School’s Out. Your Workday Shifted—And So Did Your Risk

July 02, 2026

Right now, your firm isn't operating under normal conditions.

Schedules are fluid.
Interruptions are constant.
Decisions are happening faster than usual.

And that's exactly when problems show up.

Not when someone is focused.
When something looks routine—and gets handled quickly.

That's where a single moment turns into exposure.

The Real Issue Isn't the Click—It's the Access Behind It

In most legal environments, one user account doesn't just do one thing.

It connects to:

  • Client communications
  • Shared case files
  • Financial systems
  • Internal discussions

Which means when one account is compromised, it isn't an isolated issue.

It's immediate access into the firm's core operations—where confidentiality, reputation, and liability are tied to everything.

Where This Actually Breaks (Real Example)

In an 18-user firm, one compromised login led to:

  • A forwarding rule sending emails externally
  • Access to multiple shared case folders
  • Internal messages sent from the account
  • Sensitive data exposure across active matters

All within minutes.

No one ignored a warning.
No one made a reckless decision.

Everything looked normal—at the wrong moment.

The "Blast Radius" Most Firms Underestimate

Think of your environment in levels:

Level 1: Email Only
Inbox, attachments, client conversations

Level 2: Email + Case Files
Shared drives, active matters, internal documents

Level 3: Email + Files + Systems
Billing, client records, internal tools, communications

Most firms assume they're at Level 1.

In reality, they're operating at Level 2 or 3—without realizing it.

That's why one compromised login spreads faster than expected.

Where to Check This (Specific, No Guesswork)

If you want clarity, here's exactly where to look.

Microsoft 365

  • Entra / Azure AD → Sign-in logs
  • Exchange Admin Center → Mail flow and rules
  • SharePoint / OneDrive → Folder permissions

Google Workspace

  • Admin Console → Security → Login audit
  • Gmail settings → Forwarding and POP/IMAP
  • Google Drive → Sharing permissions

If these haven't been reviewed recently, you're relying on assumption—not visibility.

The 15-Minute Containment Test (Step-by-Step)

Run this once. It tells you exactly how contained—or exposed—you are.

Step 1: Choose a real user account
Not an admin. A normal employee.

Step 2: Review login activity
Do all devices and locations make sense?

Step 3: Check email rules
Any forwarding? Any hidden filters?

Step 4: Map access
What can this account reach?

  • Case files
  • Shared drives
  • Financial tools

Step 5: Disable the account briefly
Then observe:

  • What stops immediately?
  • What still remains accessible?
  • What stays exposed elsewhere?

That final answer is your real blast radius.
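
Steps 2 to 4 can be run as checks over an exported record for the chosen account. The following is an added example, not code from 911 IT or from Microsoft or Google tooling; the record layout, field names, firm domain, and client labels are assumptions built for illustration.

```python
FIRM_DOMAINS = {"examplefirm.test"}             # assumption: the firm's own mail domains
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP AUTH"}  # older sign-in methods (labels assumed)

def external_forwards(rules, firm_domains=FIRM_DOMAINS):
    """Step 3: list (rule name, address) for rules that forward outside the firm."""
    hits = []
    for rule in rules:
        for addr in rule.get("forward_to", []):
            if addr.rsplit("@", 1)[-1].lower() not in firm_domains:
                hits.append((rule["name"], addr))
    return hits

def risky_signins(signins, known_countries):
    """Step 2: flag sign-ins without MFA, over a legacy method, or from an unexpected place."""
    flagged = []
    for s in signins:
        reasons = []
        if not s["mfa"]:
            reasons.append("no MFA")
        if s["client"] in LEGACY_CLIENTS:
            reasons.append("legacy protocol")
        if s["country"] not in known_countries:
            reasons.append("unexpected location")
        if reasons:
            flagged.append((s["time"], reasons))
    return flagged

def blast_radius_level(resources):
    """Step 4: place the account on the article's Level 1-3 scale."""
    kinds = {r["kind"] for r in resources}
    if "system" in kinds:
        return 3   # any billing/records/tool access is treated as Level 3
    return 2 if "files" in kinds else 1

ACCOUNT = {  # constructed sample record and field names for one non-admin user
    "rules": [{"name": "Newsletters", "forward_to": []},
              {"name": ".", "forward_to": ["archive@mailbox-example.test"]}],
    "signins": [{"time": "09:14", "country": "US", "client": "Browser", "mfa": True},
                {"time": "23:41", "country": "US", "client": "IMAP", "mfa": False}],
    "resources": [{"kind": "email", "name": "Mailbox"}, {"kind": "files", "name": "Active matters"},
                  {"kind": "system", "name": "Billing"}],
}

def containment_report(account, known_countries=frozenset({"US"})):
    return {"external_forwards": external_forwards(account["rules"]),
            "risky_signins": risky_signins(account["signins"], known_countries),
            "blast_radius_level": blast_radius_level(account["resources"])}

if __name__ == "__main__":
    print(containment_report(ACCOUNT))
```

On the sample record, the report shows one externally forwarding rule, one sign-in over a legacy method without MFA, and a Level 3 blast radius.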

If This, Then Fix This

| Risk Observed | What It Means | Fix |
| --- | --- | --- |
| MFA not enforced for all users | Stolen password = full access | Enforce MFA for every user |
| External email forwarding allowed | Data can leave unnoticed | Disable or monitor forwarding |
| Broad file access | One login exposes multiple matters | Restrict access by role |
| No login alerts | Suspicious activity goes unseen | Enable anomaly alerts |
| Legacy login methods enabled | MFA can be bypassed | Disable outdated protocols |

Fix Priority Order (If You Only Do 3 Things This Week)

If your team is busy—and they are—start here:

  1. Enforce MFA across all users
  2. Disable external email forwarding
  3. Enable login anomaly alerts

These three changes reduce your exposure faster than anything else.

What Most Firms Get Wrong

From the outside, these environments look secure.

From the inside, they're quietly exposed:

  • MFA exists—but not for everyone
  • File access is too broad "for convenience"
  • Permissions build over time and never shrink
  • Login activity isn't actively reviewed
  • Email forwarding rules go unchecked

This isn't a tool problem.

It's a control problem.

What This Looks Like at Your Firm Size

10-20 Users

  • Shared access is common
  • One account touches multiple matters
  • Exposure spreads quickly

30-50 Users

  • Permissions become inconsistent
  • Old access remains in place
  • More systems tied to each login

In both cases, the issue isn't complexity.

It's containment.

The External Lens (How This Gets Judged After an Incident)

If something happens, no one asks:

"Why did someone click?"

They ask:

  • Why did one account have this level of access?
  • Why wasn't unusual activity flagged immediately?
  • Why could information move before containment?

Those are the questions tied directly to client trust and professional risk.

Your Next-Week Action

Pick one employee account.

Spend 15 minutes mapping:

  • What it can access
  • Where those permissions extend
  • What happens if that account is compromised

If the answer isn't clear—or feels uncomfortable—you've just found your biggest risk.

Before This Turns Into a Client Issue

Run the 15-minute containment test with one real account. That alone will show you exactly where exposure exists.

Schedule your 10-minute discovery call with 911 IT. We'll walk through that test together and map what a compromised account could actually reach in your environment. You'll leave knowing whether your risk is contained—or wider than it should be.