Ransomware Recovery Playbook for Canadian SMBs (Free 12-Page PDF)
No form to fill, no email required.
The five-phase playbook a CISSP-led MSP runs when ransomware lands at 4 PM on a Friday. Built from a real Fusion engagement where a 45-employee Canadian SMB was back online by Monday morning. Zero ransom paid. Zero data lost.
Mapped to CIS Controls v8.1, NIST CSF 2.0, PIPEDA Schedule 4 breach reporting, and the cyber-insurance baseline-controls questionnaire your carrier will ask about at renewal. Built and reviewed by Fusion Computing’s CISSP-led team.
- 24/7 SOC monitoring
- Friday-to-Monday recovery, documented
- PIPEDA Schedule 4 aware
- Cyber-insurance carrier liaison
When ransomware lands at 4 PM on a Friday
A Friday-afternoon ransom note on every screen is the worst phone call a Canadian SMB owner ever takes. The difference between Monday-morning recovery and three weeks of downtime is not the tool, the vendor, or luck. It is the playbook the IT partner runs in the first sixty minutes, and the readiness work done in the ninety days before.
This 12-page PDF is the playbook Fusion Computing’s CISSP-led team ran when a 45-employee Canadian industrial supplier was hit on a Friday evening. By Monday at 8 AM, every employee walked back to a working desk. Zero ransom paid. Zero data lost. The case is documented at the Monday-morning recovery case study.
The regulatory floor for Canadian SMBs handling personal information: Under PIPEDA, organizations must implement reasonable security safeguards and must report breaches of security safeguards to the Office of the Privacy Commissioner and affected individuals where there is a real risk of significant harm. Schedule 4 imposes a 24-month record-keeping obligation on all breaches whether reportable or not. Provincial regimes (Quebec Law 25, Alberta PIPA, British Columbia PIPA) and sectoral regimes (PHIPA, MFIPPA, FIPPA) add additional obligations. Sources: priv.gc.ca, parl.ca, cisecurity.org.
What’s inside the 12-page playbook
Twelve pages. Five phases. Ten pre-incident questions. Three case-study sidebars. Built for a managing partner, an in-house IT lead, or a board member with cyber oversight to read in twenty minutes and act on the same week.
Pages 1–2 — The Friday-at-4-PM scenario
- The real opening minutes of a documented Fusion engagement — what the CEO saw, what the EDR did, what the on-call CISSP did first.
- Why the recovery succeeded: the ninety days of readiness work done before the incident, not the ninety minutes during it.
Page 3 — The 5-phase recovery model
- Contain — first 4 hours. Isolate, snapshot, notify, identify.
- Triage — hours 4–12. Blast-radius scoping, backup validation, decision tree.
- Restore — hours 12–72. Clean rebuild in order: identity, endpoints, data, applications.
- Harden — week 1–2. MFA enforcement, conditional access, EDR everywhere, immutable backups, KeeperSec.
- Report — week 2–4. Carrier evidence package, board memo, regulatory notification calculus, lessons learned.
Pages 4–8 — Each phase, page by page
- What to do, what not to do, what to document — for every phase.
- Specific procedures: forensic snapshot before unplugging, identity tenant before endpoints, backup mount-and-scan before restore.
- The decision factors for rebuild versus decrypt, with counsel in the room.
Page 9 — The 10 pre-incident questions
- Immutable backups. Tested restores. MFA on every account. EDR coverage. The 5:47-PM-on-a-Friday phone number.
- Asset inventory, cyber-insurance baseline, written runbook, tabletop exercise, post-6-PM contact list.
- If your leadership cannot answer all ten with a documented control, an owner, and a date, that gap is the ninety-day work plan.
Page 10 — Three case-study sidebars
- Industrial supplier — the lead Friday-to-Monday case.
- Marketing agency — how a documented recovery became a client-trust asset.
- Cannabis retail — readiness work that satisfied provincial regulators and the board cyber oversight.
Page 11 — Pitfalls and what NOT to do
- Don’t pay the ransom without panel counsel. Don’t unplug before the forensic snapshot. Don’t restore from an unvalidated backup.
- Don’t communicate over the compromised tenant. Don’t skip the carrier notification. Don’t skip Phase 5.
- Don’t accept “we’re fine” from an IT provider who can’t walk you through the ten pre-incident questions with evidence.
Page 12 — Next steps and CTA
- Two paths forward: use the playbook as a self-audit, or engage Fusion for a CISSP-led Cybersecurity Assessment.
- What a Fusion incident-response engagement actually includes — and what we don’t do.
- A direct line to book a 30-minute Ransomware Readiness walk-through.
Why this playbook exists
Canadian SMBs operating between 10 and 150 employees are the sweet spot for ransomware operators. Large enough to have a balance sheet that can pay and a cyber-insurance policy behind it. Small enough that a single phished credential reaches a domain administrator in under a minute. Often serviced by IT providers whose incident-response capability is a Saturday-morning call to a Microsoft partner portal, not a documented runbook signed by a named director.
The technical procedures in this playbook are not exotic. The hardening list on page 7 maps to CIS Controls v8.1 and to your cyber-insurance carrier’s baseline-controls questionnaire. The five-phase model maps to NIST CSF 2.0 (Identify, Protect, Detect, Respond, Recover). The PIPEDA Schedule 4 framing is taken directly from the Office of the Privacy Commissioner’s published guidance.
What this playbook adds is the operational sequencing — the order in which a CISSP-led MSP runs the steps when the call comes in on a real Friday, with a real CEO, a real cyber-insurance carrier on the bridge, and real payroll running on Monday. The pattern that ran successfully in the documented Monday-morning recovery is the pattern in these pages.
Who should download this
For CEOs and managing partners of 10–150-employee Canadian SMBs
You are the person who takes the 4:47-PM Friday call. The playbook is what you hand to your IT lead to confirm they can run, and what you read into the board minutes when the cyber-oversight director asks.
For in-house IT leads at Canadian SMBs
You probably already know most of the technical procedures. The playbook is the documentation framework around them — the runbook, the decision tree, the report templates, the readiness questions — in a single file you can tailor and sign.
For board members with cyber oversight responsibility
The ten pre-incident questions on page 9 are the diligence questions for the next risk-committee meeting. The Phase 5 report framing on page 8 is the format the board minutes should reflect when an incident happens.
For finance and privacy officers
The PIPEDA Schedule 4 framing, the cyber-insurance carrier evidence package, and the regulatory notification calculus on page 8 are the pieces the privacy officer and the CFO will be asked about within thirty days of any incident.
Related Fusion case studies
The playbook references three real Fusion engagements. Each is documented in full at the case-study pages below.
- Friday-to-Monday ransomware recovery — 45-employee industrial supplier. The lead case for the playbook. EDR-isolated containment within 3 minutes, immutable backup restore, Monday-morning production, zero ransom paid.
- Cyber crisis to recovery success — Canadian marketing agency. How a documented recovery, a clean Phase 5 report, and a client-communication template converted an incident into a client-trust asset.
- Securing growth in cannabis retail — regulated multi-province retailer. Readiness work that satisfied provincial regulators, payment processors, and the company’s board cyber oversight before any incident ever occurred.
- Ransomware playbook for an FHO clinic under Ontario PHIPA. Health-sector parallel — the PHIPA notification path and the IPC reporting trigger applied to a primary-care clinic environment.
Frequently asked questions
Is this a substitute for an incident-response retainer or legal counsel?
No. The playbook is the operational pattern a CISSP-led MSP runs. It is not legal advice, not a cyber-insurance policy interpretation, and not a regulatory determination under PIPEDA, Quebec Law 25, PHIPA, or sector-specific regimes. During an active incident, you want panel counsel, your cyber-insurance carrier’s incident hotline, and a CISSP-led IR team on the bridge together. The playbook is what the IR team runs once the bridge is up.
Does this only apply to Fusion clients?
No. The playbook is freely usable as a self-audit framework, a board memo template, and an IT-provider diligence question set. The ten pre-incident questions on page 9 are the diligence questions you should ask your current IT provider whether they are Fusion or not. If they cannot answer all ten with a documented control, an owner, and a date, the gap is the work plan — with whatever provider you choose.
How does this map to CIS Controls, NIST CSF, and ISO 27001?
The five-phase model in the playbook maps directly to NIST CSF 2.0 functions (Identify, Protect, Detect, Respond, Recover). The hardening list on page 7 maps to CIS Controls v8.1 Implementation Groups 1 and 2, which are the appropriate floor for 10–150-employee Canadian SMBs. ISO 27001 is a more comprehensive information-security management system framework typically suited to larger organizations; many of its Annex A controls overlap with the hardening list, but the playbook does not constitute an ISO-27001-aligned ISMS on its own.
Does Bill C-8 apply to my Canadian SMB?
Bill C-8 — the framework that includes the Critical Cyber Systems Protection Act — passed third reading in the House of Commons on 2026-03-26. It applies to designated operators in federally regulated critical sectors (banking, telecommunications, energy pipelines, federally regulated transportation, the federal nuclear sector). It is not a general SMB obligation. For most Canadian SMBs in the 10–150-employee band, the operative regimes are PIPEDA, provincial private-sector privacy laws, and any sector-specific obligations (PHIPA, MFIPPA, FIPPA). The playbook is written for that majority case. Federally regulated critical-sector operators should treat the playbook as a baseline and layer the CCSPA-specific obligations on top.
What does Fusion charge to run this for our business?
Fusion’s Cybersecurity Assessment is a fixed-fee, two-week engagement that answers the ten pre-incident questions with documented evidence and produces a ninety-day remediation roadmap. The ongoing managed-cybersecurity engagement — CISSP-led on-call, 24/7 SOC, EDR everywhere, immutable backups with quarterly restore tests, written runbook, annual tabletop — is a per-user monthly subscription that scales with headcount. Pricing is discussed during the 30-minute walk-through. Book the walk-through here and we will send the PDF playbook and a high-level pricing range after the call.
What happens after I download? Will I be cold-called?
No. After the 30-minute walk-through, we send the PDF and a short follow-up email with the most relevant Fusion resources for your sector and size. If you ask for a pricing range or a scoping conversation, we provide it. If you don’t, the next email comes a month later with the most relevant new content we’ve published. You can unsubscribe at any time. Fusion does not buy or sell contact data and does not run high-frequency sales sequences.
Get the 12-page PDF playbook
Book a 30-minute Ransomware Readiness walk-through with Fusion’s CISSP-led team. We send the PDF playbook after the call along with a quick benchmark of your current posture against the ten pre-incident questions on page 9. No cold calls. No spam. No contract conversation unless you ask for one.