The 13 Baseline Cyber Security Controls Every Canadian SMB Should Have
If you’ve ever felt paralyzed by cybersecurity advice — too many tools, too many acronyms, no obvious starting point — the Canadian Centre for Cyber Security (CCCS) built something for you. Its Baseline Cyber Security Controls for Small and Medium Organizations distills the essentials into 13 controls. Get these in place and you’ve addressed the large majority of the attacks that actually hit small businesses.
These same 13 controls underpin CyberSecure Canada certification, so working through them does double duty.
Why a baseline matters
Most breaches at small organizations don’t involve clever, custom attacks. They involve a missing patch, a reused password, a click on a phishing email, or a backup that turned out not to work. The baseline is deliberately unglamorous because the fundamentals are what fail. It’s also risk-prioritized: it focuses your limited time and money on the controls with the biggest payoff.
The 13 controls, in plain language
1. Develop an incident response plan. Write down — before anything happens — who to call, how to isolate systems, and how to communicate. A one-page plan beats improvising at 2 a.m. (We have a free outline.)
2. Automatically patch operating systems and applications. Turn on automatic updates everywhere you can. Unpatched software is one of the most common ways in.
3. Enable security software. Run reputable anti-malware on every endpoint and keep it on. Modern EDR goes further than traditional antivirus — see MDR vs antivirus.
4. Securely configure devices. Change default passwords, disable unused features and services, and don’t ship with factory settings.
5. Use strong user authentication. Multi-factor authentication is the single highest-impact control on this list. Start with email, remote access, and admin accounts. Our MFA rollout guide walks through it.
6. Provide employee awareness training. Your people are the front line. Brief, regular training plus simulated phishing dramatically cuts click rates.
7. Back up and encrypt data. Follow a 3-2-1 approach, keep at least one copy offline or immutable, encrypt backups, and — critically — test that you can restore.
8. Secure mobility. Phones, tablets, and laptops leave the building. Use device management, screen locks, and encryption so a lost device isn’t a breach.
9. Establish basic perimeter defences. A properly configured firewall, email filtering, and web protection stop a lot of noise before it reaches a person.
10. Secure cloud and outsourced IT services. Your SaaS apps and IT providers are part of your attack surface. Turn on their security features and understand who’s responsible for what.
11. Secure websites. Keep your public-facing sites patched, use HTTPS, and lock down admin access.
12. Implement access control and authorization. Least privilege: give people access to only what their job needs, and remove access promptly when roles change or someone leaves.
13. Secure portable media. Control USB drives and external storage — they’re an easy route for malware in and data out.
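Control 7's "test that you can restore" is the step most often skipped, so here is an added example of what such a test looks like in practice (this is illustrative script, not part of the CCCS guidance or this post). It backs a directory up into a tar.gz with a SHA-256 manifest, restores it into a scratch directory, and fails if any file is missing or altered; all file names and contents are constructed for the demo.

```shell
# verify_restore.sh: a minimal "prove you can restore" check for control 7.
# Backs up a directory to a tar.gz with a SHA-256 manifest, restores it into a
# scratch directory, and checks every restored file against the manifest.
# All paths and sample files below are constructed for this demo.

# make_backup SRC_DIR ARCHIVE
# Writes ARCHIVE (tar.gz) from SRC_DIR plus a sidecar ARCHIVE.sha256 manifest.
make_backup() {
  local src="$1" archive="$2"
  ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.sha256" || return 1
  tar -czf "$archive" -C "$src" .
}

# verify_restore ARCHIVE
# Extracts ARCHIVE into a fresh temp dir and checks each file's hash.
# Returns 0 only if the archive extracts and every file matches the manifest;
# a missing, truncated or altered file makes this fail, which is the point.
verify_restore() {
  local archive="$1" manifest scratch rc=1
  manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
  scratch="$(mktemp -d)" || return 1
  if tar -xzf "$archive" -C "$scratch" 2>/dev/null \
     && ( cd "$scratch" && sha256sum -c "$manifest" ) >/dev/null 2>&1; then
    rc=0
  fi
  rm -rf "$scratch"
  return "$rc"
}

# demo: build constructed sample data, back it up, verify a healthy restore,
# then damage the archive and confirm the check catches it.
demo() {
  local work
  work="$(mktemp -d)" || return 1
  mkdir -p "$work/src/docs"
  printf 'invoice 1042\n' > "$work/src/docs/invoice.txt"
  printf 'name,rate\nalice,50\n' > "$work/src/payroll.csv"
  make_backup "$work/src" "$work/backup.tar.gz" || return 1
  verify_restore "$work/backup.tar.gz" || return 1   # healthy backup: passes
  # simulate silent corruption: keep only the first 20 bytes of the archive
  head -c 20 "$work/backup.tar.gz" > "$work/cut" && mv "$work/cut" "$work/backup.tar.gz"
  if verify_restore "$work/backup.tar.gz"; then return 1; fi   # must fail
  rm -rf "$work"
  return 0
}

demo && echo "restore test: OK"
```

Run it on a schedule against a real backup and alert on a non-zero exit; a backup that has never been restored is an assumption, not a control.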
Where to start
Don’t try to do all 13 at once. A sensible order for most SMBs:
- MFA (control 5) — biggest risk reduction for the least money.
- Backups you’ve tested (control 7) — your safety net against ransomware.
- Patching (control 2) — closes the most common entry point.
- Awareness training (control 6) — addresses the human factor.
From there, work through the rest and document what you’ve done — that documentation is most of what an assessor or insurer will want to see.
The honest part
The baseline isn’t hard to understand; it’s hard to sustain. Patches lapse, new staff need onboarding, backups silently fail. Getting to “all 13 in place” is a project. Keeping them all in place, month after month, is the real job — and the reason many Canadian businesses hand the day-to-day to a managed security partner.