A Canadian SMB security assessment reviews your controls across seven domains — identity, endpoint, network, data, email/cloud, backup, and physical/supplier — scores each gap against a recognized framework such as CIS Controls v8 or the CSE baseline at cyber.gc.ca, and delivers a prioritized fix roadmap. For a 10–50 user business, expect CA$1,500–$5,000 and 1–3 days of active work, with a written report in hand within a week.
What is a security assessment — and what it is not
A security assessment (also called a cybersecurity risk assessment or security audit) is a structured review of the technical and administrative controls your organization has in place to protect its data, systems, and operations. The assessor works through a defined control framework, collects evidence — interviews, document reviews, configuration exports, scanning output — scores each control area against a maturity model, and identifies gaps between where you are and where you need to be.
What it is not: a penetration test (no active exploitation of vulnerabilities), a compliance certification (it does not award a certificate), or a vulnerability scan alone (a scanner finds known CVEs on your network; an assessment evaluates your entire security program). These distinctions matter because organizations regularly confuse them and spend budget on the wrong engagement at the wrong time.
For the majority of Canadian SMBs — law firms in Toronto, dental groups in Calgary, accounting practices in Montreal, distributors in Vancouver — a risk assessment is the right starting point. It surfaces the broadest picture of your exposure with the least disruption to operations. You find out whether your biggest risks are a weak identity posture, unencrypted laptops, no incident response plan, or a supplier holding your customer data with no security agreement in place.
The Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment, publishes a baseline security control set at cyber.gc.ca specifically calibrated for Canadian organizations. A credible assessor maps findings to that baseline, making your report directly relevant to federal government contract requirements, cyber insurance applications, and responses to regulatory inquiries from the Office of the Privacy Commissioner (OPC) or Quebec's Commission d'accès à l'information (CAI).
Why Canadian SMBs can no longer treat this as optional
The CIRA (Canadian Internet Registration Authority) Cybersecurity Survey 2024 found that 46% of Canadian organizations reported a cyber incident in the prior twelve months — and small businesses were disproportionately targeted because attackers perceive them as having weaker defences than large enterprises while still holding valuable data: customer payment information, employee social insurance numbers, patient records, client legal files. The same survey found that fewer than half of Canadian SMBs had conducted any form of security assessment in the preceding year.
Two regulatory pressures are adding real teeth to that gap:
- PIPEDA (federal — applies in all provinces except Quebec for provincially regulated organizations): Requires organizations to implement safeguards appropriate to the sensitivity of the personal information they hold. The OPC at priv.gc.ca has consistently found, in complaint investigations and breach reports, that organizations which had never assessed their security posture were unable to demonstrate that their safeguards were proportionate to risk. PIPEDA's Breach of Security Safeguards Regulations also mandate notification to the OPC for material breaches — and that notification must account for what safeguards were (or were not) in place. A business that cannot point to an assessment when the OPC asks "what did you do to protect this data?" is in a poor position.
- Quebec Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels): Fully in force since September 2024, Law 25 requires private-sector organizations to conduct a Privacy Impact Assessment (PIA) for projects involving personal information and to implement security measures proportionate to the sensitivity of data held. The security section of any PIA maps directly to what a cybersecurity assessment evaluates. The CAI has authority to order audits and levy administrative penalties of up to CA$10 million or 2% of global turnover. See our full Law 25 guide for the complete obligation set by business type.
Cyber insurance is a third driver. Canadian insurers — including Intact, Aviva, Northbridge, and others — increasingly require evidence of baseline controls (MFA, endpoint detection and response, tested backups, documented incident response plan) before issuing or renewing commercial cyber policies. An assessment report is often accepted as evidence of due diligence. Without it, underwriters may exclude specific attack vectors from coverage, add large self-insured retentions, or decline to quote at competitive rates.
The cost asymmetry makes the decision straightforward. IBM's Cost of a Data Breach Report 2024 found the average Canadian breach cost CA$6.3 million across all sizes. For a small business, even a modest ransomware incident typically costs CA$50,000–$250,000 in downtime, recovery services, legal fees, client notifications, and reputational loss. A CA$2,500 assessment that surfaces and prioritizes your critical gaps — and prevents or accelerates response to one incident — pays for itself many times over.
The seven control domains every assessment must evaluate
A properly scoped security assessment evaluates controls across seven domains. Assessors may use different naming conventions depending on whether they are following CIS Controls v8, NIST CSF, or the CSE baseline, but the substance is consistent across frameworks:
- Identity and access management (IAM): Are accounts protected with multi-factor authentication (MFA)? Is privileged access restricted to those who genuinely need it? Are ex-employee accounts de-provisioned promptly? Is there an enforced password policy and an organization-wide password manager? Weak identity controls cause the majority of Canadian SMB breaches — credential stuffing, phishing-harvested passwords, and unrevoked access by former staff are recurring themes in OPC breach reports.
- Endpoint protection: Do all workstations and mobile devices run business-grade endpoint detection and response (EDR), not just consumer-grade legacy antivirus? Is operating system and application patching enforced and monitored centrally? Are personal devices accessing corporate email or files — and if so, is a mobile device management (MDM) solution in place to enforce minimum security standards on those devices?
- Network security: Is the perimeter firewall configured beyond factory defaults? Are remote access tools (VPN, RDP) properly restricted, using MFA, and monitored for anomalous connections? Is the guest Wi-Fi network separated from the corporate network by VLAN or separate SSID? Are network logs retained for at least 90 days — a common requirement in cyber insurance policies?
- Data protection: Is sensitive data (client files, payment records, employee SINs, health information) encrypted at rest on workstations and servers, and in transit between sites and to cloud storage? Is there a data inventory — required under Quebec Law 25 and recommended under PIPEDA? Are USB drives and external media controlled? Does the organization know where its highest-value data lives and who can access it?
- Email and cloud security: Are DKIM, DMARC, and SPF records properly configured on your domain to reduce spoofing and phishing? For Microsoft 365 or Google Workspace users: are the built-in security defaults actually enabled (many SMBs have these disabled from a legacy troubleshooting session and never re-enabled them)? Are third-party SaaS applications reviewed for the scope of data access permissions they have been granted?
- Backup and disaster recovery: Are backups automated, verified on completion, and stored offline or in an air-gapped cloud environment inaccessible to a ransomware process running on the primary systems? Can the business restore within its target recovery time objective (RTO) and recovery point objective (RPO)? Has a restore test been completed in the last six months? Many Canadian SMBs discover their backup was silently failing only after a ransomware attack. See our Backup & DR guide for the full backup control checklist.
- Physical security and supplier controls: Are server rooms and communications closets locked with access limited to authorized staff? Are supplier and cloud vendor contracts reviewed for security clauses — specifically, where data is hosted (Canadian data residency vs US servers), what security standards the vendor holds (SOC 2, ISO 27001), and what their obligation is to notify you of a breach affecting your data? This domain is frequently skipped in self-assessments and is a growing source of third-party supply-chain incidents in Canada.
An assessment that omits any of these seven domains is incomplete. Before signing a statement of work, confirm in writing which domains are in scope and request an explicit reason for any exclusions. A complete scope protects you legally and operationally — a partial assessment creates documented gaps that a sophisticated attacker or regulator can exploit.
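The email-domain checks in the email and cloud domain above (SPF qualifier, DMARC policy, reporting address, subdomain policy) can be run against a domain's own TXT records offline. This is an added example, not code from the original page or from any assessor; the record strings are constructed, the tag names are the standard SPF and DMARC ones, and no DNS lookups are performed.

```python
"""Added example: offline checks of SPF and DMARC TXT records for the weak
settings an assessor looks for.  Record strings below are constructed and
nothing is looked up in DNS; v, p, sp, pct, rua, adkim and aspf are the
standard DMARC tags, and +all/?all/~all/-all the standard SPF qualifiers."""

# Mechanisms that each cost a DNS lookup under SPF's limit of 10 (RFC 7208).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = clean)."""
    findings = []
    if record is None:
        return ["SPF: no record published; any host may send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    qualifier = None
    lookups = 0
    for term in terms[1:]:
        t = term.lower()
        if t.endswith("all") and len(t) <= 4:      # all, +all, -all, ~all, ?all
            qualifier = t[0] if len(t) == 4 else "+"  # bare 'all' means +all
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if qualifier in (None, "+", "?"):
        findings.append("SPF: 'all' is permissive or missing; use -all (or ~all during rollout)")
    elif qualifier == "~":
        findings.append("SPF: ~all soft-fail; move to -all once DMARC reports are clean")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = clean)."""
    findings = []
    if record is None:
        return ["DMARC: no record at _dmarc.<domain>; spoofed mail is never rejected"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; target p=reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves part of the traffic unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: subdomain policy sp={sub_policy or 'missing'} allows subdomain spoofing")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combined finding list for one domain's SPF and DMARC records."""
    return check_spf(spf_record) + check_dmarc(dmarc_record)


# Constructed records: the weak pair an assessor often finds, and the hardened pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@example.com; adkim=s; aspf=s")
```

Run `assess_domain(WEAK_SPF, WEAK_DMARC)` to see the five findings the weak pair produces; the hardened pair returns an empty list.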
The assessment process: from kickoff to final report
A professional engagement follows a consistent sequence. Here is what to expect at each stage:
- Scoping call (typically 30–60 minutes, usually at no charge): The assessor confirms your environment size (number of users, physical locations, cloud vs on-premises infrastructure, industry vertical), identifies applicable regulatory overlays (PIPEDA, Law 25, PHIPA for healthcare, PCI-DSS for payment processors), and agrees on the control framework to be used. You receive a written scope of work and a fixed-price quote before any work begins.
- Kickoff and document collection (1–2 days, mostly async): You share network diagrams, IT asset inventories, existing policies (acceptable use policy, password policy, incident response plan if one exists), and any recent audit or vulnerability scan reports. The assessor reviews these before the on-site or remote interview phase.
- Interviews (half to one full day, on-site or remote): The assessor interviews the IT manager or MSP, the business owner or operations manager, and optionally a sample of end users to validate whether written policy matches actual practice. Interview questions map directly to the seven control domains. The gap between "we have a password policy" and "staff actually use the password manager" often only surfaces in user interviews.
- Technical scanning (half day): A lightweight, non-destructive network scan identifies open ports, unpatched services, misconfigured firewall rules, and devices not visible in the asset inventory. For Microsoft 365 or Google Workspace environments, configuration baselines are reviewed via read-only administrative access — checking which security defaults are enabled, which legacy protocols are allowed, and what external app permissions exist.
- Gap analysis and scoring (assessor-side work, 1–2 days): The assessor maps evidence collected at each step to individual controls, assigns a maturity score (typically 0–3 or 0–5, or RAG — Red/Amber/Green), and calculates a weighted risk score per domain based on likelihood and business impact. This is the analytical core of the engagement.
- Draft report (assessor-side, 2–3 days): The report is drafted, reviewed internally, and formatted. It includes the executive summary, domain scorecards, and the prioritized remediation roadmap. A credible firm will have a second reviewer check the report before delivery.
- Debrief and final report delivery: A 60–90 minute verbal debrief walks the owner through findings, answers questions, and validates the remediation plan priorities against your budget and operational constraints. The final written report is delivered as a PDF with an editable remediation tracker in spreadsheet or task-management format.
Total elapsed time from kickoff to final report: typically 7–14 business days for a standard SMB engagement. Rush engagements (5 business days) are available at a 20–30% premium and require faster document delivery on the client side.
How assessors score your controls
Scoring methodology varies by assessor and engagement but consistently aligns to one of three frameworks — often used in combination:
CIS Controls v8 (most common for Canadian SMBs): The Center for Internet Security organizes 18 control groups into three Implementation Groups (IG). IG1 is the cyber hygiene baseline — 56 safeguards that every organization should implement regardless of size or industry. IG2 adds 74 safeguards for organizations with moderate risk exposure and dedicated IT resources. Most Canadian SMBs should be targeting full IG1 coverage before addressing IG2 controls. Assessors score each safeguard as Implemented, Partially Implemented, Not Implemented, or Not Applicable, then calculate percentage coverage per implementation group. This gives you a concrete progress metric for your next annual reassessment.
NIST Cybersecurity Framework (CSF 2.0): Published by the US National Institute of Standards and Technology and widely adopted in Canada — particularly by technology companies, professional services firms, and organizations with US customers — the CSF 2.0 organizes controls under six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function is scored on a 0.0–4.0 Tier maturity scale. NIST CSF is more strategic and narrative; CIS Controls is more operational and prescriptive. Many assessors use both: NIST CSF for the executive-level risk conversation, CIS Controls for the technical remediation task list.
Canadian Centre for Cyber Security (CCCS) baseline: The Communications Security Establishment publishes Baseline Cyber Security Controls for Small and Medium Organizations at cyber.gc.ca, organized across three priority levels. This framework is particularly relevant for businesses pursuing federal government contracts, PSPC supplier prequalification, or Department of National Defence supply chain requirements — where baseline cyber hygiene is an increasingly explicit prerequisite.
The risk score assigned to each finding must reflect both the likelihood of exploitation in your specific environment and the business impact if exploited — data sensitivity, operational dependency, regulatory exposure, reputational risk. A critical finding on a high-likelihood, high-impact gap belongs at the top of your remediation roadmap regardless of the effort required to fix it. Assessors who rank findings only by remediation effort (easiest to fix = highest priority) are optimizing the wrong variable.
Ask your assessor to include the raw scoring matrix in the technical appendix, not just the domain summaries. A report that tells you only that "your network security is a 6/10" without the underlying control-by-control evidence is not useful for allocating your remediation budget or defending your security posture to a regulator or insurer.
Deliverables: what a proper assessment report contains
A credible security assessment report contains five to seven core sections. If any are missing, ask your assessor why — or reconsider whether you have the right firm.
- Executive summary (1–2 pages): Written for the business owner or board — not the IT team. Summarizes the overall risk score, the top three to five critical findings, and the headline cost and timeline of the remediation program. If you cannot read this section and immediately understand where you stand and what it costs to improve, the assessment has failed its first test.
- Domain scorecards: One page per domain covering the score for each evaluated control, the evidence reviewed, and specific gaps with plain-language descriptions. Traffic-light (Red/Amber/Green) colour coding makes the gap picture immediately scannable without technical expertise.
- Prioritized remediation roadmap: A table with columns for finding, risk level (Critical / High / Medium / Low), recommended action, estimated effort in hours or days, estimated cost in Canadian dollars, responsible party (internal IT, MSP, or specific vendor), and target completion date. This is the most operationally useful section — it should be directly importable into your project tracker or the task system your MSP uses.
- PIPEDA and Law 25 readiness status: A brief section mapping technical findings to the privacy law obligations applicable to your province and industry. Particularly important for organizations handling health data (PHIPA in Ontario), employee records containing SINs, payment card data, or legal files subject to solicitor-client privilege obligations.
- Technical appendix: Raw scan output, configuration screenshots, interview notes, and evidence of each finding. Most owners will never open this section, but it is the evidentiary base that makes every finding defensible. In the event of an OPC investigation, a CAI inquiry, or insurance coverage dispute, this documentation is what your legal counsel will want.
- Remediation tracker (editable format): A spreadsheet or importable list of findings with status columns — Not Started, In Progress, Complete — so you can track remediation progress between now and your next annual assessment without relying on the assessor to manage it for you.
- Verbal debrief (mandatory, not optional): A written report without a debrief session leaves findings open to misinterpretation. Insist on at least 60 minutes with the assessor post-delivery to walk through findings, ask clarifying questions, and confirm remediation priorities against your actual budget and staffing constraints.
Security assessment pricing in Canada (2026)
Pricing varies significantly by scope, number of users, number of physical locations, depth of regulatory overlay review, and whether the assessor works independently or through a security-focused MSP. The table below covers typical market rates for professional, evidence-based assessments from qualified IT security consultants in Canada. All figures are in Canadian dollars and exclude HST/GST.
| Tier | Scope | Price range (CAD) | Duration |
|---|---|---|---|
| Self-assessment (tool-guided) | Owner-led, 1–10 users, basic controls only | Free – CA$500 | 2–4 hours internal |
| Basic professional | 1–15 users, single site, remote, 5 core domains | CA$1,500 – CA$2,500 | 1 day active + report |
| Standard SMB | 15–50 users, 1–2 sites, all 7 domains, PIPEDA readiness | CA$2,500 – CA$4,000 | 2–3 days active + report |
| Full SMB with Law 25 overlay | 15–75 users, multi-site or Quebec, Law 25 + PIPEDA | CA$3,500 – CA$5,000 | 3–4 days active + report |
| Enterprise / regulated sector | 75+ users, PCI-DSS / PHIPA / OSFI B-13 overlay | CA$5,000 – CA$20,000+ | Custom |
The wide price range exists because "security assessment" is not a standardized service. A CA$499 questionnaire report and a CA$4,000 evidence-based engagement are not equivalent. A tool cannot validate whether your backup actually restores, whether access reviews are followed, or whether supplier contracts include meaningful security obligations. Pay for evidence-based work proportionate to the sensitivity of your data.
Many managed IT service providers in Canada include an annual security assessment in their managed services agreement at no additional charge for clients on comprehensive plans. If you have an MSP relationship and have never received a written, evidence-based assessment report, that is a signal worth investigating. See our Managed IT Services guide for what a well-structured MSP agreement should include.
Security assessment vs vulnerability scan vs penetration test: choosing the right engagement
Canadian SMBs frequently confuse these three services. Here is the precise distinction and practical guidance on sequencing:
| Dimension | Security Assessment | Vulnerability Scan | Penetration Test |
|---|---|---|---|
| Method | Interviews, documents, light scanning, evidence review | Automated scanner (Nessus, Qualys, OpenVAS) | Manual exploitation by ethical hacker |
| Scope | Full security program (people, process, technology) | Network / host CVEs only | Defined attack surface (external, internal, or web app) |
| Primary output | Risk-scored report + prioritized roadmap | CVE list with CVSS severity scores | Exploitation report with proof-of-concept |
| Disruption risk | Minimal — read-only, evidence-based | Low (scanning only, no exploitation) | Moderate — can crash services if not carefully scoped |
| Typical CAD cost | CA$1,500 – CA$5,000 | CA$500 – CA$2,000 | CA$5,000 – CA$30,000+ |
| Best for | Most SMBs as the starting point | Supplementary technical check post-remediation | Mature organizations with core controls in place |
The practical guidance for most Canadian SMBs: start with a security assessment. It reveals process and policy gaps that a scanner never surfaces — a scanner cannot detect that your IT administrator left six months ago and their VPN account is still active with full access to the file server, or that your three office partners share one admin account password. Once you have addressed the assessment findings and established a solid control baseline, add a quarterly automated vulnerability scan and a penetration test every two to three years or after any major infrastructure change.
PIPEDA and Quebec Law 25 readiness: the privacy-security overlap
Security and privacy compliance are different disciplines, but they overlap significantly at the technical control level. A security assessment should include a PIPEDA readiness check for all Canadian organizations and, for Quebec-based businesses, an explicit Law 25 readiness review. Here is what that means in practice:
PIPEDA (federal, outside Quebec): Principle 7 of PIPEDA requires safeguards appropriate to the sensitivity of personal information held. The OPC at priv.gc.ca interprets this using internationally recognized frameworks — the same CIS Controls and NIST CSF assessors use. Under PIPEDA's Breach of Security Safeguards Regulations, you must maintain a record of every security breach and report material ones to the OPC and affected individuals. Your assessment becomes the baseline evidence for whether your safeguards were reasonable — a business without it is in a weak position in any OPC investigation.
Quebec Law 25 (Loi 25): Requires a designated person responsible for privacy, a personal data inventory, security safeguards proportionate to sensitivity, Privacy Impact Assessments for new projects involving personal data, and a breach notification process. The PIA's security section requires documented technical safeguard evidence — a security assessment is the most efficient way to generate it. Specify in your SOW that an explicit Law 25 mapping is required, since not all assessors include it by default. Our Law 25 for Small Business guide covers the full obligation set by deadline.
Health-sector overlay (PHIPA — Ontario; HIPA — Alberta): Healthcare practices collecting electronic health records face provincial health information legislation in addition to PIPEDA. PHIPA in Ontario requires health information custodians to implement administrative, technical, and physical safeguards. An assessment for a dental practice, physiotherapy clinic, or specialist office should include a PHIPA readiness check mapped to the Information and Privacy Commissioner of Ontario (IPC) guidance. For organizations that need assessment and immediate technical remediation in a single engagement, IT Cares bundles technical remediation with every security assessment engagement across Canada — valuable for healthcare practices that cannot afford a gap between assessment delivery and fixes starting.
Building your gap-to-fix roadmap
An assessment report is only valuable if it drives action. The gap-to-fix roadmap converts findings into a project plan with named owners, timelines, and realistic cost estimates. Here is how to structure one that actually gets executed:
Step 1 — Classify every finding by risk level. Use a four-tier classification: Critical (exploit likely within weeks if unaddressed, business-critical impact), High (significant risk, remediation required within 30 days), Medium (moderate risk, address within 60–90 days), Low (marginal risk, plan for next quarter or next cycle). Critical and High findings go on your immediate sprint list.
Step 2 — Estimate remediation cost and effort for each finding. The assessor should provide rough estimates. For example: "Enable MFA on all Microsoft 365 accounts — 3 hours IT effort, zero additional licensing cost." Or: "Deploy endpoint detection and response (EDR) across 22 workstations — CA$8–15 per user per month, 1 day deployment effort, CA$2,100–$3,960 annually." This lets you build an accurate budget for the remediation program and prioritize based on cost-to-risk ratio.
Step 3 — Assign a named owner to every action. Each item in the roadmap needs a specific person accountable for completion — the IT manager, the MSP account manager, or the business owner directly. Items with no named owner do not get completed. If you work with an MSP, build the remediation items directly into your next QBR (quarterly business review) agenda.
Step 4 — Run a 90-day sprint, then a 12-month plan. The 90-day sprint addresses all Critical and High findings — MFA rollout, patching of exposed systems, elimination of active ex-employee accounts, firewall rule cleanup. The 12-month plan addresses Medium and Low findings plus structural improvements: policy rewrites, staff phishing training program, supplier security contract reviews, backup test schedule. Schedule a reassessment at the 12-month mark to measure progress against the baseline.
Step 5 — Collect and retain evidence of completion. For each remediation action, capture screenshots, configuration exports, or policy sign-off records. This evidence file is what you present to your cyber insurer at renewal, to the OPC or CAI in the event of a complaint, or to an enterprise customer requesting security due diligence. Without documentation, completed remediation is indistinguishable from no remediation.
The roadmap is not a one-time list. Your environment changes, your threat landscape changes, and regulations evolve. Plan a new assessment annually — the second is significantly faster and cheaper because you start with a baseline and most prior-year findings will be resolved.
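A worked version of the scoring described in the scoring section above (per-safeguard statuses, implementation-group coverage, likelihood times impact) and of Steps 1 to 4 of the roadmap, as an added example that is not an assessor's tool or any framework's official calculator. It assumes a 1 to 5 likelihood and impact scale, the tier thresholds and due dates given in the code, and constructed safeguard labels and sample findings, none of which come from the page.

```python
"""Added example: CIS-style coverage scoring plus a likelihood x impact
remediation roadmap.  Safeguard labels, thresholds, due dates and the sample
findings are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "Implemented"
    PARTIAL = "Partially Implemented"
    NOT_IMPLEMENTED = "Not Implemented"
    NOT_APPLICABLE = "Not Applicable"


@dataclass(frozen=True)
class Finding:
    safeguard: str     # constructed label, not a real CIS safeguard id
    domain: str        # one of the seven domains on this page
    ig: int            # CIS Implementation Group the safeguard belongs to
    status: Status
    likelihood: int    # 1 (unlikely) .. 5 (expected) in this environment
    impact: int        # 1 (negligible) .. 5 (business-critical)
    effort_hours: int  # remediation effort: reported for budgeting, never ranked on


# Assumed tier floors on the 1..25 likelihood x impact product, and assumed
# due dates derived from the page's four-tier classification.
TIER_FLOOR = [("Critical", 16), ("High", 10), ("Medium", 5), ("Low", 1)]
DUE_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}


def ig_coverage(findings, ig):
    """Percent coverage for one Implementation Group: Implemented counts 1,
    Partially Implemented 0.5, Not Implemented 0; Not Applicable safeguards
    leave the denominator.  None when the IG has no scored safeguards."""
    credit = {Status.IMPLEMENTED: 1.0, Status.PARTIAL: 0.5, Status.NOT_IMPLEMENTED: 0.0}
    scored = [f for f in findings if f.ig == ig and f.status is not Status.NOT_APPLICABLE]
    if not scored:
        return None
    return round(100.0 * sum(credit[f.status] for f in scored) / len(scored), 1)


def risk_score(finding):
    """Likelihood x impact; an implemented or not-applicable control carries no residual risk."""
    if finding.status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    return finding.likelihood * finding.impact


def risk_tier(score):
    for tier, floor in TIER_FLOOR:
        if score >= floor:
            return tier
    return "None"


def domain_scores(findings):
    """Mean residual risk per domain over its applicable safeguards (the scorecard figure)."""
    per_domain = defaultdict(list)
    for f in findings:
        if f.status is not Status.NOT_APPLICABLE:
            per_domain[f.domain].append(risk_score(f))
    return {d: round(sum(s) / len(s), 1) for d, s in per_domain.items()}


def roadmap(findings):
    """Prioritized rows, highest risk first (ties broken by label), each with its
    tier and due date.  Effort is carried for budgeting but deliberately does not
    affect the order: ranking by ease of fix optimizes the wrong variable."""
    rows = []
    for f in findings:
        score = risk_score(f)
        if score == 0:
            continue
        tier = risk_tier(score)
        rows.append({"safeguard": f.safeguard, "domain": f.domain, "risk": score,
                     "tier": tier, "due_days": DUE_DAYS[tier], "effort_hours": f.effort_hours})
    rows.sort(key=lambda r: (-r["risk"], r["safeguard"]))
    return rows


# Constructed sample findings for a small Microsoft 365-based firm.
SAMPLE_FINDINGS = [
    Finding("IAM-01 MFA on every user account", "Identity", 1, Status.PARTIAL, 5, 5, 3),
    Finding("IAM-02 Former-employee accounts disabled", "Identity", 1, Status.NOT_IMPLEMENTED, 4, 4, 1),
    Finding("NET-01 No internet-exposed RDP", "Network", 1, Status.NOT_IMPLEMENTED, 5, 5, 4),
    Finding("NET-02 Guest Wi-Fi segregated", "Network", 1, Status.NOT_APPLICABLE, 1, 1, 0),
    Finding("EP-01 EDR on all endpoints", "Endpoint", 1, Status.NOT_IMPLEMENTED, 3, 4, 8),
    Finding("EP-02 Centralized patch management", "Endpoint", 1, Status.PARTIAL, 3, 3, 6),
    Finding("BK-01 Offline or immutable backup copy", "Backup", 1, Status.IMPLEMENTED, 1, 5, 0),
    Finding("BK-02 Restore test within six months", "Backup", 1, Status.PARTIAL, 2, 4, 2),
    Finding("EML-01 DMARC at enforcement", "Email", 2, Status.NOT_IMPLEMENTED, 3, 3, 2),
    Finding("DAT-01 Full-disk encryption on laptops", "Data", 1, Status.PARTIAL, 2, 2, 4),
    Finding("PHY-01 Server room access restricted", "Physical", 1, Status.IMPLEMENTED, 1, 3, 0),
]
```

With the sample data, IG1 coverage comes out at 44.4% and the three Critical rows (both 25s and the 16) head the roadmap, while the one-hour ex-employee cleanup and the eight-hour EDR rollout keep their risk-based positions regardless of effort.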
What to look for in a security assessor
Not all Canadian security assessors are equivalent. The market includes certified cybersecurity consultants with mature evidence-based methodologies alongside firms that produce boilerplate scan reports with no real evidence behind each finding. Use this checklist when evaluating proposals:
- Relevant certifications: CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CompTIA CASP+ for the assessor lead. For Law 25 and PIPEDA readiness work, a CIPP/C (Certified Information Privacy Professional — Canada) credential from the IAPP is valuable. Certifications are not a guarantee of quality but confirm a minimum baseline of structured training.
- Canadian regulatory fluency: Does the assessor know PIPEDA's breach notification threshold and the Law 25 CAI penalty structure? Can they name the CCCS baseline controls at cyber.gc.ca by priority level? Can they explain how PHIPA overlaps with PIPEDA for an Ontario healthcare client? If not, your report will lack the regulatory context needed to use it with the OPC, CAI, or a cyber insurer.
- Evidence-based methodology, not questionnaire-only: Ask specifically whether findings are supported by configuration evidence (exported firewall rules, Microsoft 365 Secure Score screenshots, backup log exports) or whether they rely solely on what you tell them in an interview. Evidence-based assessments produce defensible reports. Questionnaire-only reports may be challenged by a regulator or insurer.
- Remediation roadmap included in base scope: Some assessors deliver findings only and charge separately for remediation guidance — a model that encourages incomplete follow-through. Insist that a prioritized, cost-estimated, owner-assigned roadmap is included in the fixed price, not offered as an add-on.
- Canadian business references at similar scale and industry: Ask for two or three references from clients of comparable size in Canada, ideally in your industry vertical. An assessor with deep experience in Toronto professional services may not understand the nuances of a BC construction company's supply-chain risk or a Nova Scotia manufacturing firm's OT/IT convergence exposure.
- Transparent conflict-of-interest management: An assessor who also sells the remediation products they recommend has a potential conflict. This does not disqualify them — many MSPs with strong security practices do both — but ask how they manage it. The report should specify control categories without mandating a specific vendor unless there is a documented technical reason.
- Fixed-price scope of work before any work begins: The SOW must specify the control framework, domains in scope, deliverables (report sections, tracker, debrief), timeline, and a fixed price. A firm unwilling to commit to a written fixed scope is a red flag.
Industry-specific considerations for Canadian SMBs
While the seven control domains apply universally, certain Canadian industries have specific risk profiles, regulatory overlays, and attack patterns that a good assessor will address directly:
Legal practices (Toronto, Vancouver, Calgary, Montreal): Law firms hold privileged client communications, financial transaction records, and personal information for litigation clients. The Law Society of Ontario's Technology Requirements for lawyers includes cybersecurity as part of competency obligations. A legal practice assessment should specifically evaluate business email compromise (BEC) controls — BEC targeting law firms (fraudulent wire redirection on real estate transactions, settlement funds) is the highest-value attack vector — along with matter management system access controls and supplier security for cloud-based practice management platforms such as Clio, MyCase, and PCLaw.
Dental, physiotherapy, and medical clinics: Healthcare practices face PHIPA (Ontario) or equivalent provincial health information legislation, plus PIPEDA. The primary attack vectors targeting Canadian healthcare SMBs are ransomware encrypting patient record systems (Dentrix, Tracker, practice management software), unencrypted patient data on portable devices used by clinicians, and insecure medical device connections (CBCT/X-ray systems, diagnostic equipment) on the same network as office computers. A healthcare assessment must include a medical device and clinical network segmentation review.
Accounting and financial advisory firms: CPA Canada's cybersecurity guidance identifies phishing, ransomware, and supply-chain compromise via accounting software vendors as primary risks. An accounting firm assessment should cover tax software supply-chain security (can a compromised update to your tax preparation software exfiltrate client SINs or T4 data?), access controls on cloud-hosted client file repositories, and CRA (Canada Revenue Agency) My Account credential management — CRA portal takeover enables fraudulent tax filings and intercepts client refunds.
Construction and real estate: High exposure to BEC targeting large wire transfers at key transaction points. An assessment for a construction firm should evaluate wire-transfer authorization processes (is a phone callback verification step required for all payment instruction changes?), email security configuration (DMARC enforcement, anti-spoofing), and mobile and remote device security for field supervisors accessing corporate systems over personal mobile hotspots with no MDM.
Retail and e-commerce processing payments: If you accept credit cards and process more than 20,000 card-not-present transactions per year, PCI-DSS applies as a contractual obligation with your payment processor. A PCI-scoped assessment requires an Approved Scanning Vendor (ASV) and potentially a Qualified Security Assessor (QSA) — distinct from a standard SMB assessment. Confirm PCI scope in your SOW if it applies.
Case study: 28-person professional services firm in Calgary
The following composite is anonymized from real Canadian SMB assessments.
A 28-employee engineering consulting firm with offices in Calgary and Edmonton had never had a formal security assessment. Their environment included Microsoft 365 Business Standard, a Windows Server 2016 file server, VPN for the Edmonton team, and three project-management and CAD systems. Their MSP had not raised security concerns in three years, and the owners assumed their M365 subscription meant they were covered.
The assessment (CA$3,200, three-day engagement, all seven domains in scope with PIPEDA readiness) surfaced the following Critical and High findings:
- MFA was enabled on Microsoft 365 but only for the two owner accounts — 26 employee accounts had no MFA. Four accounts belonging to former employees were still active with valid Microsoft 365 licences and full mailbox access.
- Security defaults in Microsoft 365 had been disabled by the previous MSP during a troubleshooting session 23 months earlier and never re-enabled. Legacy authentication protocols (Basic Auth) were still permitted on the tenant, enabling password-spray attacks.
- The Windows Server 2016 file server was 18 months past Microsoft's mainstream support end date, had not received security patches in 14 months, and was directly accessible from the internet via RDP on port 3389 with no MFA or IP restriction.
- No EDR was deployed — all workstations ran Windows Defender with default settings and no centralized management console. Three laptops had not received any Windows updates in over six months.
- Backup was configured (Acronis, local + cloud tier) but had not been test-restored in 22 months. The local backup drive had failed silently and gone unnoticed; only the cloud backup was active, and its retention window was set to 30 days — insufficient for ransomware that can remain latent for six to twelve weeks before triggering.
- None of the three business-critical software vendors (CAD platform, project management system, structural analysis tool) had supplier security documentation or data processing agreements in place — no confirmation of where client project data was stored or what breach notification obligations the vendors held.
The remediation roadmap prioritized the exposed RDP server and MFA rollout as a 10-business-day sprint (estimated CA$1,800 in MSP implementation effort). Server migration to Azure Virtual Desktop was planned for Q3 (estimated CA$4,500 in migration effort, plus CA$380/month ongoing). Total 12-month remediation budget: CA$8,500. The firm's commercial cyber insurer also reduced their annual premium by 18% upon receiving a copy of the assessment report and evidence of the completed MFA rollout — partially offsetting the assessment cost in year one alone.
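The first two findings and the backup finding above are the kind an assessor verifies from a tenant export and an HR roster rather than from interviews. The following is an added example of that check, not the assessor's or the firm's own tooling; the account fields, the roster join, and the 12-week retention floor are assumptions chosen to match the case study:

```python
# Added example, not the assessor's tooling: field names and HR roster are assumptions.
from dataclasses import dataclass
from datetime import date
@dataclass
class Account:
    upn: str              # user principal name
    enabled: bool         # sign-in allowed on the account
    mfa_registered: bool  # at least one strong method registered
    on_hr_roster: bool    # still a current employee according to HR

def identity_findings(accounts, legacy_auth_allowed):
    """Return (severity, title, affected UPNs) tuples for the identity domain."""
    findings = []
    no_mfa = [a.upn for a in accounts if a.enabled and not a.mfa_registered]
    if no_mfa:
        findings.append(("Critical", "enabled accounts without MFA", no_mfa))
    orphaned = [a.upn for a in accounts if a.enabled and not a.on_hr_roster]
    if orphaned:
        findings.append(("Critical", "former-employee accounts still active", orphaned))
    if legacy_auth_allowed:
        # Basic Auth cannot carry an MFA challenge, so it is a finding in its own right
        findings.append(("Critical", "legacy authentication permitted on tenant", []))
    return findings

def backup_findings(last_test_restore, retention_days, today,
                    max_test_age_days=90, min_retention_days=84):
    """Flag an untested restore and retention shorter than a 12-week dwell window."""
    findings = []
    if (today - last_test_restore).days > max_test_age_days:
        findings.append(("High", "backup not test-restored within 90 days", []))
    if retention_days < min_retention_days:
        findings.append(("High", f"retention of {retention_days} days is shorter than 12 weeks", []))
    return findings

# Constructed sample mirroring the case study: owners with MFA, staff without, one former
# employee still enabled, Basic Auth allowed, 30-day cloud retention, no recent test restore.
TODAY = date(2024, 6, 1)
LAST_TEST_RESTORE = date(2022, 8, 1)
RETENTION_DAYS = 30
ACCOUNTS = [
    Account("owner1@example.ca", True, True, True),
    Account("owner2@example.ca", True, True, True),
    Account("staff1@example.ca", True, False, True),
    Account("staff2@example.ca", True, False, True),
    Account("former1@example.ca", True, False, False),
]
if __name__ == "__main__":
    report = identity_findings(ACCOUNTS, True) + backup_findings(LAST_TEST_RESTORE, RETENTION_DAYS, TODAY)
    for severity, title, affected in report:
        print(f"[{severity}] {title}" + (f": {', '.join(affected)}" if affected else ""))
```

Feeding a real export through the same functions turns the MFA-coverage and offboarding findings into a repeatable check that the annual reassessment can rerun against the prior-year baseline.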
Five mistakes that undermine an assessment's value
Even with a qualified assessor and a complete scope, poor preparation or follow-through can negate the value of the engagement:
- Scoping it too narrowly to save money. Excluding a domain — "we don't need the supplier security review because we only use big cloud providers" — creates a false sense of assurance. Cloud misconfiguration and third-party vendor breaches are among the top three sources of Canadian SMB incidents in recent years. Scope all seven domains unless there is a documented and accepted risk decision to exclude one. The cost difference between a five-domain and seven-domain scope is typically CA$300–$500 — not worth the blind spot.
- Treating the report as a compliance checkbox. A report filed in a drawer and never acted on is worse than no assessment at all. It creates a documented record that you knew about specific gaps and chose not to remediate them — a damaging exhibit in an OPC investigation, a CAI audit, or litigation following a breach. The report is the start of a process, not the end of one.
- Accepting product recommendations without scrutiny. If the assessor's remediation roadmap recommends only one specific vendor's firewall or EDR without acknowledging alternatives, ask whether other options were evaluated. A credible assessor specifies control categories and, where they have implementation partnerships, discloses them explicitly. Vendor-agnostic assessors are not always available, but bias should be disclosed, not hidden.
- Limiting interviews to IT staff only. The most damaging security gaps often live in process — how you onboard and offboard employees, how you handle contractor access, how managers approve payment instruction changes, how staff share passwords "just this once." These gaps are invisible to a purely technical scanner. Insist the assessor conduct at least two interviews with non-IT staff — a manager, an office coordinator, or a field team member.
- Skipping the annual reassessment. A 2024 assessment reflects your security posture as of that moment. By 2026, if you have migrated to a new cloud platform, opened a new office, added a remote team, or experienced a cyber incident, the baseline is outdated. Annual reassessments — faster and cheaper the second time because findings are tracked from the prior-year baseline — are the only way to maintain warranted confidence in your security posture.
Related guides
Continue building your security program with these TechCare Canada resources:
- Small Business Cybersecurity hub — the full guide to cybersecurity controls for Canadian SMBs
- Cybersecurity incident response checklist — what to do in the first hours when a breach happens
- Quebec Law 25 & PIPEDA compliance — privacy obligations for Canadian businesses by province
- Backup & disaster recovery — tested backup is the single highest-impact control for ransomware survival
- Managed IT services Canada — what a quality MSP agreement should include for security
Frequently asked questions
What is included in a cybersecurity risk assessment in Canada?
A Canadian SMB security assessment typically covers seven domains: identity and access, endpoint protection, network security, data protection, email and cloud security, backup and recovery, and physical/supplier controls. You receive a scored gap report and a prioritized remediation roadmap.
How much does a security assessment cost in Canada?
For a Canadian small or medium business, a professional security assessment typically runs CA$1,500–$5,000 depending on size and scope. A 5-user office-only review starts around CA$1,500; a 50-user multi-site assessment with PIPEDA and Law 25 readiness review is typically CA$3,500–$5,000.
How is a security assessment different from a penetration test?
A security assessment evaluates your controls against a framework (CIS Controls, NIST CSF, or the CSE baseline) and scores your posture — it is largely interview- and documentation-based, plus tool-assisted scanning. A penetration test actively exploits vulnerabilities to prove they are reachable. Most SMBs need an assessment first; pen tests add value once core controls are in place.
Is a security assessment required for PIPEDA or Quebec Law 25 compliance?
Neither PIPEDA nor Quebec Law 25 mandates a formal assessment by name, but both require you to implement "appropriate security safeguards" proportional to the sensitivity of data held. An assessment is the standard way to demonstrate that proportionality to the OPC or the CAI in the event of a complaint or breach investigation.
What frameworks do Canadian security assessors use?
Most assessors map controls to CIS Controls v8 (the most common SMB framework), NIST Cybersecurity Framework (CSF 2.0), and the Canadian Centre for Cyber Security (CCCS/CSE) baseline controls at cyber.gc.ca. Regulated industries add sector overlays: OSFI B-13 for financial institutions, PHIPA for Ontario healthcare, PCI-DSS for payment processors.
How long does a security assessment take?
For a 10–50 user Canadian SMB, the active assessment phase (interviews, documentation review, scanning) takes 1–3 days. Final written report delivery is typically 3–5 business days after the active phase concludes. Rush timelines of 5 total business days are available at a modest premium.
What deliverables should I expect from a security assessment?
A credible assessment delivers: an executive summary with overall risk score, a domain-by-domain scored gap table, a prioritized remediation roadmap with effort and cost estimates in CAD, PIPEDA/Law 25 readiness status, a technical appendix of evidence, an editable remediation tracker, and a verbal debrief session.
How often should a Canadian business get a security assessment?
Annual assessments are the baseline recommended by the Canadian Centre for Cyber Security (cyber.gc.ca). A reassessment is also warranted after a major infrastructure change (cloud migration, new office, merger), a security incident, or a significant regulatory change affecting your industry.
Request your security assessment
Tell us about your environment — number of users, city, and industry. We will scope the right engagement and send a fixed-price quote within one business day. No spam, no pressure.
