Case Study
Cybersecurity Audit for a Melbourne Law Firm
How a 25-person Melbourne CBD law firm achieved Essential Eight Maturity Level One, passed cyber insurance renewal, and eliminated critical security gaps.
Legal
25 staff
Melbourne CBD
The problem
The firm had no multi-factor authentication, unpatched operating systems and applications, no documented incident response plan, and had just failed their cyber insurance renewal. The insurer cited MFA gaps, missing endpoint detection, and no evidence of a patching schedule. Without insurance, the firm faced client contract breaches and professional indemnity exposure.
Our solution
Prexiam conducted an Essential Eight assessment to establish a baseline maturity level across all eight strategies. We then implemented MFA on all accounts including email, VPN, and administrative access. Automated patch management was deployed for operating systems and third-party applications. An incident response plan was documented with runbooks for ransomware, data breach, and business email compromise scenarios, then validated through a tabletop exercise with the partners. Endpoint detection and response was deployed across all workstations and the server environment. Email authentication (SPF, DKIM, DMARC) was configured to reduce phishing and spoofing risk.
The outcome
The firm achieved Essential Eight Maturity Level One within eight weeks. They passed their cyber insurance renewal with no exclusions and a 15% premium reduction compared to the previous year's quote. In the twelve months since implementation, the firm has experienced zero security incidents. The partners now have a clear security baseline and a documented plan for progressing to Maturity Level Two.
This case study represents a typical engagement scenario based on common challenges we address for Melbourne legal firms. Client details have been generalised to protect confidentiality.
What was the situation?
A 25-person law firm in Melbourne’s CBD contacted Prexiam after their cyber insurance renewal was declined. The insurer’s questionnaire had exposed critical gaps: no multi-factor authentication on email or remote access, no documented patching schedule, no endpoint detection beyond basic antivirus, and no incident response plan.
The firm handled sensitive client matters including property conveyancing, commercial litigation, and family law. A data breach would trigger mandatory notification under the Notifiable Data Breaches scheme and could result in disciplinary action from the Victorian Legal Services Board.
The partners understood the risk but had no internal IT expertise to address it. Their previous IT provider had been operating in a break-fix model with no proactive security management.
What did we find during the assessment?
Our Essential Eight assessment revealed Maturity Level Zero across most strategies:
- MFA was not enabled on any accounts, including the practice management system
- Patching was months behind on both Windows and third-party applications like Adobe and Chrome
- Administrative privileges were granted to all staff accounts — every user could install software and modify system settings
- Backups existed but had never been tested with a full restore
- Application control was not implemented
- Microsoft Office macros were unrestricted
The firm was running an on-premises Exchange server with no email authentication configured, meaning their domain could be spoofed in phishing attacks against their clients.
How did we remediate the gaps?
We prioritised remediation based on the cyber insurer’s specific requirements and the ACSC’s recommended implementation order:
Week one — MFA deployed on Microsoft 365, VPN, and the practice management system. All staff accounts had administrative privileges removed and replaced with standard user accounts.
Weeks two to three — Automated patch management deployed for Windows, Office, browsers, and PDF readers. The on-premises Exchange server was migrated to Exchange Online within M365. SPF, DKIM, and DMARC were configured on the firm’s domain.
Week four — Endpoint detection and response agents deployed across all workstations and the remaining server. Backup procedures reviewed and a full restore test completed successfully.
Weeks five to six — Incident response plan documented covering ransomware, data breach, BEC, and system outage scenarios. A tabletop exercise was conducted with the three partners and the office manager.
Weeks seven to eight — Final maturity assessment confirmed Level One across all applicable strategies. Documentation package prepared for the insurance broker.
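To make concrete what "no email authentication configured" (the finding on the on-premises Exchange server) looks like next to the SPF, DKIM and DMARC state reached in weeks two to three, here is an added example, not Prexiam's tooling and not the firm's real DNS data: a small Python checker that parses the three TXT record types and reports the weak settings an insurer's questionnaire or an Essential Eight assessor would flag. All record strings are constructed; `example.com.au`, the reporting mailbox and the DKIM key value are placeholders, while `spf.protection.outlook.com` is Microsoft's published SPF include for Exchange Online.

```python
"""
Check SPF, DKIM and DMARC TXT records for common weaknesses.
Added example: records are passed in as strings; the sample values at the
bottom are constructed for illustration and are not the firm's DNS data.
In practice the records are fetched first, e.g. `dig TXT example.com.au`.
"""
import re

# SPF mechanisms that each cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def parse_spf(record):
    """Return {'mechanisms': [...], 'all': qualifier} or None if not an SPF record."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE):
            # A bare 'all' has the implicit '+' (pass) qualifier.
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tags(record, version):
    """Parse a 'k=v; k=v' record (DKIM or DMARC); None if the v= tag is wrong."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == version else None


def assess_domain(spf_record, dkim_record, dmarc_record):
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []

    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no v=spf1 record, so any host may send as this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' qualifier is %s; use -all (or ~all) so unlisted hosts fail"
                            % (spf["all"] or "missing"))
        lookups = sum(1 for m in spf["mechanisms"] if _LOOKUP_TERMS.match(m))
        if lookups > 10:
            findings.append("SPF: %d lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)" % lookups)

    dkim = parse_tags(dkim_record, "DKIM1")
    if dkim is None:
        findings.append("DKIM: no DKIM1 record at the selector, so signatures cannot be verified")
    elif not dkim.get("p"):
        findings.append("DKIM: empty p= tag means the signing key is revoked")

    dmarc = parse_tags(dmarc_record, "DMARC1")
    if dmarc is None:
        findings.append("DMARC: no record, so receivers are never told to reject spoofed mail")
    else:
        policy = dmarc.get("p")
        if policy not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s does not block spoofing; move to quarantine or reject"
                            % (policy or "missing"))
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC: pct=%s applies the policy to only part of the mail stream" % dmarc["pct"])
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports reach the firm")

    return findings


# Constructed 'before' state: nothing published, as found in the assessment.
BEFORE = (None, None, None)

# Constructed 'after' state for a domain hosted on Exchange Online.
AFTER = (
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",  # placeholder, not a real key
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com.au; adkim=s; aspf=s",
)

if __name__ == "__main__":
    for label, records in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_domain(*records) or ["no weaknesses detected"])
```

The checker treats `~all` as acceptable because many organisations keep softfail while DMARC reporting settles, but it still flags `p=none` and a partial `pct`, since those are exactly the "monitoring only" settings that leave a domain spoofable in practice.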
What were the results?
The firm submitted their cyber insurance application with comprehensive evidence of security controls. The insurer approved the policy with no exclusions and offered a 15% premium reduction.
Twelve months on, the firm has experienced zero security incidents. Staff report that MFA is now routine, and the restricted admin privileges have eliminated the accidental software installations that previously caused support tickets.
The partners now receive quarterly maturity reports and have a roadmap to reach Essential Eight Maturity Level Two over the next twelve months.