Strengthening security controls for a professional services firm
A 35-person accountancy and advisory firm needed stronger protection for client data after a phishing attempt exposed gaps in access controls. We ran a structured security review, closed critical risks and put a practical incident response plan in place.
Project Overview
Industry
Professional services
Duration
15 weeks
Team Size
2 security specialists
Client context
The firm handles confidential financial records for SME clients across London and the South East. Most staff work hybrid, using Microsoft 365, a practice-management platform and cloud file storage. A successful phishing email on a shared mailbox prompted partners to ask for an independent review — not a full enterprise programme, but proportionate controls that staff would actually follow.
The Challenge
Legacy practices had grown organically: shared credentials on a few systems, inconsistent MFA, no central device policy and backup assumptions that had never been tested. Partners understood regulatory expectations but lacked a prioritised remediation list. They needed improvements that would not disrupt client deadlines or require a dedicated IT headcount.
Our Solution
We delivered a focused security uplift aligned to Cyber Essentials principles: identity and access hardening, endpoint protection, email security review, backup verification and a tabletop-tested incident response plan. Work was sequenced so critical access risks were addressed in the first month, with policy and training following once core controls were stable.
Our approach
- 1
Conducted interviews with partners, operations and admin staff to map data flows, third-party tools and current access patterns.
- 2
Ran a controls assessment against identity, devices, email, backups and supplier access — scoring gaps by likelihood and client impact.
- 3
Remediated shared accounts, enforced MFA on Microsoft 365 and tightened admin roles within the first three weeks.
- 4
Reviewed backup retention and performed a restore test on a non-production dataset to confirm recoverability.
- 5
Drafted a one-page incident response playbook with named roles, escalation paths and client communication templates.
- 6
Delivered short staff briefings on phishing recognition and tested the response plan with a simulated mailbox compromise scenario.
Security posture score
Repeatable access risks
Recovery planning clarity
Results achieved
- Raised internal security posture score from 65% to 95% against the agreed control framework
- Eliminated 12 repeatable access risks including shared logins and excessive admin permissions
- Reduced incident response decision time from an ad-hoc 15+ minutes to under 3 minutes in tabletop exercises
- Gave partners a board-ready summary of residual risks and a 12-month improvement roadmap
Technologies Used
Project Timeline
Security Assessment
Mapped systems and data flows, assessed controls against Cyber Essentials themes and produced a prioritised risk register.
Implementation
Hardened identities, endpoints and email; verified backups; documented supplier and remote-access rules.
Training & Testing
Ran staff awareness sessions and a tabletop incident exercise with partners and operations leads.
Key takeaways for SMEs
- For professional services firms, identity and email are usually the highest-return starting points.
- Backup confidence requires a tested restore — not just a scheduled job in the admin console.
- A one-page incident playbook beats a lengthy policy document nobody reads under pressure.
Related service
This case study reflects the kind of outcomes we pursue through our cybersecurity & resilience work for UK SMEs.
Explore Cybersecurity & ResilienceBook an AI & Technology Review
Not sure where to start? Tell us your main business challenge and we will recommend the most practical next step.
