eSudo.com

Attorneys Asking Why?
Attorneys Asking What Happened After A Ransomware Incident?

In early 2023, Mastagni Holstedt, a well-known Sacramento law firm, suffered a devastating ransomware attack by the Black Basta group.

Although the firm had hired a managed IT provider for cybersecurity and backups, attackers still infiltrated its systems and deleted the cloud-based backups. With no way to recover, the firm paid a ransom and is now suing its provider for over $1 million in damages.

The takeaway: Having IT support isn’t enough. You need a second opinion to ensure your firm’s defenses are truly in place — and that they’ll hold up in the event of a real attack.


Most law firms, accountants, and health clinics assume “we’re covered” because they have an IT provider or some backups.

But the Mastagni case proves the risk:

  • IT providers may not be testing what matters most.

  • Insurance carriers may deny coverage if you can’t show proof of security controls.

  • Clients and regulators won’t care who was responsible — only that their data was exposed.

What business leaders really need is clarity: Are we secure, or just hoping we’re secure?

That’s where the right type of security review makes all the difference. Here’s how they differ:

| Type | What It Does | Best For | When to Use |
| --- | --- | --- | --- |
| IT Security Audit | Reviews policies, compliance, and controls. Ensures you’re “following the rules.” | Law firms, clinics, accountants subject to HIPAA, ABA, FTC, SOX. | Annually, or when renewing insurance/regulatory review. |
| Cybersecurity Risk Assessment | Identifies vulnerabilities, ranks risks, and creates a remediation roadmap. | Small firms that want to understand real risk exposure. | At least annually, and whenever scaling, adopting new tech, or facing new compliance rules. |
| Penetration Test (pen test) | Simulates a real attack to test whether hackers could get in. | Firms needing to validate defenses and meet client/insurance demands. | After major changes (cloud migration, new apps) or every 1–2 years. |

👉 Think of it like healthcare:

  • The audit is your annual physical.

  • The risk assessment is your bloodwork.

  • The pen test is your stress test.

Each serves a purpose. Together, they’re your best defense.

At eSudo, we’ve seen how devastating the wrong assumptions can be. Over the last 24 years, we’ve helped law firms, accounting firms, and clinics prevent the very failures that happened to Mastagni.

  • According to the ABA, 29% of law firms experienced a breach in 2024.

  • Healthcare breaches cost an average of $10.93M per incident (IBM, 2024).

  • Firms with documented audits, risk assessments, and penetration testing are far more likely to stay operational — and covered by insurance — after an incident.

That’s why most of our clients have stayed with us for 10+ years: they know we don’t just check boxes, we validate their defenses.

“The real question isn’t whether you have an IT provider. The question is: If attackers tested your defenses tomorrow, would your firm survive — or end up paying the ransom?”

FAQ for IT Security Audit, Cybersecurity Risk Assessment, and Pen-Test

Yes. Hackers go after small firms because they’re easier targets. A single breach could cost you your reputation — and malpractice insurance won’t cover negligence.

 

Less than the deductible on most cyber insurance policies. And far less than the cost of downtime, fines, or lost clients.

Learn more about the cost of an IT Security Audit.

Not always. It depends on your size, industry, and compliance requirements. We’ll recommend the right level of protection for you.

 

No. Most of the work is invisible to your staff. We schedule anything disruptive after hours.

Schedule your Cybersecurity Risk Assessment today and get a clear picture of your risks before hackers, regulators, or insurers expose them.

 


 

“After performing an assessment, eSudo provided me with multiple options to resolve my issue – all within budget.

eSudo Technology is a one-stop shop for all your IT needs including projects, technical issues and even back-filling when you are short.”

Rudy M, Director of Information Technology, BioForm Medical


4.9 Google Customer Reviews for eSudo
4.9/5.0 Stars Rating from 38 Reviews