Free Resource · BC Small Business

IT Security Checklist

50 security controls your business should have in place. Built for BC small and mid-size businesses. No jargon, no upsell - just the checks that matter.

What is inside

Identity and access management (8 checks)
Email and phishing protection (6 checks)
Endpoint and device security (8 checks)
Network and firewall controls (7 checks)
Backup and disaster recovery (6 checks)
Software and patch management (6 checks)
Staff security awareness (5 checks)
Compliance and documentation (4 checks)

🔒

Used by BC businesses to prepare for cyber insurance

Insurers in BC increasingly require documented security controls. This checklist covers the top requirements most insurers ask about.

📊

Interactive - check items off as you complete them

The checklist is interactive in your browser. Print or save as PDF when done. No software required.

Free Download

Get instant access

Enter your details below. The full checklist will appear on this page immediately. No spam, ever.

Your progress

0 of 50 items complete

Get a Free IT Assessment

IT Security Checklist

Check off each control as you confirm it is in place. Gaps become your action list.

1 - Identity and Access Management

Multi-factor authentication (MFA) on all accountsMFA is enabled on Microsoft 365, Google Workspace, banking, and any system accessible from outside the office.

Password manager in useAll staff use a business password manager (e.g., Keeper, 1Password, Bitwarden). No shared sticky-note passwords.

Minimum password length of 14 characters enforcedPassword policy is set via Active Directory, Entra ID, or Google Admin and enforced automatically.

Admin accounts are separate from daily-use accountsStaff do not log in as domain admins for day-to-day work. Higher-level access is used only when needed.

Least-privilege access enforcedUsers only have access to the files, systems, and applications required for their role.

Offboarding checklist exists and is followedWhen an employee leaves, their accounts are disabled within 24 hours. Email forwarding, device recovery, and access removal are documented.

Shared/service accounts are inventoriedAll shared logins (e.g., reception@, admin@) are documented and reviewed at least annually.

Access review completed in last 12 monthsUser access rights were reviewed to confirm no former employees or unnecessary access remains active.

2 - Email and Phishing Protection

SPF record published and validYour domain has an SPF DNS record that authorizes your email sending services (e.g., Microsoft 365, Brevo, Google).

DKIM signing enabledYour email provider signs outgoing messages with DKIM. This prevents spoofing and helps deliverability.

DMARC policy set to reject or quarantineYour DMARC record instructs receiving servers to reject or quarantine unauthenticated email claiming to be from your domain.

Email filtering and anti-spam activeA third-party or built-in mail filter (Microsoft Defender, Proofpoint, etc.) scans inbound mail for malware and phishing.

External email warning banners enabledEmails arriving from outside your organization display a banner alerting staff before they click links or open attachments.

Phishing report button available to staffEmployees can report suspicious email with one click (Microsoft "Report Message" or a Phish Alert Button).

3 - Endpoint and Device Security

EDR (Endpoint Detection and Response) on all devicesAll company computers run a business-grade EDR solution (e.g., SentinelOne, Microsoft Defender for Business), not basic consumer antivirus.

Full-disk encryption enabledBitLocker (Windows) or FileVault (Mac) is enabled on all laptops and desktops. Recovery keys are stored securely off-device.

Automatic OS updates enabledWindows Update or macOS auto-update is configured to install security patches within 30 days of release.

Screen lock set to 10 minutes or lessAll devices lock automatically after a short idle period. Staff cannot disable this policy.

Company devices inventoriedYou have a current list of all company-owned computers, laptops, tablets, and phones, including make, model, serial number, and assigned user.

Mobile Device Management (MDM) in placeCompany-owned and/or BYOD devices used for work are enrolled in an MDM solution (Intune, Jamf, etc.) for remote wipe capability.

USB ports restricted on sensitive systemsEmployees cannot copy data to USB drives on servers or systems handling sensitive data.

End-of-life devices identified and replacedYou know which computers are running unsupported operating systems (e.g., Windows 10 end-of-life: Oct 2025) and have a replacement plan.

4 - Network and Firewall Controls

Business-grade firewall in placeYou have a dedicated firewall (Cisco, Fortinet, Sophos, etc.), not just a consumer router, protecting your network perimeter.

Guest Wi-Fi is separate from staff Wi-FiClients, visitors, or personal devices connect to a guest SSID that cannot reach internal servers or workstations.

VPN required for remote access to internal systemsStaff accessing on-premise servers, files, or internal apps from outside the office must connect via VPN.

Firewall firmware updated in last 6 monthsNetwork equipment (firewall, switches, access points) firmware is patched regularly and vendor support is current.

DNS filtering enabledDNS filtering (e.g., Cisco Umbrella, Cloudflare Gateway) blocks access to known malicious domains before a connection is made.

RDP (Remote Desktop) not exposed to the internetRemote Desktop Protocol is not accessible directly on port 3389 from the public internet. Access is behind VPN or a jump server.

Network diagram exists and is currentA diagram of your network layout (servers, switches, Wi-Fi, internet link) was updated within the last 12 months.

5 - Backup and Disaster Recovery

Daily automated backups runningAll critical business data (files, databases, email) is backed up automatically at least once per day.

Backups are stored off-site or in the cloudAt least one copy of your backup is stored in a separate physical location or cloud service, not just on-site.

Backup restores tested in last 6 monthsA test restore was performed to confirm data can actually be recovered. Successful backup jobs alone do not confirm restorability.

Retention policy documentedYou know how long backups are kept (e.g., 30 days daily, 12 months monthly) and this is set in your backup software.

Microsoft 365 or Google Workspace data backed up separatelyCloud email and files are not automatically protected against accidental deletion or ransomware. A third-party backup (Veeam, Datto SaaS, etc.) is in place.

Recovery time target (RTO) is definedYour team knows how long the business can tolerate downtime, and your backup strategy matches that expectation.

6 - Software and Patch Management

Software inventory is maintainedYou have a current list of all software installed across company devices, including version numbers.

Third-party software is patched regularlyApplications like browsers, Office, Adobe Reader, and Java are updated within 30 days of a security patch release.

Unsupported software removed or isolatedSoftware that no longer receives security updates (e.g., Windows 7, Office 2013) has been removed or isolated from the network.

Staff cannot install unauthorized softwareStandard user accounts cannot install software without IT approval, reducing the risk of accidental malware installation.

Patch management tool or process in placePatches are tracked and applied systematically, not ad hoc. This can be an RMM tool, WSUS, Intune, or a documented manual process.

Server OS patches applied within 30 daysOn-premise servers running Windows Server or Linux receive security updates within 30 days of release.

7 - Staff Security Awareness

Security awareness training completed in last 12 monthsAll staff completed a formal security awareness training program covering phishing, social engineering, and safe data handling.

Phishing simulation tests conductedStaff are tested with simulated phishing emails at least twice per year to measure and improve awareness.

IT Acceptable Use Policy (AUP) in placeA written policy exists covering acceptable use of company devices, internet, email, and data. All staff have signed it.

New employee IT security orientation completedNew hires receive IT security briefing as part of onboarding, covering passwords, phishing, reporting, and acceptable use.

Incident reporting process is known by all staffEvery employee knows who to contact and what to do if they suspect a security incident, click a phishing link, or lose a device.

8 - Compliance and Documentation

Written information security policy existsYour organization has a documented security policy covering data classification, access control, and acceptable use.

Incident response plan documentedYou have a written plan for responding to a breach, ransomware attack, or data loss, including contacts, steps, and notification obligations under PIPEDA.

Third-party vendor security reviewedVendors and service providers with access to your data or systems have been reviewed for their security posture (SOC 2, ISO 27001, or equivalent).

Annual security review scheduledA formal IT security review is scheduled at least once per year to assess gaps, review policies, and update controls.

Not sure how to close your gaps?

If you have more than a few unchecked items, our team can help. We work with BC businesses to implement the controls above on a flat monthly rate.

Get a Free IT Assessment Take the Security Quiz