Security Assessment

23 Security Gaps Found at a Regional Law Firm: 8 Critical Issues Closed in 90 Days

A 12-attorney law firm managing sensitive client matters had no written security policies, no MFA, and an email domain with no spoofing protection. garrisonOne conducted a full security assessment, identified 23 gaps across people, process, and technology, and delivered a prioritised 90-day remediation roadmap.

23
Security gaps identified
8
Critical & high severity findings
90-day
Prioritised remediation roadmap
3 weeks
Full engagement duration
The challenge

A firm handling confidential legal matters with no security baseline in place

The firm had grown steadily over 15 years, adding staff and systems without ever formalising a security programme. Attorneys accessed client files from personal devices, shared drives had no folder-level permissions, and no one had ever reviewed what former staff still had access to. A client's request for a basic security questionnaire, standard for enterprise legal engagements, triggered the realisation that the firm couldn't answer it.

The managing partner understood the firm held privileged communications, litigation strategy, M&A documents, and personal client information. The risk wasn't theoretical: it was a question of when, not if, something would go wrong without a clear picture of their exposure. They engaged garrisonOne for a no-jargon assessment that could tell them exactly where they stood and what to fix first.

No written security policies
No acceptable use policy, incident response plan, or data handling guidelines of any kind
Personal devices accessing client files
Attorneys working from unmanaged personal devices with no MDM or security baseline enforced
Email with no DMARC, SPF, or DKIM
Firm's email domain could be spoofed: impersonation attacks were trivially possible
Shared drives with no segmentation
All staff had read and edit access to all client matters: no folder-level permissions in place
No MFA on any system
Email, practice management, and file storage all accessible with username and password alone
Backup never tested
Backups were running but had never been restored: actual recoverability was unknown

Our findings

What the assessment uncovered across people, process, and technology

garrisonOne conducted structured interviews with the managing partner, office manager, and two associates, followed by a technical review of all systems: email infrastructure, shared drives, identity management, endpoint posture, and backup configuration.

23
Total security gaps identified across people, process, and technology layers
8
Critical and high severity findings requiring immediate attention
0
Email authentication controls in place: domain fully spoofable at time of assessment
100%
Of client file drives accessible to all staff with no permission segmentation

The most significant risk wasn't technical: it was procedural. Staff had no guidance on what to do if they received a suspicious email, no process for offboarding departing employees, and no one with a defined responsibility for security decisions. The firm's exposure to a business email compromise or ransomware incident was high, and recovery capability was untested.


What we did

A structured assessment with a clear remediation path

Designed to be minimally disruptive to a working law firm: interviews conducted around billing hours, no system downtime required.

We assessed the firm against a legal-sector security baseline covering confidentiality obligations, client data handling, and common attack patterns targeting professional services firms, not a generic checklist.
Phase 1
Scoping & Stakeholder Interviews
Conducted structured interviews with the managing partner, office manager, and representative associates to map existing practices, understand the systems in use, and identify any previous security incidents or near-misses. Established the full scope of client data held and how it was accessed across the firm.
Phase 2
Technical Environment Review
Reviewed email infrastructure (DNS records, SPF/DKIM/DMARC configuration), Microsoft 365 tenant settings, SharePoint and OneDrive permission structures, Azure AD user accounts and MFA status, endpoint management configuration, and backup settings. Identified all inactive accounts, over-privileged users, and missing security controls.
Phase 3
Risk Scoring & Prioritisation
Scored all 23 findings by likelihood and impact in the context of a law firm's specific risk profile: phishing, BEC, ransomware, and data exfiltration. Mapped each finding to a remediation effort level (quick win, short-term project, or longer-term programme) so the firm could make informed resource decisions.
Phase 4
Roadmap Delivery & Leadership Briefing
Delivered a written assessment report and a 90-day remediation roadmap structured in three phases: immediate actions, 30-day quick wins, and 60 to 90 day programme items. Presented findings to the managing partner and office manager in plain language, with no technical jargon, and answered questions on implementation approach and cost implications.
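The email-authentication part of the Phase 2 review can be reproduced offline. The Python below is an added example written for this page, not garrisonOne's tooling and not anything delivered to the firm: it evaluates a domain's SPF, DKIM and DMARC TXT records and returns a verdict for each of the states the assessment describes (no controls at all, monitoring only, enforced). The domain example-firm.test, the record strings and the selector names are constructed for illustration; the include value and the selector1/selector2 names follow Microsoft 365 conventions, and a live check would feed real TXT lookups into the same functions instead of the inline dicts.

```python
"""Offline SPF / DKIM / DMARC evaluation for the "domain fully spoofable"
finding. DNS answers are passed in as a dict of name -> [TXT strings], so
the logic runs stand-alone; populate the dict from real lookups for a
live assessment. Added example, not the assessment's own tooling."""

import re

SPF_ALL_MEANING = {
    "-": "hard fail (-all): unlisted senders fail SPF",
    "~": "soft fail (~all): unlisted senders are flagged, not rejected",
    "?": "neutral (?all): SPF gives no verdict on unlisted senders",
    "+": "pass (+all): every sender on the internet passes SPF",
}


def _txt(dns, name):
    """TXT strings published at name (empty list if nothing is published)."""
    return dns.get(name.lower(), [])


def check_spf(dns, domain):
    """Return (qualifier of the 'all' mechanism or None, findings)."""
    records = [r for r in _txt(dns, domain) if r.lower().startswith("v=spf1")]
    if not records:
        return None, ["No SPF record: receivers cannot tell authorised senders from forgeries"]
    if len(records) > 1:
        return None, ["Multiple SPF records: evaluates to permerror, SPF is void"]
    # The qualifier on 'all' decides what happens to senders not listed earlier.
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", records[0], re.IGNORECASE)
    if m is None:
        return "?", ["No 'all' mechanism: unlisted senders default to neutral"]
    qualifier = m.group(1) or "+"          # bare 'all' means '+all'
    return qualifier, [SPF_ALL_MEANING["+"]] if qualifier == "+" else []


def check_dkim(dns, domain, selectors):
    """Return (selectors that publish a usable key, findings).
    DKIM cannot be discovered from DNS without selector names, so the
    caller supplies the selectors it expects (selector1/selector2 for M365)."""
    found = []
    for sel in selectors:
        for rec in _txt(dns, f"{sel}._domainkey.{domain}"):
            # 'p=' followed by ';' or end of record is a revoked (empty) key
            if "p=" in rec and not re.search(r"p=\s*(;|$)", rec):
                found.append(sel)
                break
    findings = [] if found else ["No DKIM key for the supplied selectors: DMARC relies on SPF alone"]
    return found, findings


def check_dmarc(dns, domain):
    """Return (tag dict or None, findings) for _dmarc.<domain>."""
    records = [r for r in _txt(dns, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not records:
        return None, ["No DMARC record: SPF/DKIM results are never enforced, domain can be forged"]
    if len(records) > 1:
        return None, ["Multiple DMARC records: receivers discard DMARC, domain can be forged"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("Missing or invalid p= tag: record is ignored by receivers")
    elif policy == "none":
        findings.append("p=none: monitoring only, forged mail is still delivered")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("No rua= address: no aggregate reports, no visibility into abuse")
    return tags, findings


def assess(dns, domain, dkim_selectors=("selector1", "selector2")):
    """Combine the three checks into one verdict plus a flat finding list."""
    spf_q, spf_f = check_spf(dns, domain)
    dkim_sel, dkim_f = check_dkim(dns, domain, dkim_selectors)
    dmarc, dmarc_f = check_dmarc(dns, domain)
    policy = (dmarc or {}).get("p", "none").lower()
    if dmarc is None or policy == "none":
        verdict = "spoofable"        # nothing tells receivers to reject forgeries
    elif spf_q is None and not dkim_sel:
        verdict = "misconfigured"    # policy enforced but the firm's own mail cannot pass
    else:
        verdict = "enforced"
    return {"verdict": verdict, "spf": spf_q, "dkim": dkim_sel, "dmarc": dmarc,
            "findings": spf_f + dkim_f + dmarc_f}


# Constructed scenarios for a hypothetical domain (not the client's records).
DOMAIN = "example-firm.test"
NO_CONTROLS = {}  # the firm's state at assessment: 0 of 3 controls published
MONITOR_ONLY = {
    DOMAIN: ["v=spf1 include:spf.protection.outlook.com ~all"],
    f"_dmarc.{DOMAIN}": [f"v=DMARC1; p=none; rua=mailto:dmarc@{DOMAIN}"],
}
ENFORCED = {
    DOMAIN: ["v=spf1 include:spf.protection.outlook.com -all"],
    # truncated placeholder key, not a real public key
    f"selector1._domainkey.{DOMAIN}": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"],
    f"_dmarc.{DOMAIN}": [f"v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@{DOMAIN}"],
}

if __name__ == "__main__":
    for label, dns in (("no controls", NO_CONTROLS), ("monitor only", MONITOR_ONLY), ("enforced", ENFORCED)):
        result = assess(dns, DOMAIN)
        print(f"{label}: {result['verdict']}")
        for f in result["findings"]:
            print("  -", f)
```

The "misconfigured" verdict is the case a firm moving straight to p=reject should watch for: an enforcing DMARC policy with no aligned SPF or DKIM source makes the firm's own mail fail, which is why the usual rollout order is SPF and DKIM first, DMARC at p=none with reporting, then quarantine or reject once the reports show legitimate mail is passing.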

Key deliverables

  • Security assessment report covering all 23 findings with severity ratings, evidence, and plain-language remediation guidance
  • 90-day remediation roadmap with phased priorities (immediate, 30-day, and 60 to 90 day actions), mapped to staff capacity
  • MFA deployment plan for Microsoft 365: step-by-step rollout guide covering all 32 accounts without disrupting active users
  • Email authentication configuration guide: SPF, DKIM, and DMARC records ready for implementation with the firm's DNS provider
  • Security policy templates: acceptable use, data handling, remote working, and incident reporting policies for firm adoption
  • Backup recovery test procedure and SharePoint permissions remediation plan addressing client file drive segmentation

Outcomes

From no security baseline to a documented, functioning programme in 90 days

The firm implemented all eight critical and high findings within the first 30 days: MFA firm-wide, email authentication configured, and the admin account review completed. The 90-day roadmap gave the managing partner a clear, affordable path to a functional security programme without requiring a dedicated IT resource.

8 / 8
Critical & high findings closed in 30 days
All immediate-priority gaps resolved within the first month: no external incidents during remediation.
Closed
Email domain spoofing risk
SPF, DKIM, and DMARC configured: forged mail claiming the firm's exact domain can now be rejected by receivers that enforce DMARC. Lookalike domains are outside what these records control and remain a phishing risk.
Active
Security policies in place
Acceptable use, data handling, and incident reporting policies adopted and signed by all staff.
Verified
Backup recovery tested and confirmed
First-ever restore test completed successfully: recovery time documented and understood.
90-day
Roadmap delivered and in progress
Firm executing the remaining 15 findings on a structured plan with no external consultant dependency.

"We had no idea our email could be spoofed by anyone until garrisonOne showed us. The report was written in plain English: no acronyms, no scare tactics. We knew exactly what to fix and in what order. Within a month we'd handled the most important things ourselves."

Managing Partner, Regional Law Firm

Find out where your firm stands, before an incident does

Get a free 30-minute consultation with a garrisonOne security specialist. We'll walk through your current setup and tell you what matters most to address first.
