A 35-person Calgary law firm handling real estate transactions and corporate M&A work was managing hundreds of millions in client assets. Their IT infrastructure? Break-fix support from a regional provider who responded in hours or days, no multi-factor authentication, shared admin accounts, and email security that relied entirely on a basic spam filter. They had never even heard of DMARC.
Then they nearly lost a client's wire transfer to a Business Email Compromise attack.
The attacker had compromised an email account and sent an instruction to the finance team redirecting a $1.2M wire transfer to an attacker-controlled account. A paralegal caught it, moments before the transfer was due to execute, because something about the tone felt slightly off. She called the sending partner directly on his personal cell phone, a number the attacker had no control over. "Did you send this?" No. Crisis averted. But barely, and only because one person did an out-of-band check that no policy required.
The firm realized they had a choice: hope it doesn't happen again, or rebuild their security posture from the ground up. They called IT Works MSP.
The Starting Point: What Wasn't Happening
The law firm had been operating under the assumption that bigger firms had "IT" and they would "figure it out later." That assumption almost cost them.
When we first assessed their environment, the gaps were substantial:
- No MFA. Not on email, not on file servers, not anywhere. If a password was stolen, an attacker had full access.
- Shared admin accounts. Multiple people knew the password to the firm's shared admin account. No audit trail of who did what.
- No email authentication. DMARC, DKIM, and SPF were not configured. An attacker could send emails that appeared to come from any partner at the firm.
- No EDR. If malware got onto a workstation, there was no way to detect it before it moved laterally across the network.
- No backup strategy. Important files were stored locally on file servers with no redundancy or off-site copies.
- No incident response plan. When they nearly lost that $1.2M transfer, they didn't have a playbook. They just got lucky.
The firm understood that legal work requires confidentiality and compliance, but they hadn't connected that requirement to security infrastructure. In their view, hiring a big law firm's IT consultants was expensive and only for firms with 200+ employees. They didn't realize that a managed IT services provider could build an enterprise-class security posture for their size and budget.
The Security Rebuild: What We Did
1. Multi-Factor Authentication Across the Board
We enabled MFA on every user account: email, file servers, VPN, everything. For lawyers who are often remote or working from client offices, we implemented Authenticator app-based MFA with number matching and device-trust policies, so the authentication process wasn't burdensome but could no longer be satisfied with a password alone.
The result: if an attacker steals a password through phishing or a data breach, the password by itself no longer opens the mailbox. That closes the entry point used in the near-miss, a mailbox taken over with stolen credentials. MFA is not unbreakable (attacker-in-the-middle phishing kits and MFA-fatigue prompts exist), which is why it is paired with the conditional access and device-trust controls below rather than deployed on its own.
2. Conditional Access Policies
We configured Microsoft Entra ID conditional access policies that evaluate every login in context. Unfamiliar location? Require additional verification. Login from an unmanaged device? Require a compliant device or step-up MFA. Legacy protocol that cannot do MFA at all? Block it outright. These policies caught suspicious logins and either forced additional verification or blocked them, and each policy was run in report-only mode first so we could see what it would have blocked before enforcing it.
For law firms handling sensitive M&A and real estate work, conditional access is the line between "someone got the password" and "someone got into the system."
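The two policies described in sections 1 and 2 (require MFA or a trusted device, and block the legacy protocols that bypass MFA) expressed as Microsoft Graph conditional access policy bodies, with a pre-flight lint. This is an added example, not the firm's actual policies or IT Works MSP's tooling; the break-glass account object ID, the policy names, and the `GRAPH_TOKEN` environment variable are assumptions. The `builtInControls`, `clientAppTypes` and `state` values are the ones Microsoft Graph accepts for `identity/conditionalAccess/policies`.

```python
"""Entra ID conditional access via Microsoft Graph (added example, not the firm's
policies or the MSP's code). Token needs Policy.ReadWrite.ConditionalAccess."""
import json
import os
import urllib.request
from typing import Any, Dict, List

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder object ID of the emergency-access ("break-glass") account; assumed.
BREAK_GLASS_IDS = ["00000000-0000-0000-0000-000000000001"]


def require_mfa_or_compliant_device() -> Dict[str, Any]:
    """All users, all cloud apps, outside trusted named locations: satisfy MFA
    or present an Intune-compliant device. Ships in report-only mode."""
    return {
        "displayName": "CA01 - Require MFA or compliant device (untrusted locations)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    }


def block_legacy_authentication() -> Dict[str, Any]:
    """IMAP/POP/SMTP AUTH and basic-auth ActiveSync cannot prompt for MFA, so a
    stolen password alone works there. Block those client types entirely."""
    return {
        "displayName": "CA02 - Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS_IDS)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Checks to run before enabling any tenant-wide policy. Returns problems found."""
    problems: List[str] = []
    conditions = policy["conditions"]
    users = conditions["users"]
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        problems.append("no break-glass exclusion: a bad policy can lock every admin out")
    if "block" in controls and conditions.get("clientAppTypes", ["all"]) == ["all"]:
        problems.append("blocks every client type for the included users")
    if policy["state"] == "enabled":
        problems.append("new policy should start as enabledForReportingButNotEnforced")
    return problems


def create_policy(policy: Dict[str, Any], token: str) -> Dict[str, Any]:
    """POST the policy to Graph and return the created object (needs network)."""
    req = urllib.request.Request(
        GRAPH_CA,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumed; obtain via MSAL or az CLI
    for policy in (require_mfa_or_compliant_device(), block_legacy_authentication()):
        issues = lint_policy(policy)
        print(policy["displayName"], "->", issues or "ok")
        if token and not issues:
            print("created", create_policy(policy, token)["id"])
```

Run it without `GRAPH_TOKEN` to lint only; the lint is what stops the classic mistake of enabling an all-users block with no exclusion and locking the admins out of the tenant. Flip `state` to `enabled` only after the report-only sign-in logs show no legitimate traffic being caught.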
3. Email Authentication: DMARC, DKIM, SPF
We configured DKIM signing for the firm's domain, an SPF record that lists every legitimate mail server sending on its behalf, and a DMARC record with p=reject. DMARC only passes a message when SPF or DKIM passes and the authenticated domain aligns with the visible From address, so if an attacker tries to send an email appearing to come from a partner's exact address from their own infrastructure, the receiving mail server is told to reject it. We started at p=none with aggregate reporting (the rua tag) to find every legitimate sender before moving to reject, because a reject policy with an incomplete SPF record silently drops the firm's own mail.
This doesn't prevent all phishing. Attackers can register lookalike domains, and DMARC does nothing about mail sent from a genuinely compromised mailbox (the vector in the near-miss), because that mail is authenticated by the firm's own servers. What it eliminates is exact-domain spoofing of the firm's address, which is the most convincing version of partner impersonation for law firms, and the MFA and conditional access controls above cover the compromised-mailbox case.
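A DMARC disposition evaluator, added here as an illustration and not part of the firm's configuration or the MSP's code. It implements the RFC 7489 identifier-alignment rule over constructed inputs (the domain example-law.ca, the attacker domains, and the SPF/DKIM results a receiving server would already have computed are all hypothetical) and runs the five cases the paragraph above describes: exact-domain spoofing, legitimate mail, forwarded mail, a compromised mailbox, and a lookalike domain.

```python
"""DMARC disposition evaluator (added example; not the firm's or the MSP's code).

Implements the RFC 7489 alignment check over constructed inputs. The domain
example-law.ca, the attacker domains and all results below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed DNS: only the firm publishes a DMARC record. A real receiver does a
# TXT lookup of _dmarc.<from-domain>; a lookalike domain simply has no record here.
DNS_TXT: Dict[str, str] = {
    "_dmarc.example-law.ca": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-law.ca",
}


def organizational_domain(domain: str) -> str:
    """Stand-in for a Public Suffix List lookup: keep the last two labels.
    Adequate for example-law.ca; a real receiver must consult the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict, applying RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) accepts a shared
    organizational domain, e.g. mail.example-law.ca against example-law.ca."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str          # RFC5322.From domain, the one the recipient sees
    spf_result: str           # "pass" | "fail" | "none"
    spf_domain: str           # envelope MAIL FROM domain that SPF was evaluated against
    dkim_passes: List[str] = field(default_factory=list)  # d= of signatures that verified


def dmarc_disposition(r: AuthResults, dns: Dict[str, str] = DNS_TXT) -> str:
    """Return 'pass', or the policy action the domain owner requested
    ('reject' / 'quarantine' / 'none'). 'none' is also returned when the From
    domain publishes no record at all, which is the lookalike-domain case."""
    record: Optional[str] = dns.get(f"_dmarc.{r.from_domain.lower()}")
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = any(aligned(d, r.from_domain, tags["adkim"]) for d in r.dkim_passes)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def scenarios() -> Dict[str, str]:
    """Constructed cases a receiving server might see, mapped to their verdict."""
    cases = {
        # Attacker's own mailer: SPF passes for *their* envelope domain, but it is
        # not aligned with the spoofed From, and nothing was signed with d=example-law.ca.
        "spoofed_exact_domain": AuthResults("example-law.ca", "pass", "attacker-mailer.example"),
        # Really sent through the firm's tenant and DKIM-signed by its domain.
        "legitimate": AuthResults("example-law.ca", "pass", "example-law.ca", ["example-law.ca"]),
        # Forwarding rewrites the envelope so SPF fails, but the DKIM signature survives.
        "forwarded_spf_broken": AuthResults("example-law.ca", "fail", "example-law.ca", ["example-law.ca"]),
        # A hijacked mailbox sends through the real tenant: indistinguishable from legitimate.
        "compromised_mailbox": AuthResults("example-law.ca", "pass", "example-law.ca", ["example-law.ca"]),
        # Lookalike domain the attacker registered: the firm's p=reject never applies.
        "lookalike_domain": AuthResults("example-1aw.ca", "pass", "example-1aw.ca", ["example-1aw.ca"]),
    }
    return {name: dmarc_disposition(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The two cases worth staring at are `compromised_mailbox`, which passes exactly like legitimate mail because the message genuinely left the firm's tenant, and `lookalike_domain`, where the firm's record is never consulted. Both are the gaps DMARC leaves that the identity controls and user training have to cover.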
4. EDR on Every Endpoint
We deployed endpoint detection and response on every workstation and server. EDR monitors process creation, file operations, registry changes, and network connections in real time. If a piece of malware executes or an attacker tries to move laterally across the network, EDR can detect the behaviour and isolate the device from the network before it spreads further, and it keeps the telemetry an incident responder needs to see what happened.
For a firm that handles confidential client data, EDR is the difference between a contained incident and a data breach that could end the firm.
5. Email Filtering and Threat Intelligence
We deployed advanced email filtering that uses machine learning and threat intelligence feeds to catch phishing emails, malware attachments, and suspicious sender behavior. It's not a magic bullet, but combined with MFA and user training, it reduces the number of phishing attempts that ever reach an inbox.
6. Incident Response Plan
The near-miss wire transfer taught the firm that hoping their employees catch attacks is not a security strategy. We developed a formal incident response plan: who to contact if a breach is suspected, how to isolate affected systems, how to preserve evidence, and how to notify clients and regulators if required. The plan also turned the paralegal's instinct into a rule: any change to wire instructions is confirmed by calling the sender back on a number already on file, never one taken from the email.
This plan also serves as the basis for annual tabletop exercises where the firm walks through scenarios and ensures everyone knows their role.
Why this mattered for this firm: Law firms are high-value targets. They're trusted with assets, they handle sensitive client data, and they're under time pressure during closings and deals. An attacker who compromises a lawyer's email can convince clients to redirect wire transfers, change beneficiaries, or disclose confidential deal terms. The security posture has to reflect that reality.
The Results: What Changed
Twelve months post-implementation, the firm's security posture had been transformed.
- Zero security incidents. No breaches, no phishing success, no malware detections. The controls are working.
- First-time pass on vendor security questionnaires. The firm now meets the due diligence requirements that larger institutional clients and lenders require. This has opened up new business opportunities.
- 20% reduction in cyber insurance premiums. The insurance broker recognized the improved security posture and negotiated better rates. The savings covered most of the first-year cost of the new controls.
- Client confidence. Lawyers can now assure clients that their confidential data is protected by enterprise-class security controls. This is a competitive advantage in a market where other 35-person firms are still on break-fix support.
- Compliance and audit readiness. Law firms are audited. Regulators and clients ask questions. This firm now has documentation of controls, log retention, and incident response procedures that demonstrate due care.
What This Looks Like: The Real Cost of Inaction
The law firm was lucky. Their near-miss didn't become a loss. But the math is worth understanding:
The cost of the managed cybersecurity services we deployed was approximately $3,500 per month. Over a year, that's $42,000. The annual savings from the 20% insurance premium reduction alone was $30,000. The remaining $12,000 investment bought them:
- A far lower chance of a Business Email Compromise attack succeeding
- Regulatory and insurance compliance
- Ability to win business from clients whose due diligence requires these controls
- Peace of mind that their client data is protected
A single successful BEC attack targeting a wire transfer could have cost them $500K to $5M. From the firm's perspective, this security investment wasn't a cost — it was insurance and a competitive advantage.
Why This Applies to Your Firm
If you're a mid-sized professional services firm in Calgary — law, accounting, consulting — you likely share this firm's starting point. You have important client data, significant assets under management, and employees who are remote or traveling between client locations. Your current IT is probably reactive: break-fix support that responds in hours or days, no sophisticated security controls, and whoever is "good with computers" gets tasked with IT decisions.
The risk profile for a firm of your size is high. Your attackers are sophisticated — they're targeting your industry specifically. Your time to respond to an incident is short — a Business Email Compromise attack executes in minutes. Your liability if you fail is significant — you're responsible for client data.
The solution isn't expensive. It's not a months-long project. It's what this law firm did: define the security controls that matter (MFA, email authentication, EDR, incident response), deploy them systematically, and measure whether they're working.
Start here: Does every user at your firm have MFA enabled on their email? Is DMARC configured on your domain? Do you have EDR on your workstations? If the answer to any of these is no, you have gaps that attackers specifically look for. Download our IT Security Checklist to assess where you stand.
The Bottom Line
A near-miss Business Email Compromise attack forced this Calgary law firm to take security seriously. They discovered that enterprise-class security wasn't out of reach for a 35-person firm. It cost them roughly the amount they were already spending on broken IT support, and it transformed their risk profile.
Twelve months later, they have zero incidents, better insurance rates, client confidence, and regulatory compliance. More importantly, they can focus on their practice instead of worrying about whether their email is going to be spoofed or their files are going to be encrypted.
That's what real managed IT services for Calgary look like: security by design, not security theater.
Is your firm protected against Business Email Compromise? Let's find out.
We review your email authentication, identity controls, endpoint protection, and incident response posture. We'll show you exactly where your gaps are and what it costs to fix them. No obligation, no sales pitch.
Book a Free IT Assessment