← Blog

The Zero Trust Identity Checklist for 1-20 Employee Canadian Businesses: A Real 90-Day Rollout With Real Pricing

2026-07-17 · 9 min read

The Zero Trust Identity Checklist for 1-20 Employee Canadian Businesses: A Real 90-Day Rollout With Real Pricing
Most zero-trust advice written for Canadian businesses is scaled for a 50-150 employee company with a dedicated IT budget — useless for the 1-20 employee shop that makes up most of Canada's SMB base. This is the checklist built for that business: a real 90-day sequence from MFA to phishing-resistant passkeys to Conditional Access to Law 25 alignment, with honest Canadian-dollar pricing at every step, including the Entra ID licensing trap that catches almost everyone. See the full guide on Small Business Cybersecurity, or if you would rather have it handled, IT Cares can roll out MFA and Zero Trust for your team.

Why Canadian Small Businesses Keep Getting Breached Through Identity, Not Malware

Antivirus is not where Canadian SMBs are losing this fight. CloudOrbis's research found that 65% of Canadian small and medium businesses experienced a cyber incident in a recent 12-month period, and the entry point in the overwhelming majority of those cases was a stolen or guessed credential, not a zero-day exploit. IBM's 2025 Cost of a Data Breach Report puts the average Canadian breach at CA$6.32 million once you count downtime, notification costs, and lost business — a number that sounds like enterprise territory until you remember that a single compromised admin login at a 12-person accounting firm can trigger the same forensic and notification obligations as a breach at a bank. The Canadian Centre for Cyber Security (CCCS) treats this as predictable enough to name it directly: authentication is Baseline Control BC.5 in its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSAP.30.030, ITSAP.30.032, ITSAP.00.105), which exist specifically because most breaches start with someone logging in as you, not hacking around you. The reason this keeps happening at the smallest end of the market specifically is documented by the CFIB: 68% of Canadian small businesses cite a lack of specialized IT security talent as their top barrier to doing anything about it. Nobody in a five-person shop has time to read a NIST framework. What follows is not a framework. It is a sequence — four phases across 90 days, each with a real dollar figure attached, built for the business that has 1 to 20 employees and one person who also does the books.

Weeks 1-2: Turn On MFA Everywhere Before You Do Anything Else

Microsoft's Digital Defense Report found that multi-factor authentication blocks over 99.2% of automated identity attacks — the single highest return on effort available to a small business, and it costs nothing to start. Microsoft 365 and Google Workspace both include basic MFA in every tier, including Business Basic, a point CybersecurityCanada.ca correctly flags as underused. Turn it on for every account this week: email, the accounting platform, remote access, and any admin panel — not just the owner's login, but every employee's, including the part-timer who only logs in twice a week. Push-based app authenticators (Microsoft Authenticator, Google Authenticator) are the fastest rollout and adequate for phase one; SMS codes are better than nothing but should be treated as a stopgap, not the destination, since SIM-swap attacks specifically target them. There is now a hard deadline attached to this step for every Canadian business owner: starting February 2026, the CRA requires every user, including small business owners filing under their own CRA business account, to register a backup MFA method or risk account lockout during tax season. If you have not set this up on your own CRA login yet, do it in the same sitting as your business rollout. Budget CA$1-5 per user per month if you layer on a managed identity service rather than relying on the free tier alone; a 6-person shop is looking at roughly CA$72-360 a year for this phase — not the tens of thousands quoted in enterprise zero-trust proposals.

Weeks 3-6: Move From MFA to Phishing-Resistant Passkeys

Basic MFA is not immune to attack, and attackers have caught up. Gamtech.ca's research names the specific techniques now bypassing push-based MFA at Canadian businesses: MFA fatigue attacks (spamming an employee with approval requests until they tap accept out of annoyance), adversary-in-the-middle phishing kits like Evilginx that proxy a real login page and steal the session token in real time, SIM swapping to intercept SMS codes, and straight token theft from an already-compromised device. The fix is phishing-resistant authentication — hardware security keys and passkeys that cryptographically bind the login to the specific website, so a fake login page simply cannot complete the handshake. Real hardware, not a hypothetical: YubiKey, Feitian, and Google Titan keys run CA$40-70 each, a one-time cost per employee, not a subscription. Roll these out to your highest-risk accounts first — anyone with admin rights, anyone with banking or payroll access, anyone who handles client data — before extending to the full team. A realistic phased sequence for a small shop is 4-6 weeks: order keys in week 3, pilot with the owner and one admin account in week 4, register keys for the rest of the team in week 5, and disable SMS/push fallback for privileged accounts in week 6 once everyone is confirmed working. For a 10-employee business prioritizing the 3-4 highest-risk logins first, that's CA$120-280 in hardware, plus the labor to walk each person through registration — realistically an afternoon, not a project.

Weeks 7-10: Conditional Access, Least Privilege, and the Licensing Trap Nobody Mentions

This is where every competitor's pricing goes quiet, and it is the single most expensive gap in this whole checklist if you get it wrong. Conditional Access — the ability to require MFA only from unrecognized devices, block logins from outside Canada, or force re-authentication for sensitive actions — is the mechanism that turns MFA into actual least-privilege access control. The trap: Conditional Access requires Microsoft Entra ID P1, which is not included in Microsoft 365 Business Basic or Business Standard, the two tiers most 1-20 employee Canadian businesses are actually on. CybersecurityCanada.ca's own control page says MFA is free and stops there, which is true for basic MFA and false for anything resembling real zero-trust identity policy. Entra ID P1 is a separate add-on, or you upgrade the whole tenant to Microsoft 365 Business Premium, which bundles it along with Defender for Business endpoint protection. Budget the difference honestly: Business Premium runs meaningfully more per user per month than Business Standard, and for a 15-person shop that gap is real money you need to plan for, not discover on an invoice. Once you have P1, the actual work in this phase is narrow and specific: require MFA re-verification for any login from a new device or country, restrict admin role access to the two people who actually need it (not the four who have it because nobody cleaned it up), and set session timeout on shared or POS-adjacent devices. This is also where non-Microsoft line-of-business apps — your POS system, your industry-specific scheduling tool — need their own review, since Conditional Access only governs what's connected to your identity provider.

Weeks 11-12: Align to PIPEDA, Quebec's Law 25, and the Frameworks Your Insurer Will Ask About

None of the identity work above satisfies a regulator on its own — it has to map to an actual safeguard obligation. PIPEDA Principle 7 requires that personal information be protected by safeguards appropriate to its sensitivity, and MFA plus access controls are the documented baseline evidence most privacy counsel point to when demonstrating compliance after an incident. If you operate in or serve customers in Quebec, Law 25 goes further, with explicit breach-notification timelines and a requirement to designate a privacy officer by name — a business with even one Quebec client needs this documented, not assumed. Two frameworks apply more narrowly but catch businesses that don't expect it: Bill C-8 extends security expectations to critical infrastructure operators and, increasingly, to the smaller suppliers those operators pull into their compliance chain — if you service a utility, a hospital network, or a federally regulated client, ask whether you've been named in their vendor security requirements. OSFI Guideline E-21 governs operational resilience at federally regulated financial entities directly, but IT service providers to credit unions, insurers, or trust companies should expect E-21 language to show up in client contracts even though it doesn't apply to you directly. The action item for this phase is document creation, not new technical work: write down what MFA and Conditional Access policies you have in place, when they were enabled, and who has admin access, in a single page. This document is what you hand to a privacy lawyer after an incident, and it's the same document your cyber insurer's underwriter will ask for in the next phase.

What Your Cyber Insurer Actually Checks Before Renewal

Cyber insurance underwriting has quietly become the most concrete enforcement mechanism most small Canadian businesses will encounter for any of this — more concrete than any regulator visit, because it happens every single renewal cycle. Canadian insurers now routinely require a signed attestation confirming MFA is enabled on email and remote access before binding or renewing a policy, and several have started asking specifically whether that MFA is phishing-resistant for privileged accounts, not just present. A business that cannot answer these questions accurately, or that attests to controls it doesn't actually have enabled, risks a denied claim after a breach — insurers have successfully voided claims on exactly this basis when the attestation didn't match reality. The practical move is to complete the 90-day sequence above before your next renewal application, then use the one-page control document from phase four as your answer sheet: which MFA method, which accounts have Conditional Access, who holds admin rights, and when passkeys were deployed for privileged users. Businesses that can show phishing-resistant authentication on admin and financial accounts are increasingly seeing this reflected in premium quotes, since it directly reduces the underwriter's modeled loss probability for the single most common claim trigger — credential-based account takeover. If you've never been asked these questions on a renewal application, ask your broker directly whether your current policy actually covers a breach that started with a compromised login, since some older policies were written before insurers started underwriting identity controls this specifically.

What This Actually Costs a 1-20 Employee Business, in Real Canadian Dollars

FusionComputing's widely cited zero-trust pricing — CA$25,000-45,000 for a first-year build plus CA$90-180 per user per month managed — is real, sourced, and completely wrong for the business this checklist is written for. That figure is scoped to a 50-150 user organization with a dedicated IT budget line; applying it to a 6-person shop is the reason most small business owners read one zero-trust article and close the tab. Here is the honest tiered breakdown for 1-20 employees: Tier 1, MFA-only using your existing Microsoft 365 or Google Workspace license, costs CA$1-5 per user per month if you add a managed identity layer, or effectively CA$0 in software if you self-manage the free built-in MFA. Tier 2, adding phishing-resistant hardware keys for privileged accounts, is a one-time CA$40-70 per key for the 2-4 people who need one — call it CA$160-280 total for most shops, not recurring. Tier 3, full managed security covering MFA, endpoint protection, backups, and staff security-awareness training together, runs CA$15-50 per user per month for most Canadian SMBs, which for a 10-person business is roughly CA$1,800-6,000 a year — not CA$90,000. The Entra ID P1 or Business Premium upgrade from phase three is the one line item worth budgeting separately, since it's a real per-user monthly add-on rather than a one-time cost. A realistic total first-year number for a 10-employee business doing all four phases properly, hardware included, sits in the CA$3,000-8,000 range — a fraction of the enterprise figures dominating this search term, and an actual number an owner-operator can put in a spreadsheet this week.

FAQ

Does a business with 5-10 employees actually need zero trust security, or is that just for large enterprises?

Yes — the identity pillar of zero trust (MFA, phishing-resistant authentication, least-privilege access) applies at any size and is what the CCCS's Baseline Control BC.5 is built around; the enterprise pricing you may have seen quoted (CA$25,000-45,000 builds) reflects a 50-150 user rollout, not the CA$3,000-8,000 first-year range realistic for a 1-20 employee shop doing the same identity controls.

How much does zero trust identity security actually cost a small Canadian business?

Basic MFA runs CA$1-5 per user per month if layered onto existing Microsoft 365 or Google Workspace licensing, phishing-resistant hardware keys are a one-time CA$40-70 per key for privileged accounts, and full managed security (MFA, endpoint protection, backups, training combined) runs CA$15-50 per user per month for most Canadian SMBs.

Is Microsoft 365 MFA really free, or is there a hidden cost?

Basic MFA is genuinely included free in every Microsoft 365 tier including Business Basic, but Conditional Access — the policy engine that makes MFA enforceable by device, location, and risk level — requires Microsoft Entra ID P1, which is not included in Business Basic or Business Standard and must be added separately or via a Business Premium upgrade.

What is the CRA's new MFA requirement starting February 2026?

Starting February 2026, the Canada Revenue Agency requires every user, including small business owners accessing their CRA business account, to register a backup multi-factor authentication method or risk being locked out of their account during tax season.

Does Quebec's Law 25 apply to my business if we're not based in Quebec?

Law 25 applies based on whether you collect or process personal information of Quebec residents, not where your business is headquartered, so a business anywhere in Canada with even one Quebec-based client or employee should treat its breach-notification and privacy-officer requirements as applicable and document compliance alongside PIPEDA Principle 7.

Want this set up for you?

Get a free IT & security assessment — no payment, just a clear plan.

Get a free assessment →