Case Studies
We don't bang on about our client list, but we are proud of our work. Names and identifying details have been changed to protect client confidentiality.
Securing a Charity With No IT Department
A Lincolnshire-based charity with 30 staff and no dedicated IT resource came to us after a phishing attack compromised a senior staff member's email account. The attacker had been inside the mailbox for three weeks before anyone noticed, reading donor correspondence and financial reports.
We contained the breach, reset credentials and assessed what had been accessed. The technical fixes were straightforward: proper cloud security controls, geographic lockdown of access, device encryption and trusted device registration. But the real problem was people, not systems.
We delivered an initial half-day in-person workshop, topped up with 30-minute masterclasses every six months as the threats changed. Nine months later, a staff member flagged a sophisticated spear-phishing attempt that would almost certainly have succeeded before the training.
We also turned a 200-page "Operations Manual" into a realistic set of policies the team could actually follow, coupled with a security principles document that fits on a single side of A4.
Outcomes
- Breach contained within 24 hours of engagement
- Full managed security deployed within two weeks
- Cyber Essentials certification achieved within three months
- Zero security incidents in the 36 months since
- Monthly cost less than one day a week of a junior IT person's time
- No horrifying £15K "Incident Response" invoice
Compliance and Culture Change at a Tech-Led Fleet Insurance Company
A growing business with 15 staff was winning larger corporate contracts but kept hitting the same wall: prospective clients were asking for detailed evidence of data protection compliance, and the company had nobody on board who could answer the incoming queries with confidence. They had a privacy policy on the website, but only boilerplate internal policies, no staff training records and no formal understanding of their GDPR obligations.
We conducted a full compliance audit, identified the gaps, and built a tailored policy pack covering data protection, acceptable use, data retention, and remote working. Each policy came with a single-page guidance note so staff could understand their responsibilities without reading a 30-page document.
We then ran a series of training sessions, starting with a company-wide overview of data protection, followed by targeted sessions for the customer service team (who handled the most sensitive data) and the marketing department (who needed to understand consent and legitimate interest for their campaigns).
Six months in, staff were spotting data protection questions in planning meetings and reaching for the policy first. The culture had shifted from "we should probably hire a lawyer" to "let me check the policy first."
Complex data protection questionnaires that can't be handled in house now come to us first. The company has since grown to a £17M+ turnover with 45 staff, each of whom is onboarded with training in their first week.
Outcomes
- Full policy pack delivered and staff briefed within six weeks, saving the initial contract
- Two further contracts won in the next six months where compliance evidence was the differentiator
- Cookie consent mechanism rebuilt and verified compliant
- Ongoing quarterly policy reviews keeping pace with regulatory changes
- Staff now raise compliance questions proactively, not reactively
Building Resilience for a SaaS Company
A software-as-a-service company with 60 staff and customers across the UK had grown quickly but without a formal approach to business continuity. Their entire operation depended on a single cloud provider, a single office, and a handful of people who understood how everything fit together. They knew they were vulnerable but did not know where to start.
We began with a business impact analysis, mapping every critical system, identifying single points of failure, and working out what would actually happen to the business if each one failed. The results were sobering: the loss of two specific employees would have left the company unable to deploy or maintain their own product.
We built a continuity plan around the real risks. Key person documentation so critical knowledge was no longer locked inside individual heads. A secondary cloud environment for failover. Communication plans so everyone would know what was happening.
We then layered in managed security (intrusion detection, credential rotation and endpoint protection), because resilience means nothing if an attacker can walk through the front door while you are busy planning for someone being off on long-term sick leave.
Outcomes
- Business impact analysis completed and continuity plan delivered within eight weeks
- Key person risk reduced from critical to manageable
- Secondary cloud environment tested and verified operational
- Managed security deployed across all staff devices and infrastructure
- Plan tested with a tabletop exercise involving senior leadership
- Continuity plan now used as supporting evidence in enterprise procurement processes
Disaster Recovery for an Accountancy Practice
A chartered accountancy practice with 15 staff was hit by ransomware that encrypted their Windows servers. Their IT supplier's cloud backup had been silently overwriting the good copies with the encrypted files, because nobody had ever checked the configuration. The supplier had no option but to deploy new servers. All the data was lost.
The client had taken our "critical third copy" disaster recovery service a few months earlier. Midnight and midday backups of their servers, Microsoft 365 environment (SharePoint, OneDrive and Exchange) and their TaxCalc data were collected, scanned for malware, encrypted and stored in our offline vaults: two copies in two separate locations, neither of which has any connection to the practice's network.
We had the practice running again the next morning. Clean data was restored to an isolated server we brought to their office. Staff worked from the clean environment while we rebuilt and hardened their network. The total data loss was four hours of work from the afternoon of the attack. The practice was fully operational within 36 hours.
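The failure described above, a backup job faithfully replicating encrypted files over the only good copies, is easy to catch before the overwrite if the pipeline compares each new snapshot with the last one it accepted. The following is an added illustration, not the firm's own tooling: a Python pre-ingest check that refuses a snapshot when a large share of files have either turned into high-entropy blobs in place or vanished and reappeared with an extra extension. The directory layout, client file names, sample documents and thresholds are all constructed for the example.

```python
"""Pre-ingest ransomware tripwire for a backup snapshot (illustrative example)."""
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Office documents and text sit well below 7; ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map each file under root (relative path) to (size, entropy of its first 64 KiB)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(65536)
            snap[os.path.relpath(path, root)] = (os.path.getsize(path), shannon_entropy(head))
    return snap


def assess(previous: dict, current: dict, entropy_threshold: float = 7.5,
           max_changed_fraction: float = 0.2):
    """Decide whether 'current' may replace 'previous'. Returns (accept, findings).

    Assumed thresholds: a file is 'encrypted' if its entropy crossed 7.5 bits/byte since the
    last snapshot, and the snapshot is rejected if more than 20% of previously known files
    were encrypted in place or went missing (mass deletion or rename).
    """
    prev_paths, cur_paths = set(previous), set(current)
    missing = prev_paths - cur_paths
    added = cur_paths - prev_paths
    # Existing files whose content has turned into a high-entropy blob since last time.
    encrypted = sorted(p for p in prev_paths & cur_paths
                       if previous[p][1] < entropy_threshold and current[p][1] >= entropy_threshold)
    # Files that disappeared and reappeared with an extra extension, e.g. accounts.txt.locked
    renamed = sorted(p for p in added if any(p.startswith(m + ".") for m in missing))
    suspicious = len(encrypted) + len(missing)
    fraction = suspicious / len(prev_paths) if prev_paths else 0.0
    findings = {"encrypted": encrypted, "renamed": renamed, "missing": sorted(missing),
                "suspicious_fraction": round(fraction, 3)}
    return fraction <= max_changed_fraction, findings


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo() -> dict:
    """Constructed data: a clean file share, a healthy next-day update and a ransomed copy."""
    rng = random.Random(1)
    names = [f"clients/{i:03d}/accounts-2023.txt" for i in range(10)]
    doc = b"Trading and profit and loss account for the year ended 31 March 2023.\n" * 60
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean, healthy, ransomed = (os.path.join(tmp, d) for d in ("clean", "healthy", "ransomed"))
        for n in names:
            _write(clean, n, doc)
            _write(healthy, n, doc)
        # Healthy day: one file genuinely edited, one new client added. Should be accepted.
        _write(healthy, names[0], doc + b"Adjusted for director's loan account.\n")
        _write(healthy, "clients/010/accounts-2023.txt", doc)
        # Ransomed day: half the files encrypted in place, half encrypted and renamed. Should be refused.
        for i, n in enumerate(names):
            blob = bytes(rng.getrandbits(8) for _ in range(4096))
            _write(ransomed, n if i % 2 == 0 else n + ".locked", blob)
        base = snapshot(clean)
        results["healthy"] = assess(base, snapshot(healthy))
        results["ransomed"] = assess(base, snapshot(ransomed))
    return results


if __name__ == "__main__":
    for label, (accept, findings) in run_demo().items():
        print(label, "ACCEPT" if accept else "REFUSE", findings["suspicious_fraction"])
```

The check is a tripwire, not a substitute for versioned or immutable storage: it only stops the overwrite and raises the alarm, which is exactly the moment a human should look before the last good copy disappears.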
Outcomes
- Ransomware attack contained and practice operational within 36 hours
- Total data loss limited to four hours of work
- On-site recovery team deployed the same day
- Network rebuilt with managed security to prevent recurrence
- Practice now holds Cyber Essentials certification
- The new IT supplier we helped them interview is proactive on security
Find out how we can help your organisation
Get in touch with us today.
Call us on 01629 369 250
Email us at sayhello@custodiauk.com