Cybersecurity for SMEs: 7 Essential Habits

By Guillaume Knepper · May 6, 2026 · ~6 min read

In 2025, 60% of cyberattacks in Canada targeted SMEs. And among those hit, nearly one in five never recovers. Yet most of these attacks exploit simple vulnerabilities: a weak password, a phishing email, a forgotten update.

The good news? You don't need a 20-person IT department to protect yourself. Here are 7 concrete habits any SME can adopt today.

1. Enable multi-factor authentication (MFA) — everywhere

This is the most effective and simplest measure. MFA adds a second layer of verification when logging in: beyond your password, you confirm your identity via your phone or an authenticator app.

According to Microsoft, MFA blocks 99.9% of automated attacks. Enable it on:

  • Your business email (Microsoft 365, Google Workspace)
  • Your cloud tools (CRM, ERP, online accounting)
  • Your banking and financial accounts
  • Your company social media accounts

Immediate action: Check right now if MFA is enabled on your business email.

2. Train your team to recognize phishing

Phishing remains the number one attack vector. An email that appears to come from your bank or a supplier, with a malicious link — that's all it takes to compromise your network.

Warning signs to teach your team:

  • Artificial urgency — "Your account will be suspended in 24 hours"
  • Suspicious sender address — check the actual domain, not just the display name
  • Suspicious links — hover over the link before clicking to see the real URL
  • Unexpected attachments — especially .zip, .exe files or documents asking to enable macros
  • Unusual wording or errors — though AI is making attempts increasingly convincing

Immediate action: Send an internal email to your team with these 5 warning signs.
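The warning signs above can also be checked mechanically, which is useful when explaining them to staff or building a first mail filter. The script below is an added example, not part of the original article: it applies four of the listed indicators (display name versus real sender domain, visible link text versus the real URL, urgency wording, risky attachment types) to two constructed messages. The trusted-domain list, the phrase list and the sample messages are all made up for illustration.

```python
"""Phishing warning-sign checks over constructed sample e-mails (added example,
not from the article). Trusted domains, phrases and messages are constructed."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical company legitimately deals with.
TRUSTED_DOMAINS = {"example-bank.ca", "acme-supplier.com"}
URGENCY_PHRASES = ("within 24 hours", "suspended", "immediately", "urgent")
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".docm", ".xlsm")
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def sender_domain(from_header):
    """Split a From: header into (display name, lower-cased real domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname of a URL-like string, or '' if the text is not a URL at all."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return ""
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def check_message(msg):
    """Return the warning signs found in one constructed message dict."""
    findings = []
    name, domain = sender_domain(msg["from"])
    # Display name borrows a trusted brand while the real domain differs.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in name.lower() and domain != trusted:
            findings.append(f"display name suggests {trusted} but domain is {domain}")
    if any(p in msg["body"].lower() for p in URGENCY_PHRASES):
        findings.append("artificial urgency")
    # Visible link text claims one host, the href points somewhere else.
    collector = LinkCollector()
    collector.feed(msg["body"])
    for text, href in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    for fname in msg.get("attachments", []):
        if fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
    return findings


# Constructed sample messages: one phishing attempt, one legitimate invoice.
SAMPLE_MESSAGES = [
    {
        "from": "Example Bank Security <alerts@example-bank-verify.net>",
        "body": ("Your account will be suspended within 24 hours unless you act. "
                 '<a href="http://example-bank-verify.net/login">'
                 "https://example-bank.ca/login</a>"),
        "attachments": ["statement.zip"],
    },
    {
        "from": "Acme Supplier Billing <billing@acme-supplier.com>",
        "body": ('Invoice 42 attached. <a href="https://acme-supplier.com/inv/42">'
                 "https://acme-supplier.com/inv/42</a>"),
        "attachments": ["invoice-42.pdf"],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", check_message(msg) or ["no warning signs"])
```

The first message trips all four checks; the second, whose display name also names a supplier but whose domain actually matches, trips none. That is the distinction to teach: the display name proves nothing, the domain after the @ and the host behind the link are what count.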

3. Update your software — no exceptions

Updates fix known security vulnerabilities that attackers actively exploit. An unpatched system is an open door.

What needs regular updating:

  • Operating system — Windows, macOS, Linux
  • Web browsers — Chrome, Firefox, Edge
  • Business applications — ERP, CRM, accounting software
  • Equipment firmware — routers, firewalls, network printers

Immediate action: Enable automatic updates on all workstations.

4. Back up your data using the 3-2-1 rule

Ransomware encrypts your data and demands payment. The best defense? Reliable backups.

The 3-2-1 rule:

  • 3 copies of your data (the original + 2 backups)
  • 2 different media (e.g., local disk + cloud)
  • 1 off-site copy (disconnected from the main network)

The critical point: regularly test your restores. A backup that doesn't work when you need it is worthless.

Immediate action: Check when your last backup was made.
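Both halves of this section, the 3-2-1 rule and the restore test, can be written down as checks rather than left to memory. The following is an added example, not from the article: a backup inventory (constructed) is tested against the three parts of the rule plus a freshness limit, and a restore test writes sample files into a tar archive, restores them to a second directory and compares SHA-256 hashes. The inventory, review date and file contents are made up; a real job would point at the real backup targets.

```python
"""3-2-1 rule check and restore test (added example, not from the article).
The inventory, the review date and the sample files are constructed."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed review date and inventory: one entry per copy of the data.
NOW = datetime(2026, 5, 6, 12, 0, tzinfo=timezone.utc)
BACKUP_INVENTORY = [
    {"name": "file-server", "medium": "local-disk", "offsite": False,
     "last_run": "2026-05-05T02:00:00+00:00"},
    {"name": "nas-copy", "medium": "local-disk", "offsite": False,
     "last_run": "2026-05-05T03:00:00+00:00"},
    {"name": "cloud-vault", "medium": "cloud", "offsite": True,
     "last_run": "2026-05-01T03:00:00+00:00"},
]


def check_3_2_1(inventory, now, max_age_days=2):
    """Return a list of problems; an empty list means 3 copies, 2 media,
    1 off-site, and every copy refreshed within max_age_days."""
    problems = []
    if len(inventory) < 3:
        problems.append(f"only {len(inventory)} copies, need 3")
    if len({c["medium"] for c in inventory}) < 2:
        problems.append("all copies on one kind of medium")
    if not any(c["offsite"] for c in inventory):
        problems.append("no off-site copy")
    for c in inventory:
        age = now - datetime.fromisoformat(c["last_run"])
        if age > timedelta(days=max_age_days):
            problems.append(f"{c['name']} last ran {age.days} days ago")
    return problems


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_test(files):
    """Archive `files` (name -> bytes), restore the archive into a separate
    directory and return True only if every restored file hashes identically."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restore")
        live.mkdir()
        restored.mkdir()
        for name, data in files.items():
            (live / name).write_bytes(data)
        archive = Path(tmp, "backup.tar")
        with tarfile.open(archive, "w") as tar:
            for name in files:
                tar.add(live / name, arcname=name)
        with tarfile.open(archive) as tar:
            tar.extractall(restored)
        # Compare content hashes, not just file names or sizes.
        return all(sha256_of(live / n) == sha256_of(restored / n) for n in files)


if __name__ == "__main__":
    print(check_3_2_1(BACKUP_INVENTORY, NOW) or "3-2-1 rule met, copies fresh")
    print("restore test passed:", restore_test({"ledger.csv": b"id,amount\n1,100\n"}))
```

With the constructed inventory the rule itself is met but the off-site copy is five days old, so the check reports exactly that. Dropping the cloud copy makes all three rule checks fail at once, which is the usual state of a "we have a backup" setup with a single external disk.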

5. Limit access to what's strictly necessary

Every employee should only access the systems and data they need for their job — nothing more. This is the principle of least privilege.

  • Don't give admin rights to everyone
  • Immediately disable accounts of departing employees
  • Separate personal and professional accounts
  • Review access permissions at least quarterly

Immediate action: List all active accounts in your systems. How many belong to people who no longer work for you?
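The quarterly review in this section is a join between two lists: the accounts that are enabled in your systems and the people HR says still work for you. The script below is an added example, not from the article: it reads a constructed account export, compares it with a constructed HR roster and list of known service accounts, and reports orphaned accounts, accounts unused for 90 days, and everyone holding admin rights. The CSV columns and the review date are assumptions for the example.

```python
"""Access review against the HR roster (added example, not from the article).
The account export, roster, service-account list and date are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed: what an export from an identity provider might look like.
ACCOUNTS_CSV = """username,enabled,is_admin,last_login
alice,true,true,2026-05-05T09:12:00+00:00
bob,true,false,2026-01-10T16:40:00+00:00
carol,true,false,2026-05-06T08:00:00+00:00
dave,true,true,2026-04-30T11:05:00+00:00
erin,false,false,2025-11-02T10:00:00+00:00
svc-backup,true,false,2026-05-06T02:00:00+00:00
"""

# Constructed: current employees from HR, and accounts owned by systems.
HR_ROSTER = {"alice", "carol", "dave"}
SERVICE_ACCOUNTS = {"svc-backup"}
NOW = datetime(2026, 5, 6, 12, 0, tzinfo=timezone.utc)  # constructed review date


def load_accounts(csv_text):
    """Parse the export into dicts with typed 'enabled', 'is_admin', 'last_login'."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["enabled"] = r["enabled"].strip().lower() == "true"
        r["is_admin"] = r["is_admin"].strip().lower() == "true"
        r["last_login"] = datetime.fromisoformat(r["last_login"].strip())
    return rows


def access_review(accounts, roster, service_accounts, now, stale_days=90):
    """Return {'orphaned': [...], 'stale': [...], 'admins': [...]} for enabled accounts.

    orphaned: enabled but neither an employee nor a known service account
    stale:    no login for more than stale_days
    admins:   every enabled account with admin rights, for the least-privilege check
    """
    findings = {"orphaned": [], "stale": [], "admins": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled, nothing to do
        user = a["username"]
        if user not in roster and user not in service_accounts:
            findings["orphaned"].append(user)
        if now - a["last_login"] > timedelta(days=stale_days):
            findings["stale"].append(user)
        if a["is_admin"]:
            findings["admins"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def run_review():
    return access_review(load_accounts(ACCOUNTS_CSV), HR_ROSTER, SERVICE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for category, users in run_review().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

On the constructed data, bob is both orphaned and stale: he left and nobody disabled the account. Keeping service accounts in their own list stops them from appearing as orphans every quarter, while still making them visible if they ever acquire admin rights.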

6. Secure your Wi-Fi network and remote access

Your office Wi-Fi is an often-overlooked entry point. With remote work, every connection from outside the office widens the attack surface further.

  • Change the default password on your router
  • Use WPA3 encryption (or WPA2 at minimum)
  • Create a separate guest network for visitors and personal devices
  • Use a VPN for remote connections
  • Disable remote access on services that don't need it

Immediate action: Check your router password. If it's still the factory default, change it immediately.

7. Prepare an incident response plan

The question isn't if you'll be targeted, but when. A simple but documented response plan makes all the difference.

Your plan should answer these questions:

  • Who to contact first? — IT manager, service provider, cyber insurer
  • How to isolate the threat? — Disconnect the affected workstation, don't shut down (preserve evidence)
  • How to communicate? — Ready-to-use communication template
  • Where are the backups? — Documented restoration procedure
  • What legal obligations? — In Quebec, Bill 25 (Law 25) requires reporting incidents involving personal information to the Commission d'accès à l'information

Immediate action: Write a one-page document with names, numbers and steps to follow in case of an incident.

Cybersecurity is a habit, not a project

None of these measures is complex or expensive. Most are free. But they require consistency and discipline. Cybersecurity isn't a one-time project — it's a set of habits that must become part of your company culture.

At CONSEIL SNDGK, we systematically factor in security when working on digital transformation mandates. Because an automated or connected system that isn't secured is a vulnerable system.