From a phishing-incident scare to ASD Essential Eight Maturity Level 2 in 90 days
Accounting · Ipswich CBD · 22 staff, 3 partners
The Challenge
An Ipswich accounting practice came to us after one of their accountants nearly fell for a sophisticated invoice-redirection phishing email, which would have cost them roughly $48,000 in misdirected client trust funds. They had basic Microsoft 365 Business Standard, no MFA, no managed antivirus, and were running a 7-year-old on-premises file server that was their backup of last resort. Their professional indemnity insurer had recently sent a questionnaire asking about Essential Eight alignment — they couldn't answer most of it.
What We Did
We mapped their environment against the ASD Essential Eight, prioritised the strategies most relevant to a tax & advisory practice, and rolled them out in a phased 90-day plan. The rollout covered Conditional Access with phishing-resistant MFA on every account, application allowlisting on the partners' workstations, automated patching for Windows, Office, and key apps like Xero Tax, daily immutable cloud backups, and macros restricted to signed templates only. We also ran a tabletop ransomware exercise with the partners and built an incident response runbook tailored to their PII custody obligations.
"The clarity was the biggest thing. We went from 'we hope we're OK' to having a real, written security baseline we could show our PI insurer, our clients, and the ATO if they ever asked. The team made it feel manageable, not scary."