The Challenge
When we first engaged with this client, their IT environment had grown organically over the years — and the security gaps had grown with it. Like many small businesses, they had prioritized getting work done over building a secure foundation. The risks they were unknowingly carrying were significant.
Here's what we found at the time of engagement:
- C:\ drive shared to "Everyone" with full read/write — any user or malware could read, modify, or delete company data
The Solution
We designed and executed a phased security transformation — modernizing the infrastructure, eliminating critical exposures, and building a foundation the business can grow on securely.
- Deployed a Ubiquiti UniFi Dream Machine Pro (UDM-Pro) enterprise firewall, replacing the end-of-life residential unit
- Implemented network segmentation — staff, servers, and IoT/guest devices now operate on isolated segments, limiting lateral movement in the event of a breach
- Replaced TeamViewer with a hardened VPN solution, providing governed, auditable remote connectivity
- Deployed a Synology NAS with redundant HDDs, establishing a purpose-built, resilient file server
- Configured secure, permission-controlled file shares — eliminating the "Everyone / Full Access" exposure entirely
- Migrated all data from the old desktop PC and decommissioned the machine
- Configured automated Microsoft 365 backup to the Synology NAS — ensuring cloud data is independently protected
- Deployed Synology Active Backup across all 20 workstations — automated, centrally managed PC backup with fast recovery
- Stood up an Active Directory domain and joined all workstations — enabling centralized identity management, group policy enforcement, and role-based access control
- Deployed Cisco Duo MFA across all workstations, adding a critical second layer of authentication to every login
- Rolled out Bitwarden as the organization's password manager — replacing ad hoc credential practices with a secure, auditable vault
- Conducted a full Microsoft 365 security audit, identifying and closing misconfigurations across the tenant
- Configured DMARC for the company's email domain, so receiving mail servers can reject messages that spoof the company's exact domain and report on who is sending as it
- Tightened spam filtering and mail flow controls, reducing malicious and junk mail reaching employee inboxes
- Deployed encrypted email, ensuring sensitive communications are protected in transit
- Custom-built 14 workstations spec'd to each role's requirements — right-sized hardware from day one, not generic off-the-shelf machines
- Began providing ongoing desktop hardware servicing — a single point of contact for hardware issues, handled by engineers who know the environment
- Deployed centralized patch and software management across all workstations — full visibility into update status, software inventory, and compliance posture from a single pane of glass
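The share exposure listed in the findings (C:\ shared to "Everyone" with full read/write) is the kind of thing that is easy to find before an attacker does. The script below is an added example, not the case study's own tooling: run as a local administrator on each Windows host (it assumes the built-in SmbShare module and English account names), it lists every non-administrative SMB share that grants Everyone, Authenticated Users, or BUILTIN\Users the Full or Change right.

```powershell
# Added example (not the case study's own script). Assumes a local-administrator
# session on Windows 8 / Server 2012 or later with the SmbShare module, and
# English-locale principal names. Flags broad principals holding write rights.

$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$riskyRights     = @('Full', 'Change')   # both allow modifying or deleting data

# Skip the hidden administrative shares (C$, ADMIN$, IPC$), which are marked Special
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccountName -in $broadPrincipals -and
            $ace.AccessRight -in $riskyRights) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No non-administrative share grants Everyone/Authenticated Users Full or Change access.'
}
```

Remediation for a flagged share is to remove the broad entry with `Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force` and grant the specific AD group that needs it with `Grant-SmbShareAccess -AccessRight Change`; share permissions still combine with NTFS permissions, so check both, and a root-of-drive share like C:\ should simply not exist.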
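For the DMARC item above, the record only helps once it enforces and reports; a record at p=none tells receivers nothing to reject. The following is an added example, not the client's real DNS zone: it assumes the domain example.com, a host that can resolve public DNS, and a constructed target record showing the enforcing end state of a rollout (SPF and DKIM must already be aligned before moving to p=reject, or legitimate mail will be rejected too).

```powershell
# Added example (not the client's configuration). Assumes example.com is the
# domain under review and public DNS is reachable; $target is a constructed
# illustration of an enforcing DMARC record.

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC lives at _dmarc.<domain> as a TXT record; long records may be split into chunks
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    if (-not $txt) { return $null }
    ($txt | Select-Object -First 1).Strings -join ''
}

function Test-DmarcRecord {
    param([string]$Record)
    if (-not $Record) {
        return 'No DMARC record: receivers get no instruction to reject mail spoofing this domain.'
    }
    # Parse "tag=value; tag=value" into a hashtable
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $issues = @()
    if ($tags['v'] -ne 'DMARC1') {
        $issues += 'Missing or malformed v=DMARC1 tag'
    }
    if ($tags['p'] -notin 'quarantine', 'reject') {
        $issues += "Policy p=$($tags['p']) does not enforce; spoofed mail is still delivered"
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $issues += "pct=$($tags['pct']) applies the policy to only part of the mail stream"
    }
    if (-not $tags['rua']) {
        $issues += 'No rua= address: no aggregate reports, so spoofing and misaligned senders go unseen'
    }
    if ($issues) { $issues } else { 'DMARC record enforces and reports' }
}

# Constructed target state for example.com
$target = 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s'
Test-DmarcRecord -Record $target

# Live check of whatever the domain actually publishes
Test-DmarcRecord -Record (Get-DmarcRecord -Domain 'example.com')
```

A sensible rollout publishes p=none with rua= first, reads the aggregate reports for a few weeks to catch legitimate senders that are not yet SPF/DKIM aligned, then moves to p=quarantine and finally p=reject.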
Before & After
| Area | Before | After |
|---|---|---|
| Firewall | Residential-grade, years out of date | Ubiquiti UDM-Pro enterprise firewall |
| File Storage | C:\ shared to Everyone — full read/write | Synology NAS with hardened, permission-controlled shares |
| User Accounts | Local accounts, no central management | Active Directory — centralized identity & policy |
| Remote Access | TeamViewer (unmanaged, ungoverned) | Secure VPN with Cisco Duo MFA enforcement |
| MFA | None | Cisco Duo deployed across all workstations |
| Network | Flat — all devices on one segment | Segmented — IoT, staff, servers isolated |
| Passwords | Unknown / unmanaged | Bitwarden deployed org-wide |
| Email Security | No DMARC, no spam controls, no encryption | DMARC + hardened spam controls + encrypted email |
| M365 Tenant | Unaudited, default configuration | Full audit complete, misconfigurations resolved |
| M365 Backup | No backup of cloud data | Automated M365 backup to Synology NAS |
| PC Backup | No backup solution | Synology Active Backup on all workstations |
| Patch Management | Ad hoc, no visibility | Centralized management — single pane of glass |
| Workstations | Generic/aging hardware, local accounts | 20 domain-joined machines — 14 custom-built, all role-spec'd |
| Hardware Support | No dedicated support | Ongoing servicing by engineers who know the environment |
The Outcome
This client went from one of the most exposed small-business environments we've encountered to a genuinely hardened, enterprise-grade security posture — all without disrupting day-to-day operations during the transition.
- A network their firewall can actually defend
- File data that is protected, backed up, and only accessible to those who need it
- Every workstation backed up automatically — ransomware or hardware failure no longer means permanent loss of workstation data
- Every employee identity verified with MFA at every login
- Remote workers connecting securely through VPN instead of a vulnerable remote-access tool
- An email domain with an enforced DMARC policy, so mail servers that honor it reject messages spoofing the domain to attack their clients or vendors
- Sensitive communications protected with encrypted email
- Microsoft 365 tenant audited and hardened — not running on default settings
- Cloud backup strategy that covers Microsoft 365 — not just local data
- Full patch visibility so nothing falls through the cracks
- Passwords managed in a secure vault — not sticky notes or browser saves
- 20 workstations domain-joined and secured — 14 custom-built, all right-sized for each role
- Hardware support from engineers who already know the environment, minimizing downtime
Is your business carrying similar risks?
We help small and mid-sized businesses find and fix the gaps before attackers do. Most of what we found here is common — and fixable.
Schedule a Free Assessment