StatsCan's 2024 report on cyber incidents landed quietly, but the numbers matter: in 2023, 16% of Canadian businesses reported being impacted by cyber incidents. That's lower than in 2019—but identity theft and scams are climbing inside that 16%.
At the same time, law firms and insurers have been telling small organizations to tighten up their basics: clear policies, regular backups, MFA, vendor management, and a written incident plan.
So as you're wrapping up the year in Hamilton, Burlington, Oakville, or Stoney Creek, it makes sense to do a year-end security audit—not a 90-page report, just a practical review.
Here's how I'd structure it.
Part 1 – People and Training
Grab your coffee and ask:
- Did we do any formal cyber training this year?
- Did we talk about phishing and scams, passwords and MFA, how to report suspicious stuff?
Cross-check against realistic guidance from Get Cyber Safe and the Canadian Bankers Association's small-business toolkit, which both stress awareness and basic procedures.
If "no" or "not really":
- Plan one short session in January
- Use real examples from Canadian resources
- Make it part of onboarding going forward
Part 2 – Accounts, Access, and MFA
Threat assessments and small-org guidance keep hammering identity and access as core issues.
Year-end checklist:
Orphaned accounts:
- Any staff who left this year still have accounts?
- Any generic logins (reception, warehouse) with more access than they need?
MFA coverage:
- Do all email accounts use MFA?
- Do remote access tools (VPN, RDP gateways) use MFA?
- Do admin accounts always require MFA?
Password reset processes:
- Are reset emails going to personal addresses?
- Are "security questions" still weak and guessable?
If you find gaps, prioritize fixing email and remote access first—those are the front doors.
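If you want to do this check from an export rather than by eyeballing the admin console, the script below is an added example (not part of this post, and not tied to any one product). It assumes a CSV export of accounts with the column names shown; the rows, the list of departed staff and the 90-day "stale" threshold are all constructed for the demo. It flags orphaned and stale accounts, generic logins holding admin rights, and accounts without MFA on email, VPN or RDP, and ranks the front-door problems first.

```python
"""Year-end access audit over a constructed account export.

Added example, not from the original post. Assumes a CSV export from your
identity system (Microsoft 365, Google Workspace, local AD, ...) with the
columns below; the column names and rows are constructed for this demo.
"""
import csv
import io
from datetime import date

# Constructed sample export: one row per account.
SAMPLE_EXPORT = """\
username,display_name,enabled,last_sign_in,mfa_enabled,is_admin,account_type,services
j.smith,Jane Smith,true,2024-12-10,true,true,personal,email;vpn
t.lee,Tom Lee,true,2024-06-02,false,false,personal,email
reception,Front Desk,true,2024-12-11,false,true,shared,email
warehouse,Warehouse PC,true,2024-12-09,false,false,shared,vpn
m.chan,Mei Chan,true,2024-12-11,true,false,personal,email;rdp
"""

# Constructed: usernames HR says left the company this year.
DEPARTED_STAFF = {"t.lee"}
STALE_DAYS = 90
# Email and remote access are the "front doors": fix these first.
FRONT_DOOR_SERVICES = {"email", "vpn", "rdp"}


def parse_export(text):
    """Turn the CSV export into plain dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "last_sign_in": date.fromisoformat(row["last_sign_in"]),
            "mfa": row["mfa_enabled"].lower() == "true",
            "admin": row["is_admin"].lower() == "true",
            "shared": row["account_type"] == "shared",
            "services": set(filter(None, row["services"].split(";"))),
        })
    return accounts


def audit(accounts, departed, today, stale_days=STALE_DAYS):
    """Return (priority, username, finding) tuples; priority 1 = fix first."""
    findings = []
    for a in accounts:
        u = a["username"]
        if a["enabled"] and u in departed:
            findings.append((1, u, "orphaned: account of departed staff still enabled"))
        if a["enabled"] and (today - a["last_sign_in"]).days > stale_days:
            findings.append((2, u, f"stale: no sign-in in {stale_days} days"))
        if a["shared"] and a["admin"]:
            findings.append((1, u, "generic account holds admin rights"))
        if a["admin"] and not a["mfa"]:
            findings.append((1, u, "admin account without MFA"))
        exposed = a["services"] & FRONT_DOOR_SERVICES
        if exposed and not a["mfa"]:
            findings.append((1, u, f"no MFA on front-door services: {sorted(exposed)}"))
    # Front-door and admin issues (priority 1) come out ahead of stale accounts.
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


def run_sample(today_iso="2024-12-12"):
    """Audit the constructed export as of a fixed date so results are repeatable."""
    return audit(parse_export(SAMPLE_EXPORT), DEPARTED_STAFF, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for priority, user, finding in run_sample():
        print(f"P{priority}  {user:<10} {finding}")
```

On the sample data this lists seven findings: the departed user's still-enabled account with no MFA on email, the shared reception login that is both an admin and MFA-free, and the warehouse VPN login without MFA come out as priority 1, with the six-month-idle account as the only priority 2 item.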
Part 3 – Backups and Restore Tests
The Cyber Centre, SMB guides, and bank toolkits all treat backups as non-negotiable.
By year-end you should be able to answer:
- What systems are backed up? (servers, cloud apps, endpoints)
- How often? (hourly, daily, weekly)
- Where are the backups stored? (local only, off-site, cloud)
- When was the last test restore?
If you can't remember the last restore test, schedule one before year-end:
- Restore a sample of files or a mailbox
- Time how long it takes
- Confirm you could live with that in a real incident
Document what you tested and the results. Insurers and auditors love seeing that.
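A restore test is only worth something if you can show the restored files actually match the originals and you kept a record. The script below is an added example, not from this post or any backup vendor: it assumes you have already restored a sample of files from backup into a scratch folder, then it compares every file against the live copy by SHA-256, times the exercise, checks the time against a tolerance you set, and produces a JSON record to file with your notes. The sample files, the one deliberately broken restore, and the four-hour tolerance are constructed for the demo.

```python
"""Restore-test verification with a written record.

Added example, not from the original post. Assumes you have restored a
sample of files from backup into `restored_dir` and want to prove they
match `source_dir`, time the exercise, and keep a record. Sample files
and the tolerance figure are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
import time
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path (with '/' separators) -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_restore(source_dir, restored_dir):
    """Return (missing, corrupted, extra) relative paths, each sorted."""
    src, dst = hash_tree(source_dir), hash_tree(restored_dir)
    missing = sorted(p for p in src if p not in dst)
    corrupted = sorted(p for p in src if p in dst and src[p] != dst[p])
    extra = sorted(p for p in dst if p not in src)
    return missing, corrupted, extra


def restore_test_record(source_dir, restored_dir, elapsed_seconds,
                        max_acceptable_seconds, tester):
    """Build the record you would keep for insurers and auditors."""
    missing, corrupted, extra = compare_restore(source_dir, restored_dir)
    passed = (not missing and not corrupted
              and elapsed_seconds <= max_acceptable_seconds)
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "tester": tester,
        "scope": os.path.basename(source_dir),
        "files_checked": len(hash_tree(source_dir)),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected_extra": extra,
        "elapsed_seconds": round(elapsed_seconds, 1),
        "max_acceptable_seconds": max_acceptable_seconds,
        "passed": passed,
    }


def demo(break_restore=True):
    """Constructed live folder plus a restored copy; optionally damage the restore."""
    files = {
        "invoices/inv-1001.txt": b"Invoice 1001\n",
        "invoices/inv-1002.txt": b"Invoice 1002\n",
        "notes.txt": b"year-end\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = os.path.join(tmp, "live"), os.path.join(tmp, "restored")
        os.makedirs(os.path.join(live, "invoices"))
        os.makedirs(os.path.join(restored, "invoices"))
        for rel, data in files.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        start = time.monotonic()
        # A real test restores from backup media here; we simulate the result.
        for rel, data in files.items():
            if break_restore and rel == "notes.txt":
                continue                      # file never came back
            if break_restore and rel == "invoices/inv-1002.txt":
                data = data[:10]              # truncated on restore
            with open(os.path.join(restored, rel), "wb") as f:
                f.write(data)
        elapsed = time.monotonic() - start
        return restore_test_record(live, restored, elapsed,
                                   max_acceptable_seconds=4 * 3600,
                                   tester="example (constructed)")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run with `break_restore=True` the record lists one missing file and one corrupted file and marks the test as failed; run with `break_restore=False` it passes. Either way you end up with a dated, attributable record rather than a vague memory of "we tested it once."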
Part 4 – Patching and Endpoint Protection
Basic, but still neglected.
Use guidance aimed at small orgs (Cyber Centre baseline controls, SMB courses, etc.) as your reference.
Check:
- Are all supported Windows/macOS systems getting updates automatically?
- Are any machines still on end-of-life operating systems?
- Is your security software centrally managed, reporting in, and actually running on all devices?
For any out-of-support machines, decide:
- Replace in Q1
- Isolate and strictly limit access
- Or retire them completely
Part 5 – Vendors, Insurers, and Contracts
This is where the business side kicks in.
Vendors with access to your data or systems:
- Do you know who they are?
- Do contracts say anything about security or breach notification?
Cyber insurance:
- Did you renew or apply this year?
- Did you answer security questions honestly?
- Did anything change since then (MFA rollout, new backups, etc.)?
A 2024 Auditor General report slammed federal capacity to handle cybercrime and highlighted how costly under-reporting and weak controls can be.
You don't control Ottawa, but you do control whether your own story (to insurers and clients) lines up with reality.
If your security posture improved this year, tell your broker. If it didn't, don't wait until the next renewal to start fixing gaps.
Part 6 – Incident Log and Lessons Learned
Even if you never called it an "incident," you probably had:
- Weird emails
- Suspicious login alerts
- Small outages or misconfigurations
Year-end is a good time to:
- Write down anything notable that happened
- Note how long it took to respond
- Capture what you'd do differently next time
Law firms and cyber-guidance docs for small organizations keep stressing the importance of learning from each incident—even near-misses.
Part 7 – Pick Three Priorities for Next Year
Don't try to fix everything. Use your year-end audit to choose three concrete security improvements for next year, such as:
- Roll out MFA to all staff
- Move to a proper 3-2-1 backup setup
- Run quarterly phishing simulations
- Document and test an incident response plan
Tie those to real guidance (Cyber Centre, Get Cyber Safe, your bank's toolkit) so you're not reinventing the wheel.
You already sit down once a year to look at your books, talk to your accountant, and make decisions. Treat your systems the same way. A couple of focused hours now, before the snow hits the Mountain and everyone disappears for the holidays, can save you weeks of chaos next year.
Get Your Year-End Security Audit
Let CyberLeda conduct a professional year-end security review for your Hamilton business.