How Wallace Plese + Dreher went from chaos to control with Nudge Security

The Challenge

Wallace Plese + Dreher, a CPA firm serving the Arizona region, operates under stringent regulatory requirements. A data breach could lead to significant financial repercussions and even trigger FTC involvement, given the firm’s focus on Arizona-based businesses and high-net-worth individuals. Ronald J. Llewellyn III, Manager of Information Technology, was acutely aware of these risks, as well as the resource constraints on his two-person team, when he stepped into his role at Wallace Plese + Dreher.

“At any CPA firm, there's not enough people power to get that type of work done, yet it can have extreme implications,” Ronald says. “If a partner who has access to everything makes a mistake, it could be catastrophic for the firm.”

Ronald quickly realized he was missing key answers about the organization’s SaaS estate and identity infrastructure, such as which third-party apps had access to their environment and whether their accounts were protected by appropriate controls. The firm’s recent transition from an on-premises Microsoft Active Directory deployment to a hybrid environment complicated these concerns.

“Because we’re hybrid, Azure’s rules can get ignored. If the on-premises AD isn’t requiring password resets, for example, someone could have had ‘password123’ for the last 2 years. They might not have MFA enabled,” Ronald explains. “That was the immediate thing that was like, 'oh my God, I have to get a handle on this.'”

The Solution

After hearing about Nudge Security at an industry event, Ronald decided to deploy a two-week trial to see if it could help him understand his organization’s SaaS attack surface. The results exceeded his expectations.

“Within just a few days, I was able to get up to speed on our SaaS security posture, audit our accounts for missing MFA, revoke risky OAuth grants, discover how many accounts for terminated users were still active, assess software platforms for compliance, identify rogue accounts for HR purposes, and 'nudge' users to get clarity on apps we were previously unaware of,” Ronald explains.

Most importantly, Ronald was able to achieve these results without a heavy lift from his lean team of two. As he explained, “I was so busy at the time. In the two weeks of the trial, I spent maybe six hours total in the product. Knowing everything that I needed to do, it would have been closer to a month of work to identify and address those same issues without Nudge.”

The Results

160+ hours of SaaS discovery, risk assessment, and response activities completed in just 6 hours with Nudge Security’s free trial
$100+ saved per month ($1,200 per year) by canceling unused licenses
42 app integrations discovered and evaluated with OAuth risk scores
Out-of-policy AI usage identified and controlled
MFA enforcement audited across all Azure identities
Immediate SaaS attack surface visibility
Continuous SaaS security posture monitoring

How Wallace Plese + Dreher uses Nudge Security

Attack surface management

Ronald’s first priority was to understand the scope of his organization’s SaaS attack surface and address potential security risks.

“Initially I was just using the attack surface module,” Ronald says. “The external-facing attack surface mapping and software supply chain breaches within Nudge blew me away. Nobody on the planet does software supply chain breaches. They do company breaches, not software supply chain. That's freaking awesome.”

He also quickly dove into Nudge Security’s OAuth risk scores to understand the third-party apps with overly permissive access to his organization’s environment. “I didn't know about the 42 enterprise applications that were linked up, some of which had basically God rights to people's accounts. That was a big deal.”

Delegation and automation

Overall, Nudge Security’s automations, notifications, and nudges have enabled Ronald’s small team to manage their SaaS identities and security posture at scale. “I'm so used to it being an army of one or two, and I need to delegate. Having nudges and alerts to help somebody understand what to do is super-duper helpful.”

“I will say I was skeptical of the nudge concept,” Ronald admits. “I didn’t think anybody was going to respond to me in any capacity, and I was pleasantly surprised that a lot of people did. Some of these people don't respond to emails, or they'll put in a ticket and never respond to it, but they responded to the damn nudge! They were sending the answers to all my questions. You designed it in such a way that it's pleasant and people want to actually engage with it. It just works.”

Now, Ronald has fully bought into the role nudges can play for his team. “I love the ‘clarification of use’ nudge, I use it all the time. Let’s say Nudge alerts me to a new app that seems to be legit, but I don’t know why the user added it. Literally hours after I send the nudge to clarify, I get a response saying, ‘Oh a client sent that app to me, I was checking it out, I don't really use it.’ Okay cool. I follow up with a nudge asking, ‘Can you delete it?’ ‘Ok yeah I’ll delete it.’ Boom, done! That's that. In seconds!”

SaaS security posture management

Nudge Security helps Ronald stay on top of his organization’s SaaS security posture, including Microsoft controls that are difficult to find and easy to miss or misconfigure.

“A huge value Nudge provides is taking the mountain of data in Azure and turning it into something that's more tangible,” says Ronald. “I don't have to worry about it anymore. So that's the first line for me of why this is a must-have.”

Even before the release of new security posture management capabilities, Nudge Security enabled Ronald to take concrete steps to harden his identity infrastructure. “Once Nudge Security released the posture dashboard, I was like, sweet! I am only 0.721% failing right now, so I'm feeling pretty good about that. The posture dashboard sells itself—just go look at it. The findings portion is fantastic.”

Ronald points to the posture dashboard as an example of Nudge Security’s continual improvement. “The other thing that's been really rad is that I've seen Nudge nearly double the value and availability of items in the product since we signed on. You update so frequently, which is fantastic.”

Employee offboarding

Within the two-week trial, Nudge Security’s employee offboarding capabilities delivered immediate value to an unexpected internal client: Human Resources. A recently departed employee had sidestepped the firm’s protocol for creating and managing client accounts for services like online banking or QuickBooks, making it difficult for the firm to ensure continuity for those clients.

“Without Nudge, it would become extremely difficult for us to know where those accounts were going,” Ronald explains. “If the accounts were to be lost, we would lose that access and it would probably become a customer relations issue. Thankfully, I was able to use Nudge to provide HR with a list and we were able to rectify the whole thing. That was the slam dunk that convinced the powers that be that this was good for us.”

As a bonus, Nudge Security surfaced multiple paid licenses associated with departed users, helping Ronald reduce SaaS spend and risk. “As CPAs, we’re pretty diligent, but we were still able to drop a hundred and some dollars a month just by culling licenses that we didn’t need. The fewer licensed accounts that can be accessed in any capacity, the safer we are.”

Identity governance

During the free trial, Ronald was delighted to find that Nudge Security helped him keep tabs on which of his employees’ accounts were missing critical identity controls like multi-factor authentication. Without Nudge Security, that process would be manual and time-consuming.

“It takes a gnarly PowerShell command to get data about which accounts are missing MFA and actually get that into something that's usable,” Ronald explains. “I had run that command and I had that messy list. It took me forever to not only get, but then deciphering it is another challenge. With Nudge, it was just all right here. I cross-referenced it and they were all the same. That probably would have taken me about 40 hours to do manually.”

Vendor risk assessments

Another time-saving benefit of Nudge Security has been reducing the time it takes to assess vendor risk and review new apps to ensure they align with the firm’s security and compliance requirements.

“This would have been amazing to have when I worked on the MSSP side,” says Ronald. “It used to take me two or three days to really assess a new app. The security profile Nudge provides for individual apps tells me 90% of the stuff I need to know right out of the gate, or at least points me in the right direction of the more specific questions I need to ask.”

During a two-week trial of Nudge Security, Wallace Plese + Dreher went from not knowing the full extent of its SaaS attack surface to managing it at scale.

“Nudge has paid for itself in the time that it has given me back. And to be frank, I wouldn't have found a lot of the things that Nudge identified—things like supply chain breaches that companies often keep quiet about.”
Ronald J. Llewellyn III
Manager of Information Technology

About the customer

Wallace Plese + Dreher, LLP provides accounting, tax, audit, assurance, and business services to companies and nonprofits throughout Arizona.
Headquartered in Chandler, AZ
Founded in 1996
60+ employees
wpdcpa.com