Canadian SMB Security Scorecard
10 questions. 2 minutes. Find out where your business is exposed before an attacker does.
Do employees use multi-factor authentication (MFA) to log in to business email and key systems?
MFA is one of the most effective controls against credential-based attacks, which account for the majority of Canadian SMB breaches.
When an employee leaves the company, how quickly are their accounts disabled?
Orphaned accounts are an easy entry point. Former employees with active credentials remain one of the most common insider risk vectors.
Has your team received any security awareness training in the past 12 months?
AI-generated phishing emails now bypass traditional spam filters. Human awareness is the last line of defence when technology fails.
Do employees know who to contact or what to do if they suspect a phishing email?
A clear reporting path reduces dwell time when an attack slips through. Most SMBs have no defined process.
Are your business-critical data backups stored separately from your main network?
Ransomware frequently targets connected backup systems. Offline or isolated backups are what allow businesses to recover without paying a ransom.
Has your business ever tested its ability to recover from a backup or system failure?
An untested backup is not a backup. Many businesses discover their recovery process does not work only during an actual incident.
Are operating systems and business software kept up to date with security patches?
Unpatched systems are the most common entry point in SMB ransomware cases. Attackers actively scan for known vulnerabilities.
Do employees only have access to the data and systems they need for their specific role?
Least-privilege access limits the blast radius of any breach or insider incident. Over-permissioned accounts are a frequent finding in SMB security reviews.
Does your business collect, store, or process personal information from customers or employees?
If yes, your business has obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) and potentially Bill C-27 when it comes into force.
If your business experienced a ransomware attack today, does anyone know the immediate steps to take?
Most SMBs lose days of recovery time simply because no one knows what to do in the first hour of an incident.
Want to know what to fix first?
Book a free 30-minute call with one of our specialists. We’ll walk through your results and help you prioritize the gaps that matter most for your business.