Cybersecurity is an industry with a serious overselling problem. The threat landscape for Canadian businesses is real — ransomware, business email compromise, and supply chain attacks are not theoretical. But the gap between what most SMBs need and what security vendors try to sell them is wide. This guide is an attempt to be honest about that gap: what the actual baseline looks like, what the more advanced layers are for and when they make sense, and how to evaluate a vendor without getting swept into a stack you cannot manage.
The threat landscape for Canadian SMBs
The most common incidents affecting Canadian businesses of 20 to 500 people fall into a short list: ransomware delivered via phishing or exposed remote desktop, business email compromise (BEC) that redirects payments or impersonates executives, credential theft from password reuse or phishing, and supply chain compromise through a vendor or software dependency. The vast majority of these incidents succeed because of a small number of control failures — not because attackers defeated sophisticated defences.
The implication for buyers is useful: the controls that would have stopped most of the incidents you read about in the news are not exotic. Multi-factor authentication, patched software, endpoint protection with monitoring, and tested backups stop most of what actually hits businesses at your scale. Getting those things right, consistently, is the work.
What cybersecurity your business actually needs
Before evaluating any vendor, map your current posture against the baseline that security frameworks and insurers have converged on for Canadian SMBs.
Endpoint protection
Every device that touches your network or data should have endpoint detection and response (EDR) running on it — not legacy antivirus, which operates on known signatures and misses a large class of modern attacks. EDR detects suspicious behaviour rather than known malware files, and most platforms include some degree of response capability. The key question is not just whether it is installed, but whether anyone is reviewing alerts.
Identity and access controls
Multi-factor authentication on every remote access system, every cloud application, and every email account is no longer optional for any business carrying meaningful data. It is the single highest-ROI control for most organizations and the first thing your insurer will ask about. Beyond MFA: least-privilege access (people have access to what they need, not everything), prompt deprovisioning of former employee accounts, and regular reviews of who holds admin credentials.
Backup and recovery
Backup protects you from ransomware, hardware failure, and accidental deletion. A backup that has never been tested is a backup of unknown value. The detail that has become critical with ransomware: backup isolation — your backup data needs to be in a location or configuration that a ransomware attack cannot reach and encrypt. That typically means offsite or cloud backup with immutable storage or air-gapped separation from your primary systems.
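The restore test the paragraph calls for is mostly a comparison problem: did every file come back, and did it come back byte-for-byte? The script below is an added example (not code from this guide or from any vendor it discusses) of a file-level restore check: it records a SHA-256 manifest of the source at backup time, performs a restore, and diffs the two. The demo run, sample files and the simulated truncation and missing file are constructed; isolation (immutable or air-gapped storage) is a property of where the backup lives and is assumed rather than implemented here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Hash in 1 MiB chunks so large backup sets do not need to fit in memory.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(expected, restored_root):
    """Compare the manifest captured at backup time with what the restore produced.

    A backup job that 'completed' can still restore a truncated or missing file;
    this is the check that turns 'backup of unknown value' into a pass/fail result.
    """
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    changed = sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p])
    return {
        "ok": not (missing or changed),
        "checked": len(expected),
        "missing": missing,   # files the restore did not bring back
        "changed": changed,   # files that came back with different content
        "extra": extra,       # files present after restore that were never backed up
    }


def demo():
    """Constructed end-to-end run: back up, restore, damage the restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = Path(tmp, "source"), Path(tmp, "backup"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        (src / "reports").mkdir()
        (src / "db" / "ledger.sqlite").write_bytes(b"\x00" * 4096)   # constructed sample data
        (src / "reports" / "q1.csv").write_text("vendor,amount\nacme,1200\n")
        (src / "notes.txt").write_text("restore me")

        expected = build_manifest(src)   # captured when the backup job ran
        shutil.copytree(src, bak)        # stands in for the backup job
        shutil.copytree(bak, rst)        # stands in for the restore test

        # Simulate two common restore failures: a truncated file and a file that never came back.
        (rst / "db" / "ledger.sqlite").write_bytes(b"\x00" * 4095)
        (rst / "reports" / "q1.csv").unlink()
        return verify_restore(expected, rst)


if __name__ == "__main__":
    print(demo())
```

Run the restore from the isolated copy, not from the primary storage the backup job reads, otherwise the test says nothing about what survives a ransomware event. Keep the manifest separate from the backup itself, and keep the pass/fail reports: they are the evidence an insurer or auditor asks for when "backups are tested" appears on the questionnaire.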
Email security
Email is the primary delivery mechanism for phishing, BEC, and ransomware. Filtering that blocks malicious attachments and links, combined with some form of user awareness training, addresses the most common entry point. Advanced email security platforms add impersonation detection and link sandboxing — useful additions, but secondary to the basics being in place.
Patching
A large share of successful attacks exploit vulnerabilities that have patches available. The question is whether your patching process is actually running, on what cadence, and whether it covers all endpoints including remote workers. This is an operational discipline question as much as a technology question.
MDR vs. managed firewall vs. SIEM: what each layer does
The managed security market uses acronyms interchangeably in ways that obscure what you are actually buying. Here is what each layer provides.
Managed firewall. A third party manages and monitors your perimeter firewall — rule updates, patching the firewall itself, and alerting on unusual traffic. This is infrastructure management, not active threat hunting. Useful for businesses without the internal expertise to manage network security devices, but it does not provide visibility into what is happening on your endpoints or inside your cloud environment.
MDR (Managed Detection and Response). MDR provides active monitoring of your environment — typically endpoints and sometimes network and cloud — with human analysts who investigate alerts and take containment actions. The key differentiator from just having EDR software is the human response layer. MDR services vary significantly in scope: what environments they cover, whether response is automated or human-led, and response time commitments. Clarify these before signing.
SIEM (Security Information and Event Management). A SIEM aggregates logs and events from across your environment and applies detection rules to identify suspicious patterns. By itself, a SIEM is a tool that requires skilled analysts to get value from — it generates alerts that someone needs to investigate. Managed SIEM wraps analysts around it. For most SMBs, a well-configured MDR service addresses the monitoring need without the complexity and cost of a standalone SIEM.
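To make the "aggregates logs, applies detection rules, generates alerts someone must investigate" description concrete, here is an added example (not code from this guide or from any SIEM product it mentions) of one correlation rule run over constructed authentication log lines: many failed logins from one source followed by a success raises a high-severity alert, and a burst of failures with no success raises a medium one. The log format, IP addresses, usernames and thresholds are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like format (not real data).
SAMPLE_LOGS = """\
2024-03-02T01:58:03Z auth sshd: Failed password for admin from 203.0.113.45
2024-03-02T01:58:09Z auth sshd: Failed password for admin from 203.0.113.45
2024-03-02T01:58:14Z auth sshd: Failed password for root from 203.0.113.45
2024-03-02T01:58:20Z auth sshd: Failed password for admin from 203.0.113.45
2024-03-02T01:58:27Z auth sshd: Failed password for backup from 203.0.113.45
2024-03-02T01:58:33Z auth sshd: Accepted password for admin from 203.0.113.45
2024-03-02T02:10:11Z auth sshd: Failed password for jsmith from 198.51.100.7
2024-03-02T02:10:40Z auth sshd: Accepted password for jsmith from 198.51.100.7
2024-03-02T02:30:01Z auth sshd: Failed password for admin from 192.0.2.77
2024-03-02T02:30:05Z auth sshd: Failed password for admin from 192.0.2.77
2024-03-02T02:30:09Z auth sshd: Failed password for admin from 192.0.2.77
2024-03-02T02:30:13Z auth sshd: Failed password for admin from 192.0.2.77
2024-03-02T02:30:17Z auth sshd: Failed password for admin from 192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(raw):
    """Normalise raw lines into event dicts; unparseable lines are skipped here."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production SIEM would count these, since parser gaps hide attacks
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """One correlation rule: per source IP, count failures in a sliding window."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        failures = []  # recent failure events for this source, within the window
        for e in evs:
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if e["result"] == "Failed":
                failures.append(e)
                continue
            # A success after a burst of failures is the high-priority case.
            if len(failures) >= threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "src": src, "user": e["user"],
                               "failures": len(failures), "ts": e["ts"]})
            failures = []  # a success closes the window either way
        # A burst with no success still needs a human to decide whether to block the source.
        if len(failures) >= threshold:
            alerts.append({"rule": "brute_force_attempt", "severity": "medium",
                           "src": src, "user": None,
                           "failures": len(failures), "ts": failures[-1]["ts"]})
    return alerts


def run_rules(raw=SAMPLE_LOGS):
    """Parse then apply the rule; returns the alert queue an analyst would work."""
    return detect_brute_force(parse(raw))


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Note what the output is and is not: two alerts, one of which (a successful login after five failures) is almost certainly worth an analyst's time, and one (five failures, no success) that could be an attack or a user with a stale password in a script. Deciding which is which, and tuning the threshold so the queue stays workable, is the analyst labour the paragraph refers to, and it is what a managed SIEM or MDR contract is really pricing.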
How cyber insurance is reshaping what you need to buy
Cyber insurance has become one of the most practical drivers of security improvement for Canadian businesses — because insurers have gotten specific about what they require. The controls that appear most consistently on insurer questionnaires: MFA on remote access and email, EDR on endpoints, backup isolation, and documented incident response steps. Some insurers now also ask about privileged access management, security awareness training frequency, and whether you have a third-party security assessment.
The risk in the current environment is attesting to controls you do not actually have. Insurers are increasingly scrutinizing claims, and a gap between what you attested to and your actual posture at the time of an incident can result in a denied claim. Review your application before your next renewal and confirm you are in compliance with what you signed.
Red flags when evaluating vendors
Selling complexity before addressing the basics
A vendor who leads with SIEM, threat intelligence, or zero-trust architecture before asking about your MFA coverage and backup testing is selling to your anxiety, not advising you. The basics, done well, stop the vast majority of incidents that hit Canadian SMBs.
Vague scope in the managed service agreement
What exactly is monitored? What does the provider do when they detect something — alert you, or take action? What is the response time commitment? What is not covered? Managed security services have wide variance in scope. If the contract does not answer these questions specifically, you do not know what you are buying.
No clear incident response process
Ask: if you detect ransomware in my environment at 2 am on a Saturday, what happens? Who does what, in what order, within what timeframe? A good security provider has a documented answer. A provider who describes this vaguely is telling you something important about their actual capability.
Stack complexity without proportional benefit
More products are not more security. A business running five overlapping security tools that no one actively manages is less secure than a business running three well-configured tools with someone monitoring them. Ask any vendor to explain specifically what gap their product fills that your existing tools do not cover.
The evaluation checklist
1. Audit what you currently have before you buy anything new. Many businesses are paying for tools that are installed but misconfigured or unmonitored.
2. Review your cyber insurance application and confirm you are in compliance with every control you attested to.
3. Confirm MFA is enabled on every remote-access system, cloud application, and email environment. This is the single highest-leverage control for most SMBs.
4. Test your backups with an actual restore — not just confirm that backup jobs are completing.
5. Map your endpoint coverage: are EDR agents installed and active on every device that accesses your network or data?
6. Ask any managed security provider specifically what they do when they detect a threat — alert only, or active response?
7. Confirm patch cadence: how long does a critical patch take to deploy across your devices?
8. Understand your identity perimeter: who has admin access, is privileged access reviewed regularly, and are former employee accounts deprovisioned promptly?
9. Ask a vendor about their SOC coverage model — is it 24/7, and is it in-house or outsourced?
10. Check whether your security tools produce reports you can share with your insurer or auditor if required.
When to bring in a procurement desk
Cybersecurity procurement is harder to compare than most technology categories because vendors structure their services differently, scope their managed agreements loosely, and price in ways that make side-by-side comparison genuinely difficult. Our desk works with a curated set of Canadian security providers and can help you map your requirements to the right level of service — including cases where your existing controls are adequate and the answer is to optimize what you have, not buy something new.
Reviewed by the SwitchU procurement desk — last reviewed June 2026.