Small Business Cyber Security: How to Stay Safe Online
SMBs are not too small to be hacked. They are the least guarded, and attackers know it. This guide covers the real risks today, the defensive actions that deliver the largest return on investment, and how ComputerWorks helps businesses across Vancouver and the Lower Mainland build workable, affordable cyber resilience.
Why SMBs are in the crosshairs
Cybercrime is no longer big-game hunting; it is a high-volume business, and SMBs are squarely in scope. Three trends explain why:
- Attackers' favourite entry points have not changed: stolen credentials, phishing, and unpatched software. Verizon's 2024 Data Breach Investigations Report (DBIR) found credential theft in 38% of breaches, phishing in 15%, and exploited vulnerabilities in 14%, with exploit-led breaches up 180% year over year.
- People are the biggest variable. The DBIR attributes 68% of breaches to a non-malicious human element (errors, stolen credentials, social engineering).
- Breaches are getting more expensive and more disruptive. IBM's 2024 Cost of a Data Breach report puts the global average at USD $4.88M, up 10% from the previous year, and finds that extensive use of security AI and automation delivers the largest cost savings.
- Lesson: attackers do not have to crack every lock; they look for the one left open: the account that is not secured, the system without a patch, the hurried click on a phishing email. That is why a handful of must-do controls make a disproportionate difference.
The five high‑impact controls every SMB should implement first
1) Turn on MFA everywhere (and prove it)
Multi-factor authentication (MFA) is the most effective single control against account takeover. Microsoft found that MFA reduces the risk of compromise by ~99%, and dedicated authenticator apps are more effective than SMS. Yet two-thirds of SMBs do not yet require MFA, often because it is perceived as expensive and difficult.
What “good” looks like:
- Require MFA for all users and administrators, not just IT.
- For privileged access, enforce phishing-resistant methods (authenticator app push, FIDO2 keys).
- Document the enforcement; auditors and insurers will ask for the evidence.
2) Patch with urgency (especially internet‑facing apps)
Exploit-based attacks rose sharply on the back of high-profile vulnerabilities in web applications and edge services. The window of exposure stays long: many organizations need about a month to patch even half of their critical vulnerabilities.
What “good” looks like:
- Weekly vulnerability scans and a 14-day remediation SLA for critical findings on internet-facing systems.
- An emergency patch channel for CVEs that are being actively exploited.
- Track closure rates on a dashboard; visible metrics change behaviour.
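A small SLA tracker for the dashboard described above, added here as an example rather than anything from the original post or from ComputerWorks. It assumes the page's 14-day window for critical findings on internet-facing systems, a 3-day emergency window for actively exploited CVEs (the page names no figure for that channel), and a constructed sample of scanner findings with placeholder CVE identifiers:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA window per patch channel. 14 days is the page's target for critical findings on
# internet-facing systems; the 3-day emergency window for exploited CVEs is an assumption.
SLA_DAYS = {"emergency": 3, "critical": 14}

@dataclass
class Finding:
    cve: str                    # placeholder IDs in SAMPLE below, not real CVEs
    host: str
    severity: str               # scanner rating: "critical", "high", ...
    internet_facing: bool
    actively_exploited: bool
    found: date
    closed: Optional[date] = None

    def channel(self) -> Optional[str]:  # None: no hard SLA in this model
        if self.actively_exploited:
            return "emergency"
        if self.severity == "critical" and self.internet_facing:
            return "critical"
        return None
    def due(self) -> Optional[date]:
        ch = self.channel()
        return None if ch is None else self.found + timedelta(days=SLA_DAYS[ch])

def sla_report(findings, as_of: date) -> dict:
    """Dashboard metrics: closure rate within SLA, still overdue, closed late."""
    in_scope = [f for f in findings if f.due() is not None]
    # Only findings already closed or already past due count toward the rate.
    measured = [f for f in in_scope if f.closed or f.due() < as_of]
    met = [f for f in measured if f.closed and f.closed <= f.due()]
    overdue = [f.cve for f in measured if not f.closed]
    late = [f.cve for f in measured if f.closed and f.closed > f.due()]
    rate = len(met) / len(measured) if measured else 1.0
    return {"in_scope": len(in_scope), "measured": len(measured), "met": len(met),
            "closure_rate": round(rate, 2), "overdue": overdue, "closed_late": late}

# Constructed sample scan output with placeholder CVE IDs, reported as of AS_OF.
AS_OF = date(2024, 7, 1)
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "web-01", "critical", True, False, date(2024, 6, 1), date(2024, 6, 10)),
    Finding("CVE-EXAMPLE-2", "vpn-gw", "high", True, True, date(2024, 6, 20), date(2024, 6, 22)),
    Finding("CVE-EXAMPLE-3", "web-02", "critical", True, False, date(2024, 6, 5)),
    Finding("CVE-EXAMPLE-4", "files-01", "critical", False, False, date(2024, 6, 1)),
    Finding("CVE-EXAMPLE-5", "mail-01", "critical", True, False, date(2024, 6, 25)),
    Finding("CVE-EXAMPLE-6", "edge-fw", "high", True, True, date(2024, 6, 10), date(2024, 6, 20)),
]
```

Running `sla_report(SAMPLE, AS_OF)` reports a 50% within-SLA closure rate, one finding still overdue and one closed late; a finding that is not yet due is excluded from the rate so the dashboard does not penalize work that is still inside its window.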
3) Protect endpoints with next‑gen EDR + default hardening
Ransomware and extortion keep evolving. Endpoint detection and response (EDR), attack surface reduction (ASR) rules, and application control stop most hands-on-keyboard attacks before they can spread. Microsoft Defender for Business brings enterprise-grade EDR, threat and vulnerability management, and automated response to SMBs, available standalone or as part of Microsoft 365 Business Premium.
What “good” looks like:
- Onboard all Windows/macOS devices to EDR.
- Enable tamper protection and ASR rules.
- Auto‑isolate compromised devices during investigations.
4) Train people on modern phishing (and test them)
Roughly a third of untrained users fail a phishing test, and targeted pretexting makes Business Email Compromise (BEC) expensive. Role-based training combined with simulated campaigns, kept up continuously, cuts click rates dramatically within 90 days.
What “good” looks like:
- Quarterly micro‑learning; monthly simulations that mirror current lures.
- Executive and finance‑team specific BEC drills.
- Clear “report phish” process; reward quick reporting.
5) Back up, isolate, and rehearse
How badly ransomware hurts depends on how well you can recover. Encrypted offline backups paired with rehearsed restore playbooks turn a crisis into a nuisance. CISA's guidance is the same: keep offline backups, patch, and rehearse your response.
What “good” looks like:
- 3‑2‑1 backups with immutable copies.
- Quarterly bare‑metal or VM restore tests with recovery time targets.
- Documented incident response with roles and contact trees.
Don’t overlook compliance: Canadian SMB obligations at a glance
If you operate in Canada (including BC, AB, or QC), breach-notification requirements likely apply to you. Under PIPEDA, an organization must report to the Privacy Commissioner any breach that is likely to cause serious harm, notify the affected individuals, and keep a record of every breach. Provincial laws such as Quebec's Law 25 and Alberta's PIPA add requirements of their own.
Action items:
- Keep a breach log (even near misses).
- Prepare regulator and customer notification templates now, not during a crisis.
- If you serve residents of BC, AB, or QC, align your controls (MFA, encryption, retention) with the provincial requirements.
How ComputerWorks helps SMBs in Greater Vancouver & the Lower Mainland
ComputerWorks acts as your virtual IT team: we design, deliver, and maintain these controls end to end so your team can concentrate on growth.
What you can expect from us:
- Cybersecurity Protection and Insurance Compliance: we map your controls (MFA, backups, EDR, and logging) to what cyber insurers and security frameworks require, and help you stay compliant.
- Microsoft 365 Security Enablement: we deploy and configure Microsoft 365 Business Premium security (Defender for Office 365, Defender for Business, and Conditional Access) in your environment.
- Backups and Business Continuity: offline, encrypted backups with regular restore testing, so ransomware does not become a business-ending event.
- 24/7 Help Desk and Monitoring: proactive maintenance, real-time alerts when something is amiss, and remote and on-site support.
- Network and Endpoint Hardening: firewalls, patching, endpoint baselines, and vulnerability remediation, measured and reported monthly.
With 45+ years in the region's business technology industry, our team has seen (and resolved) virtually everything: server outages, multi-site migrations, and incident recovery.
A practical 30‑day cyber hardening plan (you can start this week)
Week 1: Stop easy account takeovers
- Make MFA mandatory for all users and require phishing-resistant methods for administrators.
- Turn on Conditional Access templates and block legacy authentication protocols (IMAP/POP).
Week 2: Patch and protect endpoints
- Scan for critical vulnerabilities and fast-track patches for internet-facing systems.
- Onboard every device to Defender for Business, then enable ASR rules and auto-isolation.
Week 3: Backups and rehearsals
- Confirm 3-2-1 backups are in place, with at least one offline, immutable copy.
- Run a tabletop exercise that combines a ransomware scenario with an email compromise scenario.
Week 4: People and processes
- Start role-specific phishing training for executives, front desk staff, and finance personnel.
- Finalize the PIPEDA-compliant notification and incident response templates.
Want a partner to execute this plan end to end? ComputerWorks can deliver it as a fixed-price sprint and hand leadership and insurers the metrics and documentation they need.
Frequently asked questions (FAQ)
“We’re tiny, are we really a target?”
Yes. Attackers automate discovery at scale and exploit known vulnerabilities in bulk, and extortion and supply-chain campaigns often single out small vendors precisely because they have fewer defenses. DBIR data confirms that these entry vectors are universal, not enterprise-specific.
“Isn’t MFA enough?”
MFA is the highest-ROI control, but it must be combined with patching, EDR, backups, and phishing defenses to cover the other top entry vectors and limit the blast radius.
“What if we’re breached? Who do we notify in Canada?”
Under PIPEDA, you must report breaches that are likely to result in serious harm to the Office of the Privacy Commissioner, notify affected individuals, and keep records of all breaches. Provincial laws (e.g., QC Law 25, AB PIPA) may add obligations. Have templates ready.
Key takeaways (and next steps)
- Attackers take the easy route: known vulnerabilities, phishing, and stolen credentials. Close those first.
- Invest where it pays off: MFA, EDR, patching, backups, and user awareness give the best risk reduction per dollar.
- Measure and prove it: auditors and insurers now expect enforced MFA, fast patching, tested backups, and an incident response plan.
Ready to make your business harder to hack?
To benchmark your current security posture and receive a customized 30-day hardening plan for your environment, schedule a free consultation with the ComputerWorks team. (You can reach us by phone at 604-552-4008 or online.)