Cybersecurity Basics for Canadian SMBs

The threats Canadian SMBs face are not the cinematic ones. They are: business email compromise (BEC) leading to wire fraud, ransomware delivered through a phishing email or an exposed remote desktop port, and credential theft via password spraying against Microsoft 365 tenants without MFA.

Almost every incident we have responded to began with one of those three vectors. Almost every one of them was preventable by controls that were already included in the licenses the business owned.

If you do nothing else this quarter, harden identity. For most Canadian SMBs that means Microsoft 365 or Google Workspace. The non-negotiables:

Built-in antivirus catches commodity malware. It does not stop modern attackers who use legitimate tools to live off the land. A managed EDR (Endpoint Detection and Response) product - typically with a 24/7 SOC behind it - is the modern baseline. Huntress, SentinelOne and Microsoft Defender for Endpoint with managed XDR are all reasonable choices for SMBs.

The "managed" part is the point. An EDR that nobody is watching at 2 a.m. on a Sunday is just expensive antivirus.

Patch operating systems, browsers, and the handful of applications attackers actually target: Microsoft Office, PDF readers, Java if you somehow still have it, and any internet-exposed device (firewall, VPN concentrator, NAS). Firmware on switches and firewalls counts. The goal is not 100% patched on day zero - it is a documented, reviewed cadence with no nine-month-old critical CVEs sitting open.

Configure SPF, DKIM and DMARC on your sending domain. Enable anti-phishing policies with impersonation protection for executive and finance mailboxes. Train your finance team to verbally verify any payment instruction change. Wire fraud against Canadian SMBs has cost more than ransomware in some years; the controls to prevent it are essentially free.

Backups exist at most SMBs. Tested, restorable backups do not. Adopt the 3-2-1-1-0 rule: three copies, two media, one offsite, one immutable, zero errors after testing. Restore a real file, a real mailbox and a real server from backup at least quarterly. Write it down. If you cannot show a restore log from the last 90 days, you do not have a backup strategy - you have a backup hope.

Phishing simulations, run quarterly and paired with short training (under five minutes), measurably reduce click rates. They also surface the small group of users who need extra coaching - usually a predictable handful. Avoid programs that shame users; aim for awareness, not punishment.

PIPEDA applies to most Canadian businesses handling personal information. SOC 2 is increasingly required by enterprise customers. HIPAA-equivalent expectations apply to healthcare. The controls above cover most of the technical requirements for all three. Compliance is a documentation exercise on top of good security - not a substitute for it.