Cyberattacks on Canadian small businesses aren’t a hypothetical risk — they’re a daily reality. According to the Canadian Centre for Cyber Security, small and medium-sized businesses are disproportionately targeted because they hold valuable data but typically have weaker defences than larger enterprises. In BC, where many businesses lack dedicated IT staff, the gap between risk and readiness is especially wide.
This checklist is written for BC small business owners who want practical, actionable steps — not a graduate-level cybersecurity course. Work through it section by section. Each item you complete reduces your real-world risk.
Section 1: Accounts and access
✅ Use strong, unique passwords for every account
Every business account — email, banking, cloud storage, accounting software, social media — should have a unique password that is not reused anywhere else. Use a password manager (Bitwarden, 1Password, or similar) to generate and store them.
✅ Enable multi-factor authentication (MFA) on everything that matters
MFA is the single most effective security control available to small businesses. It means that even if your password is stolen, an attacker still can’t get in without a second factor (your phone, a hardware key, etc.). Enable it on: email, banking, cloud storage, accounting software, your website admin panel, and any system that contains client data.
✅ Remove accounts that no longer need access
Former employees whose accounts are still active are a serious vulnerability. Review your user accounts quarterly. Remove or deactivate anyone who no longer works with you, and revoke access to any shared accounts they were using.
✅ Use separate admin and regular user accounts
Your day-to-day computer use should be from a standard user account, not an administrator account. If malware runs under an admin account, it has far more power to do damage. Create a separate admin account for software installation and system changes only.
Section 2: Devices and software
✅ Keep all software and operating systems updated
The vast majority of successful cyberattacks exploit known vulnerabilities — flaws that already have patches available. Keeping Windows, macOS, browsers, and all business software updated closes these doors automatically. Enable automatic updates wherever possible.
✅ Install endpoint protection on every device
Windows Defender (built into Windows 10/11) is adequate baseline protection for most small businesses. For businesses handling sensitive client data, consider a more robust endpoint detection and response (EDR) solution. Whatever you use, make sure it’s active and updated on every device that touches your business data.
✅ Encrypt sensitive data on laptops and mobile devices
If a laptop is stolen, encryption means the data on it is unreadable without the correct login credentials. Enable BitLocker on Windows or FileVault on Mac. For mobile devices, modern iOS and Android devices encrypt by default — ensure devices are protected with a PIN or biometric lock.
✅ Establish a policy for personal devices (BYOD)
If employees use personal phones or laptops for work, your business data is on devices you don’t control. At minimum, require that personal devices used for work have a PIN/password, encryption enabled, and automatic screen lock.
Section 3: Email security
✅ Train yourself and staff to recognize phishing
Phishing — fraudulent emails designed to trick you into handing over credentials or clicking malicious links — accounts for a large percentage of successful cyberattacks against small businesses. Red flags include: unexpected urgency, requests for passwords or wire transfers, sender addresses that look almost right, and unexpected attachments.
When in doubt: don’t click. Go directly to the website by typing the address into your browser. Call the sender on a known phone number to verify.
✅ Set up email authentication (SPF, DKIM, DMARC)
These are DNS records that make it harder for attackers to impersonate your email domain. Your hosting provider or IT support team can configure these. They’re non-negotiable for any business with a custom domain email address.
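As an added example (not part of the original checklist), this Python script flags the weak spots that most often remain after SPF and DMARC are "set up": an SPF record that ends in a softfail-only "~all", a DMARC policy left at monitor-only "p=none", and no address for the aggregate reports. The domain example.ca and its TXT records are constructed samples; replace them with the records your own DNS lookup returns.

```python
"""Flag weak SPF and DMARC settings in a domain's TXT records."""

# Constructed sample records for a hypothetical domain (example.ca is a
# documentation name). Replace with the TXT records you get from DNS.
SAMPLE_TXT = {
    "example.ca": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.ca": ["v=DMARC1; p=none; rua=mailto:reports@example.ca"],
}


def check_spf(txt_records):
    """Return findings for the SPF record (an empty list means nothing to fix)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so any server can send mail as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one record is a permanent error for receivers")
    final = spf[0].split()[-1].lower()  # the last term should be the 'all' rule
    if final == "~all":
        findings.append("SPF: '~all' only softfails forged mail; use '-all' once every sender is listed")
    elif final != "-all":
        findings.append("SPF: record does not end in '-all', so forged mail passes")
    return findings


def check_dmarc(txt_records):
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record, so receivers have no policy for forged mail"]
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see aggregate reports")
    return findings


def audit(domain, txt_by_name):
    return {"spf": check_spf(txt_by_name.get(domain, [])),
            "dmarc": check_dmarc(txt_by_name.get("_dmarc." + domain, []))}


if __name__ == "__main__":
    for name, findings in audit("example.ca", SAMPLE_TXT).items():
        print(name, findings or ["ok"])
```

DKIM is not checked here because its selector name is specific to your mail provider; confirm it separately in your Microsoft 365 or Google Workspace admin console.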
✅ Enable spam filtering and malware scanning on email
If you’re using Microsoft 365 or Google Workspace, built-in filtering is solid and should be enabled. Check that it’s actually active — it’s not always on by default on lower-tier plans.
Section 4: Backups
✅ Follow the 3-2-1 backup rule
Three copies of your data, on two different types of media, with one copy offsite (or in the cloud). For most BC small businesses this looks like: local files + an external drive + a cloud backup service.
Popular options like Microsoft 365 OneDrive, Google Drive, Dropbox, and Amazon S3 work well and are widely used — but it’s worth knowing that all are US-based companies, meaning your data is subject to US law, including the CLOUD Act, which allows American authorities to compel access to data stored by US providers regardless of where the servers physically are. For Canadian businesses handling sensitive client information, that’s a meaningful distinction.
If data sovereignty matters to you — and for many Canadian & BC businesses it should — a fully Canadian backup solution keeps your data under Canadian jurisdiction and subject only to PIPEDA and BC’s PIPA. ClientVaultPro is one such option: Canadian-owned, Canadian-hosted, built specifically for businesses that need to know exactly where their data lives and who can access it.
✅ Test your backups regularly
A backup that hasn’t been tested is not a backup — it’s a hope. At least quarterly, restore a sample of files from your backup to verify the process actually works. Discovering your backup is corrupted or incomplete after a ransomware attack is a catastrophic situation.
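An added example, not from the original checklist: one way to make the quarterly restore test objective is to record a SHA-256 checksum of every file at backup time and compare the restored copy against that list, which catches both files that came back corrupted and files that never came back at all. The sample files and the corrupted/missing cases below are constructed in a temporary folder.

```python
"""Verify a restore against a SHA-256 manifest taken at backup time.

Added example: the files below are constructed in a temp dir; point
build_manifest at your live folder and verify_restore at the restored copy.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to the SHA-256 digest of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; empty lists mean a clean restore."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(p for p in restored if p not in manifest),
    }


def demo():
    """Constructed scenario: one file restored intact, one corrupted, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "live")
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "list.csv").write_text("name,email\nA,a@example.ca\n")
        (src / "invoice.txt").write_text("Invoice 001")
        (src / "notes.txt").write_text("meeting notes")
        manifest = build_manifest(src)                  # keep this with the backup
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)                  # stand-in for your restore step
        (restored / "invoice.txt").write_text("Invoice 0")  # simulated corruption
        (restored / "notes.txt").unlink()                   # simulated missing file
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```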
✅ Keep at least one backup offline or air-gapped
Ransomware increasingly targets connected backup systems and encrypts them along with your main files. An offline backup (an external drive that is disconnected when not in use) can’t be encrypted remotely.
Section 5: Network security
✅ Change default router credentials
The default admin username and password on most routers (often “admin” / “admin”) are publicly known. Change them immediately on any router you control. While you’re there, make sure the router firmware is updated.
✅ Use a separate guest Wi-Fi network
Clients, visitors, and personal devices should use a separate guest network that is isolated from your main business network. This prevents a compromised device from spreading to your business systems.
✅ Secure remote access with a VPN
If staff connect to office systems remotely, they should do so through a VPN — not directly through exposed remote desktop or file sharing ports. Exposed RDP (Remote Desktop Protocol) ports are one of the most common entry points for ransomware attacks.
Section 6: PIPEDA compliance for BC businesses
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to most private-sector businesses in BC that collect, use, or disclose personal information in commercial activity. Key obligations include:
- Obtaining meaningful consent before collecting personal data
- Limiting collection to what’s necessary for the stated purpose
- Protecting personal information with appropriate security measures
- Notifying individuals and the Privacy Commissioner of Canada in the event of a breach that poses a “real risk of significant harm”
- Retaining personal data only as long as necessary
If your business collects client names, addresses, emails, payment information, or any other personal data — PIPEDA applies to you. A basic privacy policy on your website and documented data handling practices are the starting point.
Section 7: Incident response
Have a basic plan before you need it:
- Isolate the affected device — disconnect it from Wi-Fi and unplug the ethernet cable immediately
- Don’t pay the ransom — it doesn’t guarantee file recovery and funds criminal enterprises
- Call your IT support provider — immediately; don’t try to fix it yourself
- Preserve evidence — don’t wipe the device until your IT team has assessed it
- Notify affected parties — if client data was compromised, you have legal obligations under PIPEDA
Getting professional help with cybersecurity in Vernon BC
This checklist covers the essentials, but implementation — especially for businesses without in-house technical staff — often requires professional support. Tachyon’s Website Maintenance & Security Plans and IT services include security monitoring, patch management, backup oversight, and guidance on the controls above.
Contact Tachyon for a free cybersecurity assessment →
The bottom line
Most successful cyberattacks against BC small businesses exploit preventable weaknesses — weak passwords, unpatched software, absent backups, or employees who don’t recognize phishing. Working through this checklist systematically puts you ahead of the majority of small business targets.
Start with Sections 1 and 4 — accounts/access and backups — and work from there.
Tachyon Business & Computer Solutions provides cybersecurity, IT support, and website security services for businesses in Vernon BC and throughout the Okanagan Valley. Contact us to discuss your security needs.
Need local IT support or cybersecurity help in Vernon BC? See how Tachyon can help →
Is your business protected against today’s threats?
Tachyon helps Vernon BC businesses stay secure with our Website Maintenance and Security Plans and IT support services – built for small business budgets. Contact us for a free security check