Example Report
This is what you get.
A realistic sample Baseline Cyber Review, based on a fictional 12-person UK business. Same format, same depth, same tone as a real report.
What this shows
Exactly what a real report looks like
The most common question before buying is: "What do I actually get?" The sample below answers that directly. It is a complete Baseline Cyber Review, written for a fictional accountancy practice called Northfield Accountancy Ltd.
Your report will cover your actual tools, setup, and findings. The format, the depth, and the tone will be the same.
- How findings are written. Each issue in plain English: what was found, why it matters, what to do.
- The overall structure. Executive summary, findings by area, prioritised action plan.
- The tone. Calm and practical. No alarmism, no jargon without explanation.
- The level of detail. Specific to the client's tools and situation, not generic advice.
- The action plan. Prioritised, sequenced, and effort-rated.
Baseline Cyber Review
This report has been prepared exclusively for Northfield Accountancy Ltd. Please do not share or distribute outside authorised personnel without permission.
How to Read This Report
This report is written for a business owner, not a security specialist. You do not need technical knowledge to understand the findings or act on the recommendations.
Start with the executive summary. It gives you the overall picture and the three most important things to address first.
The findings sections go deeper. Each finding follows the same format: what we found, why it matters, what we suggest you do, and how much effort it is likely to take. You do not need to read every finding in depth immediately — use the action plan to sequence your work.
The action plan is the output. Everything in this report flows toward a practical list of actions, ordered by priority.
A few things this report is not: a compliance audit, the output of active penetration testing, or legal advice. Everything here is advisory, based on a point-in-time assessment.
Executive Summary
Northfield Accountancy Ltd has a number of sensible security practices in place. You are using Microsoft 365 across the team, you have backup arrangements, and there is some awareness among staff that security matters. That is a reasonable foundation.
However, this review identified several meaningful gaps that, taken together, leave the business more exposed than it needs to be. None of the issues found are unusual for a business of your size and sector — and none of them require significant investment to address. The concern is that they have not yet been addressed in a structured way.
The three most important issues are:
- Multi-factor authentication is not consistently enabled across Microsoft 365. This is the single most impactful change you can make. Without it, a stolen or guessed password is all an attacker needs to access your email, files, and client data.
- Your backups have not been tested. Backups that have not been restored are not confirmed backups — they are assumptions. In the event of ransomware or significant data loss, untested backups are an unreliable safety net.
- Staff have no clear guidance on what to do if something goes wrong. If a member of staff clicks a suspicious link or notices something unusual, there is currently no agreed first step.
Addressing these three issues — in roughly that order — will meaningfully reduce your exposure without requiring specialist resource or significant budget.
Overall Posture Rating
Northfield Accountancy Ltd has some security practices in place, but several meaningful gaps are present across access controls, backup assurance, and staff-facing processes. These gaps are addressable, and the business is in a good position to make structured progress.
Business Context
Northfield Accountancy Ltd is a UK-based accountancy practice with 12 staff operating from a single office, with some staff working from home on a hybrid basis. The business uses Microsoft 365 for email, documents, and collaboration. There is no dedicated IT or security resource.
Accountancy practices handle significant volumes of sensitive client data — personal financial records, tax information, company accounts, and payroll data. Clients place considerable trust in the business to handle that information responsibly. A security incident that resulted in the loss or exposure of client financial data would carry meaningful reputational and regulatory consequences, in addition to direct operational disruption.
The regulatory context is also relevant. As a business handling personal data under UK GDPR, Northfield has obligations around data protection and must be able to demonstrate reasonable security measures are in place.
Review Scope
This review covered the following areas:
- Access Management and Authentication
- Device and Endpoint Security
- Network and Connectivity
- Email and Communication Security
- Data Management and Backup
- Software and System Patching
- Staff Awareness and Processes
- Third-Party and Supplier Access
- Physical and Environmental Security
The review was conducted based on information provided through the onboarding intake form, with limited review of publicly available information. No intrusive technical testing, penetration testing, or active scanning was carried out.
Key Findings Overview
| # | Finding | Area | Priority |
|---|---|---|---|
| 1 | Multi-factor authentication not enforced for all Microsoft 365 accounts | Access Management | High |
| 2 | Admin access informal and not clearly defined | Access Management | High |
| 3 | Backups in place but not tested for recovery | Data and Backup | High |
| 4 | No documented incident reporting process for staff | Staff Awareness | Medium |
| 5 | Policies exist but are inconsistent and not current | Processes | Medium |
Findings
Finding 1: Multi-factor authentication not enforced for all Microsoft 365 accounts (Access Management, Priority: High)
- Issue / Observation: Multi-factor authentication (MFA) is enabled for some Microsoft 365 accounts but has not been rolled out consistently across the organisation. Several standard user accounts and at least one administrator account do not have MFA active.
- Why It Matters: Microsoft 365 accounts are the single most targeted entry point for attacks on small businesses. Business email compromise — where an attacker gains access to email to intercept payment instructions or impersonate staff — is the most common and costly attack type in this sector. MFA stops the vast majority of these attacks even if a password is stolen or guessed. Without it, one compromised credential is enough.
- Business Impact: Unauthorised access to email, documents, and client files. Risk of financial fraud via payment instruction interception. Potential regulatory exposure under UK GDPR. Reputational damage to client trust.
- Risk Reduced: Unauthorised account access / business email compromise
- Suggested Action: Enable MFA for all Microsoft 365 accounts, starting with administrator accounts and any accounts with access to client data. Use Microsoft Authenticator (the recommended method). Microsoft's Security Defaults setting is a useful starting point if Conditional Access is not yet configured.
- Guidance Alignment: Cyber Essentials — User Access Control. NCSC guidance on multi-factor authentication. ICO guidance on appropriate technical security measures.
- Assumptions / Limitations: Based on information provided during intake. If MFA is managed through a separate identity provider not disclosed, this finding may be partially addressed.
Finding 2: Admin access informal and not clearly defined (Access Management, Priority: High)
- Issue / Observation: Global administrator access to the Microsoft 365 tenant is currently used for day-to-day work by at least one person. There is no documented list of who holds admin access or what level of access each person has.
- Why It Matters: Administrator accounts have the highest level of access to your systems. If an admin account is compromised through phishing, credential stuffing, or malware, the attacker has control over all email, all user accounts, all files, and potentially connected systems. Using an admin account for routine tasks increases the exposure of that account significantly.
- Business Impact: If an admin account is compromised, an attacker could create new accounts, access all email and files, delete data, or lock the legitimate business out of its own systems. Recovery from a full admin account compromise is time-consuming and often requires Microsoft support.
- Risk Reduced: Privilege escalation / full-tenant compromise
- Suggested Action: Create a dedicated admin account used only for administration tasks — not for day-to-day email or file work. Standard daily work should use a standard user account. Produce a simple internal list of who holds admin access and what level they need. Remove admin access from anyone who does not require it. Review the list every 6 months or when staff leave or change role.
- Guidance Alignment: Cyber Essentials — User Access Control. NCSC guidance on privileged access management.
- Assumptions / Limitations: Based on information provided during intake. If admin access is managed through a third-party IT support provider, confirm what access they hold and whether it is documented on their side.
Finding 3: Backups in place but not tested for recovery (Data and Backup, Priority: High)
- Issue / Observation: Backup processes are in place for the business's key data. However, a restore test has not been performed — there is no recent evidence that data backed up can be successfully recovered in a usable form.
- Why It Matters: A backup that has not been tested is an assumption, not a confirmed safety net. Backup processes can fail silently: files may be excluded, backup jobs may have stopped running, or the recovery process itself may encounter errors that are only discovered during an actual incident.
- Business Impact: In a data loss event — ransomware, accidental deletion, hardware failure — an untested backup may not recover the data needed, or may recover an older version than expected. For an accountancy practice with time-sensitive client obligations, extended data unavailability carries both operational and reputational cost.
- Risk Reduced: Data loss / business continuity failure
- Suggested Action: Carry out a test restore as soon as practical. Choose a representative sample — a folder of client documents, a period of email — and attempt to restore it in full. Confirm the restored data is complete and usable. Document what was tested, the date, and who confirmed the result. Repeat this test at least every 6 months.
- Guidance Alignment: NCSC guidance on backups. Cyber Essentials — Data Recovery. ICO guidance on data protection by design.
- Assumptions / Limitations: The backup platform and scope were not fully specified during intake. If backup is managed through a third-party IT provider, ask them to demonstrate a test restore and provide written confirmation of the result.
Finding 4: No documented incident reporting process for staff (Staff Awareness, Priority: Medium)
- Issue / Observation: There is no documented process telling staff what to do if they suspect a security incident — for example, receiving a phishing email, clicking a suspicious link, or noticing unusual account activity. Staff awareness is informal and relies on individuals knowing who to tell.
- Why It Matters: The speed of response to a security incident matters enormously. Many incidents are significantly worsened by delayed reporting — often because the person who noticed the issue was unsure whether it was serious enough to escalate. A simple, visible process removes that uncertainty and creates an audit trail if a UK GDPR breach notification becomes necessary.
- Business Impact: Delayed or absent incident reporting leads to longer exposure, more extensive damage, and greater difficulty demonstrating a proportionate response. Under UK GDPR, certain personal data breaches must be reported to the ICO within 72 hours of becoming aware.
- Risk Reduced: Incident escalation delays / regulatory breach reporting failure
- Suggested Action: Write a one-page incident response guide for staff. Cover: what counts as a security incident (with examples), who to contact immediately, what not to do (don't forward suspicious emails, don't click further), and an assurance that reporting is always the right thing to do. Share it with all staff and keep it somewhere easy to find.
- Guidance Alignment: NCSC 10 Steps to Cyber Security — Incident Management. ICO guidance on personal data breach reporting.
- Assumptions / Limitations: This finding is based on the absence of a documented process. If a process exists informally and is well understood by all staff, the priority reduces to creating a formal written version.
Finding 5: Policies exist but are inconsistent and not current (Processes, Priority: Medium)
- Issue / Observation: The business has some written security and acceptable use policies in place, but they are inconsistent in scope, not regularly reviewed, and not consistently used. In some cases the documents pre-date current working practices, notably hybrid working and the shift to cloud-based tools.
- Why It Matters: Policies serve two purposes: they set expectations for staff, and they demonstrate that the business has a considered approach to security. Outdated policies that do not reflect current working practices are not just ineffective — they can undermine credibility if questioned by a client, insurer, or regulator.
- Business Impact: Without current, coherent policies: staff are unclear on what is and is not acceptable; the business is harder to defend in the event of an incident; cyber insurance claims may be complicated if required controls cannot be evidenced.
- Risk Reduced: Policy gaps / regulatory exposure / staff behaviour drift
- Suggested Action: Identify the two or three most important policies for the business: an acceptable use policy covering devices and email, a data handling and retention policy, and a remote working or BYOD policy. Update or rewrite them to reflect how the business actually works today. Keep them short — one page each is better than a 20-page document no one reads. Set a calendar reminder to review annually.
- Guidance Alignment: NCSC 10 Steps — Policies and Procedures. ICO accountability framework.
- Assumptions / Limitations: The content and date of existing policies were not reviewed in full. This finding is based on the description provided during intake.
Prioritised Action Plan
All recommended actions in priority order. Address the High-priority items first.
Effort guide: Low = a few hours, no specialist required. Medium = some planning or coordination across systems. High = likely to require external support.
| # | Priority | Action | Area | Effort | Timeframe |
|---|---|---|---|---|---|
| 1 | High | Enable MFA on all Microsoft 365 accounts. Start with admin and client-data accounts. | Access Management | Low | 1–2 weeks |
| 2 | High | Create a dedicated admin account used only for admin tasks. Remove admin access from standard accounts. | Access Management | Low | 1–2 weeks |
| 3 | High | Perform a backup test restore. Document the result. Schedule repeat tests every 6 months. | Data and Backup | Low | 1 week |
| 4 | Medium | Write a one-page incident reporting guide for staff. Share with the team. | Staff Awareness | Low | 1–2 weeks |
| 5 | Medium | Review and update key policies to reflect current working practices. One page each. | Processes | Medium | 4–6 weeks |
| 6 | Low | Document who holds what level of Microsoft 365 access. Review every 6 months and when staff leave. | Access Management | Low | 1 week |
| 7 | Low | Confirm patching responsibility with IT provider or assign internally. Set a monthly check. | Devices | Low | 1–2 weeks |
| 8 | Low | Review third-party application permissions connected to Microsoft 365. Remove any not actively used. | Third-Party Access | Low | Within 3 months |
30 / 60 / 90 Day Next Steps
Suggested sequencing. The goal is structured progress, not a sprint.
Days 1–30: Access controls and backup
- Enable MFA across all Microsoft 365 accounts
- Create a dedicated admin account; remove admin from standard accounts
- Perform a backup test restore; document the outcome
- Write and share the staff incident reporting guide
Days 31–60: Process and policy
- Update the acceptable use policy
- Update or create a data handling policy
- Add remote working / BYOD guidance
- Document who has what access to Microsoft 365
Days 61–90: Review and lower-priority items
- Confirm patching responsibility and schedule
- Review third-party app permissions
- Review the incident guide for accuracy
- Consider whether ongoing oversight would be useful
A Note on Ongoing Oversight
The Baseline Review gives you a clear picture of where you stand today and a structured plan for moving forward. For many businesses, the action plan is the right next step, and a one-off review is all they need for now.
If you find it useful to have continued structure — someone checking in on progress, keeping an eye on new developments, and helping you stay on top of things as the business changes — that is what Monthly Oversight is designed for. It is not a requirement. It is available when and if it would add value.
Essential Oversight (£199 + VAT per month) includes a monthly check-in, a written update, and up to three written questions answered. Guided Oversight (£349 + VAT per month) includes more advisory depth, policy review support, and a quarterly posture summary. Both can be cancelled with 30 days' notice.
Scope and Disclaimer
What was assessed
- Microsoft 365 account security and access configuration
- Device and endpoint practices across the 12-person team
- Backup arrangements and recovery confidence
- Email and communication security practices
- Staff awareness and incident response processes
- Existing policies and their current applicability
- Third-party tools and connected application access
What was not assessed
- Active penetration testing or exploit-based technical testing
- Automated active vulnerability scanning
- Legal, contractual, or HR advice
- Incident response or forensic investigation
- Regulated sector compliance assessment
This report is advisory in nature. It is not legal advice, a compliance certification, or a regulated audit opinion. References to NCSC guidance, Cyber Essentials, or ICO frameworks indicate alignment with recognised good practice only. Responsibility for implementation decisions remains with Northfield Accountancy Ltd.
Ready to get a report for your business?
Fill in the Start Here form. About 2 minutes. We'll confirm the fit and send next steps by email.
No commitment or payment at the Start Here stage.