Cybersecurity 2025: The 10 Essential Controls for SMEs in Quebec

A list of priority, concrete, and affordable actions to reduce 80% of risks, meet insurers’ requirements, and comply with Law 25.

Attacks targeting SMEs are on the rise, and insurer requirements are tightening. Here are 10 essential, pragmatic and quickly applicable controls to strengthen your security posture in Quebec.

1) MFA Everywhere
Enable multi-factor authentication for email, VPN, CRM/ERP, remote access and administrator accounts. Favor authenticator apps (or hardware keys) over SMS codes, which can be intercepted or SIM-swapped.

2) Patch Management
Automate Windows/macOS, browser and third-party application updates. Establish a monthly patching schedule with compliance reports, and treat actively exploited vulnerabilities as out-of-cycle emergencies.

3) 3-2-1 Backups and Restore Testing
3-2-1 rule: 3 copies, on 2 media types, with 1 copy off-site, and ideally offline or immutable so ransomware cannot encrypt or delete it. Test restoration quarterly, not just backup job success. Document RPO/RTO.

4) Modern EDR/Antivirus
Deploy an EDR solution with behavioral detection and automated response. Cover servers, workstations and managed mobile devices.

5) Identity and Access Management
Principle of least privilege, separation of admin accounts from daily-use accounts, quarterly access reviews. Disable accounts promptly upon departure (automated offboarding).

6) Microsoft 365/Google Workspace Security
Enable baseline protection: MFA, sharing policies, DLP, Safe Links/Attachments, audit and logs. Configure legal archiving according to your obligations.

7) Awareness and Phishing Simulations
Short, regular training sessions, in French, followed by simulated phishing campaigns. Measure click rates and reward reporting.

8) Incident Response Plan
Draft a simple plan: who to contact, how to isolate, who decides, communication procedures. Conduct an annual table-top exercise.

9) Logging and Monitoring
Centralize critical logs (authentication, M365/Google, firewall, EDR) and define alerts on them, for example sign-ins without MFA or bursts of failed logons. Outsource to a SOC service if you don't have an internal team.

10) Third-Party Management and Cyber Insurance
Inventory suppliers and external access. Assess their security controls. Prepare the documentation insurers ask for (MFA, backups, EDR, IRP).

Law 25 Compliance
Inventory of personal information, retention policies, consent mechanisms, incident register
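Controls 1 and 9 only pay off once someone actually looks at the authentication logs. The following example, added here and not part of the original page, shows the two alerts an SME could start with: successful sign-ins that satisfied no second factor, and bursts of failed logons from a single source IP. The field names (`createdDateTime`, `userPrincipalName`, `ipAddress`, `authenticationRequirement`, `status.errorCode`) follow the Microsoft Entra sign-in log schema as an assumption of this example, and the records below are constructed sample data, not a real export.

```python
"""Minimal sign-in alert logic for controls 1 (MFA) and 9 (monitoring).

Added example, not code from the original page. Field names follow the
Microsoft Entra sign-in log schema (assumed); sample records are constructed.
errorCode 0 is a successful sign-in, any other value is a failure.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-01T08:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
]
# Six failed attempts against an admin account from one IP in five minutes.
SAMPLE_SIGNINS += [
    {"createdDateTime": f"2025-03-01T09:{i:02d}:00Z", "userPrincipalName": "admin@example.com",
     "ipAddress": "198.51.100.7", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}}
    for i in range(6)
]
# Two isolated failures from another IP, half an hour apart: normal typos.
SAMPLE_SIGNINS += [
    {"createdDateTime": ts, "userPrincipalName": "carol@example.com",
     "ipAddress": "198.51.100.8", "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}}
    for ts in ("2025-03-01T09:10:00Z", "2025-03-01T09:40:00Z")
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def single_factor_successes(records):
    """Users who signed in successfully without satisfying a second factor."""
    return sorted({
        r["userPrincipalName"] for r in records
        if r["status"]["errorCode"] == 0
        and r["authenticationRequirement"] != "multiFactorAuthentication"
    })


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Source IPs with at least `threshold` failures inside any sliding `window`.

    Returns {ip: peak_failures_in_window}. A sliding window rather than a
    fixed hourly bucket avoids missing a burst that straddles a bucket edge.
    """
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["ipAddress"]].append(parse_ts(r["createdDateTime"]))

    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until all timestamps fit inside `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def build_alerts(records, threshold=5, window=timedelta(minutes=10)):
    """Render both checks as alert strings ready for a ticket or SOC feed."""
    alerts = [f"NO_MFA: {upn} signed in without a second factor"
              for upn in single_factor_successes(records)]
    for ip, count in sorted(failed_logon_bursts(records, threshold, window).items()):
        alerts.append(f"BRUTE_FORCE: {count} failed sign-ins from {ip} within {window}")
    return alerts


if __name__ == "__main__":
    for line in build_alerts(SAMPLE_SIGNINS):
        print(line)
```

Run against an actual export, the NO_MFA list is also a quick way to find the accounts that a Conditional Access or Workspace 2-Step policy still does not cover; the burst threshold and window should be tuned to the size of the organisation before paging anyone.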
