Overview

Etico was engaged by a mid-sized professional-services firm — a practice of a few dozen staff handling sensitive financial and client data every day — to move its security posture from assumption to evidence. Like many small and mid-sized firms, the client outsourced day-to-day IT to a managed provider who kept systems running, but no one inside the firm actually owned security. The prevailing assumption was that the firm was “too small” to be a target — a belief shared by roughly 60% of Canadian SMBs, even though 73% have already experienced a cyber attack. Etico combined a free internal Security & Privacy Assessment with Recon Citadel external attack-surface monitoring to give the firm a complete, defensible picture of its risk — inside and out — at a fraction of the cost of a one-time penetration test.

The Business Problem

The engagement was triggered by a cyber-insurance renewal. The carrier’s questionnaire now asked whether the firm had MFA on every external login, whether it knew its full internet-facing footprint, and whether its security posture mapped to a recognized framework. Firm leadership could not answer any of these questions with confidence. A traditional one-time penetration test was quoted at $15K–$40K and would only provide a single point-in-time snapshot. The firm needed:

  • Visibility: A clear understanding of both its internal controls and its externally exposed attack surface, without standing up an in-house security team.
  • Prioritization: Findings framed for a business owner — what matters most, what each gap means for the firm and its clients, and what to fix first.
  • Evidence: Defensible documentation it could use to answer insurers, clients, and regulators with confidence.
  • Continuity: Ongoing assurance that kept pace with a changing environment, rather than a snapshot that would be stale within months.

The Assessment: Internal Posture

The firm began with Etico’s free ~20-minute Security & Privacy Assessment, completed by staff themselves with no IT team required. The assessment used plain-English questions about how data is managed, who has access, and what controls are in place. On completion, the firm received an instant scored report that mapped its internal gaps against CCCS Baseline Controls and laid out, in priority order, what to address first and what each gap meant for the firm and its clients.

Recon Citadel: External Exposure

To see what an attacker would see, the firm handed Etico a single input — its domain. The engagement required no agents and no installed software; it was entirely external. The first Recon Citadel scan ran the same kind of reconnaissance an attacker would perform and surfaced the issues SMBs most commonly do not know about:

  • Forgotten subdomains: Old staging sites, dev environments, and expired microsites still live, often running outdated software no one was monitoring.
  • Exposed login portals: Client portals and admin panels open to the internet, flagged where MFA could not be detected.
  • Unpatched services on non-standard ports: Admin surfaces and legacy services advertising themselves to the internet.
  • Email and transport weaknesses: Issues such as outdated TLS and a permissive DMARC policy that left the firm’s domain spoofable to its own clients.

None of these findings required internal access — all of them were already visible to anyone scanning the internet.
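The email finding above is the one a firm can verify for itself in minutes, because the DMARC record is public by design. The script below is an added example, not Etico's or Recon Citadel's code: it parses DMARC TXT records and rates them the way an external scanner would, treating `p=none` as the "permissive" policy that leaves a domain spoofable (monitor-only, failing mail still delivered). The domain names and records are constructed for the example; a live check would fetch `_dmarc.<domain>` TXT from DNS instead of reading the dictionary.

```python
"""Rate the DMARC posture of a domain from its published TXT record.

Added example (not part of the original case study).  The records below are
constructed; in practice they come from a DNS TXT lookup of _dmarc.<domain>.
"""

# Constructed sample records for illustration only.
SAMPLE_RECORDS = {
    "firm.example": "v=DMARC1; p=none; rua=mailto:dmarc@firm.example",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "nodmarc.example": None,  # no _dmarc TXT record published at all
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def _raise(current, new):
    """Keep the worse of two severities."""
    return new if SEVERITY_RANK[new] > SEVERITY_RANK[current] else current


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (severity, findings) for one domain's DMARC record (None = absent)."""
    if record is None:
        return "high", ["no DMARC record published: receivers apply no policy, so the domain is spoofable"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "high", ["record lacks v=DMARC1; receivers ignore it entirely"]

    severity, findings = "info", []
    policy = tags.get("p", "").lower()
    if policy == "none":
        severity = _raise(severity, "high")
        findings.append("p=none is monitor-only: mail failing SPF/DKIM alignment is still delivered")
    elif policy == "quarantine":
        severity = _raise(severity, "medium")
        findings.append("p=quarantine sends failing mail to spam instead of rejecting it")
    elif policy != "reject":
        return "high", [f"missing or unrecognised policy tag p={policy!r}"]

    # pct= applies the policy to only a sample of failing mail; default is 100.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        severity = _raise(severity, "high")
        findings.append(f"pct={tags.get('pct')!r} is not a valid percentage")
    elif pct < 100 and policy != "none":
        severity = _raise(severity, "medium")
        findings.append(f"pct={pct}: the policy is enforced on only {pct}% of failing mail")

    # sp= governs subdomains and defaults to p; a weaker sp leaves subdomains spoofable.
    subpolicy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(subpolicy, -1) < POLICY_STRENGTH.get(policy, 0):
        severity = _raise(severity, "medium")
        findings.append(f"sp={subpolicy} is weaker than p={policy}: subdomains can still be spoofed")

    # Without rua= nobody receives aggregate reports, so abuse goes unseen.
    if "rua" not in tags:
        severity = _raise(severity, "low")
        findings.append("no rua= address: aggregate reports on spoofing attempts go nowhere")
    return severity, findings


def assess_all(records):
    """Map each domain to its severity, highest first, for a prioritized report."""
    rated = {domain: assess_dmarc(rec) for domain, rec in records.items()}
    return dict(sorted(rated.items(), key=lambda kv: -SEVERITY_RANK[kv[1][0]]))


if __name__ == "__main__":
    for domain, (sev, notes) in assess_all(SAMPLE_RECORDS).items():
        print(f"[{sev.upper():6}] {domain}")
        for note in notes:
            print(f"          - {note}")
```

A `p=none` record is still worth publishing as a first step, because the `rua=` reports show who is sending as the domain; the remediation the page describes is moving on to `p=quarantine` and then `p=reject` once legitimate senders are aligned.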

Reporting & Remediation

Instead of a raw data dump, the firm received a prioritized, severity-rated report written for a business owner, not a security engineer: what was found, what it meant, and what to fix first. An Etico advisor walked firm leadership through the findings and coordinated remediation with the firm’s existing IT provider — the provider built and fixed, and Etico verified the results.

Ongoing Assurance

Because a firm’s attack surface changes every time someone spins up a subdomain or adds a SaaS tool, Recon Citadel continued scanning on a schedule and flagged the drift — new hosts, newly opened ports, and newly discovered vulnerabilities. Emerging problems now surface in the next monthly report instead of as a breach discovered two years later.
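The drift check described above reduces to comparing two scan snapshots and rating what changed. The following is an added example, not Recon Citadel's implementation: two constructed snapshots of hostname to open ports, a diff that isolates new hosts, newly opened ports, and things that went away, and a rating step that treats an unannounced host as the highest-priority item because nobody inside the firm knows what is running on it. Hostnames, ports and the severity mapping are assumptions for illustration.

```python
"""Flag attack-surface drift between two external scan snapshots.

Added example (not part of the original case study).  Snapshots map each
discovered hostname to the set of open ports observed on it; both are
constructed here, where a real tool would load last month's and this month's
scan results.
"""

# Constructed snapshots for illustration only.
PREVIOUS_SCAN = {
    "www.firm.example": {80, 443},
    "portal.firm.example": {443},
    "mail.firm.example": {25, 587},
}
CURRENT_SCAN = {
    "www.firm.example": {80, 443},
    "portal.firm.example": {443, 8443},   # a new admin port appeared
    "staging.firm.example": {22, 80},     # a host nobody announced
    # mail.firm.example no longer answers
}

# Ports that usually front an admin or remote-access surface (assumed list).
ADMIN_PORTS = {22, 3389, 5900, 8080, 8443, 10000}


def diff_snapshots(previous, current):
    """Return the structural changes between two snapshots."""
    common = set(previous) & set(current)
    return {
        "new_hosts": {h: sorted(current[h]) for h in set(current) - set(previous)},
        "gone_hosts": sorted(set(previous) - set(current)),
        "new_ports": {h: sorted(current[h] - previous[h]) for h in common if current[h] - previous[h]},
        "closed_ports": {h: sorted(previous[h] - current[h]) for h in common if previous[h] - current[h]},
    }


def rate_drift(changes):
    """Turn a diff into (severity, host, message) tuples, worst first."""
    alerts = []
    for host, ports in changes["new_hosts"].items():
        alerts.append(("high", host, f"new internet-facing host exposing ports {ports}; confirm ownership and patch level"))
    for host, ports in changes["new_ports"].items():
        sev = "high" if ADMIN_PORTS & set(ports) else "medium"
        alerts.append((sev, host, f"newly opened ports {ports}; verify MFA and business need"))
    for host in changes["gone_hosts"]:
        alerts.append(("info", host, "host no longer responds; confirm decommissioning was intended"))
    for host, ports in changes["closed_ports"].items():
        alerts.append(("info", host, f"ports {ports} closed since last scan"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(alerts, key=lambda a: (order[a[0]], a[1]))


if __name__ == "__main__":
    for sev, host, msg in rate_drift(diff_snapshots(PREVIOUS_SCAN, CURRENT_SCAN)):
        print(f"[{sev.upper():6}] {host}: {msg}")
```

Run monthly against the stored previous snapshot, this is the report the page describes: a short list of what changed, rated, rather than a re-listing of everything that was already known.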

Conclusion

When the insurance questionnaire came back around, the firm was able to answer every question with evidence behind it — without buying a one-time penetration test or standing up a dedicated security team. The Security & Privacy Assessment covered what was happening inside the firm, and Recon Citadel covered what was exposed outside. Together they gave the firm the full risk picture and the defensible evidence that insurers, clients, and regulators increasingly require, at a fraction of enterprise cost.

Key Takeaways

  • Inside and Out: A complete risk picture requires both an internal controls assessment and an external attack-surface view; either one alone leaves a blind spot.
  • Evidence Over Assumption: Mapping internal gaps to CCCS Baseline Controls and documenting external exposure replaced “we think we’re fine” with answers the firm could defend.
  • Business-Ready Reporting: Prioritized, severity-rated findings written for an owner — not a security engineer — made remediation actionable for a firm with no security team.
  • Continuous, Not One-Time: Scheduled scanning catches drift as the attack surface changes, surfacing issues in the next report instead of as a future breach.

This case study highlights how Etico equips professional-services SMBs with enterprise-grade visibility and defensible evidence — without the cost or overhead of a dedicated security team.
