The challenge
Casemates Legal had grown from three to fifteen partners over four years. Their IT had grown by accretion — a freelance technician, a cloud backup someone had set up in 2019, a mix of personal and corporate Microsoft accounts, and a managing partner who had reluctantly become the de-facto helpdesk.
The breaking point was a regulatory visit that asked for documented access controls, evidence of patch management, and a recovery plan. None of it existed.
What we did
We started with a four-week onboarding programme:
- Migrated all users onto a single managed M365 tenant with conditional access
- Deployed Sophos EDR and Duo MFA on every device and account
- Built an immutable Veeam backup with quarterly restore tests
- Documented the architecture, patching cadence, and access reviews
- Trained the team and ran the first phishing simulation
The outcome
Eighteen months in, Casemates passed their next regulatory review with no findings. The managing partner has stopped being the helpdesk. IT spend is fixed and predictable. And when a partner's laptop was lost in transit last spring, the device was wiped remotely and a replacement was on their desk by lunchtime.
"They quietly took on our entire IT operation, fixed the things we knew were broken, and the things we didn't. We finally get to focus on the law."
SBSarah BennettOperations Director · Casemates Legal
