Building a cyber resilience posture with limited resources
Why think about resilience and not just protection?
- Most SMEs don’t think they should aim for resilience because they believe it’s reserved for strategic organizations such as banks, hospitals, telecommunications companies, etc.
- According to the figures, nearly 60% of cyberattacks in Canada target SMEs, and 40% of them never fully recover.
Cyber resilience and what is at stake: not only preventing the attack, but continuing to function despite it.
Definition of cyber resilience
Cyber resilience is the ability to:
- Prevent incidents (protection)
- React effectively when they occur (detection and response)
- Recover quickly with minimal impact (continuity, backup, learning)
In short: it’s not “zero cyberattacks,” but “zero panic.”
Canadian SMEs in 2025: The Importance of Resilience
- Increase in targeted attacks against SMEs due to their limited resources
- Increased regulatory requirements (Bill 25, Bill C-26, GDPR for European customers)
- Growing reliance on digital technology (CRM, invoicing, customer data)
- Access to cyber insurance increasingly dependent on resilience
Real case: An SME that held on
A company with 25 employees in the Laurentians, north of Montreal, was the victim of ransomware in 2023.
Thanks to:
- An active backup plan
- Regular employee training
- Rapid collaboration with an external expert
The company resumed operations within 36 hours, without paying any ransom and with zero customer losses.
Key recommendations: Concrete pillars of cyber resilience for an SME
- Basic but solid prevention
  - Firewall, managed antivirus, MFA enabled
  - Automatic updates on all devices
  - Training and awareness for all staff
- Rapid detection
  - Configured alerts (unusual logins, modified files)
  - Easy reporting of phishing emails (button or dedicated address)
  - Logging enabled on critical servers and applications
- Reliable backups
  - Automatic, frequent, and offline backups
  - Regularly tested: an unusable backup = no backup
  - Encrypted copies located in Canada (compliance)
- Business Continuity Plan (BCP)
  - Simple, readable plan tailored to your business
  - Who does what in the event of an incident? Who is responsible?
  - Scenarios tested: cyberattack, internet outage, server loss
- Partners and suppliers ready to intervene
  - Cybersecurity expert providing rapid support (internal or external)
  - Contact with the hosting provider, insurer, and IT provider
  - Clear procedure for alerting and documenting
Procedure for starting Cyber Resilience
- Evaluate critical assets: what must never go down (accounting, orders, emails)
- Identify specific threats: ransomware, data theft, outages
- Create a mini-BCP: even a one-page version is better than nothing
- Choose an internal cybersecurity advisor (or seek support from, for example, Octosafes Inc. or an expert)
- Test processes every 6 months
NB: To be resilient, it’s better to be moderately prepared than completely unprepared. It’s up to SMEs to invest wisely and build cyber resilience appropriate to their size.
Building Cyber Resilience in 5 Days: SMART / Simple-Practical-Realistic
Day 1: Identify what is essential
- Make a quick list of critical digital assets: customer data, emails, billing, ERP, servers
- Classify these assets by impact: “critical,” “important,” “secondary.”
- Ask the right questions: What happens if the asset fails for 1 day? 1 week? Etc.
- Tool: “Asset Priority” Excel spreadsheet
Day 2: Know the main risks
- Objective: Identify the most likely incident scenarios
  - Malicious download (phishing)
  - Ransomware blocking access to files
  - Loss or theft of an unencrypted laptop
  - Server outage or internet outage
- For each risk:
  - Rate the likelihood (low/medium/high)
  - Rate the impact (minor, moderate, critical)
Day 3: Prepare a mini-response plan
- Objective: React quickly and avoid panic
- Who to contact in case of an incident?
  - (Internal IT, external expert, insurance, police, clients?)
- Where are the backups located? Who has access to them?
- What to say (and not say) to clients
Included: “Quick Response Sheet” template to complete
Day 4: Test the backups
- Objective: Ensure that data can be recovered in the event of an attack
- Check that the backups are:
  - Automatic
  - Offline (not just in the cloud)
  - Quickly recoverable
- Perform a restoration test and measure how long it takes
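The Day 4 restoration test as a script, which also covers the earlier point that an unusable backup is no backup. This is an added example, not part of the original article; the tar.gz archive, the SHA-256 manifest, the function names and the 60-second target are assumptions, and the sample file is constructed.

```python
import hashlib, tarfile, tempfile, time, zlib
from pathlib import Path
def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative path: SHA-256}."""
    manifest = {p.relative_to(source).as_posix(): sha256(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest

def restore_test(archive: Path, manifest: dict, max_seconds: float) -> dict:
    """Restore into a scratch directory, verify each file, time the whole run."""
    # Use tarfile's "data" extraction filter where this Python provides it.
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    problems, start = [], time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **safe)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"archive unreadable: {exc}")
        else:
            for rel, digest in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file():
                    problems.append(f"missing: {rel}")
                elif sha256(restored) != digest:
                    problems.append(f"corrupted: {rel}")
    elapsed = time.monotonic() - start
    if elapsed > max_seconds:
        problems.append(f"too slow: {elapsed:.1f}s, target {max_seconds}s")
    return {"ok": not problems, "seconds": elapsed, "problems": problems}

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as work:  # constructed sample data
        source = Path(work, "data")
        (source / "billing").mkdir(parents=True)
        (source / "billing" / "invoices.csv").write_text("id,amount\n1,100\n")
        archive = Path(work, "backup.tar.gz")
        manifest = make_backup(source, archive)
        healthy = restore_test(archive, manifest, max_seconds=60)  # assumed target
        archive.write_bytes(b"damaged")  # simulate an unusable backup
        return healthy, restore_test(archive, manifest, max_seconds=60)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keep the manifest somewhere other than the backup itself, so that a tampered archive cannot also rewrite the hashes it is checked against.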
Day 5: Raising employee awareness
- Objective: Reduce human errors (phishing, mishandling, etc.)
- Organize a cybersecurity coffee break (20 min)
- Send a simple fact sheet to employees: “Anti-phishing reflexes”
- Demonstrate how to report a suspicious email
Summary
| Day | Key action | Result |
|---|---|---|
| 1 | List of critical assets | Prioritization |
| 2 | Risk identification | Clear mapping |
| 3 | Mini response plan | Less stress in the event of an incident |
| 4 | Checking backups | Faster recovery |
| 5 | Internal training | Better prepared team |
Example of an Excel table showing the priorities of the assets
| Digital asset | Criticality | Impact in the event of an incident | Existing protective measures |
|---|---|---|---|
| Billing system | Critical | Loss of revenue, interruption of operations | Daily backup, restricted access |
| Customer database | Critical | Violation of privacy, legal sanctions | Encryption, two-factor authentication |
| Internal file servers | Medium | Moderate internal disruption | Weekly backup |
| Messaging system | Critical | Loss of essential communication | Anti-spam filtering, cloud backup |
| Website/Online store | Medium | Loss of sales, damaged image | Uptime monitoring, web application firewall (WAF) |
Cybersecurity Incident Rapid Response Sheet
Organization Name: __________________
Senior Manager (Cybersecurity or IT): __________________
Phone (mobile and office): __________________
E-mail: __________________
1. Incident detection
- Date and time of detection: ________________
- Alert trigger:
  - Employee
  - IT Vendor
  - Security Tool
  - Client
  - Other: ___
- Quick description of the incident:
  - (Example: “A ransom message appeared on several workstations”, “email leak detected”, etc.)
2. First immediate actions
| Urgent action | Done? (Ok/No) | By whom? | Time |
|---|---|---|---|
| Disconnect the affected workstation or server from the network | | | |
| Inform the IT / Cybersecurity manager | | | |
| Change critical access passwords | | | |
| Identify affected systems | | | |
| Block suspicious external connections | | | |
3. Contacts to call
| Contact | Role | Contact details |
|---|---|---|
| Internal cybersecurity manager | | |
| IT supplier | | |
| External cybersecurity expert | | |
| Cyber risk insurance | | |
| Authorities (Example: OPC, Police, CNIL) | | |
4. Documentation and follow-up
- Screenshot / Evidence retained: Yes / No
- Incident report opened: Yes / No
- Complete report start date: __________
5. Communication
- Customers to inform? Yes/No
- Suppliers to inform? Yes/No
- Communication plan in place? Yes/No
Communications manager: ____________________________
TO DO AFTER THE INCIDENT
- Post-mortem analysis and lessons learned
- Updates to the response plan
- Employee awareness
- Report to authorities if required (Act 25, Act 5, GDPR, etc.)


