School's Out. Your Workday Shifted—And So Did Your Risk
Right now, your firm isn't operating under normal conditions.
Schedules are fluid.
Interruptions are constant.
Decisions are happening faster than usual.
And that's exactly when problems show up.
Not when someone is focused.
When something looks routine—and gets handled quickly.
That's where a single moment turns into exposure.
The Real Issue Isn't the Click—It's the Access Behind It
In most legal environments, one user account doesn't just do one thing.
It connects to:
- Client communications
- Shared case files
- Financial systems
- Internal discussions
Which means when one account is compromised, it isn't an isolated issue.
It's immediate access into the firm's core operations—where
confidentiality, reputation, and liability are tied to everything.
Where This Actually Breaks (Real Example)
In an 18-user firm, one compromised login led to:
- A forwarding rule sending emails externally
- Access to multiple shared case folders
- Internal messages sent from the account
- Sensitive data exposure across active matters
All within minutes.
No one ignored a warning.
No one made a reckless decision.
Everything looked normal—at the wrong moment.
The "Blast Radius" Most Firms Underestimate
Think of your environment in levels:
Level 1: Email Only
Inbox, attachments, client conversations
Level 2: Email + Case Files
Shared drives, active matters, internal documents
Level 3: Email + Files + Systems
Billing, client records, internal tools, communications
Most firms assume they're at Level 1.
In reality, they're operating at Level 2 or 3—without realizing it.
That's why one compromised login spreads faster than expected.
Where to Check This (Specific, No Guesswork)
If you want clarity, here's exactly where to look.
Microsoft 365
- Entra / Azure AD → Sign-in logs
- Exchange Admin Center → Mail flow and rules
- SharePoint / OneDrive → Folder permissions
Google Workspace
- Admin Console → Security → Login audit
- Gmail settings → Forwarding and POP/IMAP
- Google Drive → Sharing permissions
If these haven't been reviewed recently, you're relying on assumption—not
visibility.
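Here is what those checks look like when you pull the exported data instead of eyeballing the admin screens. This is an added example, not code from 911 IT or from the original post: it runs over constructed sample records for one ordinary user, and the field names, the placeholder firm domain examplefirm.test, and the set of client-app values treated as legacy protocols are assumptions rather than an exact Microsoft 365 or Google Workspace export schema. It flags the same three things the checklist above points you at: sign-ins that don't fit the user, rules that forward mail out or hide it, and POP/IMAP left on.

```python
"""Review of one account's exported data for the three checks named above
(sign-in activity, mailbox rules and forwarding, POP/IMAP). Added example,
not from the original post; all records are constructed sample data and the
field names are assumptions, not an exact Microsoft or Google export schema."""
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_DOMAINS = {"examplefirm.test"}            # placeholder firm domain
# Client-app values that indicate legacy/basic auth, where MFA is not in the path.
# Assumed set; compare with the client-app column of your own sign-in export.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Other clients"}
# Folders a rule can move mail into so the owner never notices replies or alerts.
HIDE_FOLDERS = {"RSS Subscriptions", "Conversation History", "Deleted Items", "Junk Email"}


@dataclass
class SignIn:
    when: str          # ISO timestamp (constructed)
    country: str
    device: str        # device / OS summary as exported
    client_app: str    # e.g. "Browser", "IMAP4"
    succeeded: bool


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)   # forward/redirect targets
    delete: bool = False
    move_to: Optional[str] = None


def _external(address, internal_domains):
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def review_signins(events, known_countries, known_devices):
    """Step 2: successful sign-ins that don't fit the user's normal pattern."""
    findings = []
    for e in events:
        if not e.succeeded:
            continue            # failures matter for lockout, not for access
        reasons = []
        if e.country not in known_countries:
            reasons.append(f"unfamiliar country {e.country}")
        if e.device not in known_devices:
            reasons.append(f"unknown device {e.device!r}")
        if e.client_app in LEGACY_CLIENTS:
            reasons.append(f"legacy protocol {e.client_app} (MFA bypassed)")
        if reasons:
            findings.append((e.when, "; ".join(reasons)))
    return findings


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Step 3: external forwarding and rules that hide mail from the owner."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        ext = [a for a in r.forward_to if _external(a, internal_domains)]
        if ext:
            findings.append((r.name, "forwards externally to " + ", ".join(ext)))
        if r.delete:
            findings.append((r.name, "hides mail: deletes matching messages"))
        elif r.move_to in HIDE_FOLDERS:
            findings.append((r.name, f"hides mail: moves to {r.move_to}"))
    return findings


def audit_mailbox(settings, internal_domains=INTERNAL_DOMAINS):
    """Mailbox-level forwarding (set outside inbox rules) and POP/IMAP state."""
    findings = []
    fwd = settings.get("forwarding_address")
    if fwd and _external(fwd, internal_domains):
        findings.append(("mailbox forwarding", f"copies all mail to {fwd}"))
    for proto in ("pop", "imap"):
        if settings.get(f"{proto}_enabled"):
            findings.append((proto.upper(), "enabled; legacy protocol, disable unless required"))
    return findings


# ---- constructed sample export for one ordinary user -----------------------
SAMPLE_SIGNINS = [
    SignIn("2024-06-10T08:02Z", "US", "Windows 11 / FIRM-LT-07", "Browser", True),
    SignIn("2024-06-10T08:05Z", "US", "Windows 11 / FIRM-LT-07", "Mobile Apps and Desktop clients", True),
    SignIn("2024-06-10T13:40Z", "NG", "Unknown", "Browser", False),
    SignIn("2024-06-10T13:41Z", "NG", "Unknown", "IMAP4", True),
]
SAMPLE_RULES = [
    InboxRule("Client newsletters", True, move_to="Newsletters"),
    InboxRule(".", True, forward_to=["jdoe.backup@webmail.example"], delete=True),
    InboxRule("Old filter", False, forward_to=["someone@outside.example"]),
]
SAMPLE_MAILBOX = {"forwarding_address": None, "pop_enabled": False, "imap_enabled": True}


def run_review():
    """Run all three checks over the sample export; returns findings by check."""
    return {
        "signins": review_signins(SAMPLE_SIGNINS, {"US"}, {"Windows 11 / FIRM-LT-07"}),
        "rules": audit_inbox_rules(SAMPLE_RULES),
        "mailbox": audit_mailbox(SAMPLE_MAILBOX),
    }


if __name__ == "__main__":
    for check, items in run_review().items():
        print(f"{check}: {len(items)} finding(s)")
        for where, what in items:
            print(f"  {where}: {what}")
```

Two things worth noticing in the sample: the one sign-in that matters is the successful IMAP login from an unfamiliar country, not the failed browser attempt a minute earlier, and the rule named "." both forwards mail out and deletes it, which is why the checklist asks about hidden filters and not just forwarding. Swap the constructed records for your own export and the three functions stay the same.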
The 15-Minute Containment Test (Step-by-Step)
Run this once. It tells you exactly how contained—or exposed—you are.
Step 1: Choose a real user account
Not an admin. A normal employee.
Step 2: Review login activity
Do all devices and locations make sense?
Step 3: Check email rules
Any forwarding? Any hidden filters?
Step 4: Map access
What can this account reach?
- Case files
- Shared drives
- Financial tools
Step 5: Disable the account briefly
Then observe:
- What stops immediately?
- What still remains accessible?
- What stays exposed elsewhere?
That final answer is your real blast radius.
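To make Steps 4 and 5 concrete, here is an added example (not from the original post and not 911 IT's code) that models one account's access the way a sharing export would show it, classifies it against the Level 1/2/3 scheme above, and then simulates disabling that account. The firm, users, matter names, groups and permission entries are all constructed; what it shows is that disabling the account stops its own access but leaves "anyone" links and the same data reached by everyone else in broad groups exactly where they were.

```python
"""Access model for Step 4 (map access) and Step 5 (disable and observe),
with the Level 1/2/3 blast radius classification from the post. Added example,
not from the original post: the firm, users, matters and permissions below are
constructed sample data; in practice the entries come from SharePoint/OneDrive
or Google Drive sharing exports plus group membership lists."""

# (resource, category, principal, how) -- constructed sample entries.
# category follows the post's levels: email, files, systems.
# how: "direct" (named user), "group" (via membership), "anyone-link" (shared link).
ACCESS = [
    ("Mailbox: j.doe", "email", "j.doe", "direct"),
    ("Matter 2024-017 (Smith v. Jones)", "files", "Litigation Team", "group"),
    ("Matter 2024-021 (Acme merger)", "files", "All Staff", "group"),
    ("Matter 2023-088 closing binder", "files", "anyone", "anyone-link"),
    ("Billing system", "systems", "All Staff", "group"),
    ("Client records DB", "systems", "Finance", "group"),
    ("Teams: partners channel", "email", "Partners", "group"),
]
GROUPS = {
    "All Staff": {"j.doe", "a.lee", "m.chen", "r.patel"},
    "Litigation Team": {"j.doe", "a.lee"},
    "Finance": {"r.patel"},
    "Partners": {"m.chen"},
}


def reachable(account, access=ACCESS, groups=GROUPS):
    """Step 4: every resource the account can open, mapped to (category, how)."""
    reach = {}
    for resource, category, principal, how in access:
        granted = (
            (how == "direct" and principal == account)
            or (how == "group" and account in groups.get(principal, ()))
            or how == "anyone-link"
        )
        if granted:
            reach[resource] = (category, how)
    return reach


def blast_level(reach):
    """Post's levels: 1 = email only, 2 = email + files, 3 = email + files + systems.
    Returns the highest tier the account actually touches (0 if nothing)."""
    categories = {category for category, _ in reach.values()}
    if "systems" in categories:
        return 3
    if "files" in categories:
        return 2
    return 1 if "email" in categories else 0


def beyond_role(account, needed_categories, access=ACCESS, groups=GROUPS):
    """'Restrict access by role': resources granted to the account that its role
    does not need. Anyone-links are left out; they are a separate finding."""
    return sorted(resource
                  for resource, (category, how) in reachable(account, access, groups).items()
                  if how != "anyone-link" and category not in needed_categories)


def disable_simulation(account, access=ACCESS, groups=GROUPS):
    """Step 5: disabling the account cuts its direct and group-based access, but
    not links shared to anyone, and not the same data reached by other accounts
    through the same broad groups (the part that does not shrink)."""
    reach = reachable(account, access, groups)
    everyone = set().union(*groups.values())
    stops = sorted(r for r, (_, how) in reach.items() if how in ("direct", "group"))
    remains = sorted(r for r, (_, how) in reach.items() if how == "anyone-link")
    exposed_elsewhere = {}
    for resource, (_, how) in reach.items():
        if how != "group":
            continue
        others = sorted(u for u in everyone
                        if u != account and resource in reachable(u, access, groups))
        if others:
            exposed_elsewhere[resource] = others
    return {"stops": stops, "remains": remains, "exposed_elsewhere": exposed_elsewhere}


if __name__ == "__main__":
    user = "j.doe"                       # an ordinary user, not an admin (Step 1)
    reach = reachable(user)
    print(f"{user} reaches {len(reach)} resources, blast radius level {blast_level(reach)}")
    print("beyond a paralegal's role (email + files):", beyond_role(user, {"email", "files"}))
    for key, value in disable_simulation(user).items():
        print(f"{key}: {value}")
```

For the constructed j.doe, a paralegal who should need email and case files, the model lands at Level 3 because "All Staff" carries the billing system. Disabling the account stops four resources, leaves the closing binder reachable through its anyone-link, and changes nothing for the three other staff who reach the same matters and billing system through the same group. That last list is the "exposed elsewhere" answer the test asks for.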
If This, Then Fix This
| Risk Observed | What It Means | Fix |
| --- | --- | --- |
| MFA not enforced for all users | Stolen password = full access | Enforce MFA for every user |
| External email forwarding allowed | Data can leave unnoticed | Disable or monitor forwarding |
| Broad file access | One login exposes multiple matters | Restrict access by role |
| No login alerts | Suspicious activity goes unseen | Enable anomaly alerts |
| Legacy login methods enabled | MFA can be bypassed | Disable outdated protocols |
Fix Priority Order (If You Only Do 3 Things This Week)
If your team is busy—and they are—start here:
- Enforce MFA across all users
- Disable external email forwarding
- Enable login anomaly alerts
These three changes reduce your exposure faster than anything else.
What Most Firms Get Wrong
From the outside, these environments look secure.
From the inside, they're quietly exposed:
- MFA exists—but not for everyone
- File access is too broad "for convenience"
- Permissions build over time and never shrink
- Login activity isn't actively reviewed
- Email forwarding rules go unchecked
This isn't a tool problem.
It's a control problem.
What This Looks Like at Your Firm Size
10-20 Users
- Shared access is common
- One account touches multiple matters
- Exposure spreads quickly
30-50 Users
- Permissions become inconsistent
- Old access remains in place
- More systems tied to each login
In both cases, the issue isn't complexity.
It's containment.
The External Lens (How This Gets Judged After an Incident)
If something happens, no one asks:
"Why did someone click?"
They ask:
- Why did one account have this level of access?
- Why wasn't unusual activity flagged immediately?
- Why could information move before containment?
Those are the questions tied directly to client trust and professional
risk.
Your Next-Week Action
Pick one employee account.
Spend 15 minutes mapping:
- What it can access
- Where those permissions extend
- What happens if that account is compromised
If the answer isn't clear—or feels uncomfortable—you've just found your
biggest risk.
Before This Turns Into a Client Issue
Run the 15-minute containment test with one real account. That alone will
show you exactly where exposure exists.
Schedule your 10-minute discovery call with 911 IT. We'll walk through
that test together and map what a compromised account could actually reach in
your environment. You'll leave knowing whether your risk is contained—or wider
than it should be.
