Question 1

What is the difference between an Antivirus and EDR?

Accepted Answer

A traditional antivirus relies on signatures: it compares files to a database of known threats and blocks the ones it recognizes. While effective against known threats, it is blind to new and sophisticated attacks. EDR (Endpoint Detection and Response) is a next-generation security technology that continuously monitors the behavior of every process on your computers and servers. It detects abnormal behaviors—even from unknown software or a zero-day threat—and can automatically isolate a compromised endpoint to prevent the attack from spreading. In 2025, any SMB handling sensitive data or relying on IT systems to operate should use an EDR instead of a basic antivirus. The cost difference is minimal; the protection difference is massive.

Question 2

Is phishing really a risk for a small business?

Accepted Answer

It is actually the number one attack vector against SMBs. According to the Canadian Centre for Cyber Security, over 91% of successful cyberattacks start with a phishing email. Attackers craft emails that perfectly mimic Microsoft, your bank, a vendor, or even a colleague (spear phishing). An employee who clicks on a malicious link can unwittingly grant access to your entire network in seconds. SMBs are heavily targeted because their employees are less trained and their systems are often less secure. Running a phishing simulation in your company typically reveals that 20% to 35% of untrained employees click the malicious link. This rate drops below 5% after proper training and regular simulations.

Question 3

What is MFA and why is it so important?

Accepted Answer

MFA (Multi-Factor Authentication) is a security mechanism that requires two or more proofs of identity to access an account: something you know (a password), something you have (a smartphone, a security key), or something you are (biometrics). Microsoft reports that MFA blocks 99.9% of automated account attacks, even if the password has been compromised. For an SMB using Microsoft 365, not enforcing MFA is like leaving the front door of your office unlocked at night. Additionally, MFA is mandatory under Quebec Law 25 for systems containing personal information. ABCnumérique enables and configures MFA on all your Microsoft 365 accounts, including admin portals, emails, SharePoint, and Teams.

Question 4

What does dark web monitoring for a business entail?

Accepted Answer

The dark web is an unindexed part of the internet where cybercriminals buy and sell stolen data, particularly lists of passwords compromised during data breaches. Every year, billions of credentials are listed for sale on these marketplaces. Dark web monitoring for your business consists of continuously checking whether email addresses linked to your domain (e.g., @yourcompany.ca) appear in these breaches. If an employee's corporate password is compromised—often because they reused their work email/password combo on a third-party site that was hacked—we alert you immediately so you can reset their access before an attacker logs in. This service is included in our SMB Cybersecurity package and generates real-time alerts.

Question 5

What should we do if we get hit by ransomware?

Accepted Answer

A ransomware is malicious software that encrypts your files and demands a ransom payment to decrypt them. It is one of the most devastating threats for SMBs. If you are hit, the first few minutes are critical: quickly isolate the infected systems from the network (unplug network cables or turn off Wi-Fi), do not pay the ransom without expert advice (paying does not guarantee data recovery), and immediately call your IT security team. ABCnumérique prepares your organization beforehand with a documented incident response plan, backups tested monthly according to the 3-2-1 rule, and an emergency recovery protocol with a defined RTO. As per Law 25, if the security incident involves personal information, you are required to report it to the CAI and the affected individuals.

Question 6

Is cybersecurity mandatory for NPOs and nonprofits?

Accepted Answer

Although there isn't a law explicitly dictating a precise list of cybersecurity software NPOs must buy, Law 25 legally requires any organization to implement adequate security measures to protect the personal information it collects—and this definitely includes NPOs. In practice, "adequate measures" means your security level must be proportionate to the sensitivity of the data you handle and the risks you face. A community health center dealing with medical data has higher security needs than a local sports league. Furthermore, NPOs are increasingly targeted by cybercriminals precisely because they are perceived as poorly protected and often harbor sensitive data (health, personal finances, youth records). Our Comprehensive NPO Package integrates a base layer of cybersecurity tailored to the budget realities of non-profit organizations.

Question 7

How much does a cyberattack cost an SMB?

Accepted Answer

The average cost of a data breach for a Canadian SMB is estimated at 4.87 million CAD (IBM Cost of a Data Breach Report, 2024), encompassing all expenditures: system recovery time, lost productivity, legal and notification fees, reputational harm, regulatory fines (Law 25), and customer churn. For smaller businesses, even a minor attack can result in tens of thousands of dollars in damage: a week of complete operational downtime (yielding $30k in lost revenue), $15k in emergency IT recovery fees, and $10k in legal fees to navigate Law 25 notifications, without even factoring in the loss of trust from clients. The cost of managed cybersecurity protection—which starts at $800/month for our SMB Cybersecurity Package—is merely a fraction of the cost of a successful attack.

Question 8

Is Microsoft 365 enough to protect my business by itself?

Accepted Answer

Microsoft 365 includes built-in security features that are vastly superior to many standalone tools. However, these protections are not activated by default and require expert configuration to be effective. Advanced security features—such as Defender for Endpoint (full EDR), Defender for Office 365 Plan 2 (advanced anti-phishing), Microsoft Purview (data governance), and Conditional Access—require Microsoft 365 Business Premium licenses or higher, along with specialized setup. In addition, M365 does not protect non-Microsoft equipment (NAS drives, network printers, IP cameras, routers), does not monitor the dark web, does not conduct targeted phishing simulations, and does not provide an incident response plan. ABCnumérique configures M365 to maximize native protections and bridges the gaps with complementary tools.

SMB Cybersecurity - 360° Managed Protection 24/7

Your SMB is a target. Not because it is big. Because it is vulnerable.

Defense in depth. Not just an antivirus.

Vulnerability Assessment (Week 1)

Protection Deployment (Weeks 2–3)

Training & Simulation (Week 4)

Continuous Monitoring & Improvement

What you get

Deployed Technical Protection

Processes and Documentation

Training and Security Culture

Questions fréquentes

This service pairs perfectly with

Law 25 Data Protection & Compliance

Backup & Business Continuity

Microsoft 365 & Cloud Infrastructure

Prêt à passer à l'action avec ABCnumérique ?