When a boutique consulting firm handling highly confidential client engagements came to Teclara, they had a single question: "What are we actually paying for?" The answer was troubling. Their previous IT provider had left behind an unmanaged environment riddled with security gaps, orphaned configurations, and zero visibility into what was protecting their business.
This is the story of how Teclara took them from uncertainty to a fully secured, continuously monitored IT environment with quarterly technology reviews.
The Client
This firm is small by design. They serve a select number of enterprise clients on engagements that demand absolute discretion. This is the kind of work where a leaked document or a compromised inbox could unravel a deal, damage a reputation, or trigger regulatory consequences. Client data, strategic recommendations, and proprietary frameworks flow through their systems daily. The expectation from their clients is simple: keep it confidential, keep it safe.
Despite those stakes, the firm had never received a security report from their IT provider. They had no dashboard, no documentation, and no way to verify whether the tools they were paying for were actually configured, active, or doing anything at all. They knew something was off. They just did not know how far the problem went.
The Challenge
Teclara's initial assessment revealed an environment that had been neglected for years. The problems were not isolated. They were systemic.
The firm was paying monthly IT fees, but there was no accountability behind those invoices. No reporting had ever been delivered. Security policies existed in name only. They were written into a proposal at some point but never enforced in practice. The firm's leadership had no visibility into their own security posture, and their previous provider offered no mechanism to change that.
One of the more concerning findings involved email routing rules. The previous provider had configured transport rules within the Microsoft 365 environment that were still active but completely unmanaged. No one was monitoring them. No one had reviewed them in years. Orphaned mail flow rules like these are a well-known attack vector. They can be exploited to silently redirect, copy, or intercept email communications without anyone noticing. For a firm whose entire value proposition depends on confidentiality, this was an unacceptable risk hiding in plain sight.
Microsoft Defender was technically deployed, but that word, deployed, was doing a lot of heavy lifting. The policies were either sitting at their out-of-the-box defaults or had been partially configured and then abandoned. Anti-phishing protections were not tuned for impersonation attacks targeting key personnel. Safe Attachments were not sandboxing inbound files. Safe Links were not rewriting URLs in email or Teams. In short, the firm had the licensing for enterprise-grade protection but none of the configuration work required to make it effective.
Beyond Defender, there was no detection and response capability whatsoever. No managed detection and response (MDR) service. No security operations centre (SOC) watching for threats. No incident response plan. If a threat actor had gained access to an account or endpoint, there was nothing in place to detect the intrusion, contain it, or alert anyone. The firm would have found out about a breach the same way most unprotected organizations do: when the damage was already done.
The backup situation was equally stark. Email, contacts, calendars, and Entra ID (Azure Active Directory) had no backup coverage at all. Many organizations assume Microsoft handles this, but Microsoft's native retention policies are not a substitute for a true backup solution. A ransomware event, an accidental bulk deletion, or a compromised admin account could have resulted in permanent, irrecoverable data loss.
Finally, there was no patching or vulnerability management program. Endpoints and cloud services were not being systematically updated. Known vulnerabilities sat unaddressed month after month, quietly expanding the firm's attack surface.
The Solution
Teclara designed a structured remediation and hardening program that addressed every gap identified during the assessment. The work was not a single project with a finish line. It was the beginning of a managed security relationship.
Cleaning Up Microsoft 365
The first step was getting the Microsoft 365 environment to a clean, documented baseline. Teclara performed a full tenant audit, identifying unused licenses, removing orphaned accounts, tightening administrative access, and documenting the entire configuration. The goal was simple: know exactly what exists, who has access to it, and why.
The orphaned email routing rules left by the previous provider were reviewed one by one. Every legacy transport rule was evaluated for its original purpose, its current relevance, and its risk. All unmanaged rules were removed. Going forward, mail flow is actively monitored and any new transport rules require documented change approval before they are implemented.
Aligning Microsoft Defender to the Firm's Risk Profile
Teclara reconfigured Defender for Office 365 from the ground up. Anti-phishing policies were tuned with impersonation protection for the firm's partners and senior consultants, the individuals most likely to be targeted in a spear-phishing or business email compromise attack. Safe Attachments was enabled with dynamic delivery, meaning inbound attachments are detonated in a sandbox environment before they reach the recipient's inbox. Safe Links was rolled out across both email and Microsoft Teams to rewrite and scan URLs at the time of click. Anti-malware policies were configured with zero-hour auto purge, which allows Microsoft to retroactively remove threats from mailboxes even after delivery if new intelligence identifies them as malicious.
The difference is not just technical. It is operational. The firm now has protection that actively adapts to the threat landscape, rather than static policies that were set once and forgotten.
Deploying MDR and SOC Monitoring
With the environment cleaned up and hardened, Teclara deployed a fully managed detection and response service backed by a 24/7 security operations centre. Endpoints and cloud workloads are now continuously monitored. Threat detection runs on behavioural analytics and threat intelligence feeds, identifying anomalous activity that signature-based tools would miss. When a confirmed threat is detected, automated containment isolates the affected endpoint or account within seconds. For more complex incidents, human analysts investigate, escalate, and coordinate the response.
This is the layer that was entirely absent before. The firm now has eyes on their environment around the clock. A team whose job it is to watch, investigate, and act, supported by software running in the background.
Business Email Compromise Protection
Given the firm's exposure to confidential client communications, Teclara deployed a dedicated business email compromise (BEC) protection capability with a built-in incident response workflow. Business email compromise is one of the most financially damaging attack types. It does not rely on malware but on social engineering and credential theft to hijack legitimate accounts.
If a user account is compromised through credential theft, token replay, or a phishing attack, the system triggers automated containment. Sessions are revoked. Passwords are reset. But the response does not stop there. A forensic review of the mailbox activity during the compromise window determines exactly what the attacker accessed, whether any data was exfiltrated, and whether any inbox rules or forwarding were created to maintain persistent access. Any attacker-created rules are removed, affected parties are notified, and remediation guidance is provided to ensure no residual access remains.
For a firm where a single compromised email thread could expose a confidential engagement, this capability is not a nice-to-have. It is essential.
Patching and Vulnerability Management
Teclara established a patching program covering operating systems, applications, and firmware across the firm's endpoints. Updates are deployed on a defined schedule, with critical patches expedited based on threat severity. Vulnerability scanning runs regularly, and findings are triaged by risk. High-severity vulnerabilities are remediated within defined SLAs, while lower-severity items are tracked and addressed in the normal maintenance cycle.
The result is a shrinking attack surface rather than an expanding one. Known vulnerabilities no longer sit open for months waiting for someone to notice.
Full Microsoft 365 Backup with 10-Year Retention
Teclara deployed a comprehensive backup solution covering the firm's entire Microsoft 365 environment. Outlook mailboxes, including sent items, drafts, and archives, are backed up continuously. Contacts and calendars are protected. And critically, Entra ID is backed up as well, preserving user objects, group memberships, role assignments, and directory configuration.
All backup data is retained for 10 years. This was a deliberate decision driven by the firm's need to meet long-term compliance and regulatory retention requirements. If a client engagement from seven years ago requires retrieval of email correspondence, it is there. If a ransomware event encrypts the production environment, a full restore is possible. Restores can be performed at the granular level, down to a single email or a single contact, or at the full account level for disaster recovery.
The firm went from having no safety net to having one of the most robust backup configurations available for a Microsoft 365 environment.
Quarterly Technology Reviews
Perhaps the most meaningful change has nothing to do with technology. It is a process. The firm now receives structured quarterly technology reviews with Teclara. Each session covers the security posture over the previous quarter, including incident and alert trends, patching compliance, vulnerability status, and backup health. Restore tests are reviewed to confirm that backups are not just running but recoverable. Teclara presents recommendations for upcoming improvements and works with the firm's leadership on budget planning for technology investments.
These reviews give the firm something they never had before: a seat at the table in their own IT strategy. They are no longer passive consumers of an opaque service. They understand what they have, why they have it, and what comes next.
The Transformation
The contrast between where this firm started and where they are today is stark.
Before Teclara, the firm had no visibility into their IT security. They were paying monthly fees for services they could not verify. Email routing rules left by their previous provider sat unmanaged and unmonitored. Microsoft Defender was running on default settings with no tuning for the firm's specific risks. There was no endpoint monitoring, no SOC, and no plan for what to do if something went wrong. Microsoft 365 data, including email, contacts, calendars, and their entire identity directory, had no backup. Patching was not happening. And no one was sitting down with them to talk about any of it.
Today, the firm operates in a fully audited and hardened Microsoft 365 environment. Legacy email rules have been removed and mail flow is monitored. Defender policies are aligned to their risk profile. A 24/7 MDR and SOC service watches their environment continuously. Business email compromise protection stands ready with incident response if a login is ever compromised. Patching and vulnerability management run on a defined cadence. Every piece of Microsoft 365 data is backed up with a 10-year retention policy. And every quarter, the firm sits down with Teclara to review it all, ask questions, and plan ahead.
"We went from not knowing what we were paying for to having complete confidence in our security. Teclara gave us the visibility and protection our clients expect from us."
- Managing Partner
Why It Matters
For firms handling confidential engagements, security is not optional. It is a professional obligation. Clients trust their consultants with sensitive strategies, financials, and proprietary information. A breach does not just affect the firm; it affects every client whose data was in their care.
Teclara's approach treats security as a continuously managed program, monitored, measured, and improved every quarter. The technology matters, but what matters more is the discipline behind it: the reviews, the reporting, the accountability, and the confidence that comes from knowing exactly what you are paying for and exactly what it is doing.
If your firm handles confidential client work and you are unsure whether your IT environment is properly secured, contact Teclara for a confidential assessment.