Most cybersecurity content for small businesses is either too vague (“use strong passwords!”) or too enterprise-oriented to be useful. This guide is different. These are the specific, actionable steps every Atlantic Canada SMB should take — in order of impact.

Why This Matters Now

Canadian SMBs are increasingly targeted by cybercriminals. This isn’t paranoia; the figures usually cited are:

  • 43% of the breaches analyzed in the Verizon DBIR (2019 edition) involved small-business victims
  • The average cost of a data breach for a Canadian SMB is over $180,000 (IBM Cost of a Data Breach Report)
  • 60% of small businesses that suffer a significant cyberattack go out of business within six months

Take the exact numbers with some caution: they change from year to year and from report to report, and the 60% figure in particular circulates widely without a traceable primary source. None of that changes the direction.

The reason SMBs are targeted: they have real data and real money, but typically far less security infrastructure than large enterprises. Attackers follow the path of least resistance.

Nova Scotia has no private-sector privacy law of its own that has been declared substantially similar to PIPEDA, so PIPEDA (Canada’s federal privacy law) applies to most Nova Scotia businesses that handle personal information in the course of commercial activity. A breach that exposes customer or employee data isn’t just a technical problem; it’s a legal one.

The 8 Things You Actually Need to Do

1. Enable Multi-Factor Authentication (MFA) on Everything

This is the single highest-impact security control you can implement. Most account takeovers start with a stolen, leaked or guessed password. With MFA, the password alone is not enough: the attacker also needs a second factor (typically a code or approval prompt on your phone, or a hardware security key).

Enable MFA on:

  • Email (Microsoft 365 or Google Workspace — both have MFA built-in, just turn it on)
  • Your IT admin accounts (domain admin, server access, cloud consoles)
  • Any SaaS tools with access to customer or financial data (accounting software, CRM, etc.)
  • Your website admin panels (WordPress, Shopify admin, etc.)
  • VPN access

Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) rather than SMS where possible: SMS codes can be intercepted via SIM swapping. Two caveats. App-generated codes can still be captured by a phishing page that relays them in real time, so for admin and finance accounts prefer phishing-resistant options (a FIDO2 security key or passkeys) where the service supports them. And if you use push-notification approval, turn on number matching if your app offers it, so an attacker can’t simply spam approval prompts until someone taps Accept.

Time to implement: 1–2 hours across your organization.

2. Run Backups You Have Actually Restored

Ransomware is the biggest threat facing SMBs today. In a ransomware attack, attackers encrypt your files and demand payment to decrypt them. If you have clean backups, you can recover without paying. Without backups, you’re at their mercy.

Your backup strategy needs:

  • Frequency: Daily backups for critical data, weekly for less critical
  • 3-2-1 rule: 3 copies of data, on 2 different media, with 1 offsite (cloud)
  • Tested restores: A backup you’ve never restored is a backup you can’t trust. Do a test restore quarterly.
  • Offline or immutable backups: Ransomware operators look for reachable backups and delete or encrypt them before triggering. Cloud storage such as Backblaze B2, Wasabi, or AWS S3 can be configured with Object Lock (immutability) so that even the credentials that wrote the backup cannot delete or overwrite it until the retention period expires. A plain bucket with no lock is only as safe as the credentials sitting on your backup server.

Common mistake: Businesses that use OneDrive or Google Drive as their only backup. Sync is not backup: if ransomware encrypts the files on a PC, the sync client faithfully uploads the encrypted versions. The version-history and ransomware-recovery features in these services help, but they are time-limited and are not a substitute for a separate, immutable copy.
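
Tested restores are the step most SMBs skip. One way to make the quarterly restore test objective rather than a spot check, as an added example (this script is not from the original article): keep a manifest of file hashes produced at backup time, restore into an empty directory, and compare the two. The file names and contents below are constructed for the demo.

```python
"""Verify a restored backup against a manifest of SHA-256 hashes.

Added example, not from the original article. Assumes you save the manifest
produced by build_manifest() at backup time (outside the backed-up system) and
run verify_restore() against the directory you restored into.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, '/' separators) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest. Reports files that never came
    back, files whose content differs, and files that were never backed up
    (a sign you restored into a directory that was not empty)."""
    result: dict[str, list[str]] = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != expected:
            result["modified"].append(rel)
    result["unexpected"] = sorted(set(build_manifest(restored_root)) - set(manifest))
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three files are backed up, then the 'restore'
    is missing one file and has a truncated copy of another, which is what a
    partial or corrupted restore looks like in practice."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        for d in (src, dst):
            (d / "accounting").mkdir(parents=True)
        files = {
            "accounting/ledger-2024.csv": b"date,amount\n2024-01-05,1200.00\n",
            "accounting/invoices.txt": b"INV-001 paid\n",
            "clients.txt": b"Acme Ltd\n",
        }
        for rel, data in files.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)  # would be stored with the backup
        # Simulate the bad restore: invoices.txt absent, ledger truncated.
        (dst / "accounting/ledger-2024.csv").write_bytes(b"date,amount\n")
        (dst / "clients.txt").write_bytes(files["clients.txt"])
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

A clean restore returns three empty lists; anything else is a failed test, and the file names tell you where to look. Store the manifest with the offsite copy, not only on the server being backed up.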

3. Patch Software Promptly

The majority of successful cyberattacks exploit known vulnerabilities that have patches available — attackers scan for unpatched systems at scale. Keeping software updated is one of the most effective defenses.

What to patch:

  • Operating systems (Windows Update, macOS updates — turn on auto-updates)
  • Applications, especially browsers, Office, Adobe products
  • Plugins on websites (especially WordPress plugins — a major attack vector)
  • Server software and firmware

How often: Critical/security patches within 72 hours of release. Routine updates within 2 weeks.

4. Train Employees on Phishing

The large majority of successful cyberattacks start with a phishing email: a message that tricks an employee into clicking a malicious link, opening an attachment, or entering credentials on a fake site.

Practical training approach:

  • Run phishing simulations: Services like KnowBe4 or Proofpoint send simulated phishing emails and track who clicks. Use results for targeted training, not punishment.
  • Teach the key signals: Urgency, unfamiliar sender, mismatched URLs, requests for credentials or payment
  • Have a reporting process: Employees should know exactly what to do when they suspect a phishing email (forward to IT, don’t click)

This doesn’t require an expensive security awareness program. Even a 30-minute annual session with real phishing examples dramatically reduces click rates.
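
The signals listed above can also be checked mechanically, which helps both for teaching with concrete examples and for triaging what employees report. The following added example (not part of the original article) parses a raw email and flags a lookalike sender, a Reply-To that goes elsewhere, link text that shows one domain while pointing at another, urgency language and credential requests. The two messages and the domains yourcompany.ca, yourcompany-it.example, mail-recovery.example, secure-login-portal.example and cafe.example are constructed placeholders, and the keyword lists are assumptions.

```python
"""Flag common phishing signals in a raw email message.

Added example, not from the original article. All domains in the sample
messages are constructed placeholders; keyword lists are assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
CREDENTIAL_ASKS = ("password", "verify your account", "confirm your identity",
                   "wire transfer", "gift card", "update your payment")
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

SAMPLE_PHISH = """\
From: "YourCompany IT Helpdesk" <helpdesk@yourcompany-it.example>
Reply-To: recovery@mail-recovery.example
To: jane@yourcompany.ca
Subject: URGENT: your mailbox will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<p>We detected unusual sign-ins. Verify your password immediately at
<a href="https://secure-login-portal.example/yc">portal.yourcompany.ca/login</a>
or your account will be suspended.</p>
"""

SAMPLE_BENIGN = """\
From: "Jane Doe" <jane@yourcompany.ca>
To: bob@yourcompany.ca
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Still on for Friday? Menu is at https://cafe.example/menu
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def link_mismatches(html: str) -> list[tuple[str, str]]:
    """(visible text, real host) for anchors whose text looks like a URL or
    domain but whose href goes to a different host. 'Click here' is ignored."""
    out = []
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if not LOOKS_LIKE_URL.fullmatch(shown):
            continue
        shown_host = host_of(shown if "://" in shown else "https://" + shown)
        if shown_host != host_of(href):
            out.append((shown, host_of(href)))
    return out


def phishing_signals(raw: str, org_domain: str) -> list[str]:
    """Human-readable findings for one message; an empty list means no signal fired."""
    msg = message_from_string(raw, policy=policy.default)
    org_domain = org_domain.lower()
    org_label = org_domain.split(".")[0]
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    # Lookalike sender: name or domain mentions the company, but it is not our domain.
    if from_dom != org_domain and org_label in (name + " " + from_dom).lower():
        findings.append(f"sender claims {org_label} but domain is {from_dom}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"replies go to {domain_of(reply_addr)}, not {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for shown, real in link_mismatches(content):
        findings.append(f"link shows '{shown}' but goes to {real}")

    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    if any(k in text for k in URGENCY):
        findings.append("urgency language")
    if any(k in text for k in CREDENTIAL_ASKS):
        findings.append("asks for credentials or payment")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_signals(raw, "yourcompany.ca"))
```

The point of the lookalike check is the one employees miss most often: the display name says the right thing, the address does not. Keep the keyword lists short and specific to lures your staff actually receive, or the tool will flag every legitimate finance email.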

5. Use a Password Manager

Password reuse is rampant in SMBs. When one service gets breached and credentials leak, attackers test those same credentials against every other service — a technique called credential stuffing.

A password manager (1Password, Bitwarden, Dashlane) solves this by generating and storing a unique, complex password for every service. Employees only need to remember one master password, which should be a long passphrase and protected by MFA, since it now guards everything else.

Business deployment: Most password managers have team/business plans that allow centralized management and policy enforcement ($3–$8 per user per month).

6. Review Access — Who Has What

“Principle of least privilege” means people should only have access to what they need to do their job. In practice, most SMBs have access sprawl: former employees with active accounts, everyone in the admin group, shared passwords to everything.

Quarterly access review checklist:

  • Remove accounts for people who no longer work there (especially critical — offboarding is a major security gap)
  • Audit who has admin access to key systems
  • Remove access to services people no longer use
  • Ensure shared accounts (like a web@company.ca email) have their password changed after personnel changes
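
An access review is easier to repeat every quarter if it starts from exports rather than from memory. As an added example (not from the original article), the script below joins an account export from an identity provider with an HR roster and lists the four problems in the checklist. All records, names, dates and the 90-day staleness threshold are constructed assumptions.

```python
"""Quarterly access review from exported account data.

Added example, not from the original article. The roster, account export and
shared-account list are constructed; in practice export them from your HR
system and from the Microsoft 365 / Google Workspace admin console. The
90-day staleness threshold is an assumption.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)

# Constructed HR roster: current employees and, for leavers, the departure date.
HR_ROSTER = {
    "alice": {"active": True,  "left": None},
    "bob":   {"active": False, "left": date(2024, 2, 14)},
    "carol": {"active": True,  "left": None},
    "erin":  {"active": False, "left": date(2023, 9, 15)},
}

# Constructed export from an identity provider / SaaS admin console.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "roles": ["user"],          "last_login": date(2024, 5, 2)},
    {"user": "bob",   "enabled": True,  "roles": ["admin"],         "last_login": date(2024, 2, 13)},
    {"user": "carol", "enabled": True,  "roles": ["admin", "user"], "last_login": date(2024, 1, 10)},
    {"user": "dave",  "enabled": True,  "roles": ["user"],          "last_login": date(2024, 4, 30)},
    {"user": "erin",  "enabled": False, "roles": ["admin"],         "last_login": date(2023, 9, 1)},
]

# Constructed shared accounts: who knows the password and when it was last changed.
SHARED_ACCOUNTS = [
    {"name": "web@company.ca",  "known_by": ["alice", "bob"], "password_changed": date(2023, 11, 1)},
    {"name": "info@company.ca", "known_by": ["carol"],        "password_changed": date(2024, 3, 1)},
]


def access_review(accounts, roster, shared, today):
    """Return the checklist findings: leavers with live accounts, accounts HR
    does not know about, accounts unused for STALE_AFTER, admins to re-justify,
    and shared accounts whose password predates a leaver's departure."""
    findings = {"departed": [], "unknown_to_hr": [], "stale": [], "admins": [], "rotate_shared": []}
    for acct in accounts:
        user, enabled = acct["user"], acct["enabled"]
        person = roster.get(user)
        if person is None:
            findings["unknown_to_hr"].append(user)        # contractor? service account? find out
        elif not person["active"] and enabled:
            findings["departed"].append(user)             # offboarding gap
        if enabled and today - acct["last_login"] > STALE_AFTER:
            findings["stale"].append(user)
        if enabled and "admin" in acct["roles"]:
            findings["admins"].append(user)               # each one needs a reason
    for s in shared:
        leavers = [u for u in s["known_by"]
                   if u in roster and not roster[u]["active"]
                   and roster[u]["left"] > s["password_changed"]]
        if leavers:
            findings["rotate_shared"].append((s["name"], leavers))
    return findings


def review_demo():
    return access_review(ACCOUNTS, HR_ROSTER, SHARED_ACCOUNTS, today=date(2024, 6, 1))


if __name__ == "__main__":
    for category, items in review_demo().items():
        print(f"{category}: {items}")
```

Disabled accounts (erin) are deliberately left out of every list except as a roster cross-check; the account to worry about is bob, who left in February, still has an enabled admin login and knows the web@ mailbox password that was last changed before he left.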

7. Configure Your Firewall Properly

If you have any servers or network equipment, default configurations are often insecure. Basic firewall hygiene:

  • Don’t expose RDP (Remote Desktop Protocol, port 3389) directly to the internet: brute force and credential stuffing against exposed RDP are among the most common ransomware entry points. Put it behind a VPN or an RD Gateway with MFA.
  • Don’t expose SSH on port 22 to the world. Moving it to a non-standard port only cuts down scanner noise; the real fix is key-based authentication with password login disabled, reachable only through a VPN or a bastion host.
  • Review what’s actually listening on your public IP: look your IP up on Shodan.io to see what attackers see, or run a port scan against it from outside your network, and compare the result with what you believe should be open.
  • On cloud infrastructure, use security groups (AWS) or the equivalent firewall rules to restrict inbound access to only what’s needed. A rule that allows 0.0.0.0/0 on anything other than your public web ports is a finding.
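
For cloud infrastructure, the review of what is reachable from the internet can be automated from an export of your security groups. The added example below (not from the original article) walks the JSON shape returned by `aws ec2 describe-security-groups --query SecurityGroups` and flags all-traffic rules, all-TCP-port rules and management or database ports reachable from 0.0.0.0/0 or ::/0. The group IDs, addresses and the list of risky ports are constructed assumptions.

```python
"""Audit security-group ingress rules for ports open to the whole internet.

Added example, not from the original article. SAMPLE_GROUPS mimics the JSON
shape of `aws ec2 describe-security-groups --query SecurityGroups` but is
constructed so the script runs offline; group IDs and addresses are
placeholders. RISKY_PORTS is an assumption; extend it for your environment.
"""
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
RISKY_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 1433: "MSSQL",
               3306: "MySQL", 5432: "PostgreSQL", 5900: "VNC"}

SAMPLE_GROUPS = json.loads("""
[
  {"GroupId": "sg-0000000000000aaaa", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}
   ]},
  {"GroupId": "sg-0000000000000bbbb", "GroupName": "legacy-server",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
   ]},
  {"GroupId": "sg-0000000000000cccc", "GroupName": "db",
   "IpPermissions": [
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}
   ]}
]
""")


def world_cidrs(perm):
    """CIDRs in one permission entry that mean 'anyone on the internet'."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in ANYWHERE]


def audit_security_groups(groups):
    """Return (group id, description, cidrs) for every rule that exposes all
    traffic, every TCP port, or a risky TCP port to the whole internet."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = world_cidrs(perm)
            if not cidrs:
                continue  # limited to specific sources (VPN, office, bastion): fine
            proto = perm.get("IpProtocol")
            if proto == "-1":  # AWS encodes "all protocols, all ports" as -1
                findings.append((g["GroupId"], "ALL protocols and ports", cidrs))
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                if lo == 0 and hi == 65535:
                    findings.append((g["GroupId"], "ALL TCP ports", cidrs))
                    continue
                for port, name in RISKY_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((g["GroupId"], f"{name} (tcp/{port})", cidrs))
    return findings


if __name__ == "__main__":
    for group_id, what, cidrs in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {what} open from {', '.join(cidrs)}")
```

The web group passes because 443 is meant to be public and its SSH rule is limited to one address; the legacy server is the one to fix, by replacing the 0.0.0.0/0 sources with your VPN or bastion address. The same walk works for other providers once you map their rule fields onto the protocol, port range and source list.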

8. Have an Incident Response Plan

When (not if) something goes wrong, having a plan dramatically reduces the damage and recovery time.

Your plan doesn’t need to be elaborate. Write down:

  • Who’s responsible for deciding if you have an incident?
  • Who do you call (IT support, cybersecurity incident response)?
  • What do you do first? (Disconnecting affected systems from the network is usually step one. Don’t wipe or reimage them until whoever is investigating has what they need from them.)
  • What’s the communication plan? (Staff? Customers? Regulators?)
  • What are your reporting obligations? (Under PIPEDA, a breach that creates a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada, and the affected individuals must be notified, as soon as feasible.)

Keep this document somewhere accessible — not just on systems that might be compromised.

PIPEDA and Nova Scotia Businesses

PIPEDA applies to federally regulated organizations and private-sector organizations that collect, use, or disclose personal information in commercial activities. Most Nova Scotia businesses qualify.

Key PIPEDA obligations relevant to cybersecurity:

  • Safeguard personal information with appropriate security measures
  • Report “breaches of security safeguards” that create a “real risk of significant harm” to affected individuals and to the Office of the Privacy Commissioner of Canada
  • Keep records of every breach of security safeguards for 24 months, whether or not it meets the reporting threshold, and provide them to the Commissioner on request

Practically: if your customer database gets breached, you likely have a notification obligation. An incident response plan that includes a reporting procedure is not just good practice — it’s required.

Getting Started

If you haven’t addressed cybersecurity at all, start with items 1 (MFA) and 2 (backups). Those two controls prevent the majority of catastrophic incidents. Then work through the list in order — you don’t need to do everything at once.

Our cybersecurity services include security assessments, employee training, and ongoing security monitoring tailored for Atlantic Canada SMBs. Contact us to get started.