Security baseline for small businesses

Security Baseline Assessment for Small Businesses

A practical review of Microsoft 365 identity, endpoints, backups, firewall and remote access, and email security for small offices in the GTA. You get a plain-English findings summary and a prioritized action plan you can act on with us, your existing IT provider, or on your own.

Built for businesses with roughly 5–50 staff that want to understand their security gaps before committing to managed IT, renewing cyber insurance, or hardening Microsoft 365.

  • Microsoft 365 Security
  • Endpoint Protection
  • Backup Readiness
  • Firewall & Remote Access
  • Cyber-Insurance Readiness
Assessment scope

What we analyze during the assessment

Five areas where small business security usually breaks down. We look at how each is configured today, what risk it carries, and what the practical next step looks like.

  1. Identity protection (Review)

    MFA coverage, admin role separation, conditional access, legacy authentication, and guest/external access in Microsoft 365.

  2. Endpoint protection (Coverage)

    EDR / antivirus coverage, patch level, disk encryption, local admin rights, and how alerts are actually handled.

  3. Backup readiness (Restore)

    What is backed up (M365, file server, SaaS), how often, and whether anyone has tested a real restore in the last year.

  4. Access & remote work (Control)

    Firewall rules, VPN/remote access, exposed services, shared accounts, onboarding/offboarding, and Wi-Fi exposure.
Checklist review

What we review

Concrete configuration checks across the controls that matter most for small offices and that show up most often on cyber insurance questionnaires.

  • MFA enforcement gaps
  • Admin account exposure
  • Endpoint protection coverage
  • Conditional access configuration
  • Backup recoverability verification
  • Phishing exposure risk
  • Device encryption status
  • Firewall & remote access exposure
  • Onboarding & offboarding hygiene
  • Patching & device hygiene
  • Cyber-insurance readiness blockers
  • Incident response contacts
When this makes sense

Practical triggers for a baseline assessment

Most assessments we run are kicked off by one of these moments. If any of these sounds familiar, this is usually the right time.

Before a cyber insurance renewal

You have a renewal coming up and want to know which questionnaire controls (MFA, EDR, backups, admin separation) you can honestly tick.

After a phishing attempt

Someone clicked a link, paid a fake invoice, or had their account taken over — and you want a structured second look at identity and email security.

Before hiring (or replacing) an MSP

You want an independent baseline of where things stand today before signing a managed IT contract or transitioning IT providers.

After staff turnover

Senior staff or technical contacts have left and nobody is fully sure which Microsoft 365, SaaS, or VPN accounts and admin rights are still active.

Before moving offices

An office move is a natural time to clean up firewall rules, network exposure, Wi-Fi configuration, and remote access before everything gets reconnected.

After adding remote / hybrid staff

Remote work changed how people access systems and where data lives. The original security baseline likely no longer matches the way the team actually works.

Backups have never been restore-tested

You believe you have backups, but no one has ever performed a real restore — so it isn't clear whether recovery would actually work.

Microsoft 365 permissions have drifted

SharePoint sites, OneDrive sharing, and Teams memberships have grown organically over years and nobody is sure who can see what.

Baseline control map

The control map we walk through with you

The visual centerpiece of every assessment. For each area we look at the common risk, the specific things CtrlShift checks, and the typical next step. No vendor pitch — just a practical reference.

Area reviewed: Microsoft 365 identity
Common risk: MFA gaps, drifted admin roles, legacy auth still enabled.
What CtrlShift checks: MFA coverage, conditional access, admin separation, guest access.
Typical next step: Harden tenant

Area reviewed: Endpoint protection
Common risk: Unmanaged laptops, missing EDR, patch drift across devices.
What CtrlShift checks: EDR coverage, alert handling, encryption, patch level, local admin.
Typical next step: Deploy / standardize EDR

Area reviewed: Backups
Common risk: Backup is configured, but restore has never been tested.
What CtrlShift checks: Backup scope, retention, evidence, and SaaS coverage (M365 / Workspace).
Typical next step: Run restore test

Area reviewed: Firewall & remote access
Common risk: Exposed services, weak VPN, leftover rules from prior IT.
What CtrlShift checks: Firewall rules, VPN/RDP exposure, admin credentials, Wi-Fi setup.
Typical next step: Close risky paths

Area reviewed: Email security
Common risk: Spoofing, phishing, brand impersonation, invoice fraud.
What CtrlShift checks: SPF / DKIM / DMARC, anti-impersonation, link & attachment policies.
Typical next step: Tighten mail security

Area reviewed: Cyber insurance readiness
Common risk: Questionnaire answers don't match what is actually configured.
What CtrlShift checks: Map current controls to common insurer questions and required evidence.
Typical next step: Document evidence

Process

How the assessment works

Six steps designed to be light on your team — most of the time is configuration review on our side, not interviews.

  1. Intake & goals

    Short scoping call to understand the business, what is keeping the owner up at night, and what triggered the assessment.

  2. Access & scope review

    Confirm which Microsoft 365 tenant, endpoints, backup tool, and firewall we will review, and how access will work.

  3. Microsoft 365 & identity checks

    Tenant review: admin roles, MFA, conditional access, mail flow, sharing, and licensing fit.

  4. Endpoint, backup & firewall review

    Inventory device coverage, validate backups and restore evidence, and walk through firewall and remote access exposure.

  5. Findings summary & action plan

    A short, plain-English document grouping issues as fix-now / soon / later — mapped to risk, not vendor stack.

  6. Optional managed IT / security handoff

    You can implement the plan yourself, hand it to your existing IT provider, or move to one of our managed IT plans.

Deliverables

What you receive

Concrete artifacts you can keep, share with insurers, or hand to any IT provider — not a verbal walkthrough.

Plain-English findings summary

What was reviewed and what we found, written for an owner or office manager.

Prioritized remediation checklist

Issues grouped as fix-now, soon, and later — each with the risk it reduces.

Microsoft 365 hardening notes

Specific tenant changes for identity, mail flow, sharing, and admin roles.

Endpoint protection gap list

Devices missing EDR, encryption, or current patches, and how to close the gap.

Backup & restore readiness notes

What is currently protected, what is not, and how a real restore would play out.

Firewall & remote access observations

Findings on firewall rules, VPN, exposed services, and Wi-Fi configuration.

Cyber-insurance readiness notes

Where current controls map to common insurer questionnaires and required evidence.

Next-step roadmap

A short, prioritized roadmap an owner can use to plan the next quarter of IT work.

Readiness review

Common cyber-insurance blockers we look for

We do not promise coverage or compliance. We help you identify technical gaps that often create friction during cyber-insurance applications, renewals, or claim reviews. If your assessment is for an insurance renewal, see our cyber insurance readiness review for Vaughan businesses.

  • MFA not enforced for all users (Warning)
  • Shared admin accounts (Warning)
  • No tested backup restore (Evidence needed)
  • No endpoint detection coverage (Coverage check)
  • No conditional access baseline (Roadmap item)
What this assessment is — and isn't

Honest scope, no overpromising

  • Not legal advice, regulatory opinion, or a substitute for counsel on PIPEDA, PHIPA, or industry rules.
  • Not compliance certification or attestation against any specific framework or audit standard.
  • Not a guarantee of cyber insurance coverage, premium reduction, or claim approval.
  • Not a guarantee that breaches, ransomware, or phishing incidents will be prevented.
  • Is a practical, plain-English review of small business IT and security controls, with prioritized next steps you can act on.

Built for

Who this is for

Small businesses with roughly 5–50 staff that handle sensitive data and want a practical, no-nonsense view of where their security stands today.

Medical & dental clinics

Clinics handling PHIPA-sensitive workflows and practice-management systems.

Accounting firms

Accounting and bookkeeping firms managing CRA-sensitive client documents.

Law firms

Law firms protecting confidential client records and matter files.

Engineering & consulting

Engineering and consulting teams with project, IP, and client data on the line.

FAQ

Common questions about the assessment

Is a security baseline assessment the same as a penetration test?

No. A penetration test actively tries to exploit a system. A security baseline assessment is a structured review of practical IT and security controls — Microsoft 365 identity, endpoints, backups, firewall and remote access, and cyber insurance readiness — and produces a plain-English findings summary and prioritized action plan.

Can this assessment help with our cyber insurance application or renewal?

It can help you identify the technical controls insurers commonly ask about — MFA, EDR, backups, admin separation, incident response — and document where you stand today. It does not guarantee coverage, premium reduction, or claim approval. Underwriting decisions are made by the insurer, not by us.

Do you need admin access to our systems to do the assessment?

For most reviews we need read-level visibility into your Microsoft 365 tenant, endpoint protection console, backup tool, and firewall. Where read-only access is not possible, we walk through configuration with your team on a screen-share. We never install persistent tooling without explicit written approval.

How long does the assessment take?

A typical small-business security baseline assessment runs over a few business days end-to-end, depending on scope and how quickly we can get the access we need. Most of that time is configuration review on our side, not interviews with your team.

What do we receive at the end?

You receive a plain-English findings summary, a prioritized remediation checklist (fix-now / soon / later), Microsoft 365 hardening notes, an endpoint protection gap list, backup and restore readiness notes, firewall and remote access observations, optional cyber insurance readiness notes, and a short next-step roadmap.

Can you also fix the issues you find?

Yes. We can implement remediations directly, hand the plan to your existing IT provider, or fold the work into one of our managed IT plans. The assessment is useful on its own — there is no requirement to engage us for ongoing services.

Is this only for Vaughan businesses?

No. We are based in the GTA and primarily work with small businesses in Vaughan, Toronto, Mississauga, Thornhill, and Richmond Hill, but the assessment runs remotely and is suitable for small offices anywhere in Ontario.

Practical baseline review

Understand your security gaps before they become incidents

Get a structured small-business security baseline review — Microsoft 365, endpoints, backups, firewall, email, and cyber insurance readiness — written in plain English you can actually act on.

Request a Security Baseline Assessment