Example only. This is a fictional sample report for Northfield Accountancy Ltd (invented business).
It illustrates the format and approach of the Baseline Cyber Review service.
Example Report
Baseline Cyber Review
This report has been prepared exclusively for Northfield Accountancy Ltd.
Please do not share or distribute outside authorised personnel without permission.
How to Read This Report
This report is written for a business owner, not a security specialist. You do not need
technical knowledge to understand the findings or act on the recommendations.
Start with the executive summary. It gives you the overall picture and
the three most important things to address first.
The findings sections go deeper. Each finding follows the same format:
what we found, why it matters, what we suggest you do, and how much effort it takes.
You do not need to read every finding in depth immediately — use the action plan to sequence your work.
The action plan is the output. Everything in this report flows toward
a practical list of actions, ordered by priority.
A few things this report is not: a compliance audit, the output of active penetration testing,
or legal advice. Everything here is advisory, based on a point-in-time assessment.
Executive Summary
Northfield Accountancy Ltd has a number of sensible security practices in place. You are
using Microsoft 365 across the team, you have backup arrangements, and there is some awareness
among staff that security matters. That is a reasonable foundation.
However, this review identified several meaningful gaps that, taken together, leave the business
more exposed than it needs to be. None of the issues found are unusual for a business of your
size and sector — and none of them require significant investment to address.
The three most important issues are:
- Multi-factor authentication is not consistently enabled across Microsoft 365. This is the single most impactful change you can make. Without it, a stolen or guessed password is all an attacker needs to access your email, files, and client data.
- Your backups have not been tested. Backups that have not been restored are not confirmed backups — they are assumptions. In the event of ransomware or significant data loss, untested backups are an unreliable safety net.
- Staff have no clear guidance on what to do if something goes wrong. If a member of staff clicks a suspicious link or notices unusual account activity, there is currently no agreed first step.
Overall Posture Rating
Needs Improvement
Several meaningful gaps are present across access controls, backup assurance, and
staff-facing processes. These gaps are addressable, and the business is in a good position
to make structured progress.
Business Context
Northfield Accountancy Ltd is a UK-based accountancy practice with 12 staff operating from
a single office, with some staff working from home on a hybrid basis. The business uses
Microsoft 365 for email, documents, and collaboration. There is no dedicated IT or security resource.
Accountancy practices handle significant volumes of sensitive client data — personal financial
records, tax information, company accounts, and payroll data. A security incident that resulted
in the loss or exposure of client financial data would carry meaningful reputational and regulatory
consequences, in addition to direct operational disruption.
As a business handling personal data under UK GDPR, Northfield has obligations around data
protection and must be able to demonstrate reasonable security measures are in place.
Review Scope
This review covered the following areas:
- Access Management and Authentication
- Device and Endpoint Security
- Network and Connectivity
- Email and Communication Security
- Data Management and Backup
- Software and System Patching
- Staff Awareness and Processes
- Third-Party and Supplier Access
- Physical and Environmental Security
The review was conducted based on information provided through the onboarding intake form,
with limited review of publicly available information. No intrusive technical testing,
penetration testing, or active scanning was carried out.
Key Findings Overview
| # | Finding | Area | Priority |
|---|---------|------|----------|
| 1 | MFA not enforced for all Microsoft 365 accounts | Access Management | High |
| 2 | Admin access informal and not clearly defined | Access Management | High |
| 3 | Backups in place but not tested for recovery | Data and Backup | High |
| 4 | No documented incident reporting process for staff | Staff Awareness | Medium |
| 5 | Policies exist but inconsistent and not current | Processes | Medium |
Findings
Finding 1: MFA not enforced for all Microsoft 365 accounts
Issue / Observation: MFA is enabled for some Microsoft 365 accounts but has not been rolled out consistently. Several standard user accounts and at least one administrator account do not have MFA active.
Why It Matters: Microsoft 365 accounts are the single most targeted entry point for attacks on small businesses. Business email compromise — where an attacker intercepts payment instructions or impersonates staff — is the most common and costly attack type in this sector. MFA stops the vast majority of these attacks even if a password is stolen. Without it, one compromised credential is enough.
Business Impact: Unauthorised access to email, documents, and client files. Risk of financial fraud via payment instruction interception. Potential regulatory exposure under UK GDPR. Reputational damage to client trust.
Risk Reduced: Unauthorised account access / business email compromise
Suggested Action: Enable MFA for all Microsoft 365 accounts, starting with administrator accounts and any accounts with access to client data. Use Microsoft Authenticator. Microsoft's Security Defaults setting is a useful starting point if Conditional Access is not yet configured.
Guidance Alignment: Cyber Essentials — User Access Control. NCSC guidance on MFA. ICO guidance on appropriate technical security measures.
Assumptions / Limitations: Based on information provided during intake. If MFA is managed through a separate identity provider not disclosed, this finding may be partially addressed.
Finding 2: Admin access informal and not clearly defined
Issue / Observation: Global administrator access to the Microsoft 365 tenant is currently used for day-to-day work by at least one person. There is no documented list of who holds admin access or what level of access each person has.
Why It Matters: Administrator accounts have the highest level of access to your systems. If an admin account is compromised, the attacker has control over all email, all user accounts, all files, and potentially connected systems. Using an admin account for routine tasks increases the exposure of that account significantly.
Business Impact: If an admin account is compromised, an attacker could create new accounts, access all email and files, delete data, or lock the legitimate business out of its own systems. Recovery from a full admin account compromise is time-consuming and often requires Microsoft support.
Risk Reduced: Privilege escalation / full-tenant compromise
Suggested Action: Create a dedicated admin account used only for administration tasks. Standard daily work should use a standard user account. Produce a simple internal list of who holds admin access and what level they need. Remove admin access from anyone who does not require it. Review the list every 6 months and when staff leave.
Guidance Alignment: Cyber Essentials — User Access Control. NCSC guidance on privileged access management.
Assumptions / Limitations: Based on information provided during intake. If admin access is managed through a third-party IT provider, confirm what access they hold and whether it is documented on their side.
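For whoever administers the tenant (in-house or the IT provider), the following PowerShell script is an added example and not part of the original report. It produces the evidence the two findings above ask for in one pass: every account, whether a second factor is registered, and which admin roles it holds. It assumes the Microsoft Graph PowerShell SDK is installed and a read-only directory role; the CSV file name is a placeholder.

```powershell
# Added example (not from the original report): inventory Microsoft 365 accounts,
# their MFA registration status and any admin roles held, as evidence for the
# MFA and admin-access findings. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All",
                        "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Who holds which directory (admin) role. Only roles that have been activated
# in the tenant are returned, which is exactly the "in use" list we want.
$roleHolders = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $m.AdditionalProperties['userPrincipalName']   # null for groups/apps
        if ($upn) { $roleHolders[$upn] += @($role.DisplayName) }
    }
}

# Registration report. IsMfaRegistered means a second factor is SET UP,
# not that it is ENFORCED: enforcement comes from Security Defaults or a
# Conditional Access policy and must be checked separately.
$rows = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object {
        [pscustomobject]@{
            User          = $_.UserPrincipalName
            MfaRegistered = $_.IsMfaRegistered
            Methods       = ($_.MethodsRegistered -join ', ')
            AdminRoles    = ($roleHolders[$_.UserPrincipalName] -join ', ')
        }
    }

# Admin role holders with no second factor registered: fix these first.
$rows | Where-Object { $_.AdminRoles -and -not $_.MfaRegistered } | Format-Table -AutoSize

# Keep the full list as the "who holds what access" record; re-run it every
# 6 months and when staff leave. Placeholder file name.
$rows | Sort-Object MfaRegistered, User |
    Export-Csv -Path ".\m365-access-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

An account that appears in the first table holds an admin role and has nothing but a password protecting it, which is the exposure Finding 1 describes; a dedicated admin account created under Finding 2 should appear with its role and with MfaRegistered set to True before it is used.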
Finding 3: Backups in place but not tested for recovery
Issue / Observation: Backup processes are in place for the business's key data. However, a restore test has not been performed — there is no recent evidence that data backed up can be successfully recovered in a usable form.
Why It Matters: A backup that has not been tested is an assumption, not a confirmed safety net. Backup processes can fail silently: files may be excluded, backup jobs may have stopped running, or the recovery process itself may encounter errors only discovered during an actual incident.
Business Impact: In a data loss event — ransomware, accidental deletion, hardware failure — an untested backup may not recover the data needed. For an accountancy practice with time-sensitive client obligations, extended data unavailability carries both operational and reputational cost.
Risk Reduced: Data loss / business continuity failure
Suggested Action: Carry out a test restore as soon as practical. Choose a representative sample of data and attempt to restore it in full. Confirm the restored data is complete and usable. Document what was tested, the date, and who confirmed the result. Repeat this test at least every 6 months.
Guidance Alignment: NCSC guidance on backups. Cyber Essentials — Data Recovery. ICO guidance on data protection by design.
Assumptions / Limitations: The backup platform and scope were not fully specified during intake. If backup is managed through a third-party IT provider, ask them to demonstrate a test restore and provide written confirmation of the result.
Finding 4: No documented incident reporting process for staff
Issue / Observation: There is no documented process telling staff what to do if they suspect a security incident — receiving a phishing email, clicking a suspicious link, noticing unusual account activity, or receiving an unexpected payment request. Staff awareness relies on individuals knowing who to tell.
Why It Matters: The speed of response to a security incident matters enormously. Many incidents are significantly worsened by delayed reporting — often because the person who noticed was unsure whether it was serious enough to escalate. A simple, visible process removes that uncertainty and creates an audit trail if a UK GDPR breach notification becomes necessary.
Business Impact: Delayed or absent incident reporting leads to longer exposure, more extensive damage, and greater difficulty demonstrating a proportionate response. Under UK GDPR, certain personal data breaches must be reported to the ICO within 72 hours of becoming aware.
Risk Reduced: Incident escalation delays / regulatory breach reporting failure
Suggested Action: Write a one-page incident response guide for staff. Cover: what counts as a security incident (with examples), who to contact immediately, what not to do, and reassurance that reporting is always the right thing to do. Keep it somewhere easy to find — not buried in a policy folder.
Guidance Alignment: NCSC 10 Steps to Cyber Security — Incident Management. ICO guidance on personal data breach reporting.
Assumptions / Limitations: This finding is based on absence of documented process. If a process exists informally and is well understood by all staff, the priority reduces to creating a formal written version.
Finding 5: Policies exist but inconsistent and not current
Issue / Observation: The business has some written security and acceptable use policies in place, but they are inconsistent in scope, not regularly reviewed, and not consistently used. In some cases the documents pre-date current working practices, notably hybrid working and the shift to cloud-based tools.
Why It Matters: Policies serve two purposes: they set expectations for staff, and they demonstrate that the business has a considered approach to security. Outdated policies that do not reflect current working practices are not just ineffective — they can undermine credibility if questioned by a client, insurer, or regulator.
Business Impact: Without current, coherent policies: staff are unclear on expectations; the business is harder to defend in the event of an incident; cyber insurance claims may be complicated if required controls cannot be evidenced.
Risk Reduced: Policy gaps / regulatory exposure / staff behaviour drift
Suggested Action: Identify the two or three most important policies: an acceptable use policy, a data handling and retention policy, and a remote working / BYOD policy if relevant. Update or rewrite them to reflect how the business works today. Keep them short — one page each is better than a 20-page document no one reads. Set a calendar reminder to review annually.
Guidance Alignment: NCSC 10 Steps — Policies and Procedures. ICO accountability framework.
Assumptions / Limitations: The content and date of existing policies were not reviewed in full. This finding is based on the description provided during intake.
Prioritised Action Plan
All recommended actions in priority order. Address the High-priority items first.
Effort: Low = a few hours, no specialist required. Medium = some planning or coordination. High = likely to require external support or budget.
| # | Priority | Action | Area | Effort | Timeframe |
|---|----------|--------|------|--------|-----------|
| 1 | High | Enable MFA on all Microsoft 365 accounts. Start with admin and client-data accounts. | Access Management | Low | 1–2 weeks |
| 2 | High | Create a dedicated admin account used only for admin tasks. Remove admin access from standard accounts. | Access Management | Low | 1–2 weeks |
| 3 | High | Perform a backup test restore. Document the result. Schedule repeat every 6 months. | Data and Backup | Low | 1 week |
| 4 | Medium | Write a one-page incident reporting guide for staff. Share with the team. | Staff Awareness | Low | 1–2 weeks |
| 5 | Medium | Review and update key policies to reflect current working practices. | Processes | Medium | 4–6 weeks |
| 6 | Low | Document who holds what level of Microsoft 365 access. Review every 6 months. | Access Management | Low | 1 week |
| 7 | Low | Confirm patching responsibility with IT provider or assign internally. Monthly check. | Devices | Low | 1–2 weeks |
| 8 | Low | Review third-party application permissions in Microsoft 365. Remove any not actively used. | Third-Party Access | Low | Within 3 months |
30 / 60 / 90 Day Next Steps
Suggested sequencing. The goal is structured progress, not a sprint.
First 30 days
Access controls and backup
- Enable MFA across all M365 accounts
- Create dedicated admin account
- Perform backup test restore
- Write and share incident reporting guide
31–60 days
Process and policy
- Update acceptable use policy
- Update data handling policy
- Add remote working guidance
- Document M365 access levels
61–90 days
Review and remaining items
- Confirm patching schedule
- Review third-party permissions
- Review incident guide for accuracy
- Consider ongoing oversight
A Note on Ongoing Oversight
The Baseline Review gives you a clear picture of where you stand today and a structured plan
for moving forward. For many businesses, the action plan is the right next step,
and a one-off review is all they need for now.
If you find it useful to have continued structure — someone checking in on progress,
helping you stay on top of things as the business changes — Monthly Oversight is available
when and if it would add value, at two levels: Essential Oversight (£199 + VAT/month) or Guided Oversight
(£349 + VAT/month). Both can be cancelled with 30 days' notice.
Scope and Disclaimer
What was assessed
- Microsoft 365 account security and access configuration
- Device and endpoint practices across the 12-person team
- Backup arrangements and recovery confidence
- Email and communication security practices
- Staff awareness and incident response processes
- Existing policies and their current applicability
- Third-party tools and connected application access
What was not assessed
- Active penetration testing or exploit-based technical testing
- Automated active vulnerability scanning
- Legal, contractual, or HR advice
- Incident response or forensic investigation
- Regulated sector compliance assessment
This report is advisory in nature. It is not legal advice, a compliance certification,
or a regulated audit opinion. References to NCSC guidance, Cyber Essentials, or ICO frameworks
indicate alignment with recognised good practice only — not a formal compliance determination.
Responsibility for implementation decisions remains with Northfield Accountancy Ltd.
This report is confidential to Northfield Accountancy Ltd.