Cybersecurity Checklist for Montreal Businesses in 2026
2026-07-07 · IPCONNEX
Most cybersecurity advice is either too vague to act on or written for enterprise IT teams with six-figure security budgets. This is neither. What follows is the actual baseline that every Montreal business with 10 to 200 employees should have in place. It's also roughly what your cyber insurer is checking when they underwrite your policy — and what Quebec's Law 25 expects you to have done.
Go through this with your IT team or provider. Anything unchecked is a risk that's currently sitting on your balance sheet.
Identity
Multi-factor authentication on every account that matters. This means Microsoft 365, Google Workspace, your banking portals, your VPN, your cloud backups, and your IT management tools. MFA on your Microsoft 365 account alone blocks the overwhelming majority of credential-based attacks. If someone's not using an authenticator app (not SMS — SMS MFA is bypassed regularly with SIM swapping), fix that first.
No shared passwords. Shared login credentials are an audit and security failure. When someone leaves the company, you don't know what they still have access to. Every person gets their own account. Full stop.
Privileged access management. Your IT admin accounts should not be the same as your daily-use accounts. Admins should have a separate account used only for administrative tasks — never for checking email or browsing. In Microsoft 365, this means having a standard account for day-to-day use and a separate cloud-only Global Admin account with MFA enforced.
Offboarding process exists and is followed. When an employee leaves, their accounts need to be disabled the same day — not "sometime this week." Define who's responsible for this and document the steps. Every account active for a departed employee is an open door.
Endpoints
Patch management is automated and verified. Windows updates, macOS updates, and third-party application patches (Chrome, Adobe, Java, Office if not using 365) should be handled automatically and confirmed monthly. Unpatched systems are the most common initial entry point for ransomware. Tools like NinjaRMM, Intune, or WSUS can automate this at scale.
EDR is deployed — not just antivirus. Traditional signature-based antivirus misses most modern threats. Endpoint Detection and Response (EDR) tools like Microsoft Defender for Business (included in Microsoft 365 Business Premium at ~$26/user/month), SentinelOne, or CrowdStrike Falcon Go actually detect behavioral anomalies and can isolate infected machines before the damage spreads.
Disk encryption is on. BitLocker on Windows, FileVault on Mac. Every laptop, every time. If a laptop is lost or stolen and the disk isn't encrypted, whatever's on it is readable by whoever finds it. This is also a Law 25 requirement if you store personal information.
Network
Firewall with logging enabled. A firewall that doesn't log is only half useful. You need to be able to look back at what happened when something goes wrong. Consumer-grade routers from your ISP are rarely sufficient for business use. A Sophos, Fortinet, or pfSense-based firewall with monitored logging is the standard.
Guest WiFi is separated from your main network. Your guest network should have no access to internal systems, file shares, or printers. If a client or visitor connects to your WiFi and their device is compromised, that compromise should not be able to reach your servers.
VPN for remote access. Employees working from home or remotely should connect to company resources via VPN — not via exposed RDP ports or third-party remote access tools left open to the internet. Exposed RDP (port 3389) is actively scanned and attacked daily. If you have it open, close it.
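While the port is still open (and to confirm nothing already got in before you closed it), the scanning the post describes shows up in the Windows Security log as bursts of failed RDP logons. Added example, not from the post or IPCONNEX: the input is a constructed, simplified event export (time, event ID, logon type, source IP, target user) that a real Event Viewer or SIEM export would be mapped onto; the IPs and usernames are made up.

```python
"""Flag RDP brute force in Windows Security events. Added example, not IPCONNEX
tooling; input is a constructed, simplified export (time, event ID, logon type,
source IP, target user), which a real Event Viewer or SIEM export maps onto."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"            # logon type 10 = RemoteInteractive (RDP)
FAILED, SUCCESS = "4625", "4624"  # failed logon / successful logon event IDs
# Constructed sample: one internet source hammering 3389, then getting in.
SAMPLE_EVENTS = """\
2026-07-06T02:14:01 4625 10 203.0.113.45 administrator
2026-07-06T02:14:03 4625 10 203.0.113.45 admin
2026-07-06T02:14:05 4625 10 203.0.113.45 backup
2026-07-06T02:14:08 4625 10 203.0.113.45 jsmith
2026-07-06T02:14:10 4625 10 203.0.113.45 jsmith
2026-07-06T02:14:14 4624 10 203.0.113.45 jsmith
2026-07-06T08:02:11 4625 10 192.168.10.22 mtremblay
2026-07-06T08:02:40 4624 10 192.168.10.22 mtremblay
"""


def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, ip, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "ip": ip, "user": user})
    return events


def detect_rdp_bruteforce(events: list[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> dict:
    """Per source IP: alert on >= threshold RDP failures inside `window`, and
    escalate when a success follows such a burst (guess-then-login pattern)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        failures[ev["ip"]] = recent
        if ev["id"] == FAILED:
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                alerts.setdefault(ev["ip"], "brute_force")
        elif ev["id"] == SUCCESS and len(recent) >= threshold:
            alerts[ev["ip"]] = "success_after_brute_force"  # treat as compromise
    return alerts
```

A single internal user mistyping a password once (the 192.168.10.22 lines) produces no alert; the external source does, and its eventual success is escalated rather than treated as a normal logon.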
Data
3-2-1 backup rule in place. Three copies of your data, on two different media types, with one copy offsite. In practice for most SMBs: your production data, a local backup (NAS or external drive), and a cloud backup (Backblaze B2, Azure Backup, or Veeam Cloud). The offsite copy is what saves you from ransomware that targets local backups.
Restore tests happen monthly. A backup that's never been restored is an assumption, not a safety net. Someone on your team — or your IT provider — should pull a file or a folder from backup every month and confirm the restore actually works. Document it.
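"Confirm the restore actually works" means more than seeing the file reappear: the restored copy should be byte-identical to production, and the result should be written down. Added example, not IPCONNEX's tooling or any backup product's API: it assumes the backup software has already restored a sample of files into a scratch folder, then hashes each one against production and appends a dated JSON record. The file names, the `demo` scenario and the tester name are constructed.

```python
"""Monthly restore test with evidence. Added example, not IPCONNEX tooling: the
backup product is assumed to have already restored a sample into `restored_dir`;
this script proves the restored files match production and records the result."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def verify_restore(source_dir: Path, restored_dir: Path, sample: list[str]) -> dict:
    """Compare each sampled file in production against its restored copy."""
    findings = {}
    for rel in sample:
        src, dst = source_dir / rel, restored_dir / rel
        if not dst.exists():
            findings[rel] = "MISSING"    # restore job skipped or failed this file
        elif sha256_file(src) != sha256_file(dst):
            findings[rel] = "MISMATCH"   # truncated, corrupted or wrong restore point
        else:
            findings[rel] = "OK"
    return {"tested_on": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sample_size": len(sample),
            "passed": all(v == "OK" for v in findings.values()),
            "findings": findings}


def write_evidence(record: dict, evidence_log: Path, tester: str) -> None:
    """Append one JSON line per test: the documented monthly record to keep."""
    with evidence_log.open("a") as f:
        f.write(json.dumps({"tester": tester, **record}) + "\n")


def demo() -> dict:
    """Constructed scenario: three files restored, one of them truncated."""
    root = Path(tempfile.mkdtemp())
    prod, restored = root / "prod", root / "restored"
    for d in (prod, restored):
        d.mkdir()
    sample = ["contracts.csv", "payroll.xlsx", "notes.txt"]
    for name in sample:
        (prod / name).write_bytes(name.encode() * 100)
        (restored / name).write_bytes(name.encode() * 100)
    (restored / "payroll.xlsx").write_bytes(b"payroll.xlsx" * 50)  # bad restore
    record = verify_restore(prod, restored, sample)
    write_evidence(record, root / "restore-tests.jsonl", tester="it-provider")
    return record
```

A truncated or partially restored file passes a glance in Explorer but fails the hash comparison, which is the case the monthly test exists to catch.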
Sensitive data isn't sitting on personal devices. Personal devices being used for work are a data governance problem. If an employee's personal laptop has client contracts, personal health information, or financial data on it, and that laptop is lost, stolen, or compromised — that's potentially a Law 25 breach notification event.
Compliance (Law 25)
Quebec's Act respecting the protection of personal information in the private sector (Law 25) has been in full effect since September 2023. The obligations that apply to most Montreal SMBs:
Data mapping is done. You should know what personal information you collect, where it lives, who has access to it, and how long you keep it. This doesn't need to be complicated — a spreadsheet works — but it needs to exist.
You have a privacy officer. Every organization subject to Law 25 must designate someone responsible for personal information protection. This is often the owner, office manager, or IT manager. Their name should be published on your website.
You have a breach notification plan. If a privacy incident occurs, you have 72 hours to report it to the Commission d'accès à l'information (CAI) if there's a "serious risk of harm." You need a documented process for detecting, assessing, and reporting incidents. Improvising this after a breach is significantly worse.
Cyber Insurance Reality Check
Most SMB cyber insurance policies now require — at minimum — MFA on email and remote access, endpoint protection beyond basic antivirus, and documented backup procedures before they'll pay a claim. If you don't have these and you file a claim, insurers will look for reasons to deny it. The checklist above covers what they're looking for.
If you want help running through this against your current environment, that's exactly what we do. Contact IPCONNEX for a no-pressure infrastructure audit — we'll tell you where you stand.