Back to Blog
Cybersecurity8 min read

Privileged Access Management for Canadian SMBs: How to Stop Attackers Who Already Have a Foothold

By Anton Kuznetsov

Most cyberattacks do not begin with administrator access. They begin with a phishing email, a stolen password harvested from a data breach, or a compromised employee account — and then they escalate. The attacker's goal, within hours or days of gaining that initial foothold, is to find and compromise your most privileged accounts: the ones with Global Administrator rights in Microsoft 365, Domain Administrator access on your on-premises server, or root credentials in your cloud environment. Once they have those, they have everything.

Privileged Access Management (PAM) is the set of controls that governs who holds elevated accounts, how those accounts are used, and for how long. It is explicitly part of the 13-control baseline the Canadian Centre for Cyber Security expects small and medium organizations to implement — and it is consistently one of the least-applied controls in a typical Canadian SMB environment.

Why Attackers Escalate to Administrator Accounts

An attacker with a regular employee's credentials can read email and access shared drives. An attacker with an administrator's credentials can disable your security software, destroy your backups, encrypt your entire environment, and exfiltrate your data with no one able to stop them.

The 2026 Verizon Data Breach Investigations Report — drawing on more than 22,000 confirmed breaches across 145 countries — found that credential abuse appeared in 39% of all breach chains. It was the single most pervasive technique across the full sequence of a typical breach, even after vulnerability exploitation overtook stolen credentials as the most common initial access method. Attackers get in through one vector and then use credential abuse to move laterally and escalate privileges.

The scale of the raw material available to attackers is significant: 5.3 billion credential pairs are circulating in criminal marketplaces, and 4 in 10 corporate users have reused an exposed password across business accounts, according to the same report. Your employees' reused passwords — from a social media breach, a retail site, a gaming platform — may be the key that opens your Microsoft 365 tenant.

What attackers do with a compromised account depends entirely on what privileges that account holds. That is the problem PAM is designed to solve.

The Cost Difference Between a Regular Account and an Admin Account

The IBM 2025 Cost of a Data Breach Report measured breach costs by initial attack vector across hundreds of organizations globally. Breaches that began with stolen credentials averaged USD $4.67 million in total cost — above the global average of USD $4.44 million. Breaches attributed to insider privilege abuse averaged USD $4.92 million — the highest average cost of any attack vector measured in the report.

For Canada specifically, the average breach cost reached CA$6.98 million in 2025, up 10.4% from CA$6.32 million the previous year. That figure includes data loss, remediation, regulatory and legal costs, business disruption, and reputational damage.

The 2026 Verizon DBIR adds a statistic that connects credential theft directly to ransomware: 73% of ransomware victims had an associated infostealer infection or credential leak event in the year before their ransomware attack. Credential theft and ransomware deployment are not separate incidents — they are stages in the same campaign. Attackers harvest credentials, identify which accounts hold elevated access, and return months later to deploy ransomware using those privileged credentials.

What the CCCS Requires for Small and Medium Organizations

The Canadian Centre for Cyber Security addresses privileged access in two directly relevant publications.

[ITSAP.10.094 — Managing and Controlling Administrative Privileges](https://www.cyber.gc.ca/en/guidance/managing-and-controlling-administrative-privileges-itsap10094) (updated January 2025) is the SMB-facing guidance. It establishes the core expectations: least privilege — granting users only the access their specific role requires; administrative accounts that are separate from daily-use accounts and not used for browsing the web or reading email; and a documented process to revoke access promptly when it is no longer required. Managing administrative privileges is listed as one of the 13 security control categories the CCCS expects small and medium organizations to implement as part of their baseline security posture.

[ITSM.10.094 — Top 10 IT Security Actions: #3 Managing and Controlling Administrative Privileges](https://www.cyber.gc.ca/en/guidance/top-10-it-security-actions-no3-managing-controlling-administrative-privileges-itsm10094) provides more detailed technical guidance. It calls explicitly for admin accounts that cannot access the Internet or email — removing elevated accounts from the daily communications stream that phishing and malware target.

Both documents are part of the baseline that underpins the federal CyberSecure Canada certification program, a voluntary mark increasingly required for government and enterprise supplier contracts.

The Four Admin Account Mistakes Most Canadian SMBs Make

Understanding the gap between the CCCS guidance and typical small business practice clarifies where the risk concentrates.

Permanent standing admin access is the default. Most Microsoft 365 and Entra ID tenants are provisioned with one or more Global Administrators whose elevated rights are active 24 hours a day — including every hour when no administrative work is being done. If any of those accounts is compromised, the attacker holds permanent Global Admin access from the moment of compromise.

Admin and daily-use accounts are the same account. Administrators frequently use their primary account — the one that receives email, opens attachments, and browses the web — to manage their Microsoft 365 environment. A phishing email in the inbox of a Global Admin is a direct path to tenant compromise.

Service accounts hold more access than they need. Application integrations, automation workflows, and API connections are often provisioned with Global Admin rights because scoping permissions precisely takes more setup time. Those accounts are rarely reviewed after initial configuration. Attackers who enumerate a compromised environment find them immediately.

Access is not revoked when people leave. The CCCS ITSAP.10.094 guidance explicitly identifies failure to revoke accounts on departure as a control gap. Former employees, contractors, and IT vendors frequently retain access weeks or months after their engagement ends.

Five Practical PAM Controls Canadian SMBs Can Implement Now

1. Separate administrator accounts from daily-use accounts. Create a distinct account for any person who performs administrative tasks — with a different username, a strong unique password, and MFA enforced. Use that account only for administrative actions. Use your standard account for email, Teams, and all other daily work. The separation limits phishing exposure to an account that cannot perform administrative actions.

2. Apply least privilege to every account. Conduct an inventory of all user accounts and the permissions they hold. Remove any access not required for the person's current role. Document what each service account accesses and why. This inventory is the prerequisite for every downstream privilege management practice.

3. Enforce multi-factor authentication on all admin accounts. The Microsoft Digital Defense Report 2025 found that more than 97% of identity attacks are password-based. MFA blocks the overwhelming majority of credential attacks before they progress to privilege escalation. The CCCS baseline explicitly requires MFA for system administrators and cloud administration roles. Phishing-resistant MFA — hardware keys or passkeys — is the strongest option for accounts with elevated rights.

4. Enable just-in-time access for privileged roles. Administrators should hold elevated rights only during the time window when they are actively performing administrative work — not continuously. Microsoft Entra Privileged Identity Management (PIM), available in Microsoft 365 Business Premium plans, enables this without meaningful operational overhead. See the section below.

5. Conduct quarterly access reviews. Privilege accumulates over time as roles change, people leave, and integrations multiply. Schedule a quarterly review of all admin accounts: confirm each is still needed, verify the person still requires that access level, and revoke accounts for anyone who has left. A quarterly review takes under an hour and closes one of the most persistent privilege management gaps.

Microsoft Entra PIM: Just-in-Time Access for M365 Shops

Microsoft Entra Privileged Identity Management is widely perceived as an enterprise product — too complex and too expensive for a 25-seat business. That perception is wrong.

PIM is included in Microsoft Entra ID P2, which is bundled with Microsoft 365 Business Premium — the licence tier many Canadian SMBs already hold for its integrated Defender for Business and Microsoft Intune capabilities. If your organization is already on Business Premium, PIM is available at no additional licence cost.

In practice, PIM changes how administrators hold their privileges. Instead of being a permanent Global Administrator, a person becomes eligible for the role. When administrative work is required, they activate the role for a defined time window — typically one to four hours — with a business justification that is automatically logged. When the window closes, elevated access expires. Every activation, justification, and action is recorded in an audit trail available for security reviews, insurance documentation, and CyberSecure Canada certification assessments.

For a small organization with two or three administrators, activation takes under two minutes. The operational overhead is negligible. The security benefit — eliminating permanent standing admin access — is substantial. As the Microsoft Entra PIM documentation explains, the goal is to stop giving administrators standing access to the roles that are most dangerous when compromised, and instead require them to justify and request that access each time they need it.

PIPEDA and Provincial Privacy Obligations

When administrative credentials are compromised, the incident almost certainly constitutes a breach of security safeguards under PIPEDA if personal information held in the environment was accessed or placed at risk. That triggers notification obligations to the Office of the Privacy Commissioner of Canada and, where there is real risk of significant harm, to affected individuals. Quebec's Law 25 imposes parallel obligations for Quebec-based organizations.

The OPC's assessment of whether an organization maintained "appropriate safeguards" will consider the controls that were in place before the breach. Documented least-privilege controls, MFA enforcement on admin accounts, and a verifiable quarterly access review history are concrete evidence of appropriate safeguards — controls that reduce both the probability of a breach and the regulatory exposure when one occurs.


Sources


Cloud Forces helps Canadian SMBs implement CCCS-aligned privilege management controls — from account audits and admin account restructuring to Microsoft Entra PIM configuration and quarterly access reviews built into a managed security program. Explore our Cybersecurity services or book a free security posture review to find out where your privileged access gaps are.

Anton Kuznetsov
Founder & Principal Engineer

Anton Kuznetsov is the founder and principal engineer of Cloud Forces, the Toronto firm he started in 2018 to make custom software and AI practical and affordable for Canadian SMEs. He works hands-on across application development, cloud architecture, and the production systems Cloud Forces runs for its clients.

Ready to bring AI to your business?

Book a free AI Readiness Consultation — no commitment required.

Book Free Consultation