CyberSmart

Regional financial services firm

The tool they almost didn't buy

A long-time client had been incrementally adding to their security stack. One of the last pieces they approved was productivity monitoring software. A few weeks later, it caught an attacker mid-exfiltration.

30 seconds

from detection to lockout

A regional financial services firm had been a CyberSmart client for years. They were prudent with their technology budget — good business sense, but it meant they often implemented a subset of what we recommended rather than the full picture. No single gap was catastrophic. Each one seemed acceptable in isolation.

A few weeks before this story begins, they agreed to add one piece of software we’d been recommending for a while: productivity monitoring that takes periodic screenshots of employee workstations. Its purpose was mundane — understanding time utilization, identifying workflow bottlenecks. It wasn’t positioned as security software. It cost a fraction of what they were spending on everything else.

The attack in progress

An external attacker — using credentials stolen from one of their employees — had installed a remote access tool on that employee’s machine and was logged in after hours. His objective was exfiltration: move thousands of sensitive client financial records off the network, use them to demand a ransom, and sell copies on the dark web. He had already opened a cloud storage account on an external provider to serve as his drop point.

While he sat at the keyboard setting up that account, the productivity monitoring software did what it does every few minutes — captured a screenshot.

The screenshot showed a browser window, a login form, and the attacker’s own email address and password being typed into a cloud storage provider the employee had no business reason to use, at a time the employee was not working. Our team reviewed the screenshot. We knew within seconds what we were looking at.

Thirty seconds

From the moment we identified the compromise to the moment we locked the attacker out of the network: thirty seconds. Account disabled. Session terminated. Credentials rotated. Access revoked.

Understanding the full scope of what had already happened — how the attacker got in, what they had touched, what forensic evidence to preserve — took hours of review across our tooling. The containment itself took thirty seconds.

What was prevented

  • The ransomware demand that would have followed once the exfiltration completed.
  • The data loss itself — thousands of sensitive client records that would otherwise have been on a dark-web marketplace by the end of the week.
  • The regulatory reporting burden that comes with any confirmed breach of client financial data. Because nothing actually left the environment, there was nothing to report.

Two years later

The client still brings this incident up in conversation. Not in a panicked way — in a grateful, slightly disbelieving way. They have never pushed back on a security recommendation since. When we suggest something, they approve it.

The tool that caught everything was the one they almost didn’t buy.

Don't find out how good your security is the hard way.

A short conversation about your environment. No pitch deck, no pressure — just an honest look at where you stand and whether we're a fit.

Or call us directly: 702-293-2864