Illustrative scenario. This is a composite example built from common engagement patterns we expect to encounter — not a real client. The business name, people, dollar amounts, percentages, and timelines are fictional and presented for educational purposes. Actual results vary based on environment, scope, and risk profile.
How a Near-Miss Ransomware Attack Turned Into HIPAA-Aligned Defence in 90 Days
A 12-person, two-location dental practice came within minutes of losing every file on its front-desk PC. Eight months later, they have measurable protection, measurable savings, and one less thing to lie awake about.
Outcomes after 90 days (detailed in the results section below):
- Successful ransomware attempts since onboarding
- Cyber insurance premium reduction at renewal: 22%
- Staff phishing simulation click rate: 7% (down from a 41% baseline)
- Open HIPAA high-risk register items: 1 (down from 14)
The Wake-up Call
"It was a Tuesday afternoon."
A hygienist clicked what looked like a routine insurance link — the kind that lands in their inbox a dozen times a week. Within minutes, file names on the front-desk PC began changing. The owner happened to be at the front desk, noticed something was wrong, and yanked the network cable.
The damage that afternoon was minimal. The damage the practice could have suffered — full EHR encryption, patient appointments cancelled for days, a HIPAA breach-notification obligation, potentially the end of the business — would have been catastrophic. The owner spent that night searching for someone who could help.
Before · What Our Initial Audit Found
A typical SMB security posture — which means significant exposure.
- 3 Windows machines still running unsupported operating-system builds
- No multi-factor authentication on email, EHR, or any admin account
- Backups stored on the same office network as the EHR system
- HIPAA risk assessment was more than four years out of date
- Standard antivirus only — no endpoint detection & response (EDR)
- No documented security awareness training programme
- The practice owner was the de facto IT support
Bottom line: The owner wasn't negligent. They were running a busy practice with no time to learn cybersecurity — exactly the situation most SMBs are in.
The Engagement · 90-Day Plan
Stabilise first. Harden second. Then run quietly.
We don't try to fix everything in week one. We stop the bleeding, then build proper defences, then operate them around the clock.
Week 1
Emergency Stabilisation
- Deployed enterprise EDR on every device across both locations
- MFA enforced on email, EHR, and all admin accounts within 72 hours
- Patched every device to the latest supported OS build
- Disconnected legacy network shares housing backup files
Weeks 2–4
Build the Walls
- Cloud-based, immutable backups deployed for EHR and M365 data
- Conditional access policies applied to M365 (location + device trust)
- Email security tuned for healthcare-specific phishing patterns
- Security awareness training rolled out to all 12 staff
Month 2
Compliance & Hardening
- Full HIPAA Security Rule risk assessment completed
- Documented incident response playbook tailored to breach-notification timelines
- First quarterly phishing simulation run as a baseline (41% click rate)
- Shared-device policies and short auto-lock timers configured
Month 3+
Ongoing Operations
- 24/7 monitoring with rapid containment of suspicious activity
- Plain-English monthly security reports delivered to the partners
- Quarterly partner review calls covering risks, incidents, and roadmap
- Ongoing security awareness training plus monthly phishing simulations
After · 90 Days In
The numbers — and the things you can't put a number on.
- 6 phishing attempts blocked at the email gateway within the first 90 days
- EDR auto-contained 2 suspicious processes before they could do any real damage
- HIPAA risk register went from 14 high-risk items to 1 (a software vendor migration still in progress)
- Cyber insurance underwriter moved them to a lower risk tier — 22% premium reduction at renewal
- Staff phishing-simulation click rate dropped from 41% to 7% within two training cycles
- Full onboarding completed in 18 days against a 21-day target
The intangible win: Front-of-house staff stopped seeing security as a burden and started treating it as part of the practice's standard of care.
"The peace of mind alone is worth what we pay. The monthly reports tell me what's been happening in a way I actually understand — not a wall of jargon. And when I'm with a patient, I'm not also worrying about whether our front desk just got phished."
Dr. M.
Owner · Brightwell Family Dental (illustrative)
Illustrative scenario. Quote, names, and figures are fictional and presented to show the kind of engagement we're built for.
Want a story like this for your business?
Most businesses come to us after a close call. You don't have to wait for yours. Book a free 30-minute assessment and we'll show you exactly where you stand — and what a 90-day path forward would look like.