Someone said to me recently, "but dental practices aren't really targets, are they?" The image at the top of this article is my answer. It is our live endpoint protection feed, covering the practices we look after, from just the last few days. Names anonymised, everything else real: trojans, malicious scripts and phishing payloads, caught and quarantined at ordinary UK dental practices.
Here is the bit worth letting sink in. It is now unusual for a single day to pass without at least one of our sites logging at least one virus or malware detection. Every day. Yes, we look after thousands of endpoints, but not tens of thousands. This is not a big-corporate problem arriving occasionally. It is a constant, background drumbeat, and that feed shows over 250 events in the last 30 days alone.
Nobody is picking on dentists, and that is the point
The uncomfortable truth is that almost none of this is someone deciding to attack your practice specifically. Modern attacks are automated and indiscriminate. Scripts scan the whole internet for open doors, phishing emails go out in the millions, and malware rides in on dodgy attachments and compromised websites without caring whose machine it lands on.
That is exactly why "we're just a dental practice" is no defence. The attacks do not check who you are first. Every business is a target, because every business is in the same firing line. The difference between a non-event and a very bad month is purely what is standing in the way when one of those attempts lands on a machine in your practice, holding, as it happens, some of the most sensitive personal data there is.
What you see in our feed is the system working: each of those entries is a threat that was caught and quarantined before it could do anything. The practices involved mostly never knew anything had happened. That is what good looks like.
The layers that make it a non-event
There is no single magic product here, and anyone who promises you one is selling something. What works is layers, each catching what the previous one misses.
The minimum: proper commercial antivirus on every machine
The baseline is our managed, commercial cloud antivirus (ESC) on every single machine in the practice. Not a free consumer product, not "it came with the laptop", and not most-machines-but-not-the-old-one-in-the-back. Every endpoint, centrally managed, so it is always on, always updated, and we can see the alerts, which is exactly how that feed above exists.
Better: EDR and MDR
Antivirus recognises and blocks known bad software. EDR (endpoint detection and response) goes further: it watches how machines actually behave, so it can spot the suspicious activity of an attack in progress, things like a normal-looking process suddenly encrypting files or trying to spread, and shut it down. MDR (managed detection and response) adds human specialists watching those signals around the clock, investigating and responding, not just software raising a flag. For the cost involved, the step up in protection is substantial, and it is what we recommend for any practice that takes this seriously.
Further still: stop it at the door
The best place to deal with an attack is before it reaches a machine at all. Two things do most of that work: a properly managed firewall at the edge of your network, kept patched and configured by people who know what they are looking at, and Microsoft 365 Defender on your Microsoft tenant, filtering the phishing and malicious attachments out of your email and protecting the accounts themselves. Since email is how most of this arrives, defending the tenant is defending the front door. It pairs naturally with the basics we have written about before, like multi-factor authentication and closing the security holes that cost nothing to fix.
Twenty years, and a record we are proud of
Here is the claim I can actually stand behind, and notice it is not "nothing bad can ever happen", because nobody honest can promise that.
In 20 years of business, not a single site that has taken our advice has had ransomware or a serious infection that broke their network or caused them financial, reputational or other real damage.
Some sites have been badly hit in that time. Without exception, they were the ones that did not take the advice: the ones running on the free antivirus, the unmanaged firewall, the "we'll sort it later", and the belief that it would not happen to them. It does happen. The feed above shows the attempts arriving daily. The only question is what they hit when they arrive.
What to do with this
If you are one of our practices on the full stack, you can read that feed the way we do: as reassurance. It is the sound of things bouncing off.
If you are not sure what is on your machines right now, whether every endpoint is covered, what your firewall is doing, or whether your Microsoft tenant has Defender properly configured, those are exactly the questions worth an hour of someone's time. We wrote a plain-English overview in our guide to cybersecurity for smaller businesses, and locking down admin rights with privileged access management belongs in the same conversation.
Or just get in touch and we will review where you stand, layer by layer, in plain English. No scare tactics needed. The feed speaks for itself.