Skip to main content
CCSBook a call

Independent Technology Consulting · Louisville, Kentucky

Every account challenges an attacker. Every device can be wiped. Last Friday's files can be restored. And you can prove it.

I'm Cole Flanders, an independent technology consultant in Louisville, Kentucky. I set up, secure, and manage Microsoft 365 for small firms and owner-operated businesses — so “are we actually secure?” has a written answer instead of a hopeful shrug.

No pitch, no pressure. If you don't need me, I'll tell you — and tell you what to do instead.

Cole Flanders, independent technology consultant in Louisville, Kentucky

Cole Flanders

Founder, Cole Christopher Solutions

Independent on purpose

I don't resell licenses and I don't earn a commission on anything I recommend. My only incentive is that the advice turns out to be right.

Security you can demonstrate

Not a feeling of safety — evidence of it. Every engagement ends with plain-English documentation of what's configured, why, and how to show it.

A real person in Louisville

One consultant, fully accountable — no ticket queue, no account manager, no “let me escalate that,” no junior tech learning on your tenant. Based in Kentucky, working with clients anywhere; on-site when it makes sense.

An Honest Question

If your insurance carrier — or your biggest client — asked you tomorrow to demonstrate reasonable security, could you?

Most owners can't answer with confidence. Here are three places I'd check first.

Someone who left can probably still sign in. Most compromises start with a working password, not a broken window. Former employees, old vendors, a contractor from two years ago — if offboarding was ever informal, some of those accounts still work. Access rarely gets removed on its own; someone has to go looking.

If everything was encrypted on a Friday, what's back by Monday? Microsoft 365 retains your data — it does not back it up the way most owners assume. If files are deleted or encrypted, recovery through Microsoft alone may already be out of reach by the time anyone notices. Real backup is a separate, deliberate decision — and it should be tested, not trusted.

Your insurance application says yes. Does your tenant? Cyber policies now ask pointed questions: MFA on every account, managed devices, a written incident plan. Somebody at your firm checked “yes.” If the configuration doesn't match the application, you may find out at the worst possible moment — during a claim.

None of this means anyone failed. It means the ground shifted faster than a busy firm could reasonably keep up with — and it's exactly what the assessment was built to check.

What I Do

Five doors into the same underlying work.

Clients come to me for one of these five reasons — a migration, a security scare, an insurance form, a device question, an AI policy. Whichever door you walk through, the work behind it is the same: a Microsoft 365 environment that's configured deliberately, governed clearly, and provable on demand.

Identity & access

MFA on every account — including the shared mailboxes and service accounts everyone forgets. Conditional Access that reflects how your firm works. And clean offboarding, because the former employee or vendor who can still sign in is the risk nobody's watching.

Every device, accounted for

If a device touches company email — laptop, desktop, or someone's personal phone — it should be enrolled, encrypted, kept updated, and wipeable the day it's lost or its owner leaves. Intune makes that real without making anyone's life miserable.

Security & backup that holds up

Tenant hardening, cleanup of years of accumulated external sharing, data loss prevention, audit logging, and true third-party backup — because Microsoft's built-in retention won't save you from ransomware or a bad delete. All of it aligned to what your cyber-insurance policy requires, before you need to file a claim.

Microsoft 365, set up right

New tenant builds, migrations from wherever you are now, and rescues of tenants that were stood up hastily and never revisited. Before you spend anything new, I'll give you a clear read on what you already have — including licenses you're paying for and not using.

AI, governed — not feared

AI comes up in every conversation now, so let's put it in its place: it's one door of five. I handle Copilot readiness, a written AI Authorized Use Policy your staff actually signs, the consumer-AI vs. enterprise-AI distinction most teams have never been taught, and the training that makes safe use a habit instead of a rule. The most urgent risk usually isn't the AI you're thinking of buying — it's the free one your staff is already using.

For Law Firms

If a court, a client, or an auditor asked you today to demonstrate reasonable security of client data — could you?

If you found your way here from a talk about AI in law practice — welcome. Here's the honest framing: AI is the newest question, but it's one of five. It's usually the door a firm walks through; the other four are why they stay. The firms that handle AI well are the ones that already know where client data lives, who can reach it, and how they'd prove both. That's the actual work, and it's what I do.

Small firms carry the same confidentiality duties as the largest — with none of the IT department. Attackers know that. So do insurers, and increasingly, so do clients. Five themes cover nearly everything a small firm needs to get right:

Identity

Attackers don't break in; they sign in. Stolen or guessed passwords are the entry point in most professional-services compromises. Does every account — partners, associates, staff, contract attorneys, shared mailboxes — require more than a password? Could a former employee or vendor still sign in tomorrow if they wanted to?

Sensitivity

Every firm classifies data informally — everyone knows the Henderson file is sensitive. The question is whether that classification is consistent and applied. Sensitivity labels make the protection travel with the file, so a privileged document stays protected even after it leaves the building.

Sharing

Matters close; access does not. Years of shared links, guest accounts, and co-counsel access accumulate — and almost none of it gets reviewed after the work ends. Do your “anyone with the link” shares expire? Would you know if a privileged file were shared outside the firm — and how quickly?

AI

The highest immediate risk is not Copilot; it's the paralegal pasting a privileged email into ChatGPT. Consumer AI tools may train on what's submitted; enterprise AI under contractual protections does not — and most staff have never been told the difference. A written, signed AI Authorized Use Policy plus one training session closes most of that gap. Copilot deserves care for a subtler reason: it exercises your existing permissions at a speed humans never did.

Records, retention & recovery

Most firms discover their retention policy the week they receive a subpoena. And Microsoft's retention windows are not the same thing as a backup. Are firm files backed up by a third-party service — and has a recovery ever actually been tested?

Why this is a professional obligation, not just good hygiene

KBA Ethics Opinion E-457 and the Kentucky Rules of Professional Conduct put technology squarely inside your duties: competence (SCR 3.130-1.1), confidentiality (1.6), communication (1.4), candor to the tribunal (3.3 — the duty at the center of Mata v. Avianca, where lawyers filed AI-invented citations), and supervision of staff and vendors (5.1, 5.3). Each duty maps to a configuration your firm should be able to demonstrate, on demand, in plain English. That's the standard I build to.

The work is not buying more licenses. It's configuration, governance, and the training that holds them together.

Book a call about your firm

Start Here

The Security & Configuration Assessment

A flat-fee, fixed-scope review of the Microsoft 365 environment you already have. Nothing new to buy, no commitment beyond the assessment itself. You get a document. What you do with it is entirely up to you.

The report is yours to keep. Bring it back to me, hand it to your current IT provider, or work through it yourself — it's written so all three work.

What you walk away with

  • A plain-English findings report. What's solid, what's exposed, and the order to fix it in — written for the owner, not the IT department.

  • An identity review, account by account. MFA coverage everywhere, including shared mailboxes and service accounts, plus who holds admin access — and any account that should have been shut off long ago.

  • A device reality check. Every phone and laptop that touches company email: is it encrypted, kept updated, and wipeable the day it goes missing?

  • A sharing exposure map. The external links, guest accounts, and “anyone with the link” shares that accumulated over the years — and which of them should have expired long ago.

  • A backup and recovery verdict. What you could actually restore today, versus what you've been assuming Microsoft keeps for you.

  • A license fit check. What you're paying for, what you're using, and where the two don't match.

  • A cyber-insurance compliance map. Your policy's real requirements — MFA on every account, endpoint protection, incident response — lined up against your real configuration, so renewal forms stop being guesswork.

How It Works

Start small. Fix what matters. Keep it that way.

Each step stands on its own. You can stop after any of them and keep everything you've gained.

  1. Step 1

    A free 30-minute discovery call

    We talk about your business, your current setup, and what prompted the call. If we're not a fit, I'll tell you and point you somewhere better.

  2. Step 2

    The assessment

    The flat-fee security & configuration review described above: clear findings, ranked by risk, that you can act on with me or without me. For nearly everyone, this is the natural first step — small commitment, concrete deliverable.

  3. Step 3

    Fix what matters

    Flat-fee projects, scoped in writing before we start: identity, devices, sharing, backup, migration — in the order the assessment says they matter, not the order a vendor wants to sell them.

  4. Step 4

    Ongoing partnership

    A monthly retainer where I stay on as your technology partner: watching the environment, handling changes, doing onboarding and offboarding right, and answering the phone before you sign anything. Optional — some clients need a project and a handshake, and that's fine.

Who You're Calling

A person, not a provider.

I'm Cole Flanders, founder of Cole Christopher Solutions. I've spent about five years deep in Microsoft 365 and cloud productivity work — the identity, security, device, and governance layers most businesses are standing on without ever having looked down. I kept watching the same story: small organizations paying for serious tools, set up in an afternoon, never governed, and quietly exposed for years.

I started this practice on a simple conviction: small firms deserve the same deliberate, well-governed technology that big companies pay entire departments for — delivered by one accountable person who knows their environment personally, instead of a rotating cast reading from a ticket history.

I'm independent by choice. I don't resell licenses, and nothing I recommend pays me a commission — I make nothing when you buy more, and I'll happily tell you to buy less. That's not a gap in the résumé; it's the point. It also means I'll tell you when you don't need me: a real share of my discovery calls end with “you don't need to hire me — here's what to do instead.” Independence is meaningless if it doesn't sometimes mean talking you out of a project.

I live and work in Louisville, Kentucky. Kentucky firms get someone who can be in the room when it matters — a migration weekend, a training session, a room full of skeptical partners. Clients elsewhere get the same person, the same accountability, over a screen. Either way: when you call, it's me.

— Cole

Questions

Things people ask on the first call.

It's the most natural assumption — and a costly one. Attacks on small organizations aren't personal — they're automated, and they land wherever defenses are thinnest. Attackers count on small firms having no MFA, no device management, and no tested backup. Being small doesn't make you invisible; it makes you exactly the profile the automation is looking for.

Still have questions?

Book a free call

Get Started

Thirty minutes. Clarity, not a quote.

Pick a time below. We'll talk through your setup, your worries, and whether I'm the right person to help — and you'll leave with something useful either way.

What you'll get from the call

  • An honest read on where your setup stands today.
  • At least one specific, actionable recommendation you can use — whether or not we work together.
  • A straight answer on whether I'm the right person for what you actually need — and a pointer to someone better if I'm not.

Prefer email? cole@colecsolutions.com — I read and answer everything myself.