1. Context and constraints
- A 30-person professional services firm with no formal security controls beyond antivirus.
- Staff used personal devices, shared passwords via email, and had no incident response plan.
- The business needed to demonstrate security posture to win contracts but could not afford a full security team.
2. Approach and delivery
- Ran a lightweight security assessment to identify the highest-risk gaps in identity, devices, and data.
- Deployed MFA across all business accounts, rolled out a password manager, and enabled full-disk encryption.
- Created a one-page incident response checklist and ran a tabletop exercise with leadership.
3. Operational handover
- Delivered staff cyber awareness training covering phishing, password hygiene, and reporting procedures.
- Documented all security controls and configurations for ongoing maintenance by internal staff.
- Set up quarterly access reviews and annual security assessment as a lightweight governance rhythm.
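The quarterly access review and the MFA rollout above are the two controls that most need a repeatable check once internal staff take over. The script below is an added illustration, not tooling from the engagement or the firm: it runs a lightweight review over a constructed account export (the field names, dates and users are assumptions; a real identity-provider export would be mapped onto the same fields) and flags active accounts that lack MFA or have not signed in within the review window, alongside MFA coverage and the current admin list for the reviewer to confirm.

```python
"""Lightweight quarterly access review over a constructed account export.

Added example. ACCOUNTS is constructed sample data, and the field names are an
assumption about what an identity provider export would carry; real exports
should be mapped onto these fields before the review runs.
"""
from datetime import date, timedelta

# Constructed sample export: one record per business account.
ACCOUNTS = [
    {"user": "alice", "mfa": True,  "last_login": "2024-03-28", "role": "admin", "active": True},
    {"user": "bob",   "mfa": False, "last_login": "2024-03-30", "role": "staff", "active": True},
    {"user": "carol", "mfa": True,  "last_login": "2023-11-02", "role": "staff", "active": True},
    {"user": "dave",  "mfa": True,  "last_login": "2024-01-15", "role": "admin", "active": False},
    {"user": "erin",  "mfa": True,  "last_login": "2024-03-29", "role": "staff", "active": True},
]

# One quarter without a sign-in is treated as stale (assumed threshold).
STALE_AFTER = timedelta(days=90)


def review_accounts(accounts, as_of, stale_after=STALE_AFTER):
    """Return findings for active accounts plus the figures a reviewer signs off on.

    findings:      list of (user, issue) where issue is "no_mfa" or "stale"
    mfa_coverage:  fraction of active accounts with MFA enabled (0.0 when none are active)
    active_admins: sorted list of active users holding the admin role, for explicit confirmation
    """
    findings = []
    active = [a for a in accounts if a["active"]]

    for acct in active:
        if not acct["mfa"]:
            findings.append((acct["user"], "no_mfa"))
        last_login = date.fromisoformat(acct["last_login"])
        if as_of - last_login > stale_after:
            findings.append((acct["user"], "stale"))

    with_mfa = sum(1 for a in active if a["mfa"])
    coverage = with_mfa / len(active) if active else 0.0
    admins = sorted(a["user"] for a in active if a["role"] == "admin")

    return {"findings": findings, "mfa_coverage": coverage, "active_admins": admins}


def format_report(result):
    """Render the review result as the plain-text summary kept with the quarterly record."""
    lines = [f"MFA coverage (active accounts): {result['mfa_coverage']:.0%}"]
    lines.append("Active admins to confirm: " + ", ".join(result["active_admins"]))
    for user, issue in result["findings"]:
        lines.append(f"  ACTION {user}: {issue}")
    if not result["findings"]:
        lines.append("  no findings")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_accounts(ACCOUNTS, as_of=date(2024, 3, 31))))
```

Disabled accounts are excluded from the findings rather than silently dropped from the export, so the reviewer still sees them in the source data; the admin list is printed every quarter on purpose, since confirming who still needs elevated access is the part of the review that the script cannot decide.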