Cybersecurity Tips for Small and Medium-Sized Businesses in Canada

By: Lindsay McKay

Published On: October 21, 2021

No matter how small or big your business is, there are minimum cybersecurity controls that you should implement to keep your company, employees, and clients safe. To begin with, every employee should receive some form of training, whether through self-paced cybersecurity courses or through instructor-led entry-level courses such as an A+ training course.

The Canadian Centre for Cyber Security released a publication with recommendations for small and medium organizations in Canada to improve their resiliency and cybersecurity investments. I will outline the document, including how to determine the scope your business needs and some baseline controls your business should be implementing.

Determining the Scope Your Business Needs 

Firstly, determine whether you are a small or medium business: these baseline controls are intended for organizations with fewer than 499 employees. If you have more, you need to invest in more comprehensive cybersecurity measures.

Determine What Information Technology is in Scope 

Create an inventory of all computers, servers, information systems, mobile devices, and all other information system assets, whether owned, contracted, or otherwise used. Before you can decide on measures, you need to know how many systems require protection and the full scope of your technology use and needs.

Determine the Value of Information Systems and Assets 

It is essential that businesses understand the value of their information, from the sensitive information of customers and clients to competitive proprietary intellectual property. Once you have an understanding of all the information you hold, assess the injury level of each asset based on the confidentiality, integrity, and availability of the information systems and/or data.

Confirm the Cyber Security Threat Level and Investment Levels 

Self-identify your organization's primary cyber threat and reference the National Cyber Threat Assessment 2018 if you think you have a serious threat that minimum baseline controls won’t protect against.  

There should be someone in a leadership role who is specifically responsible for IT security. It is highly recommended that this person is well educated, with at minimum CySA+ training and 5+ years of experience. While industry analysis indicates that organizations typically spend up to 13% of their IT budget on cybersecurity, it is recommended to commit to progressive improvements and to audit continually, adding more measures depending on what your business specifically needs.

Minimum Baseline Controls to Implement  

  1. Develop an Incident Response Plan: Focus the plan on who is responsible for detection and analysis, containment, eradication and recovery, and post-event activities, including internal and external communications.
  2. Authorize Automatic Patching: Enable automatic patching for all software and hardware, and conduct risk assessments to determine whether your current software is capable of what you need and able to update automatically.
  3. Enable Security Software: Use the measures available to you, including anti-malware solutions and firewalls. Having someone with Security+ training on your team can ensure proper firewall installation and keep everything up to date.
  4. Use Strong User Authentication: Implement two-factor authentication wherever possible, and have a clear policy on password length, reuse, and storage of passwords (and ensure no sharing is taking place). Do not enforce mandatory password changes; passwords should be changed only when suspicious activity has occurred.
  5. Provide Employee Awareness Training: As I have previously mentioned, provide ongoing training for all employees – even non-IT roles can learn more than the basics. If you are looking for corporate training, check out TechnoEdge Learning. Good basic training for non-IT employees includes online courses such as Fundamentals+ and A+ training; for IT employees, a Network+ training course would be beneficial to ensure best practices for IT infrastructure.
  6. Secure Websites: Ensure your websites meet the OWASP ASVS Level 1 guidelines.
  7. Secure Portable Media: Develop and enforce a mandate for organization-owned portable media, including USB drives, SD cards, business mobile devices, and tablets.

Protect your organization's data, networks, employees, customers, and clients; it costs too much to recover from an attack or breach, especially if you are unprepared.


The information contained in this post is considered true and accurate as of the publication date. However, the accuracy of this information may be impacted by changes in circumstances that occur after the time of publication. Ashton College assumes no liability for any errors or omissions in the information contained in this post or any other post in our blog.
