Guardlyne
For IT & Operations · 8 min read · May 18, 2025

The Canadian SMB Cybersecurity Checklist: What IT Teams Need to Cover in 2025

A practical, prioritized cybersecurity checklist for IT managers and ops leads at Canadian small and medium businesses — covering identity, endpoints, data, email, and incident response without enterprise budgets.

You're the person who gets the call when something goes wrong. You're also the person expected to prevent it — usually with a fraction of the budget and headcount that the problem actually demands.

This checklist is for you.

It's built around the security domains that matter most for Canadian SMBs in 2025, prioritized by impact-to-effort ratio, and grounded in the threat landscape that Canadian businesses actually face. It's not exhaustive. It's actionable.

Work through it section by section. Use it to identify gaps, prioritize remediation, and have honest conversations with leadership about where investment is needed.


Before you start: know your baseline

Before checking any box, you need answers to three foundational questions:

  1. What data does your organization hold? Customer PII, employee records, financial data, health information — every category of sensitive data you hold is a liability and a PIPEDA obligation.

  2. Where does that data live? On-prem servers, cloud storage, employee laptops, third-party SaaS tools, email archives — if you don't know where the data is, you can't protect it.

  3. Who has access to it? Over-provisioned access is one of the most common and most exploited vulnerabilities in SMB environments. The principle of least privilege is not an enterprise concept — it's basic hygiene.

If you can't answer these three questions confidently, start there before anything else.


Identity and access management

Identity is the new perimeter. Most breaches in 2025 start with compromised credentials — not sophisticated exploits.

Critical:

  • [ ] Multi-factor authentication (MFA) enabled on all email accounts
  • [ ] MFA enabled on all cloud services (Microsoft 365, Google Workspace, AWS, etc.)
  • [ ] MFA enabled on accounting, payroll, and banking platforms
  • [ ] Password manager deployed and in use across the organization
  • [ ] Shared or generic accounts eliminated (every user has an individual account)
  • [ ] Offboarding process formally documented — access revoked same day for departing employees

Important:

  • [ ] Admin accounts separated from daily-use accounts
  • [ ] Privileged access review conducted in the last 90 days
  • [ ] Conditional access policies in place (block logins from unusual locations or devices)
  • [ ] Single sign-on (SSO) implemented where possible to centralize access control
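The offboarding, MFA, shared-account and 90-day privileged-review items above can be checked together by reconciling an identity-provider user export against the HR roster. The script below is an added example written for this article, not Guardlyne's code or any IdP's API; both data sets are constructed samples, and the column names (`enabled`, `mfa`, `admin`, `last_sign_in`) are assumptions you would map to your own export.

```python
"""Reconcile an identity-provider user export against the HR roster.

Added example, not Guardlyne code. Both data sets below are constructed; in
practice the account list comes from your IdP's admin export and the roster
from HR or payroll. Field names are assumptions to map onto your own export.
"""
from __future__ import annotations

from datetime import date

PRIVILEGED_STALE_DAYS = 90  # the checklist's privileged access review window

# Constructed IdP export: one row per account
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True, "admin": True, "last_sign_in": date(2025, 5, 17)},
    {"user": "bob", "enabled": True, "mfa": False, "admin": False, "last_sign_in": date(2025, 5, 16)},
    {"user": "carol", "enabled": True, "mfa": True, "admin": True, "last_sign_in": date(2025, 1, 10)},
    {"user": "dave", "enabled": True, "mfa": True, "admin": False, "last_sign_in": date(2025, 5, 2)},
    {"user": "frontdesk", "enabled": True, "mfa": False, "admin": False, "last_sign_in": date(2025, 5, 18)},
]

# Constructed HR roster: user -> (employment status, termination date or None)
HR_ROSTER = {
    "alice": ("active", None),
    "bob": ("active", None),
    "carol": ("active", None),
    "dave": ("terminated", date(2025, 5, 1)),
}


def review_accounts(accounts: list[dict], roster: dict, today: date) -> list[dict]:
    """Return findings sorted with critical items first, then by user name."""
    findings: list[dict] = []

    def add(severity: str, user: str, issue: str) -> None:
        findings.append({"severity": severity, "user": user, "issue": issue})

    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            # No person owns this account: shared/generic account or an orphan
            add("critical", user, "no individual owner in HR roster (shared/generic or orphaned account)")
        elif hr[0] == "terminated" and acct["enabled"]:
            # Offboarding gap: HR says gone, IdP says still active
            days = (today - hr[1]).days
            add("critical", user, f"still enabled {days} days after termination")
        if acct["enabled"] and not acct["mfa"]:
            add("critical", user, "MFA not enabled")
        if acct["admin"]:
            idle = (today - acct["last_sign_in"]).days
            if idle > PRIVILEGED_STALE_DAYS:
                add("important", user, f"privileged account unused for {idle} days; confirm it is still needed")
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["user"]))


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity for the leadership summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(IDP_ACCOUNTS, HR_ROSTER, today=date(2025, 5, 18))
    for f in results:
        print(f"[{f['severity']}] {f['user']}: {f['issue']}")
    print(summarize(results))
```

Run it on a real export and the "no individual owner" findings are your shared-account list, the "still enabled after termination" findings are your offboarding failures, and the idle privileged accounts are the candidates for the 90-day review.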

Endpoint security

Every device that touches your network or your data is a potential entry point.

Critical:

  • [ ] Antivirus/EDR solution deployed on all Windows and macOS devices
  • [ ] Automatic OS updates enabled on all endpoints
  • [ ] Disk encryption enabled (BitLocker on Windows, FileVault on macOS)
  • [ ] Remote wipe capability configured for all mobile devices
  • [ ] Company devices inventoried — you know every device that accesses company data

Important:

  • [ ] BYOD policy defined and communicated
  • [ ] MDM (Mobile Device Management) solution in place for mobile devices
  • [ ] USB storage restricted or monitored on company devices
  • [ ] Browser extensions reviewed and restricted on managed devices
  • [ ] Laptop screen lock enforced after idle period

Email security

Email is the #1 vector for phishing, business email compromise, and ransomware delivery. Your email configuration is a direct indicator of your overall security posture.

Critical:

  • [ ] SPF record configured and published in DNS
  • [ ] DKIM signing enabled
  • [ ] DMARC policy published (at minimum p=none with reporting; ideally p=quarantine or p=reject)
  • [ ] Anti-phishing and anti-malware filtering active (M365 Defender or equivalent)
  • [ ] External email banners enabled (flags emails originating outside your domain)
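To turn the SPF and DMARC items into something you can verify rather than assume, the script below evaluates the published TXT record strings for the weaknesses that most often leave a domain spoofable. It is an added example written for this article, not Guardlyne's code; the records are constructed samples, and the DNS lookup itself (TXT at the domain and at `_dmarc.<domain>`) is left to whatever resolver or tool you already use.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses.

Added example, not Guardlyne code. The record strings below are constructed
samples; fetch your own with a TXT lookup at the domain (SPF) and at
_dmarc.<domain> (DMARC) and pass the strings to these functions.
"""
from __future__ import annotations

import re

# SPF terms that each consume one of the 10 DNS lookups receivers allow
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr|exists:|redirect=)")


def check_spf(record: str) -> list[str]:
    """Return a list of weaknesses in an SPF record (empty list means fine)."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    terms = terms[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of a fail")
    else:
        qualifier = all_terms[-1]
        if qualifier == "all":
            qualifier = "+all"  # a bare mechanism defaults to the pass qualifier
        if qualifier == "+all":
            findings.append("'+all' authorizes every sender on the internet; use -all (or ~all)")
        elif qualifier == "?all":
            findings.append("'?all' is neutral; use -all (or ~all)")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("'ptr' is deprecated and unreliable; replace with ip4/ip6 or include")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses in a DMARC record (empty list means fine)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject once reports look clean")
    if "rua" not in tags:
        findings.append("no 'rua' tag: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the apex is enforced")
    return findings


# Constructed sample records: one well-configured domain, one weak one
SAMPLE_RECORDS = {
    "good": ("v=spf1 include:spf.protection.outlook.com -all",
             "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
    "weak": ("v=spf1 a mx ptr +all",
             "v=DMARC1; p=none; pct=50"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(f"{name}: SPF   -> {check_spf(spf) or ['ok']}")
        print(f"{name}: DMARC -> {check_dmarc(dmarc) or ['ok']}")
```

The checklist's minimum of `p=none` with reporting shows up here as a single finding; `p=none` without `rua` is worse, because nobody is collecting the reports that would let you move to `quarantine` or `reject`.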

Important:

  • [ ] Safe links and safe attachments enabled in M365 (or equivalent)
  • [ ] Impersonation protection configured for executive and key personnel names
  • [ ] Email forwarding rules audited — auto-forwarding to external addresses is a major exfiltration risk
  • [ ] Phishing simulation run in the last 6 months
  • [ ] Email archive and retention policy defined

Network security

Critical:

  • [ ] Default router/firewall admin credentials changed
  • [ ] Firmware on networking equipment up to date
  • [ ] Guest Wi-Fi network separated from internal network
  • [ ] Remote access via VPN — direct RDP exposure to the internet is unacceptable
  • [ ] RDP port (3389) not exposed to the public internet

Important:

  • [ ] Network segmentation between critical systems and general user network
  • [ ] Firewall logs reviewed regularly (or alerts configured for anomalies)
  • [ ] Unused ports and services disabled on all devices
  • [ ] DNS filtering in place (blocks known malicious domains)
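The two RDP items and the "firewall logs reviewed" item can be checked from the logs you already have: any accepted connection from an address outside your private ranges to port 3389 on an internal host means the port is exposed, whatever the firewall rules are supposed to say. The script below is an added example written for this article, not Guardlyne's code; the log format and every line in it are constructed, so `parse_line()` is the one function you would adapt to your own firewall's export.

```python
"""Flag firewall-allowed connections from external addresses to admin ports,
and count external sources that keep hitting them.

Added example, not Guardlyne code. The log format and the sample lines are
constructed; adapt parse_line() to your firewall's export format.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Private ranges that count as "inside"; anything else is treated as external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports that should never accept connections straight from the internet
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 5900: "VNC"}

# Assumed line layout: "<timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<port> -> <dst>:<port>"
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: documentation addresses stand in for internet sources
SAMPLE_LOG_LINES = """
2025-05-18T02:14:07Z ALLOW TCP 203.0.113.45:51234 -> 10.0.0.25:3389
2025-05-18T02:14:09Z ALLOW TCP 10.0.0.7:49812 -> 10.0.0.25:3389
2025-05-18T02:15:30Z DENY TCP 198.51.100.8:40001 -> 10.0.0.25:3389
2025-05-18T02:15:31Z DENY TCP 198.51.100.8:40002 -> 10.0.0.25:3389
2025-05-18T02:15:33Z DENY TCP 198.51.100.8:40003 -> 10.0.0.26:22
2025-05-18T02:16:02Z ALLOW TCP 203.0.113.45:51240 -> 10.0.0.30:443
2025-05-18T02:17:45Z ALLOW UDP 10.0.0.7:53111 -> 10.0.0.1:53
""".strip().splitlines()


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the configured private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_admin_ports(lines, ports: dict[int, str] = ADMIN_PORTS) -> list[dict]:
    """Return ALLOW events where an external source reached an admin port on an internal host."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["dport"] in ports and not is_internal(rec["src"]) and is_internal(rec["dst"]):
            findings.append({"time": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "port": rec["dport"], "service": ports[rec["dport"]]})
    return findings


def noisy_sources(lines, threshold: int = 3, ports: dict[int, str] = ADMIN_PORTS) -> dict[str, int]:
    """External sources denied at least `threshold` times on admin ports (an alerting candidate)."""
    hits: Counter[str] = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["dport"] in ports and not is_internal(rec["src"]):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for f in find_exposed_admin_ports(SAMPLE_LOG_LINES):
        print(f"EXPOSED {f['service']}: {f['src']} -> {f['dst']}:{f['port']} at {f['time']}")
    print("repeat external sources on admin ports:", noisy_sources(SAMPLE_LOG_LINES))
```

In the sample, the first line is the finding that matters: RDP on 10.0.0.25 was reachable from outside. The denied lines from 198.51.100.8 are the firewall doing its job, but three hits in a few seconds is the pattern an alert should fire on so that someone looks before the rule set changes.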

Data protection and backup

Ransomware is survivable with good backups. It's catastrophic without them.

Critical:

  • [ ] Full backup of all critical business data running on automated schedule
  • [ ] Backups stored offsite or in cloud — not solely on the same network as production systems
  • [ ] Backup restoration tested in the last 6 months (untested backups are not backups)
  • [ ] Backup access restricted — ransomware actively targets and destroys accessible backups
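"Untested backups are not backups" is only meaningful if the test checks content, not just that files came back. The script below is an added example written for this article, not Guardlyne's code or any backup product's verifier: it records a SHA-256 manifest of production data at backup time, then checks a restore against that manifest and reports what is missing or corrupt. `demo()` builds the production tree, the backup and a deliberately damaged restore in temporary directories, so everything in it is constructed.

```python
"""Verify a restored backup against a content manifest taken at backup time.

Added example, not Guardlyne code. demo() constructs a throwaway production
tree, backs it up, restores it with deliberate damage, and returns the result
so the logic can be exercised without touching real data.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest; lists ok, missing and corrupt files."""
    result: dict[str, list[str]] = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed end-to-end run: backup, damaged restore, verification."""
    with tempfile.TemporaryDirectory() as tmp:
        production = Path(tmp) / "production"
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"

        # Constructed production data
        (production / "invoices").mkdir(parents=True)
        (production / "customers.csv").write_text("id,name\n1,Example Customer\n")
        (production / "invoices" / "2025-04.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (production / "notes.txt").write_text("constructed notes\n")

        # Backup time: copy the data and record the manifest alongside it
        manifest = build_manifest(production)
        shutil.copytree(production, backup)

        # Restore time: simulate a restore that lost one file and truncated another
        shutil.copytree(backup, restore)
        (restore / "notes.txt").unlink()
        (restore / "invoices" / "2025-04.pdf").write_bytes(b"trunc")

        return verify_restore(manifest, restore)


if __name__ == "__main__":
    outcome = demo()
    for status, files in outcome.items():
        print(f"{status}: {files}")
```

Store the manifest with the backup but in a location the backup job itself cannot overwrite; a restore test that reports zero missing and zero corrupt files against that manifest is the evidence the checklist item asks for.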

Important:

  • [ ] Data retention policy defined and documented
  • [ ] Sensitive data encrypted at rest
  • [ ] Sensitive data encrypted in transit (HTTPS, TLS)
  • [ ] Data classification policy — not all data needs the same level of protection
  • [ ] Cloud storage permissions audited — no publicly accessible buckets containing sensitive data

PIPEDA compliance

If you collect, use, or disclose personal information about Canadians in the course of commercial activity, PIPEDA applies to you.

Critical:

  • [ ] Privacy policy published and accessible (website, app)
  • [ ] Personal data inventory completed — you know what PII you hold and why
  • [ ] Data breach notification process defined — you know what triggers a reportable breach and who to notify
  • [ ] Consent obtained appropriately for data collection
  • [ ] Data retention limits defined — you're not holding personal data longer than necessary

Important:

  • [ ] Data processing agreements in place with third-party vendors handling personal data
  • [ ] Privacy impact assessment completed for any new systems that process personal data
  • [ ] Employees trained on basic privacy obligations

Incident response

Not having an incident response plan is the most common and most costly gap in SMB security. You don't need a 40-page document. You need a plan that exists and that your team knows about.

Critical:

  • [ ] Incident response plan exists in written form
  • [ ] Key contacts documented: IT, legal, insurance broker, PR, law enforcement (RCMP Cybercrime)
  • [ ] Critical systems identified — you know what to isolate first if you detect a breach
  • [ ] Cyber insurance policy in place and coverage limits understood
  • [ ] Breach notification obligations understood — PIPEDA timeline is 72 hours for real-risk breaches

Important:

  • [ ] Tabletop exercise conducted in the last 12 months
  • [ ] Forensic preservation procedure documented — evidence handling matters for insurance claims
  • [ ] Communications templates prepared for breach notification to customers and regulators

Security awareness training

Your controls are only as strong as your least-informed employee.

Critical:

  • [ ] Security awareness training completed by all employees in the last 12 months
  • [ ] Phishing awareness specifically covered — employees know how to identify and report suspicious email
  • [ ] Password policy communicated and enforced

Important:

  • [ ] Quarterly security reminders or brief training updates delivered on a regular cadence
  • [ ] Onboarding security training for new employees
  • [ ] Acceptable use policy signed by all employees

Using this checklist

A checklist is only useful if it leads to action. After working through this, you should have:

  1. A clear picture of which items are covered, which are gaps, and which are partial
  2. A prioritized remediation list — not everything can be addressed at once; start with the critical items in identity and email
  3. A business case for leadership — security investment is easier to justify when the gaps are concrete and the consequences are documented

If you want a faster way to assess your full security posture across all 8 domains — and get a scored, prioritized report you can share with leadership — Guardlyne's free assessment was built exactly for this.


It covers everything in this checklist and more, and gives you a report you can actually use to drive decisions and budget conversations.
