Cybersecurity, in plain language
The terms that show up in quotes, security questionnaires, insurance policies and compliance requirements — explained simply, without the jargon, for SMB decision-makers.
Privacy & compliance
- Law 25 (Quebec)
-
Quebec's private-sector privacy law, formerly Bill 64, rolled out in stages from 2022 to 2024 and applies to virtually every business that collects or holds personal information in the province — there is no small-business exemption. A named privacy officer and the reporting of confidentiality incidents that pose a risk of serious injury have been required since September 2022; written governance, privacy impact assessments and stricter consent rules followed in September 2023. Penalties are among the toughest in Canada: fines can reach $25 million or 4% of worldwide turnover for the most serious offences, and the law also created a private right of action for damages.
- Privacy impact assessment (PIA / EFVP)
-
A structured review of the privacy risks of a project — what Quebec's Law 25 calls an évaluation des facteurs relatifs à la vie privée. The law requires one before you acquire, develop or overhaul an information system that handles personal information, and before you transfer personal information outside Quebec. For a smaller business, the assessment is scaled to the project: a small initiative calls for a proportionate, documented review, not a heavy report.
- Privacy officer (RPRP)
-
Under Law 25, the person your business must formally name as accountable for protecting personal information, with their title and contact details published so the public can reach them. Day to day, the RPRP handles access requests, assesses confidentiality incidents, keeps the incident register and oversees privacy governance. A small business that would rather not assign the role internally can outsource it.
- PIPEDA
-
Short for the Personal Information Protection and Electronic Documents Act, Canada's federal privacy law for the private sector. It governs how businesses collect, use and disclose personal information in the course of commercial activity, and like Law 25 it's a legal obligation rather than an optional framework. If you serve clients outside Quebec or move personal information across provincial or national borders, expect PIPEDA to apply alongside Quebec's rules.
- SOC 2
-
An attestation rather than a certification: a licensed CPA examines your controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy) and issues an independent report you can hand to clients. A Type I report covers how your controls are designed at a point in time; a Type II, harder to earn but more persuasive, shows they operated consistently over a period. When a North American client sends a security questionnaire before signing, a SOC 2 report is usually what they're after.
- ISO 27001
-
The international standard for an information security management system (ISMS), and unlike SOC 2 a true certification: an accredited body audits your ISMS and issues a globally recognized certificate, typically valid for three years with annual surveillance audits. Getting there means scoping the ISMS, assessing and treating risks, and building a Statement of Applicability against the standard's Annex A. It tends to carry more weight with enterprise and international buyers, so it's worth pursuing when a contract or a key buyer specifically calls for it rather than by default.
- NIST CSF 2.0
-
Neither an attestation nor a certification, the NIST Cybersecurity Framework is a control baseline and a common security language organized around six functions: Govern, Identify, Protect, Detect, Respond and Recover. You don't pass it; you use it to measure and improve your security posture and to report on it to leadership in terms everyone understands. Its controls overlap heavily with SOC 2 and ISO 27001, so a NIST CSF maturity assessment is often an economical first step before pursuing either.
Testing & assessments
- Penetration testing (pen test)
-
An authorized, simulated attack on your systems, applications or networks, carried out by a specialist who works the way a real attacker would. Unlike an automated scan, a proper pen test involves manual exploitation, so it proves what an intruder could actually do with your data rather than what might be possible in theory. You come away with a prioritized report your team can act on — the kind of evidence insurers, client contracts and compliance frameworks ask for, often on an annual cadence.
- Vulnerability scan
-
Automated software combs through your servers, workstations, applications and cloud environments looking for known weaknesses: outdated software, missing patches, risky configurations. A scan is quick and easy to repeat (monthly is a solid baseline for most SMBs), but it only lists potential problems; it doesn't confirm what an attacker could actually do with them. That's why it complements a penetration test instead of replacing it.
- Vulnerability management
-
The ongoing discipline of finding, ranking and fixing the security weaknesses in your systems: a cycle of discover, prioritize, remediate, verify, repeat, rather than a one-time event. New flaws are disclosed every week, so the real work is sorting out the small number that genuinely put you at risk and confirming they get fixed, instead of drowning your team in a raw list of thousands. Insurers and frameworks like SOC 2 increasingly require proof that this process is actually running.
- Cybersecurity assessment
-
This is the wide-angle exercise: a review of your whole security posture — identities, devices, network, cloud, backups and policies — done through interviews and a read-only look at your configurations, ending in a plain-language plan ranked by real impact. Nothing gets exploited and nothing goes down, which makes it the least disruptive place to start. Where a penetration test proves in depth what's exploitable on specific targets, the assessment shows where the gaps are across the board and what to fix first, so you don't spend money on the wrong problems.
- Cyber-insurance readiness
-
How well your organization stacks up against the security controls cyber insurers now require before they'll cover you: MFA on email and remote access, EDR on your devices, tested backups and an incident-response plan, among others. Missing MFA is by far the most common reason an application gets declined. The requirement doesn't end at signing, either: if you attested to a control on the application and it wasn't actually in place at the time of an incident, the insurer can reduce or deny the claim, so controls need to be real and provable rather than boxes checked once.
Defence & operations
- Multi-factor authentication (MFA)
-
Your password alone shouldn't be enough to get in. MFA adds a second proof of identity, usually a code or an approval on your phone, so a stolen or reused password isn't enough for an attacker either. Most breaches that hit small businesses start exactly there: a phishing email, a reused password, an account with no second factor. In Microsoft 365 the capability is often already in your licence; it just has to be turned on and enforced.
- Conditional access
-
Rules in Microsoft 365 (Entra ID) that decide whether a sign-in is allowed based on who is asking, from which device, from where, and how risky the attempt looks. Instead of treating every login the same, you can block a connection from an unmanaged laptop or require extra proof for an unusual sign-in. It comes with Entra ID P1, included in plans like Microsoft 365 Business Premium, but it does nothing until someone actually configures the policies.
- Zero Trust
-
A security model that stops assuming anything inside your network is safe: every user and every device has to be verified, access is limited to what each person actually needs, and you plan as if a breach will happen. For an SMB this mostly means practical steps like MFA, conditional access and least-privilege permissions, not a big product purchase. Fewer ways in for attackers, and the ones who do get in are easier to spot.
- EDR / XDR
-
Endpoint detection and response (EDR) watches the behaviour on your computers and servers to catch what traditional antivirus misses, and can isolate a compromised machine. XDR (extended detection and response) widens that view beyond endpoints to identities, email and cloud, correlating the signals so a real attack stands out from the noise. For businesses already on Microsoft 365, Microsoft Defender XDR is the common example, and it's included in many of the plans you may already pay for.
- Managed detection and response (MDR)
-
Continuous monitoring of your endpoints, identities, email and cloud, delivered as a service, with real response when something goes wrong: isolating a compromised device, disabling a hijacked account. The around-the-clock watching is done by a managed SOC platform built on Microsoft Sentinel and Defender, while a security expert investigates the alerts that actually matter. For most SMBs it's the realistic alternative to building an in-house security team, which can easily cost a multiple of a senior salary before it detects a single threat.
- SIEM
-
Short for security information and event management: the platform where logs from your computers, servers, firewalls, Microsoft 365 and cloud services come together to be analyzed as one. That's what lets you spot that a string of harmless-looking events is actually an attack, and it keeps the record of what happened — retention that frameworks like SOC 2 and NIST CSF, and many cyber insurers, expect from you. The SIEM provides the visibility; pairing it with MDR adds the watching and the response through a managed SOC. For organizations already on Microsoft 365, Microsoft Sentinel is a natural cloud SIEM.
- Incident response plan
-
A written plan, prepared before anything happens, that spells out who does what during a breach or ransomware attack: who decides, who communicates, who to call first, and what the technical steps are. The worst time to design one is in the middle of a crisis; organizations that have rehearsed in advance contain incidents faster and get back to business sooner, and cyber insurers increasingly require a plan. In Quebec, Law 25 adds obligations the plan should cover: assessing any confidentiality incident, keeping a register, and notifying the Commission d'accès à l'information and affected individuals when there's a risk of serious injury.
- Immutable backup
-
A backup copy that's locked for a set period so no one can change, encrypt or delete it, not even someone holding administrator access. Many businesses only discover on restore day that their backups were encrypted along with everything else; an immutable or offline copy stays out of ransomware's reach, so you can restore instead of paying. It has also become a common requirement from cyber insurers.
- RTO / RPO
-
The two numbers that define your recovery plan. RTO, the recovery time objective, answers "how fast do we need to be running again?"; RPO, the recovery point objective, answers "how much data can we afford to lose?". Setting them deliberately keeps you from overpaying for instant recovery you don't need, or discovering after an outage that a week of work is gone. Your backup design should follow from these targets, not the other way around.
Threats, data & email
- Phishing
-
Fraudulent emails or messages crafted to trick someone into clicking a link, opening an attachment or handing over a password. The large majority of breaches that hit small and mid-sized organizations start exactly this way — with a person, not a firewall failure. Since one click is all an attacker needs, regular training and simulated phishing campaigns are the most practical defence.
- Ransomware
-
Malicious software that encrypts your files and systems, then demands payment to unlock them. For an SMB, the real question is whether you could restore operations without paying — which is why cyber insurers now require immutable or offline backups with a tested restore. It's also the kind of incident where a documented, tested response plan earns its keep.
- Security awareness training
-
A recurring program that teaches employees to recognize and report phishing, social engineering and risky data handling — short, practical modules plus realistic simulated phishing, not a once-a-year video. Results are measurable: you baseline a click rate, then track how it improves across campaigns. Documented training also supports Law 25 and PIPEDA expectations around staff awareness, and it's one of the controls cyber insurers look for.
- Data residency
-
Where your data is physically stored — for example, in Canadian cloud regions like Azure Canada Central (Toronto), Azure Canada East (Quebec City) or AWS ca-central-1 (Montreal). It's concrete and verifiable: you can name the region, document it and prove it. But residency only answers part of the question: it tells you where your data sits, not who can legally compel access to it.
- Data sovereignty
-
A question of control and jurisdiction: whose laws govern your data and who can be compelled to hand it over. Data can reside in Canada and still fall within reach of a foreign law if the company that controls it answers to a foreign jurisdiction — the US CLOUD Act, for instance, compels disclosure based on who controls the data, not where the servers sit. For a Canadian SMB, sovereignty is what decides whether keeping data in Canada actually protects it.
- CLOUD Act
-
A US law that can compel a company under US jurisdiction to disclose data it holds, regardless of the country where that data is stored. It applies based on who controls the data, not where the servers are located — so a US-owned provider hosting in a Canadian data centre can still be ordered to hand your data over. Working with a Canadian-owned provider is how you reduce that exposure.
- Email authentication (SPF, DKIM, DMARC)
-
Three standards — SPF, DKIM and DMARC — set up on your domain so that receiving mail servers can verify a message claiming to come from you actually did. Without them, it's easier for attackers to spoof your domain and phish your clients, suppliers and staff in your name. They're also among the controls cyber insurers commonly require, alongside advanced email filtering.
Did one of these terms land close to home?
Let's talk about what it means for your organization in practice — in English or French.
Get in touch
The family of attacks that manipulate people rather than technology — phishing is the best-known example, but a convincing phone call that talks an employee into giving out a password counts too. Attackers lean on urgency, authority or familiarity to get someone to do what they shouldn't. Penetration tests often include a social-engineering component precisely because it measures how your team actually holds up against a real attempt.
Security awareness training →