A Practical Cybersecurity Checklist for Small Businesses in BC
Small businesses hold information that matters: customer records, email, invoices, payroll data, cloud files, passwords, and access to financial accounts. Attackers do not need to defeat an enterprise security team if a reused password, unpatched computer, exposed remote-access tool, or convincing phishing message gives them an easier route.
The good news is that meaningful improvement does not require chasing every security product. It starts with a small number of well-implemented controls, clear ownership, and regular verification. The Canadian Centre for Cyber Security recommends a baseline approach for small and medium organizations that includes updates, multi-factor authentication, backups, training, access control, and incident readiness.
This checklist is a practical starting point for small businesses in Maple Ridge and across British Columbia.
1. Know what systems and information you depend on
You cannot protect what nobody has documented. Create a current inventory of computers, mobile devices, network equipment, cloud services, business applications, domains, websites, email accounts, payment systems, and third-party providers.
For each item, record who owns it, who has administrative access, how it is updated, where its data is stored, and what happens if it becomes unavailable. Identify the information that would cause the greatest operational, legal, or reputational damage if it were lost or disclosed.
This inventory becomes the foundation for backup planning, account cleanup, software maintenance, and incident response.
2. Use stronger authentication—especially for critical accounts
Passwords alone are not enough for email, cloud storage, remote access, financial services, social media, domain registration, and administrative accounts. Enable multi-factor authentication wherever possible.
Not all MFA methods offer equal protection. The Canadian Centre for Cyber Security recommends phishing-resistant options such as FIDO2 security keys, passkeys, and Windows Hello for Business. These methods are designed to resist sophisticated login pages that attempt to capture both credentials and session tokens.
Begin with the accounts that can reset other accounts or control the business:
- Primary email and Microsoft 365 or Google Workspace administrator accounts
- Domain registrar, DNS, and website hosting
- Accounting, banking, and payment systems
- Remote-access and VPN accounts
- Backup administration
- Social media and advertising platforms
Avoid shared administrator logins. Each person should use an individual account with only the access needed for their role. Review accounts promptly when responsibilities change or a staff member leaves.
3. Keep operating systems, applications, and network devices current
Security updates close known weaknesses in operating systems, browsers, office software, business applications, routers, firewalls, access points, and other connected equipment. Establish a patching routine and verify that updates actually complete.
Unsupported software is a separate risk. If a device cannot run a supported operating system or a critical application no longer receives fixes, plan its replacement or isolation. Windows 10 standard support, for example, ended in October 2025. Our guide to Windows 10 end of support and Windows 11 readiness explains the migration choices once that replacement article is published.
For managed environments, managed IT services can provide consistent monitoring, patching, maintenance, and direct support instead of relying on somebody to remember every device manually.
4. Back up essential data—and test the restore
A backup is only useful if it contains the right information, is protected from the same incident, and can be restored when needed. The Cyber Centre recommends backing up essential business information to a secure external location, encrypting backups, restricting access, and regularly verifying restoration.
A strong plan usually includes multiple layers. Local recovery can be fast, while an off-site or appropriately isolated copy protects against theft, fire, hardware failure, and ransomware that reaches connected storage. Cloud synchronization alone should not automatically be treated as a complete backup; accidental deletion or malicious changes may also synchronize.
Define:
- Which systems and folders are essential
- How much data the business can afford to lose
- How quickly each system must be restored
- Where backup copies are stored
- Who can access or delete them
- How often restore tests are performed
Document the result of each test. “The backup job is green” is not the same as proving that files, permissions, and applications can be recovered.
5. Reduce phishing and payment-fraud risk
Modern phishing is often polished, timely, and tailored to normal business activity. Staff should have a simple procedure for verifying unexpected requests, password prompts, banking changes, gift-card purchases, urgent invoices, and file-sharing links.
For sensitive changes, use a second trusted communication channel. Do not confirm a banking change by replying to the same email that requested it. Teach staff how to report suspicious messages quickly without embarrassment; early reporting can reduce the impact of a compromised account.
Email-domain protections such as SPF, DKIM, and DMARC can also make it harder for attackers to impersonate your domain, but they need to be configured carefully to avoid disrupting legitimate mail.
6. Separate devices and secure remote access
Guest devices, personal devices, smart equipment, cameras, payment systems, and business computers should not automatically share unrestricted access to the same network. Appropriate network segmentation limits unnecessary communication and can reduce the impact of a compromised device.
Remote-access tools should be approved, current, protected by strong MFA, and restricted to the people who need them. Review installed remote-control software and remove tools that are unused or were added for a one-time support session.
2Tech Computing provides cybersecurity services for home and business and premium business networking so identity, endpoints, backups, and network controls can be assessed together.
7. Prepare for an incident before one occurs
Write down who should be contacted if an account is compromised, a computer is encrypted, data is exposed, or a business system becomes unavailable. Include the IT provider, insurer, legal or privacy contacts, financial institutions, critical vendors, and internal decision-makers where applicable.
Preserve logs and evidence. Do not immediately wipe a device or pay a demand without expert guidance. Know how to isolate affected systems, reset credentials from a trusted device, notify relevant parties, and continue the most critical business operations.
An incident plan does not need to be complicated, but it must be accessible when normal email or file systems are unavailable.
Frequently asked questions
Is antivirus enough for a small business?
No. Endpoint protection is important, but it cannot replace MFA, updates, secure backups, access control, phishing procedures, network security, and incident planning.
What should receive MFA first?
Start with email, administrator accounts, remote access, backup systems, domain and hosting accounts, financial services, and any account that can reset other credentials.
How often should backups be tested?
Testing frequency should reflect how critical the data is and how quickly it changes. The essential requirement is a documented schedule and proof that restoration works—not merely confirmation that a backup task ran.
Can cybersecurity support be delivered remotely across BC?
Many account, endpoint, cloud, policy, and configuration tasks can be handled through secure remote support. Network installation or physical hardware work may require on-site service depending on location and scope.
Turn the checklist into a maintained system
Security controls lose value when accounts, devices, software, and staff change but the plan does not. Contact 2Tech Computing for a practical cybersecurity review or ongoing IT support tailored to the size and risk profile of your business.
0 comments