The Challenge
When we first engaged with this client — an independent insurance agency in northeastern Ohio — their IT environment had grown organically over the years and the security gaps had grown with it. For an agency handling sensitive client financial and personal data, the exposure was especially significant. Like many small businesses, they had prioritized getting work done over building a secure foundation.
Here's what we found at the time of engagement:
C:\ drive shared to "Everyone" with full read/write — any user or malware could read, modify, or delete company dataThe Solution
We designed and executed a phased security transformation — modernizing the infrastructure, eliminating critical exposures, and building a foundation the business can grow on securely.
- Deployed a Ubiquiti UniFi Dream Machine Pro (UDM-Pro) enterprise firewall, replacing the end-of-life residential unit
- Implemented network segmentation — staff, servers, and IoT/guest devices now operate on isolated segments, limiting lateral movement in the event of a breach
- Replaced TeamViewer with a hardened VPN solution, providing governed, auditable remote connectivity
- Deployed a Synology NAS with redundant HDDs, establishing a purpose-built, resilient file server
- Configured secure, permission-controlled file shares — eliminating the "Everyone / Full Access" exposure entirely
- Migrated all data from the old desktop PC and decommissioned the machine
- Configured automated Microsoft 365 backup to the Synology NAS — ensuring cloud data is independently protected
- Deployed Synology Active Backup across all 20 workstations — automated, centrally managed PC backup with fast recovery
- Stood up an Active Directory domain and joined all workstations — enabling centralized identity management, group policy enforcement, and role-based access control
- Deployed Cisco Duo MFA across all workstations, adding a critical second layer of authentication to every login
- Rolled out Bitwarden as the organization's password manager — replacing ad hoc credential practices with a secure, auditable vault
- Conducted a full Microsoft 365 security audit, identifying and closing misconfigurations across the tenant
- Configured DMARC for the company's email domain, protecting against spoofing and impersonation attacks
- Tightened spam filtering and mail flow controls, reducing malicious and junk mail reaching employee inboxes
- Deployed encrypted email, ensuring sensitive communications are protected in transit
- Custom-built 14 workstations spec'd to each role's requirements — right-sized hardware from day one, not generic off-the-shelf machines
- Provide ongoing desktop hardware servicing — a single point of contact for hardware issues, handled by engineers who know the environment
- Deployed centralized patch and software management across all workstations — full visibility into update status, software inventory, and compliance posture from a single pane of glass
Before & After
| Area | Before | After |
|---|---|---|
| Firewall | Residential-grade, years out of date | Ubiquiti UDM-Pro enterprise firewall |
| File Storage | C:\ shared to Everyone — full read/write | Synology NAS with hardened, permission-controlled shares |
| User Accounts | Local accounts, no central management | Active Directory — centralized identity & policy |
| Remote Access | TeamViewer (unmanaged, ungoverned) | Secure VPN with Cisco Duo MFA enforcement |
| MFA | None | Cisco Duo deployed across all workstations |
| Network | Flat — all devices on one segment | Segmented — IoT, staff, servers isolated |
| Passwords | Unknown / unmanaged | Bitwarden deployed org-wide |
| Email Security | No DMARC, no spam controls, no encryption | DMARC + hardened spam controls + encrypted email |
| M365 Tenant | Unaudited, default configuration | Full audit complete, misconfigurations resolved |
| M365 Backup | No backup of cloud data | Automated M365 backup to Synology NAS |
| PC Backup | No backup solution | Synology Active Backup on all workstations |
| Patch Management | Ad hoc, no visibility | Centralized management — single pane of glass |
| Workstations | Generic/aging hardware, local accounts | 20 domain-joined machines — 14 custom-built, all role-spec'd |
| Hardware Support | No dedicated support | Ongoing servicing by engineers who know the environment |
The Outcome
This client went from one of the most exposed small-business environments we've encountered to a genuinely hardened, enterprise-grade security posture — all without disrupting day-to-day operations during the transition.
- A network their firewall can actually defend
- File data that is protected, backed up, and only accessible to those who need it
- Every workstation backed up automatically — ransomware or hardware failure no longer means permanent loss
- Every employee identity verified with MFA at every login
- Remote workers connecting securely through VPN instead of a vulnerable remote-access tool
- A domain they own that can't be spoofed to attack their clients or vendors
- Sensitive communications protected with encrypted email
- Microsoft 365 tenant audited and hardened — not running on default settings
- Cloud backup strategy that covers Microsoft 365 — not just local data
- Full patch visibility so nothing falls through the cracks
- Passwords managed in a secure vault — not sticky notes or browser saves
- 20 workstations domain-joined and secured — 14 custom-built, all right-sized for each role
- Hardware support from engineers who already know the environment, minimizing downtime
Is your business carrying similar risks?
We help small and mid-sized businesses find and fix the gaps before attackers do. Most of what we found here is common — and fixable.
Schedule a Free Assessment