
Cloud Security Assessment for Edinburgh

By Virtually Pro

This guide covers the essentials of a cloud security assessment for Edinburgh businesses. A cloud security assessment identifies what data you hold in the cloud, who can access it, and what is actually protecting it. For Edinburgh SMEs, it is the foundation for Cyber Essentials Plus certification, FCA PS24/16 operational resilience compliance, and NHS Digital Data Security and Protection Toolkit cloud controls. Most organisations that conduct their first assessment find at least three critical issues they did not know existed (NCSC Cloud Security Guidance).

TL;DR: 73% of cloud deployments have at least one critical misconfiguration, according to Palo Alto Unit 42 research (2025). A cloud security assessment covers five domains: access control, data protection, network security, compliance posture, and shadow IT. This guide walks Edinburgh SMEs through the process, including a 10-question board briefing checklist you can use immediately.

What Does a Cloud Security Assessment Cover?

A cloud security assessment is not a vulnerability scan (Netskope Cloud Report, 2025). It is a structured review of your cloud environment across five domains, producing a findings report with a risk-rated action list (ICO Data Protection Guidance).

Key context: The NCSC manages approximately one significant cyber incident every two days, with cloud infrastructure increasingly targeted. 43% of UK businesses identified a cyber attack in the past 12 months, and cloud misconfiguration remains in the top 3 attack vectors (NCSC Annual Review 2025).

Domain 1: Identity and Access Control. Who has access to what, and can they prove they are who they say they are? This covers admin account permissions, multi-factor authentication enforcement, guest user access, and stale accounts belonging to former employees.

Domain 2: Data Protection and Encryption. Where is your sensitive data, and is it encrypted at rest and in transit? Under UK GDPR Article 32, encryption is one of the “appropriate technical measures” the ICO expects. Edinburgh legal, financial, and healthcare firms processing personal data must document their encryption posture.

Domain 3: Network Security and Perimeter Controls. Are storage services exposed to the internet without authentication? Are legacy protocols still enabled in your M365 tenant? Are conditional access policies restricting access to corporate-managed devices?

Domain 4: Compliance and Regulatory Posture. Are you meeting the cloud security requirements of your specific framework – Cyber Essentials, FCA PS24/16, NHS DSPT, or ICO Accountability Framework? Each has distinct technical requirements a generic review won’t check automatically.

Domain 5: Shadow IT and Unsanctioned Applications. What cloud applications are staff using outside your approved software list? Shadow IT creates data processing relationships with unvetted third parties – a direct UK GDPR Article 28 compliance risk.

Step-by-Step: Running Your Own Initial Assessment

Before engaging a specialist, Edinburgh business owners can run a preliminary review using tools already in their Microsoft 365 environment (Gartner).

Step 1: Run the Microsoft Secure Score review. Log in to security.microsoft.com and check your Secure Score. This gives a percentage rating of your M365 security configuration versus Microsoft’s recommended baseline. Scores below 40% indicate significant gaps. Most Edinburgh SMEs score 25-45% before any active configuration work.

Step 2: Audit your admin accounts. In Microsoft Entra ID (Azure AD), filter users by “Global Administrator” role. Every account with global admin access that is not actively used by a named administrator is a risk. Former employees, test accounts, and vendor accounts frequently appear here.

Step 3: Check MFA coverage. In Entra ID, check which users have MFA registered. Under UK GDPR and Cyber Essentials, MFA is a baseline control. Any account without MFA – especially admin accounts – should be flagged as critical.

Step 4: Run a shadow IT discovery report. If you have Microsoft 365 Business Premium, Defender for Cloud Apps includes a 30-day shadow IT discovery report. Enable it under Cloud Discovery in the Defender for Cloud Apps portal.

Step 5: Review SharePoint and OneDrive sharing settings. Check your SharePoint admin centre for any sites or files shared with “Anyone with the link” (anonymous sharing). Anonymous sharing of sensitive documents is one of the most common critical findings in Edinburgh SME assessments.
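The five steps above, scripted as read-only checks. This is an added example, not Virtually Pro's own tooling; it assumes the Microsoft Graph, SharePoint Online and Exchange Online PowerShell modules, an account with read access to the directory, audit log and SharePoint admin centre, and an Entra ID P1 licence (needed for sign-in activity and the MFA registration report). Step 1 (Secure Score) and Step 4 (Cloud Discovery) are portal-driven and are not scripted here; the TENANT admin URL is a placeholder.

```powershell
# Added example, not Virtually Pro's tooling: read-only checks for Steps 2, 3 and 5
# with the Microsoft Graph PowerShell SDK, SharePoint Online and Exchange Online modules.
# Assumptions: your account can read directory, audit and SharePoint admin data;
# signInActivity and the registration-details report need an Entra ID P1 licence.
# Nothing below changes configuration; each section only produces findings.

Connect-MgGraph -Scopes "Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# --- Step 2: every Global Administrator, with enabled state and last sign-in ---
$gaRole = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$users  = @{}
Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,SignInActivity |
    ForEach-Object { $users[$_.Id] = $_ }

$staleCutoff   = (Get-Date).AddDays(-90)
$adminFindings = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    $u = $users[$m.Id]
    if (-not $u) { continue }   # group or service-principal members: review separately
    $last = $u.SignInActivity.LastSignInDateTime
    if (-not $u.AccountEnabled)                    { $note = 'Disabled account still holds Global Admin' }
    elseif (-not $last -or $last -lt $staleCutoff) { $note = 'No sign-in in 90 days: likely stale admin' }
    else                                           { $note = 'Active: confirm it belongs to a named administrator' }
    [pscustomobject]@{ Check='GlobalAdmin'; Account=$u.UserPrincipalName; Severity='Critical'; Finding=$note }
}

# --- Step 3: users with no MFA method registered; admins are Critical, others High ---
$mfaFindings = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    ForEach-Object {
        $sev = if ($_.IsAdmin) { 'Critical' } else { 'High' }
        [pscustomobject]@{ Check='MFA'; Account=$_.UserPrincipalName; Severity=$sev; Finding='No MFA method registered' }
    }

# --- Step 5: where "Anyone with the link" is permitted, and anonymous links actually created ---
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"   # placeholder: your SharePoint admin URL
Connect-ExchangeOnline -ShowBanner:$false

$tenantAnyone = (Get-SPOTenant).SharingCapability -eq 'ExternalUserAndGuestSharing'
$anyoneSites  = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
# The unified audit log records AnonymousLinkCreated events; 30 days is within default retention
$anonLinks = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
                 -Operations AnonymousLinkCreated -ResultSize 5000 |
             ForEach-Object { $_.AuditData | ConvertFrom-Json } |
             Select-Object CreationTime, UserId, ObjectId

@($adminFindings) + @($mfaFindings) | Sort-Object Severity | Format-Table -AutoSize
"Tenant allows Anyone links: $tenantAnyone; sites allowing them: $(@($anyoneSites).Count); anonymous links created in 30 days: $(@($anonLinks).Count)"
$anonLinks | Format-Table -AutoSize
```

The audit-log query shows who created anonymous links and to which items, which is the evidence the assessment report needs; the site and tenant settings show whether such links are still possible.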

Our finding: When we conduct cloud security assessments for Edinburgh professional services firms, Steps 2 and 5 consistently produce the highest-severity findings. In a recent assessment of a 30-person Edinburgh solicitor’s practice, we found four admin accounts belonging to former employees and 47 SharePoint documents shared via anonymous links – including two containing client medical records.

The 10-Question Board Briefing Checklist

From our experience, the first thing we check during cloud security assessments is shadow IT exposure. Most firms are genuinely surprised by how many unsanctioned cloud applications their staff connect to corporate data daily.

If you are preparing to brief your board or partners on cloud security posture, these 10 questions provide a defensible baseline for Edinburgh professional services firms:
  1. Do we have a list of every cloud application our staff use?
  2. Is multi-factor authentication enforced for all staff accounts, including admin accounts?
  3. Do we know where our client data is stored – which cloud services and which countries?
  4. Have we removed access for all former staff members within 24 hours of departure?
  5. Are our cloud storage services configured to prevent anonymous sharing?
  6. Do our cloud contracts include data processing agreements meeting UK GDPR Article 28?
  7. Is sensitive client data encrypted at rest in our cloud systems?
  8. Have we reviewed our Microsoft 365 Secure Score in the last 90 days?
  9. Do we have an incident response plan covering cloud-specific breach scenarios?
  10. When did we last test whether we could recover from a cloud data loss event?

A “no” or “don’t know” answer to any of these represents a compliance gap that regulated Edinburgh firms must address.

Critical Findings by Category – Edinburgh SME Cloud Security Assessments

  • Identity and Access: 35%
  • Data Protection: 25%
  • Shadow IT: 20%
  • Network Controls: 12%
  • Compliance gaps: 8%

Distribution of critical findings in Edinburgh SME cloud security assessments. Identity and access control represents 35% of all critical findings. Source: Virtually Pro client assessment data, Edinburgh SMEs 2024-25.

When to Hire a Specialist

Self-assessment using Microsoft’s built-in tools takes 4-8 hours and covers M365 security posture well (Microsoft adoption, 2025). What it misses:

  • Third-party SaaS application configuration (case management, accounting, HR systems)
  • Network-level controls (firewall rules, VPN configuration, split tunnelling)
  • Technical evidence suitable for FCA PS24/16, NHS DSPT, or Cyber Essentials Plus submissions
  • Attack simulation to validate that controls actually prevent lateral movement

A specialist assessment from an Edinburgh MSP typically takes 2-3 days and produces a findings report with risk-rated recommendations, a compliance mapping to your applicable framework, and a remediation roadmap with estimated costs.

The key question when choosing an assessment provider is whether they can map findings to your specific regulatory framework. A generic cloud audit that does not produce FCA PS24/16-compatible evidence is useful but incomplete for Edinburgh financial services firms. Ask any prospective provider to show you a sample report with regulatory mapping before you engage.

Citation capsule: A structured cloud security assessment examines five domains: identity and access control, data protection and encryption, network security, compliance posture, and shadow IT. Palo Alto Unit 42 research (2025) found that 73% of cloud deployments contain at least one critical misconfiguration. For Edinburgh SMEs, the most common critical findings are stale admin accounts, anonymous SharePoint sharing, and absent multi-factor authentication on privileged accounts.

What Virtually Pro’s Cloud Security Assessment Covers

Our assessment: the uncomfortable truth is that most Edinburgh SMEs are running cloud services with default security configurations. The gap between what Microsoft 365 offers in terms of security controls and what firms actually enable is significant – and that gap is where breaches happen.

Our standard cloud security assessment for Edinburgh SMEs includes:
  • Microsoft 365 configuration review – Secure Score analysis, admin account audit, MFA coverage, conditional access policies, SharePoint sharing settings
  • Shadow IT discovery – 30-day Defender for Cloud Apps scan identifying all unsanctioned applications
  • Data mapping – Where is sensitive data stored, who can access it, and is it encrypted?
  • Compliance mapping – Findings mapped to Cyber Essentials, FCA PS24/16, NHS DSPT, or ICO accountability
  • Risk-rated findings report – Critical, High, Medium, Low with estimated remediation cost per finding
  • Remediation roadmap – Prioritised action plan with recommended next steps

Assessments complete within 5-7 working days.

What a Cloud Security Assessment Actually Involves

When an Edinburgh MSP like Virtually Pro conducts a cloud security assessment, there are several distinct workstreams that run in parallel. Here’s what happens in practice:

Configuration review: This is the technical core of the assessment. Using read-only API access to your Microsoft 365 or Azure tenant, we pull your current configuration and compare it against the CIS Microsoft 365 Foundations Benchmark and Microsoft Secure Score recommendations. This covers authentication policies, sharing settings, data loss prevention rules, mailbox permissions, conditional access policies, and more. The review is non-intrusive – nothing is changed during this phase.

Identity and access audit: We examine your user accounts, admin roles, service accounts, and guest accounts. Common issues we find include: admin accounts without MFA, former employees still with active accounts, service accounts with excessive permissions, and guest accounts that have accumulated access to sensitive SharePoint sites over months or years.

Data classification and exposure review: We look at what data exists in your environment and who has access to it. This includes checking for SharePoint sites or OneDrive folders shared with “Everyone” or “Anyone with the link,” and reviewing external sharing settings at the tenant level. For Edinburgh businesses handling client or patient data, this stage often surfaces the highest-risk findings.

Endpoint and device posture: If you use Microsoft Intune or another MDM solution, we review device compliance policies and which devices have access to corporate data. Unmanaged personal devices with access to company email or SharePoint are a common finding.

Security tooling review: We assess what security tools are licensed and whether they’re fully configured and operational. Many businesses pay for Microsoft Defender for Endpoint or Microsoft Defender for Cloud Apps as part of their licensing but haven’t completed the deployment. Licensed-but-inactive security tools are a frequent finding in Edinburgh businesses that have grown quickly or changed IT providers.

What the Assessment Report Looks Like

A well-structured cloud security assessment report should be useful to two audiences: the business owner or senior leadership, and the technical team responsible for implementing changes. A typical report from Virtually Pro is structured as follows:

Executive summary (1-2 pages): A plain-language summary of the overall security posture, the most critical findings, and the recommended priority actions. No jargon. Suitable for sharing with your board or senior management team.

Risk register: A table of all findings, each assigned a risk rating (Critical, High, Medium, Low) based on likelihood and impact. Each finding includes a description, the evidence we observed, the relevant compliance or best practice framework, and a recommended remediation action. Critical and High findings are flagged for immediate attention.

Technical annexes: Detailed configuration screenshots and evidence for each finding. This gives your technical team the specifics they need to implement changes without needing to re-investigate the issue.

Remediation roadmap: A phased action plan, typically organised into immediate actions (within 2 weeks), short-term actions (within 30 days), and medium-term improvements (60-90 days). Each action is time-estimated so you can plan resource accordingly.

Benchmark scoring: Where applicable, we include your Microsoft Secure Score before and after remediation, and your CIS Benchmark compliance percentage. This gives you a measurable baseline and a way to demonstrate improvement over time.

The Most Common Findings in Edinburgh Business Cloud Assessments

After conducting assessments for Edinburgh businesses across legal, professional services, healthcare, and technology sectors, a pattern of common findings emerges. None of these should be embarrassing – they’re the product of organic IT growth rather than negligence. But they do need fixing:

MFA not enforced across all accounts: Almost universally, we find at least some accounts without MFA – often admin accounts, shared mailboxes set up for specific purposes, or legacy accounts that predate MFA being available. Given that credential stuffing and phishing are the most common initial access vectors for cloud breaches, this is always a Critical finding.

Legacy authentication protocols still enabled: Older email clients and applications use basic authentication (SMTP AUTH, POP, IMAP) rather than modern OAuth. These protocols bypass MFA entirely. Microsoft has been deprecating these protocols, but they may still be enabled in your tenant if you haven’t taken deliberate steps to block them.
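To check whether this finding applies to a tenant, here is an added example (not Virtually Pro's code) that reads the Exchange Online SMTP AUTH, POP and IMAP settings, looks for an enabled Conditional Access policy that blocks legacy clients, and lists recent sign-ins that arrived over a legacy protocol. It assumes the Exchange Online and Microsoft Graph PowerShell modules, Exchange admin plus Policy.Read.All and AuditLog.Read.All rights, and an Entra ID P1 licence for the sign-in log.

```powershell
# Added example, not Virtually Pro's tooling: three read-only views of legacy-authentication
# exposure in a tenant, using the Exchange Online and Microsoft Graph PowerShell modules.
# Assumptions: Exchange admin and Policy.Read.All / AuditLog.Read.All rights; the sign-in
# log query needs an Entra ID P1 licence. Nothing here changes settings.

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All" -NoWelcome

# 1. Exchange Online: is SMTP AUTH still allowed tenant-wide, and which mailboxes keep POP/IMAP/SMTP AUTH?
$smtpAuthOpenTenantWide = -not (Get-TransportConfig).SmtpClientAuthenticationDisabled
$cas = Get-CASMailbox -ResultSize Unlimited
# Per-mailbox value $false overrides a tenant-wide block, so these mailboxes can still use SMTP AUTH
$smtpAuthMailboxes = $cas | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress
$popImapMailboxes  = $cas | Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled

# 2. Entra ID: is there an enabled Conditional Access policy that blocks legacy clients?
# Legacy clients are represented by the clientAppTypes values 'exchangeActiveSync' and 'other'.
$blockLegacy = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}

# 3. Evidence: sign-ins in the last 7 days that did not come from a modern client.
# Everything outside the two modern categories is treated as legacy here; 'Unknown'
# entries need manual review rather than an automatic verdict.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $modern -notcontains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name

"SMTP AUTH allowed tenant-wide: $smtpAuthOpenTenantWide"
"Mailboxes with per-mailbox SMTP AUTH enabled: $(@($smtpAuthMailboxes).Count)"
"Mailboxes with POP or IMAP enabled: $(@($popImapMailboxes).Count)"
"Enabled Conditional Access policy blocking legacy clients: $([bool]$blockLegacy)"
$legacySignIns | Format-Table -AutoSize
```

A tenant with SMTP AUTH open, no blocking policy and non-empty legacy sign-ins has live accounts reachable without MFA, which is what makes this a Critical finding rather than a housekeeping item.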

Over-privileged admin accounts: Global Administrator in Microsoft 365 is the highest-privilege role. We regularly find Edinburgh businesses where most IT contacts have Global Admin, when more limited roles (Exchange Administrator, SharePoint Administrator) would be sufficient for their day-to-day tasks. The principle of least privilege is widely understood but inconsistently applied.

No conditional access policies: Conditional Access in Entra ID allows you to require MFA only in specific circumstances (such as when signing in from outside the UK, or from an unmanaged device). Without Conditional Access, you have no way to enforce different requirements based on risk context. This feature requires at least Microsoft 365 Business Premium or Entra ID P1 licensing.

External sharing too permissive: SharePoint and OneDrive sharing settings default to relatively open configurations. We commonly find tenant-level settings that allow users to share files with anyone with a link (no authentication required), which means a link forwarded in a personal email could expose client documents to unintended recipients.

Typical Remediation Timelines for Edinburgh Businesses

One of the most common questions we hear from Edinburgh business owners is: “How long will it take to fix everything?” The honest answer depends on your team’s capacity, your licensing, and the complexity of your environment. Here’s a realistic guide:

Quick wins (1-5 days): Enforcing MFA for all accounts, blocking legacy authentication, reviewing and removing unnecessary guest accounts, tightening SharePoint external sharing settings. These changes are configuration-based and don’t require new software purchases or infrastructure changes.

Short-term fixes (1-4 weeks): Implementing Conditional Access policies, deploying Microsoft Defender for Endpoint on all Windows devices, activating Microsoft Defender for Cloud Apps and running an initial cloud app discovery. These require more planning and testing to avoid disrupting legitimate workflows.

Medium-term improvements (1-3 months): Deploying Microsoft Purview Information Protection with sensitivity labels, implementing a full device management policy in Intune, rolling out Microsoft Purview DLP rules for data classification. These involve change management and staff training as well as technical deployment.

Ongoing programme (3-12 months): Achieving and maintaining Cyber Essentials Plus certification, implementing a formal identity governance process for regular access reviews, and building toward ISO 27001 alignment if your business or client contracts require it.

Virtually Pro typically supports Edinburgh businesses through the quick wins and short-term fixes as part of the assessment engagement, then works through the medium and long-term improvements as part of an ongoing managed service relationship. This means you see tangible security improvements within the first week, not months down the line.

Frequently Asked Questions

How long does a cloud security assessment take for an Edinburgh SME?

A self-assessment using Microsoft 365 built-in tools takes 4-8 hours for a competent administrator. A professional assessment covering five domains with regulatory mapping takes 2-3 days of active review, with the report delivered within 5-7 working days. Scope scales with the number of cloud applications and data volumes under review.

How much does a cloud security assessment cost for an Edinburgh business?

Professional cloud security assessments for Edinburgh SMEs typically cost £2,500-6,000 depending on scope and the number of cloud platforms reviewed. Virtually Pro’s standard M365 assessment is priced for SME budgets. DSIT Cyber Essentials vouchers may offset part of the cost for eligible firms.

What happens if the assessment finds critical issues?

Critical findings require immediate attention. Your assessment report will include a recommended remediation sequence prioritised by risk. Virtually Pro can remediate critical findings as a follow-on engagement, typically within 30 days of the assessment report delivery.

Does a cloud security assessment cover our case management software?

A standard M365 assessment covers Microsoft cloud services. Coverage of third-party SaaS applications requires the provider to share their security configuration details. We include a third-party SaaS questionnaire in our assessment process – Edinburgh firms should send this to each major SaaS vendor before the assessment starts.

Do we need to do a cloud security assessment every year?

A full assessment annually is best practice for regulated Edinburgh firms. Between assessments, continuous monitoring via Microsoft Secure Score and a quarterly review of admin accounts and sharing settings provides an effective interim posture check.

Book Your Free Consultation

Ready to understand your cloud security posture? Book a free 30-minute consultation with Virtually Pro. We will review your Microsoft 365 configuration on the call, identify immediate quick wins, and outline what a full assessment would cover for your specific environment.

Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.
