Security Health Check — Report

Maple Street Dental

Findlay, OH · Prepared by NW Ohio Security · Sample dated for illustration

The short version

Maple Street Dental is in reasonable shape on the fundamentals — multi-factor authentication is on for email, and the team uses individual logins. Two issues stand out and are worth addressing soon: the domain has no protection against someone sending email in the practice's name, and two staff logins have appeared in known data breaches. Backups exist but have never been tested. None of this is unusual for a practice this size, and all of it is fixable.

2 need attention now · 3 worth fixing soon · 6 looking good

What we found

Findings are grouped by area and rated by risk. The items marked below as covered by the free check are the ones we can determine from public information alone, before any walkthrough.

Area | Status | What it means
Email spoofing (free check) | FAIL | The domain has no DMARC record, so anyone can send email that appears to come from the practice — a common route for fake invoices and payment-change requests. Highest-priority fix.
Breach exposure (free check) | FAIL | Two staff email addresses appear in known data breaches. Any passwords reused from those accounts should be changed and MFA confirmed.
Sender policy (SPF) (free check) | WARN | An SPF record exists but is set to "softfail," which is weaker than it should be. Tightening it strengthens the email fixes above.
Backups | WARN | Patient and business data is backed up to the cloud, but a restore has never been tested. A backup you haven't tested is a backup you can't count on.
Admin access | WARN | Three accounts have full administrator rights; only one person regularly needs that level. Reducing this limits the damage if an account is compromised.
Mail provider (free check) | PASS | Email is hosted on Microsoft 365, correctly configured to receive mail.
Multi-factor auth | PASS | MFA is enforced on email for all staff. This is the single most valuable control and it's in place.
Individual logins | PASS | Every staff member has their own account — no shared logins.
Device protection | PASS | Microsoft Defender is running and current on all reviewed computers.
Disk encryption | PASS | Laptops have BitLocker encryption enabled, protecting data if a device is lost or stolen.
Updates | PASS | Computers are set to install security updates automatically.

What to do, in order

A short, prioritized list. The first two close the highest-risk gaps and can be done quickly.

  1. DO NOW
    Add DMARC to stop email spoofing. Publish a DMARC record (starting in monitor mode, then tightening) so no one can impersonate the practice's email.
  2. DO NOW
    Reset the two exposed logins. Change passwords on the breached accounts, confirm MFA, and check those passwords aren't reused elsewhere.
  3. SOON
    Test a backup restore. Actually recover a file or two from backup to confirm the system works before you ever need it in an emergency.
  4. SOON
    Tighten the SPF record. Move SPF from softfail to a stricter setting alongside the DMARC work.
  5. SOON
    Reduce admin accounts. Drop from three full administrators to one, with others given only the access they need day to day.
  6. LATER
    Write a one-page incident plan. A simple "who to call and what to do first" document, useful for staff and increasingly asked for by cyber-insurers.
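The two email findings in the table above and steps 1 and 4 of this list, as an added example that is not part of the report: a small Python rater that classifies SPF and DMARC TXT records on the same FAIL/WARN/PASS scale the report uses. The records are constructed samples, not the practice's real DNS; the Microsoft 365 SPF include and the report mailbox address are illustrative assumptions.

```python
import re

# Constructed sample records (not the practice's real DNS). The first pair
# reproduces the findings above: SPF present but softfail, DMARC absent.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = None                      # no _dmarc TXT record published
FIXED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def rate_spf(txt):
    """Rate an SPF TXT record on the report's FAIL/WARN/PASS scale."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "FAIL", "no SPF record: receivers cannot tell which servers may send for the domain"
    # The trailing 'all' mechanism decides what happens to senders not listed.
    match = next((t for t in txt.split() if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if match is None:
        return "WARN", "no 'all' mechanism: unlisted senders get a neutral result"
    qualifier = match[0] if match[0] in "+-~?" else "+"
    if qualifier == "-":
        return "PASS", "ends in -all (hardfail): unlisted senders are rejected"
    if qualifier == "~":
        return "WARN", "ends in ~all (softfail): unlisted senders are only flagged"
    return "FAIL", f"ends in {qualifier}all: any sender is accepted"

def rate_dmarc(txt):
    """Rate a _dmarc TXT record on the same scale."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return "FAIL", "no DMARC record: anyone can send mail in the domain's name"
    tags = {}
    for part in txt.split(";"):          # tag=value pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy == "none":
        return "WARN", "monitor mode (p=none): spoofing is reported but still delivered"
    if policy in ("quarantine", "reject"):
        return "PASS", f"enforced (p={policy}): receivers act on failed messages"
    return "FAIL", "record has no valid p= tag, so receivers ignore it"

def email_findings(spf_txt, dmarc_txt):
    """Return the two email rows of the findings table for one domain."""
    return {"Sender policy (SPF)": rate_spf(spf_txt),
            "Email spoofing": rate_dmarc(dmarc_txt)}

if __name__ == "__main__":
    stages = {"as found": (SAMPLE_SPF, SAMPLE_DMARC),
              "after step 1 (monitor mode)": (SAMPLE_SPF, MONITOR_DMARC),
              "after steps 1 and 4": (FIXED_SPF, ENFORCED_DMARC)}
    for label, (spf, dmarc) in stages.items():
        for area, (status, note) in email_findings(spf, dmarc).items():
            print(f"{label:28} {area:20} {status:4} {note}")
```

A live check would fetch the TXT records for the domain and for `_dmarc.` + the domain and pass them to `email_findings`.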

About this report

This health check reviews configuration and public information only — it is not a penetration test, and no systems were altered during the review. Findings are mapped to the CIS Critical Security Controls v8 (Implementation Group 1), a recognized baseline for small organizations. It reflects a point in time and is not a guarantee against future incidents.
