Resource Guide
A practical baseline covering network security, access controls, endpoint protection, data backup, email security, vendor risk, and incident response readiness.
This checklist is a baseline — the controls that most Canadian businesses should have in place, not a comprehensive security framework. It is organized into seven areas; each item is a binary check: in place, or not.
Work through it as a gap analysis: identify what is in place, what is partially implemented, and what is missing entirely. Then prioritize the gaps by risk — the items with the highest potential impact (MFA, backups, endpoint protection) should come before the less critical ones.
This checklist does not substitute for a professional security assessment for businesses with complex environments, regulated data, or high-value targets. It is a practical starting point for businesses building or auditing a security baseline.
Network security
Firewall in place at every location — not just the default router/modem combination from the ISP.
Separate guest Wi-Fi network isolated from the business network.
No default credentials on any network device — routers, switches, Wi-Fi access points.
VPN required for all remote access to internal systems.
Network segmentation between operational technology (if applicable) and corporate IT.
Access controls
Multi-factor authentication (MFA) enabled for all email, cloud services, and remote access.
Principle of least privilege — staff have access only to what their role requires.
Administrator accounts separate from day-to-day user accounts.
Offboarding process that terminates all system access on the employee's last day.
Password policy requiring minimum length and no reuse — or a password manager.
Endpoint protection
Endpoint detection and response (EDR) software on all company devices.
Automatic OS and software updates enabled — or a managed patching process.
Full disk encryption on all laptops.
Mobile device management (MDM) for company mobile devices, with remote wipe capability.
Clear policy on personal device use for company work — and what company data can be on personal devices.
Data backup
Regular automated backups of all critical business data.
Backup copies stored separately from the primary data — ideally offsite or in a separate cloud account.
Backup restoration tested at least annually — untested backups are not backups.
Recovery time objective (RTO) and recovery point objective (RPO) defined for critical systems.
Immutable backups in place for critical data to protect against ransomware.
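Two of the backup items above are only meaningful if something actually checks them: a restore test has to prove the restored files are the ones that were backed up, and an RPO has to be compared against the age of the newest good backup. The following Python script is an added example of such a check; it is not from this guide or from SwitchU, and the files, hashes and timestamps it uses are constructed for the demonstration. It records a SHA-256 manifest at backup time, compares a restored tree against that manifest, and reports whether the last good backup falls within the RPO.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source: Path) -> dict[str, str]:
    """Record relative path -> SHA-256 for every file under source at backup time.
    The manifest is stored alongside the backup copy and is what a restore is checked against."""
    return {
        path.relative_to(source).as_posix(): sha256_file(path)
        for path in sorted(source.rglob("*"))
        if path.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest; list files missing, corrupt, or unexpected."""
    report: dict[str, list[str]] = {"missing": [], "corrupt": [], "extra": []}
    for rel_path, expected in manifest.items():
        target = restored / rel_path
        if not target.is_file():
            report["missing"].append(rel_path)
        elif sha256_file(target) != expected:
            report["corrupt"].append(rel_path)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    report["extra"] = sorted(present - set(manifest))
    return report


def rpo_met(last_successful_backup: datetime, rpo: timedelta, now: datetime) -> bool:
    """True when the newest good backup is recent enough to satisfy the RPO."""
    return now - last_successful_backup <= rpo


def demo() -> dict[str, object]:
    """Constructed scenario: two files are backed up, then the restore comes back with one file
    silently altered and one file missing. All paths and timestamps are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(live)  # taken at backup time

        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")  # altered content
        # notes.txt is deliberately not restored
        result: dict[str, object] = dict(verify_restore(manifest, restored))

    # A 24-hour RPO with the last good backup 30 hours ago fails the check.
    last_backup = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed
    now = datetime(2024, 1, 2, 6, 0, tzinfo=timezone.utc)  # constructed
    result["rpo_met"] = rpo_met(last_backup, timedelta(hours=24), now)
    result["restore_ok"] = not (result["missing"] or result["corrupt"])
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The manifest must travel with the backup copy, not stay on the primary system, otherwise a compromise of the primary can alter both the data and the record used to check it. Running this against a restore to a scratch location once a year is the minimum the checklist asks for; scheduling it after every backup cycle turns the item into continuous monitoring.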
Email security
Email filtering in place — SPF, DKIM, and DMARC records configured.
Advanced threat protection or email security gateway for phishing and malicious attachment detection.
Staff trained to recognize phishing emails — at minimum an annual awareness session.
Clear process for reporting suspected phishing internally.
Executive email accounts monitored for business email compromise (BEC) indicators.
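"SPF, DKIM, and DMARC records configured" is often ticked off when the records merely exist. The most common gap is a DMARC record left at p=none, which asks receivers to take no action on failures, and an SPF record that ends in +all or ?all, which authorizes any sender. The Python script below is an added example, not part of this guide or SwitchU's tooling, that inspects the text of the two records and flags those weak settings; the sample records and the domain example.ca are constructed. It does not query DNS, so it runs offline against records you paste in.

```python
import re

# Constructed sample records for a fictional domain (not taken from the page).
# The SPF record is sound; the DMARC record is monitoring-only (p=none), the
# most common weak state behind a ticked "DMARC configured" box.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.ca"

# Mechanisms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def check_spf(record: str) -> list[str]:
    """Return the weaknesses found in one SPF TXT record (empty list = no findings)."""
    findings: list[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        mech = term.lower()
        if mech.startswith("redirect="):  # a modifier, but it still costs a DNS lookup
            lookups += 1
            continue
        qualifier = "+"  # SPF's implicit qualifier is pass
        if mech[0] in "+-~?":
            qualifier, mech = mech[0], mech[1:]
        name = re.split(r"[:/]", mech, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
        if name == "all" and all_qualifier is None:
            all_qualifier = qualifier  # terms after the first 'all' are never evaluated

    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted senders receive no explicit result")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorizes every sender on the internet")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral and provides no enforcement")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record into lowercase tag -> value pairs."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return the weaknesses found in one DMARC TXT record (empty list = no findings)."""
    findings: list[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing v=DMARC1 tag"]
    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        return ["DMARC: missing or invalid 'p' tag; receivers ignore the record"]
    if policy == "none":
        findings.append("DMARC: p=none asks receivers to take no action; monitoring only")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH[policy]:
        findings.append(f"DMARC: subdomain policy sp={sub_policy} is weaker than p={policy}")
    pct = tags.get("pct", "100")  # pct defaults to 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves part of the mail stream outside the policy")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports and failures go unseen")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> dict[str, object]:
    """Combine both checks; 'enforcing' is true only when DMARC p is quarantine or reject."""
    policy = parse_dmarc(dmarc_record).get("p", "").lower()
    return {
        "spf_findings": check_spf(spf_record),
        "dmarc_findings": check_dmarc(dmarc_record),
        "enforcing": policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess_domain(SAMPLE_SPF, SAMPLE_DMARC), indent=2))
```

A domain passes this check only when SPF ends in -all or ~all, stays under the ten-lookup limit, and DMARC is at quarantine or reject with a rua address so the aggregate reports are actually collected. DKIM is not covered here because its record is a public key rather than a policy; the equivalent check is that every sending service signs and that the selectors it uses are published.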
Vendor risk
Inventory of all third-party vendors with access to your systems or data.
Security questionnaires or assessments completed for vendors handling sensitive data.
Data processing agreements in place with all vendors that process personal information.
Process to revoke vendor access when the relationship ends.
Monitoring in place for alerts about major incidents at key vendors.
Incident response readiness
Incident response plan documented and accessible offline.
Clear ownership for incident response — who leads, who is notified, in what order.
Cyber insurance policy in place and coverage limits understood.
Legal counsel identified who specializes in privacy breaches.
PIPEDA/provincial breach reporting obligations understood — who to notify, within what timeline.
Canadian context
PIPEDA requires organizations to implement security safeguards appropriate to the sensitivity of the personal information they hold. Mandatory breach reporting to the Office of the Privacy Commissioner applies to breaches that create a real risk of significant harm — with notification also required to affected individuals.
Quebec’s Law 25 (Bill 64) adds requirements with meaningful teeth: a designated Privacy Officer, mandatory privacy impact assessments for certain cross-border transfers, and mandatory prompt notification of confidentiality incidents to the Commission d’accès à l’information and affected individuals. Organizations operating in Quebec should treat Law 25 compliance as a floor, not a ceiling.
British Columbia and Alberta both have private-sector privacy laws that apply in place of PIPEDA for provincially regulated activities. The baseline controls on this checklist satisfy the practical security requirements of all three statutes — the compliance differences are primarily in the notification and governance obligations, not the technical controls.
Get started
SwitchU sources cybersecurity services — endpoint protection, email security, managed detection and response — alongside internet and voice. Tell us what you are looking to address.
For what we source and how the desk works, see our cybersecurity solution page.