterly modules plus phishing simulations. Measure the click rate and target at-risk teams.
10) Third-party management
Reduce and track vendor access (individual accounts, expiration, MFA). Add contractual security clauses.
11) IR (Incident Response) plan
Who decides, who communicates, who isolates? Runbooks per scenario (ransomware, compromised email). Tabletop exercises twice a year.
12) Governance
A security owner (internal or MSP), with concise, living policies (access, backups, classification, mobility).