IronSights
Case study: Financial Services

Credential hygiene, access controls and data classification for a Sydney mortgage broking firm

A twelve-broker practice engaged IronSights ahead of a planned expansion. Microsoft 365 had grown without governance, credentials for eight aggregator portals were stored in a shared spreadsheet, and client documents moved through unmanaged shared inboxes. Within eight weeks, Secure Score reached 79, individual credentials replaced shared access, and Microsoft Purview data classification was deployed.

Client

Sydney Mortgage Broking Firm

Sector

Financial Services

Services

Microsoft 365, Microsoft Purview

34 → 79

Microsoft Secure Score

8

Aggregator portals secured

8 wks

Engagement duration

Minutes

To remove a departing broker's access

The challenge

The firm's tenant had grown organically over several years. Legacy authentication was still enabled, multi-factor authentication was not enforced across all accounts, and several administrator accounts were also being used for everyday email and document work alongside their admin functions. A formal review had never been done.

Access to eight aggregator portals — AFG, Connective, Finsure and five others — was managed through a shared password spreadsheet. When brokers left the firm, their portal access was removed manually and inconsistently. Some departed brokers still had active credentials to portals containing current client data.

Client documents, including tax returns, payslips, bank statements, passport copies and credit reports, moved through email and Teams without classification or controls on external sharing. The firm had no systematic way to demonstrate to regulators or insurers how client data was handled.

The solution

The engagement ran across three parallel workstreams.

Getting Microsoft Secure Score to a defensible position

We disabled legacy authentication, configured multi-factor authentication to be enforced on every sign-in, separated administrator accounts from standard user accounts, and deployed Defender for Business across all devices. Six weeks later the Secure Score had moved from 34 to 79. The firm had a documented baseline to share with its PI insurer and reference in future compliance reviews.
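One way to implement the first workstream in an Entra ID tenant is with Conditional Access, created in report-only mode so that the sign-in logs show who would be affected before anything is enforced. This is an added example, not IronSights' own tooling; it assumes the Microsoft Graph PowerShell SDK, an administrator holding the listed scopes, and a break-glass account whose UPN below is a placeholder.

```powershell
# Added example (not from the case study): baseline Conditional Access for a
# Microsoft 365 tenant. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). The break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", `
                        "Reports.Read.All", "User.Read.All", "RoleManagement.Read.Directory"

$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@example.onmicrosoft.com'").Id

# 1. Pre-check: enforcing MFA before everyone has registered a method locks
#    people out, so list unregistered users (admins first) and fix that before
#    the policies leave report-only mode.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered

# 2. Block legacy authentication. Basic-auth clients (POP/IMAP/SMTP AUTH,
#    ActiveSync, older Office builds) cannot complete an MFA challenge, so they
#    are blocked outright rather than prompted; otherwise they bypass step 3.
$blockLegacy = @{
    displayName   = "Baseline: block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 3. Require MFA on every modern sign-in for every user.
$requireMfa = @{
    displayName   = "Baseline: require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 4. Admin accounts should not double as everyday mailboxes. List directory
#    role holders so each can be checked for (and moved to) a separate,
#    mailbox-free admin identity.
Get-MgDirectoryRole -All | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $_.AdditionalProperties.userPrincipalName
        }
    }
} | Sort-Object Member | Format-Table -AutoSize
```

Leave both policies in report-only mode for a week or two, review the "Report-only" result in the Entra sign-in logs for legitimate clients that would have been blocked (printers and scanners that send mail over SMTP AUTH are the usual surprise), then flip `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. The break-glass exclusion is deliberate: a tenant whose only admin accounts are all caught by a misfired policy has no way back in.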

Sorting out aggregator portal access

We implemented a business password manager and enrolled every broker individually. Each portal received unique credentials stored against that broker's account rather than floating in a shared document. The practice manager can now onboard a new broker or remove a departing one from a single admin console. Access removal across all eight portals takes a couple of minutes and leaves a complete audit trail. Removing a broker from the vault only revokes access if they never learned the password, so any credential that predates the password manager has to be rotated at the same time.

Classifying client documents with Microsoft Purview

We deployed Microsoft Purview sensitivity labels matched to how the firm actually handles documents. Client financial and identity records are now automatically detected and labelled Highly Confidential. That label restricts printing, external forwarding and unapproved sharing without requiring staff to make a manual decision on every file. The firm now has documented evidence of its data handling practices.
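The label and auto-labelling policy described above can be built in Security & Compliance PowerShell. The following is an added example, not the configuration IronSights deployed; it assumes the ExchangeOnlineManagement module, a Compliance Administrator, a staff group address that is a placeholder, and the built-in Australian sensitive information types. Check parameter names against the current Security & Compliance PowerShell reference before running.

```powershell
# Added example (not from the case study): a Highly Confidential sensitivity
# label with usage rights that omit PRINT, FORWARD and EXTRACT, published to
# all users, plus an auto-labelling policy that applies it wherever Australian
# identity or financial data is detected. Group address is a placeholder.
Connect-IPPSSession

# The label encrypts content and grants rights only to internal staff. Because
# PRINT, FORWARD and EXTRACT are not in the rights list, those actions are
# refused by the rights service, not merely discouraged by the app.
New-Label -Name "HighlyConfidential" -DisplayName "Highly Confidential" `
    -Tooltip "Client financial and identity records. Do not print or forward externally." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "allstaff@example.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,REPLY,REPLYALL,OBJMODEL" `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -EncryptionOfflineAccessDays 7

# Publish the label so it appears in Office and Outlook for every user.
New-LabelPolicy -Name "Default label policy" -Labels "HighlyConfidential" -ExchangeLocation All

# Auto-label in Exchange, SharePoint and OneDrive. Start in simulation so the
# match report can be reviewed before files are actually relabelled.
New-AutoSensitivityLabelPolicy -Name "Auto-label client records" `
    -ApplySensitivityLabel "HighlyConfidential" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications

# Any one of these built-in sensitive information types is enough to label.
New-AutoSensitivityLabelRule -Policy "Auto-label client records" `
    -Name "Australian identity and finance data" `
    -Workload Exchange, SharePoint, OneDriveForBusiness `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number";     minCount = "1" },
        @{ Name = "Australia Passport Number";     minCount = "1" },
        @{ Name = "Australia Bank Account Number"; minCount = "1" },
        @{ Name = "Australia Driver's License Number"; minCount = "1" }
    )
```

Run the policy in simulation for a week, inspect the matched items for false positives (bank account patterns are the noisiest of the four), then switch it to `-Mode Enable` with `Set-AutoSensitivityLabelPolicy`. Auto-labelling only reaches files already in Exchange, SharePoint or OneDrive; documents that arrive through other channels are covered only once they land in one of those locations.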

The results

The engagement took eight weeks. At the end of it the firm had a Secure Score of 79, up from 34. They had individual portal credentials for every broker across every aggregator, a full audit trail, and a documented deprovisioning process that takes minutes rather than days.

When the firm's PI insurer asked about their security controls at renewal, they could point to a documented baseline rather than reassemble an answer from memory. When Privacy Act questions came up with clients or in compliance conversations, they had evidence of how client data was handled.

The next step was Fortify, using the review findings as the foundation for ongoing monitoring and maturity uplift.

Want results like these?

Start with a free security review.

We'll assess your current posture and show you a clear path forward.