
The 12-Point Cybersecurity Checklist Most Canadian Small Businesses Fail

Most small business owners believe they’re “probably fine” on cybersecurity. Then they run a checklist like this one — and find three or four gaps an attacker could walk straight through.

This isn’t a 200-item audit. It’s the twelve controls that matter most for a Canadian small or mid-sized business. Go through them honestly and count how many you can genuinely tick.

1. Multi-factor authentication on every account

A stolen password should not be enough to get in. MFA is the highest-impact control on this list — start here. (More on rolling it out smoothly in our MFA guide.)

2. Strong, unique passwords

No reused passwords across accounts. A business password manager makes this realistic instead of aspirational.

3. Modern endpoint protection on every device

Every laptop and server should run modern endpoint detection and response — not just basic antivirus.

4. Software kept up to date

Operating systems and applications should update automatically or on a tracked schedule. Unpatched software is one of the most common ways in.

5. Tested, secured backups

You have backups — but are they recent, tested, and kept offline or immutable so ransomware can’t reach them?

6. Email filtering

Good email filtering stops a large share of phishing and malware before anyone ever sees it.

7. Staff security awareness training

Your people are a control. Short, regular training — including simulated phishing — keeps them sharp.

8. Least-privilege access

Staff have access to what they need, and no more. Administrator accounts are limited and used only when required.

9. Secured Wi-Fi and network

Use strong Wi-Fi passwords, keep visitors on a separate guest network, and make sure the firewall is properly configured rather than left on its defaults.

10. A written incident response plan

When something goes wrong, you want a plan instead of panic. (We’ve published a free incident response plan outline.)

11. Someone actually monitoring

Tools generate alerts; alerts need a human. If no one is watching for trouble around the clock, threats go unnoticed for weeks.

12. You know your third-party risk

Your vendors and software suppliers can be a path into your business. Know who has access to your systems and data.

How did you score?

If you ticked all twelve — genuinely — you’re in good shape. Most businesses don’t. The items missed most often are #10, #11, and #12: planning, monitoring, and third-party risk.

If you found gaps and aren’t sure where to start, get in touch. We’ll help you turn this list into a plan — fastest wins first.
