This is designed for owner-managed SMEs with 10-25 staff in Sussex or Kent who:
Use Microsoft 365.
Haven’t had a structured security review.
Have unmanaged or partly managed devices.
Aren’t sure where they’d pass or fail a Cyber Essentials (CE) check.
Inherit tools and processes from previous managed service providers (MSPs).
Want clarity before investing further in IT.
If you're asking "Are we actually secure?" - this is where you begin.
Most SMEs operate on assumptions:
"Microsoft 365 already backs us up."
"Our antivirus must be up-to-date."
"Our MSP handles our security."
"We're too small to be a target."
The National Cyber Security Centre (NCSC) data shows the opposite:
SMEs are now being targeted as stepping-stones to their larger suppliers and customers.
The majority have no enforceable security baseline.
Incidents often expose flaws nobody checked - identity, device management, patching, backup…
Before changing MSPs, before buying new tools, before renewing insurance - you need a clear view of where you stand. The Triage Call gives you that clarity at a high level. The Baseline Review gives you the evidence.
What you get:
A verbal red/amber/green (RAG) rating across key areas: identity, devices, patching, malware protection, backup.
A plain-English view of any obvious risks.
Insight into whether anything is critical, or urgent.
Guidance on whether a deeper assessment is warranted.
A check on whether your IT environment is suitable for our operating model.
What it is not:
Not a written report.
Not a detailed remediation plan.
Not a certification service.
It's a simple, structured "reality check" for SMEs who want to know where they stand.
What you receive:
A written baseline report mapped to CE-style domains: identity & access, devices, malware/endpoint protection, patching, backup, shadow IT.
The top 5-10 risks, ranked by severity and business impact.
A practical remediation roadmap split into Now/Next/Later.
A readout session with your leadership team.
Clear alignment with Cyber Essentials controls.
100% of the review fee credited if you proceed with our all-inclusive managed service.
Purpose:
To give SMEs a practical, actionable understanding of where security efforts should go - not a generic "audit".
Not a detailed remediation plan.
Not a certification service.
If you recognise that picture, you’re the exact audience this operating model was built for.
1
Identity & Access
Multi-factor Authentication (MFA).
Admin account separation.
Password policies.
Guest access.
Single sign-on (SSO0.
2
Devices
Managed vs unmanaged.
Encryption.
Compliance policies.
Standardisation.
Inventory accuracy.
3
Malware Protection
Endpoint Detection & Response (EDR) deployment.
24/7 Security Operations Centre (SOC) coverage.
Legacy or conflicting antivirus.
4
Patching & Updates
Operating system updates.
App patching.
Monitoring.
Missed updates.
5
Backup & Recovery
Third-party Microsoft 365 backup.
Server backup coverage.
Retention & restore testing.
Practical recovery expectations.
6
SaaS & Shadow IT
Unapproved software.
Data sprawl.
Access risks.
By the end, you know exactly how your business compares to a CE-style baseline.
Typical SME approach:
Rely on an MSP that vaguely reviews security.
Assumes that tools are configured correctly.
Fix symptoms instead of causes.
Discovers gaps only after an incident.
Structured pathway:
Clear, high-level triage.
Evidence-based review.
Practical roadmap.
No assumptions.
No guesswork.
Decisions made with clarity.
This is the diagnostic step most SMEs skip - and the one that prevents unnecessary spending and unnecessary risk.
Our entire operating model is built on:
A Cyber Essentials-aligned baseline.
Standardised device management via Microsoft Intune.
Automated onboarding/offboarding.
SentinelOne endpoint protection monitored by a 24/7 SOC.
Third-party Microsoft 365 (and server) backup.
One opinionated, all-inclusive managed service.
