Most small business owners want to do the right thing on cybersecurity but don’t know where to start. The advice from large enterprise security frameworks (NIST, ISO 27001) is overwhelming, and the marketing from cybersecurity vendors is full of jargon.

Here’s a practical checklist of the security controls every BC small business should have in place, listed in order of priority.

Tier 1: The non-negotiables (do these first)

  1. MFA on every email account. Microsoft 365 and Google Workspace both make this free. There is no excuse not to enable it.
  2. MFA on every cloud business application. Banking, payroll, accounting, CRM, file storage. If it has business value, it needs MFA.
  3. A password manager for every employee. 1Password Business or Bitwarden Business. Eliminates password reuse, which is the root cause of most credential attacks.
  4. Endpoint Detection & Response (EDR) on every computer. Microsoft Defender for Business is included with M365 Business Premium. SentinelOne or CrowdStrike if you need a standalone product.
  5. Automatic operating system and browser patching. Configured to install patches within 7 days of release.

Tier 2: The serious controls (do these in the first 90 days)

  1. Email security with link rewriting and attachment sandboxing. Built into M365 Business Premium, or add-on solutions like Avanan or Proofpoint.
  2. Tested, immutable cloud backups of all business-critical data, with quarterly restore tests.
  3. Documented offboarding process. When an employee leaves, their access is revoked within 24 hours. Document the steps; don’t rely on memory.
  4. Security awareness training for all staff. Phishing simulation tools like KnowBe4 deployed quarterly.
  5. Disk encryption (BitLocker on Windows, FileVault on Mac). If a laptop gets stolen, encrypted data is useless to the thief.

Tier 3: The mature controls (do these in the first 6 months)

  1. Conditional access policies. Restrict access to business systems based on device compliance, location, or risk score.
  2. Mobile device management (MDM). Enforce encryption on phones and tablets, and enable remote wipe for lost devices.
  3. Network segmentation. Guest WiFi separated from business WiFi, IoT devices on isolated networks.
  4. Documented incident response plan. A written plan for what happens during a ransomware incident, data breach, or major outage.
  5. Vendor security review process. Before adding a new SaaS tool, verify their security posture (SOC 2 report, MFA support, data processing terms).

Tier 4: The compliance-ready controls (for regulated industries)

  1. Data classification policy. Know which data is sensitive (PHI, PII, financial) and apply enhanced controls.
  2. Audit logging on all sensitive systems. Track who accessed what and when.
  3. Privileged access management. Admin accounts separated from daily-use accounts; just-in-time elevation for administrative tasks.
  4. Annual third-party security assessment. An external review identifies gaps your internal team will miss.
  5. Cyber liability insurance. With a documented control posture that satisfies the insurer’s underwriting requirements.

Where to start

If you’re reading this list and most of the Tier 1 items aren’t in place, start there. MFA on email alone blocks the majority of credential attacks. EDR alone blocks most malware. These are the highest-impact, lowest-cost wins.

If you’d like a specific assessment of your current posture against this checklist, we offer a free 30-minute consultation. We’ll review where you are, identify your top three gaps, and give you a prioritized plan.