
The 7 cybersecurity mistakes most commonly seen in Quebec SMEs

By Michel Monette, Synéra February 20, 2026 · 8 min read

67% of SMEs that suffer a cyberattack go bankrupt within 6 months. Yet most successful attacks exploit basic mistakes — easily avoidable ones. Here are the 7 we see most often during our IT audits.

#1 — No MFA (multi-factor authentication)

This is the most critical mistake. Without MFA, a stolen password — through phishing, a data breach or brute force — gives direct access to all your systems. Microsoft estimates that MFA blocks 99.9% of account-compromise attacks.

Fix: Enable MFA on every Microsoft 365, RDP, VPN and critical-application account. Use Microsoft Authenticator or a physical FIDO2 key.

#2 — Administrator accounts used for everyday work

Using an admin account to read your email or browse the web is like driving with a detonator on the passenger seat. A single phishing click from an admin account hands the attacker full control of your environment.

Fix: Create standard user accounts for everyday work. Administrator accounts should only be used for administration, with mandatory MFA and access logging.

#3 — Untested (or non-existent) backups

"We have backups" — but when were they last tested? Most SMEs discover their backups are corrupted or incomplete... during a ransomware incident. An untested backup is not a backup.

Fix: Apply the 3-2-1 rule (3 copies, 2 different media, 1 off-site). Test a full restore at least once per quarter. Use immutable backups to protect against ransomware.

#4 — Unpatched software and operating systems

Windows 7, Windows Server 2012, old versions of Office... Unsupported systems are riddled with known vulnerabilities that cybercriminals actively exploit. Most ransomware exploits flaws for which patches had been available for months.

Fix: Maintain an inventory of software versions. Automate updates with Microsoft Intune or Windows Update for Business. Plan the replacement of end-of-support systems.

#5 — Passwords shared between employees
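As an added example (not code from the article or from Synéra), here is a PowerShell script that builds the software inventory fix #4 asks for on a Windows host and flags products past Microsoft's published end-of-support date. The $EndOfSupport table is a hand-maintained assumption to extend for your own estate, and the CSV output path is arbitrary.

```powershell
# Added example: inventory the OS and installed software, then flag end-of-support products.
# Assumption: this table is maintained by hand; dates are Microsoft's published end-of-support dates.
$EndOfSupport = @(
    @{ Pattern = '^Microsoft Windows 7';            Ended = '2020-01-14' },
    @{ Pattern = '^Microsoft Windows Server 2012';  Ended = '2023-10-10' },  # 2012 and 2012 R2
    @{ Pattern = '^Microsoft Office .*2013';        Ended = '2023-04-11' },
    @{ Pattern = '^Microsoft Office .*(2016|2019)'; Ended = '2025-10-14' }
)

function Get-SoftwareInventory {
    # Operating system name and version from CIM
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{ Name = $os.Caption; Version = $os.Version; Source = 'OS' }

    # Installed applications from the 64-bit and 32-bit Uninstall registry hives
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.DisplayName; Version = $_.DisplayVersion; Source = 'Registry' }
        }
}

function Find-EndOfSupport {
    # Match each inventory item against the table; first matching rule wins
    param([Parameter(ValueFromPipeline)] $Item)
    process {
        foreach ($rule in $EndOfSupport) {
            if ($Item.Name -match $rule.Pattern) {
                [pscustomobject]@{
                    Name         = $Item.Name
                    Version      = $Item.Version
                    SupportEnded = $rule.Ended
                    DaysExposed  = [int]((Get-Date) - [datetime]$rule.Ended).TotalDays
                }
                break
            }
        }
    }
}

$inventory = Get-SoftwareInventory
$inventory | Export-Csv -Path .\software-inventory.csv -NoTypeInformation   # assumed output path
$inventory | Find-EndOfSupport | Sort-Object DaysExposed -Descending | Format-Table -AutoSize
```

Run it on each server and workstation (or push it through Intune) and the longest-exposed systems appear at the top of the replacement plan.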

"The server password is 'company2023'" — known to 8 people, 3 of whom have left the company. Shared passwords make access auditing impossible and turn every employee departure into a potential security incident.

Fix: One named account per person, no exceptions. Use an enterprise password manager (Bitwarden, 1Password Teams). Revoke access immediately when employees leave.

#6 — No phishing-awareness training

95% of cybersecurity incidents start with a phishing email. A single employee who clicks a malicious link can compromise the entire organisation. Technology alone cannot stop everything — human training is essential.

Fix: Run regular phishing simulations (KnowBe4, Microsoft Attack Simulator). Train every employee — including management. Establish a clear process for reporting suspicious emails.

#7 — No incident response plan

When an attack happens — and it's a "when," not an "if" — the first 30 minutes are critical. Without a documented plan, businesses waste precious time deciding what to do, making the situation worse. Panic is expensive.

Fix: Write an incident response plan: who to call, what to isolate, how to communicate (including the Law 25 obligation to notify the CAI within 72 hours). Test the plan annually.

How many of these mistakes does your organisation have?

A Synéra cybersecurity audit gives you a complete view of your vulnerabilities with a prioritised remediation plan. No jargon, no scaremongering — just the facts.
