Sample Cyber Risk Snapshot
Example Med Spa
A plain-English sample report showing how a small business owner can prioritize practical security fixes.
Overall risk score
Elevated risk
- Business reviewed
- Example Med Spa
- Website reviewed
- examplemedspa.com
- Business type
- Local med spa
- Report type
- Sample snapshot
Executive summary
Example Med Spa has several common small-business security gaps that are fixable without a large project. The most important items are protecting email from impersonation, requiring stronger sign-in controls for high-value accounts, and creating a clear process for payment-change requests.
The goal is not to make the business perfect overnight. The best next step is to close the issues that could lead to account takeover, client confusion, or preventable payment mistakes.
Owner takeaway
This is an elevated but manageable risk profile. Most fixes can be assigned to the email provider, website provider, office manager, or owner within 30 days.
Website reviewed
The sample review focuses on public-facing website basics for examplemedspa.com. It does not include admin access, code review, vulnerability exploitation, or aggressive scanning.
Email and business process
The highest-value improvements are email authentication, stronger sign-in protection, and a simple rule for verifying payment or vendor changes.
Top 5 findings
Finding 1 - Email
Email protection is not strong enough to discourage impersonation
The public email setup appears to be in monitoring-only mode: mail providers that receive a message claiming to be from the domain are asked to report it, but they are not clearly told to reject or quarantine spoofed messages.
- Why this matters
- Med spas often send appointment, deposit, financing, and treatment messages by email. A convincing fake email can lead to payment mistakes, gift-card scams, or clients sharing personal information with the wrong party.
- Recommended fix
- Ask the email provider to confirm that SPF, DKIM, and DMARC are set up and aligned for every service that sends mail as the business (office mailboxes, booking, payment, and marketing tools), then move the DMARC policy from monitoring (p=none) to quarantine and finally reject once the reports show that all legitimate senders pass.
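As an added example (not part of the original sample report), the following script shows the kind of check behind Finding 1: it reads an SPF record and a DMARC record and lists, in plain English, what each one does and does not ask mail providers to do. The two records are constructed sample strings, not real DNS data for examplemedspa.com, and the script does no DNS lookups, so it runs offline.

```python
"""Assess SPF and DMARC TXT records as a snapshot review would.

The records below are constructed examples for illustration; they are
not the real DNS records of examplemedspa.com.
"""

# Constructed sample records (assumed values, not live DNS data).
SAMPLE_SPF = ("v=spf1 include:_spf.example-mailhost.net "
              "include:_spf.example-booking.com ~all")
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@examplemedspa.com"

# RFC 7208 allows at most 10 DNS-lookup mechanisms in one SPF evaluation.
SPF_LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of plain-English findings; an empty list means strong."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed: spoofed mail is not policed at all"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC policy is p=none: receivers report spoofing but do not block it")
    elif policy == "quarantine":
        findings.append("DMARC policy is p=quarantine: spoofed mail goes to spam; move to p=reject when ready")
    elif policy != "reject":
        findings.append(f"DMARC policy '{policy}' is not valid; receivers treat it as no policy")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: the policy only applies to {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives the reports that show who sends as the domain")
    return findings


def assess_spf(record):
    """Check the 'all' mechanism, which decides what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"SPF ends with '{last}': any server may send as the domain")
        elif qualifier == "~":
            findings.append("SPF ends with ~all (softfail); works with DMARC, but -all is stricter")
    lookups = sum(
        1 for t in terms[1:]
        if t.lower().lstrip("+-~?").replace("=", ":").split(":")[0] in LOOKUP_MECHANISMS
    )
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups (limit {SPF_LOOKUP_LIMIT}); receivers may fail it")
    return findings


if __name__ == "__main__":
    for label, result in (("SPF", assess_spf(SAMPLE_SPF)),
                          ("DMARC", assess_dmarc(SAMPLE_DMARC))):
        print(label + ":", "; ".join(result) or "no issues found")
```

Run against the sample records, the script reports the softfail SPF ending and the p=none DMARC policy, which is exactly the "monitoring but not blocking" situation described above. A real review would fetch the records with a DNS lookup for the domain's TXT record and the _dmarc subdomain; the assessment logic is the same.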
Finding 2 - Access
Multi-factor authentication is not confirmed for high-value accounts
The business could not confirm that email, booking, payment, website, and social media admin accounts all require a second sign-in step.
- Why this matters
- A single stolen password can give an attacker access to client conversations, appointment schedules, payment requests, or public social media posts.
- Recommended fix
- Require multi-factor authentication for every account that can access client information, change payment details, send email, or publish on behalf of the business. Where the service offers it, prefer an authenticator app or a security key over text-message codes, which are easier to intercept or redirect.
Finding 3 - Website
Website browser protections are incomplete
The public website does not show a complete set of basic browser protection headers in this sample review.
- Why this matters
- These settings help browsers handle the website more safely. They are not a cure-all, but they reduce avoidable risk and show that the website is being maintained with care.
- Recommended fix
- Ask the web developer or hosting provider to add the common security headers (for example Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy), then test the site for broken pages and confirm the appointment and contact forms still work. A Content-Security-Policy in particular can block scripts or embedded forms if it is set too strictly, so it should be tested before it is enforced.
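As an added example (not part of the original sample report and not a capture from examplemedspa.com), this script shows the check behind Finding 3: it reads an HTTP response, looks for the basic browser protection headers, and explains what each missing one means. It also carries a recommended baseline so the weak response can be compared with the fixed one. The response text and the baseline values are constructed assumptions; a hosting provider would adjust the Content-Security-Policy to whatever scripts and embedded forms the site actually uses.

```python
"""Check a web response for basic browser protection headers.

The response below is a constructed example, not a capture from
examplemedspa.com, so the script runs offline.
"""

# Constructed sample response (assumed, weak: only X-Frame-Options is set).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Server: nginx
X-Frame-Options: SAMEORIGIN

<!doctype html><html><body>Example Med Spa</body></html>"""

# Assumed baseline a hosting provider could add; the CSP must be adjusted
# to the scripts and embedded forms the real site loads.
RECOMMENDED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Roughly six months; shorter HSTS lifetimes lapse between visits.
HSTS_MIN_AGE = 15552000


def parse_headers(raw_response):
    """Split a raw HTTP response into a lowercase header-name -> value dict."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            digits = d[len("max-age="):].strip('"')
            if digits.isdigit():
                return int(digits)
    return 0


def assess_headers(headers):
    """Return plain-English findings for missing or weak protection headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browsers may still try plain http://")
    elif hsts_max_age(hsts) < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security max-age is short ({hsts_max_age(hsts)}s); use at least {HSTS_MIN_AGE}")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing: no limit on where scripts and content may load from")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': browsers may guess file types")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors: other sites can frame the page (clickjacking)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: full page URLs may leak to third-party sites")
    return findings


if __name__ == "__main__":
    before = assess_headers(parse_headers(SAMPLE_RESPONSE))
    print("Sample site:", "; ".join(before) or "no issues found")
    print("With baseline:", "; ".join(assess_headers(RECOMMENDED_HEADERS)) or "no issues found")
```

On the sample response the script reports four gaps (the framing protection is already present), and on the recommended baseline it reports none. To review a live site, fetch the homepage over HTTPS, pass the response headers to assess_headers, and repeat after the provider makes the change.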
Finding 4 - Payments
Payment-change requests rely too much on email
Vendor payment changes and unusual refund requests are accepted by email unless an individual staff member happens to decide to verify them; there is no fixed rule that requires it.
- Why this matters
- Invoice fraud usually works because the request looks routine and urgent. A fake vendor or compromised email account can redirect money before anyone realizes something changed.
- Recommended fix
- Require a phone call to a known number from existing records (never a number given in the email that requests the change) before changing vendor bank details, refund destinations, financing instructions, or deposit procedures.
Finding 5 - Operations
Backups exist, but recovery has not been tested recently
The business believes important files are backed up, but there is no recent proof that the right records can be restored quickly.
- Why this matters
- Backups matter most after a device failure, ransomware event, accidental deletion, or vendor outage. Untested backups can create a false sense of safety.
- Recommended fix
- Perform a small restore test for appointment exports, key documents, website content, and shared business files, restoring from the backup copy rather than the live system. Record what was restored, how long it took, and anything that was missing.
Example Priority Action Plan
This sample action plan is generic. Paid snapshots include a customized action plan based on the business website, domain, email setup, and intake answers.
First 7 days
- Turn on multi-factor authentication for email, booking, payment, website, and social accounts.
- Ask the email provider to review SPF, DKIM, and DMARC for the business domain.
First 14 days
- Have the website provider add basic browser protection headers and retest key forms.
- Move shared passwords into a password manager and remove old staff or vendor access.
First 30 days
- Run a small backup restore test and keep the result with the office procedure notes.
- Give staff a short briefing on fake invoices, gift-card scams, payment changes, and suspicious login prompts.
Optional next step
Security Hardening Sprint starting at $950
For owners who want help making the first fixes, the sprint can coordinate with your email provider, website provider, and office team to close the highest-priority gaps from this snapshot.
The $199 snapshot comes first. The sprint is optional implementation help after the report.
Sample report limits
This page is an example only, not a full customized review. A paid Cyber Risk Snapshot is based on the specific business website, domain, email setup, and intake answers. It is not a penetration test, compliance audit, guarantee of security, exploit attempt, or aggressive scan.