Tag Archive for: Cyber Security

A Wildly UN-BORING Cybersecurity Awareness Month: How to Make Security Training People Actually Want to Attend

When most employees see Cybersecurity Training pop up on their calendars, their first instinct is to feign a mysterious illness. It’s no wonder: Cybersecurity Awareness Month (CSAM) has earned a reputation for being the corporate equivalent of watching paint dry. But in a world where cybercriminals are evolving into full-fledged criminal enterprises—complete with HR departments and holiday parties—it’s time we gave security training the glow-up it desperately needs.

Here’s how to make this October’s CSAM wildly un-boring—and, more importantly, wildly effective.

1. Make the Fundamentals Feel Like Insider Intel

You lose your audience the moment you start with “password hygiene.” Instead, open with urgency: “Here’s how hackers used A.I. to steal $1.7 billion in crypto and hijack patient health records.” That’s when eyes open and pens come out.

While the fundamentals are still the most critical defense (hello, multi-factor authentication), don’t present them as basics. Frame them as the “stuff hackers don’t want you to know”—because that’s exactly what they are. Dress up the content in compelling narratives and real-world stakes.

Even better? Gamify it. Turn MFA adoption into a “Least Hackable Department” contest. Security becomes a game. Engagement goes through the roof.

2. Make AI the Villain—With a Plot Twist

If you want to grip your audience, give them a good villain. In 2025, that villain is AI. Show how it’s being used to craft eerily convincing phishing emails, generate ransomware code, and create deepfakes that could fool a world leader.

But don’t just lecture—show it. Host an internal “phishing competition” where teams use AI to create their own deceptive emails (with ethical guardrails). This type of hands-on learning sparks lasting behavior change.

Then flip the script. Reveal how AI can also be a defender—spotting malicious links, identifying deepfakes, and analyzing unusual activity. That’s your plot twist: AI is both the villain and the superhero.

3. Turn Humans Into Heroes, Not Punchlines

Yes, most breaches begin with human error—but beating people over the head with that doesn’t help. Instead, reframe employees as your “human firewall.” Share stories of real workers who spotted scams and thwarted attacks by trusting their gut.

Create a “Security Champion of the Month” program. Recognize vigilance with visibility and rewards. People want to be heroes, not the next cautionary tale in a team meeting.

You can even run security-themed escape rooms, scavenger hunts, or “spot the phish” challenges. When people are engaged, they’re more likely to remember—and apply—what they’ve learned.

4. Say Goodbye to Digital NyQuil

The fastest way to destroy security culture? Slap together a generic slideshow and a monotone narrator. Instead, embrace “edutainment.” Bring in a social engineering expert. Run live hacking demos. Host casual AMAs with your security team.

And above all, make it personal. Show how these principles protect not just the company, but employees’ private photos, banking info, and digital identities. When people see the personal value, professional compliance follows naturally.

Serve content in bite-sized portions—a weekly 5-minute tip beats a two-hour snooze-fest every time.

Final Thought: Don’t Be Boring

Cybercriminals are dynamic, creative, and relentless. If your defense strategy is static, dull, and forgettable… they’ve already won.

Cybersecurity Awareness Month is your moment to flip the script—transforming training from something employees dread into something they remember, apply, and maybe even enjoy.

Because when it comes to cybersecurity, boring is the biggest risk of all.

John Sileo is a high-energy cybersecurity keynote speaker and award-winning author who turns boring security training into unforgettable, action-inspiring experiences. If you’re ready to make security awareness stick—and actually get people to care—reach out and start the conversation: sileo.com/contact-us 

When Encryption Isn’t Enough: How Human Error Undermines Even the Best Security Tools

In the realm of cybersecurity, we often focus intensely on technical solutions—better encryption, stronger firewalls, and more sophisticated intrusion detection. Yet, time and again, the most significant security breaches don’t come from technical failures but from something far more difficult to patch: human behavior.

The Signal Incident: A Case Study in Human Error

The Trump administration recently provided a perfect example. Top officials, including Vice President JD Vance and Defense Secretary Pete Hegseth, used Signal—an encrypted messaging app widely considered highly secure—to discuss detailed plans for airstrikes against Yemen’s Houthi militants. Then, they accidentally added a journalist from The Atlantic to the chat.

These weren’t junior staff discussing lunch plans. These were high-ranking officials planning military operations using an app on their personal devices—compromising that information through a simple mistake. President Trump later acknowledged the issue, stating, “Generally speaking, I think we probably won’t be using it very much.” An understatement, to say the least.

Encryption ≠ Security

Signal was doing exactly what it was designed to do—providing end-to-end encryption that ensures messages are scrambled on one device and can only be unscrambled by the recipient. However, as this incident highlights, encryption alone does not equal security.

National security experts pointed out that discussing classified information on consumer apps is a major security breach, regardless of how secure the app is. Conversations about military operations should take place in Sensitive Compartmented Information Facilities (SCIFs), where cell phones are banned. The government’s secure communication tools have strict access controls, preventing unauthorized users from being added to conversations.

The Convenience vs. Security Tradeoff

Why would top officials bypass these secure systems in favor of a consumer app? The answer lies in a challenge familiar to every security professional: secure solutions are often less convenient. Government-approved communication tools are likely clunkier and more restrictive than sleek consumer apps like Signal. However, that inconvenience is often the price of true security.

Shadow IT: A Persistent Risk

The Signal incident highlights a broader problem in organizations: shadow IT. Employees often turn to unauthorized tools because official solutions feel cumbersome. This creates significant security vulnerabilities, regardless of how secure these shadow tools claim to be.

Building a Culture of Security

Technical solutions alone won’t fix human error. Organizations must:

  1. Make security personal—showing employees how breaches affect them directly.
  2. Design for human behavior—implementing user-friendly security measures.
  3. Train on real scenarios—using case studies and hands-on exercises.
  4. Make security visible—rewarding security-conscious behavior.
  5. Lead by example—ensuring executives follow security protocols.

At the end of the day, even the best encryption can’t protect against human mistakes. True security requires a cultural shift—one where individuals take personal responsibility for safeguarding sensitive information.

With two decades of experience helping organizations build security-focused cultures, John Sileo is passionate about empowering people to take ownership of data security, both personally and professionally. His approach bridges the gap between technical controls and human behavior to create security systems that actually work in the real world. Call 303.777.3222 or contact us to inquire about booking John for your next meeting or event.

Dear Daughter, Here’s Why I Can Crack Your Passcode (And How to Avoid Her Mistake)

There are two things I’ve learned from live-hacking an audience member’s smartphone during my keynotes:

1️⃣ Most of our passwords are terrible.
2️⃣ One simple change can make hacking your phone as hard as scoring Taylor Swift tickets.

The Sleepover That Changed Everything

I didn’t set out to become that dad—you know, the one who freaks out teenagers by hacking their phones at sleepovers. But one night, when my daughter and her friends were busy scrolling and texting, I pulled out a little party trick that I spent hundreds of hours developing: cracking one of their smartphone passcodes.

Cue the gasps. The wide eyes. The sudden clutching of phones like they were life support.

Why? Because I showed them in real-time that once I was in, I could do everything—bank as them, text as them, be them. And that hit different.

The same thing happens during my keynote when I “hack” an audience member’s smartphone. It’s one thing to hear about security threats; it’s another to feel how vulnerable you really are. But here’s the good news: fixing this is easier than you think.

Upgrade Your Passcode to a Passphrase

Instead of a weak four-digit PIN (which, let’s be honest, is probably your birth year backwards), switch to a passphrase—something longer, easy to remember, and way harder to crack.

Example:
🚫 1234 → 10,000 possible combinations (AI can crack this in seconds)
✅ ! L0v3 D@d → Over 60 quadrillion combinations (Good luck, hackers!)
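To make the two numbers above concrete, here is a small search-space calculator. It is an added example, not code from the original post: it assumes an attacker must search the union of the character classes that actually appear in the secret (digits, lowercase, uppercase, and printable-ASCII symbols including space, 95 characters in total), and the guess rate passed to `seconds_to_exhaust` is a hypothetical parameter, not a measured figure.

```python
import math
import string

# Character classes an exhaustive search must cover, based on which kinds of
# characters appear in the secret. Alphabet sizes assume printable ASCII
# (95 characters in total); this is an assumption of this example.
_CLASSES = (
    ("digits", frozenset(string.digits)),                 # 10
    ("lowercase", frozenset(string.ascii_lowercase)),     # 26
    ("uppercase", frozenset(string.ascii_uppercase)),     # 26
    ("symbols/space", frozenset(string.punctuation + " ")),  # 33
)


def alphabet_size(secret: str) -> int:
    """Size of the smallest class-based alphabet that covers every character."""
    size = 0
    for _name, chars in _CLASSES:
        if any(c in chars for c in secret):
            size += len(chars)
    if size == 0:
        raise ValueError("secret contains no printable ASCII characters")
    return size


def search_space(secret: str) -> int:
    """Candidates an exhaustive search must consider: alphabet ** length."""
    return alphabet_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """log2 of the search space, the usual way to compare secrets of
    different lengths and alphabets on one scale."""
    return math.log2(search_space(secret))


def seconds_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return search_space(secret) / guesses_per_second


if __name__ == "__main__":
    # Constructed inputs: the PIN and passphrase quoted in the post.
    for secret in ("1234", "! L0v3 D@d"):
        print(
            f"{secret!r:14} alphabet={alphabet_size(secret):3d} "
            f"length={len(secret):2d} space={search_space(secret):.3g} "
            f"bits={entropy_bits(secret):.1f}"
        )
```

The point the numbers make is that length multiplies the exponent while a bigger alphabet only changes the base: four digits give 10^4 candidates, while ten characters drawn from all four classes give 95^10, comfortably over the 60 quadrillion quoted above.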

How to Set It Up

🔹 iPhone Users: Here’s how to create a stronger passcode
🔹 Android Users: Check with your phone manufacturer for instructions

And don’t forget: Make sure someone you trust knows your passphrase in case of an emergency—store it securely in your password manager so you don’t forget it either!

Bonus: Lock Down Your Online Accounts

Your phone’s passphrase is just the start. For online accounts, ditch passwords entirely and switch to passkeys—they’re easier and more secure. Check out our video on passkeys here.

Because keeping your data safe shouldn’t be harder than getting into a Taylor Swift concert. 😉

Sleep tight, and stay secure! 🔐

DOGE’s Disastrous Cybersecurity Slashes: An Open Bar for Nation-State Hackers

The Department of Government Efficiency (DOGE) has made a catastrophic decision—one that isn’t just political but a direct threat to national security. Without conducting a single interview, DOGE and the new administration fired hundreds of cybersecurity experts from key agencies, including:

  • The Department of Homeland Security (DHS)
  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • The National Institute of Standards and Technology (NIST)
  • The National Science Foundation (NSF)

By gutting these critical roles, DOGE has rolled out the red carpet for cybercriminals, giving hackers from Russia, China, North Korea, Iran—and anyone with a laptop and bad intentions—free rein to attack America’s most sensitive systems.

DOGE is intoxicated with power it should not have, but it’s every American that is going to suffer the hangover.

A National Security Disaster

The agencies responsible for protecting Social Security benefits, tax returns, healthcare records, and even nuclear codes are now severely understaffed. This means:

  • Longer detection times – Breaches could go unnoticed for months or even years.
  • Weaker defenses – Cyberattacks will be harder to prevent and contain.
  • Increased financial and personal risk – Both individuals and businesses will be more vulnerable to cybercrime.

And this isn’t just hypothetical. China successfully hacked the U.S. Treasury Department, major telecom companies, and even former President Trump’s phone calls—for years—without being detected. That happened before these mass firings. Now? The situation is far worse.

Businesses Are in the Crosshairs Too

The private sector won’t be spared either. With fewer cybersecurity experts:

  • No coordinated threat-sharing – Attacks will spread unchecked between companies.
  • No elite response teams – Breaches will cause more damage and take longer to fix.
  • More ransomware attacks – Businesses will be forced to pay millions to cybercriminals.

Who exactly will stop the next Colonial Pipeline attack? The next UnitedHealth breach? The experts who saved those companies no longer work for the U.S. government.

What Can Be Done?

While DOGE continues its reckless power grab, Americans still have a voice. Here’s what can be done now:

If nothing is done, the next cyberattack won’t just be an inconvenience—it will be a full-scale crisis.

The warning signs are clear. The only question now is whether action will be taken before it’s too late.

If your organization needs help navigating the chaos, let’s talk.

The Largest Hack in American Telecom History: What You Need to Know

We’ve just witnessed the largest hack of American telecom companies in history. If you’re a customer of Verizon, AT&T, T-Mobile, or any other major provider, your personal data may have been exposed. Hackers can intercept your texts, record your phone calls, and potentially steal sensitive information. The FBI has even issued an emergency alert in response to this unprecedented breach.

The culprit? A group known as Salt Typhoon, backed by the Chinese Ministry of State Security. These hackers managed to infiltrate the backbone of America’s telecom infrastructure, making this the worst infrastructure intrusion ever. Alarmingly, this breach went undetected for years. American telecom companies were unaware of the lurking danger until Microsoft first uncovered the intrusion.

A Scary New Reality

Here’s where it gets even more concerning:

  • Salt Typhoon gained access to lawful wiretap systems used by the U.S. government.
  • They can see which phone numbers are being tapped and identify Chinese spies under surveillance.
  • They know which spies aren’t being watched, giving them a critical intelligence advantage.

For individuals, the implications are equally alarming:

  • Unencrypted texts and calls can be intercepted.
  • Plain-text messages, like those sent via SMS between iPhones and Android devices, are particularly vulnerable.
  • Hackers can intercept unencrypted two-factor authentication (2FA) codes, compromising account security.

The Organizational Impact

For organizations, the problem lies in the telecom infrastructure itself:

  • Many systems were built decades ago, long before cyberattacks became a widespread threat.
  • These outdated systems remain deeply embedded in modern telecom networks, making them prime targets for intrusion.
  • Once inside, hackers like Salt Typhoon can exploit master passwords to navigate systems undetected.

How to Protect Yourself

To safeguard your communications, consider these steps:

  • Switch to apps with end-to-end encryption, such as Signal, WhatsApp, and FaceTime.
  • Use Apple Messages for encrypted conversations if communicating between two Apple devices.
  • Avoid sharing sensitive information over unencrypted calls or texts.

Before sharing sensitive information over a call or text, think twice. Use encrypted communication tools to protect your privacy and secure your data in this new era of heightened cyber threats.

In today’s rapidly evolving threat landscape, staying ahead of cybercriminals is no longer optional—it’s essential. Equip your team with the skills and knowledge they need to defend against increasingly sophisticated attacks. Let’s collaborate on a dynamic presentation tailored to empower your organization with actionable strategies to outsmart even the most intelligent cybercriminals. Reach out today to strengthen your first line of defense!


Cybersecurity Alert: UnitedHealth’s Billion Dollar Data Breach

One in three Americans recently had their healthcare data hacked from UnitedHealth – TWICE. The stolen data likely includes medical and dental records, insurance details, Social Security numbers, email addresses and patient payment information.

UnitedHealth Group’s subsidiary, Change Healthcare (which processes an estimated 50% of all health insurance transactions in the U.S.), fell victim to a ransomware attack that thrust the U.S. healthcare system into chaos as pharmacies, doctors’ offices, hospitals and other medical facilities were forced to move some operations to pen and paper.

Behind the scenes, UnitedHealth Group chose to pay the BlackCat ransomware gang (aka ALPHV) an estimated $22 million in blackmail ransom to restore system functionality and minimize any further leakage of patient data.

Problem (expensively) solved, right? Not even close. After UnitedHealth paid the initial ransom, the company (or quite possibly BlackCat itself being hacked by hackers) reportedly experienced a second attack at the hands of RansomHub, which allegedly stole 4TB of related information, including financial data and healthcare data on active-duty U.S. military personnel.

To take the breach and ransom to an entirely new level, RansomHub is now blackmailing individual companies who have worked with Change Healthcare to keep their portion of the breached data from being exposed publicly. For many small providers, the ransom is far beyond what they can afford, threatening the viability of their business. Some of the larger individual providers being blackmailed are CVS Caremark, MetLife, Davis Vision, Health Net, and Teachers Health Trust.

As of today, even with millions of dollars collected by the hackers, not all systems are back up and running.

There are three critical business lessons to take from the UnitedHealth breach:

  1. Ransom payments do not equal the cost of breach. The ransom amount companies pay is a fraction of the total cost of breach. In UnitedHealth’s case, they paid a first ransom of $22 million, but only months into the breach have already reported more than $872 million in losses. Operational downtime, stock depreciation, reputational damage, systems disinfection, customer identity monitoring, class action lawsuits, and legal fees will move the needle well beyond $1 billion within the fiscal quarter. Risk instruments like cyber liability insurance can balance the losses, but prevention is far more cost-effective.
  2. There is no honor among thieves. Even when organizations pay the ransom demanded (and in the rare case that they get their data back fully intact), there is no guarantee that the cybercriminals won’t subsequently expose samples of the data to extort a second ransom. In this case of Double-Dip Ransomware (as I call it), a dispute among partnering ransomware gangs meant that multiple crime rings possessed the same patient data, leaving UnitedHealth open to multiple cases of extortion. Paying the ransom instead of having preventative recovery tools places a larger target on your back for future attacks. If you haven’t implemented AND tested a 3-2-1 data backup plan and a Ransomware Response Plan, do so immediately.
  3. The Human Hypothesis on the Source of Breach. There has been no disclosure to date on exactly how the hackers got into Change Healthcare’s systems, but my highly educated guess (from seeing so many similar breaches) is that an employee of, or third-party vendor to, UnitedHealth was socially engineered (scammed) into sharing access to one of their business IT systems. The company will generally report this human oversight and poor training as “compromised credentials,” which makes it look like a technological failure rather than a human decision. From there, the hackers “island hopped” laterally to increasingly critical servers on the network. It’s likely that the cybercriminals are still inside key systems, hiding behind sophisticated invisibility cloaks.

The solution here is to make sure that the heroes in your organization, the human employees who are your first and best line of defense, are properly trained on how to detect and repel the latest social engineering attacks. Over 90% of all successful attacks we see are due to a human decision that leads to malicious access.

All organizations and leadership teams must ensure your Security Awareness Training addresses all the changes that artificial intelligence brings to the cyberthreat sphere. To ignore the alarm bells set off by UnitedHealth Group’s disastrous breach is to risk your organization falling ill to a similar fate.

Anyone in your organization can be the unfortunate catalyst that triggers a disastrous data breach similar to UnitedHealth’s. My latest keynote, Savvy Cybersecurity in a World of Weaponized A.I., teaches the root cause of successful social engineering scams and necessary technological preparation for ransomware attacks. REACH OUT TO MY TEAM TODAY to discuss this vital topic at your next meeting or event.

If you are a patient of UnitedHealth, Change Healthcare, OptumRx or any of their subsidiaries, take the following steps immediately:

  1. Visit the Cyberattack Support Website that UnitedHealth Group established for affected customers.
  2. Make sure that you have a Credit Freeze on your Social Security Number.
  3. If you are an OptumRx customer, call them directly (1-800-356-3477) to make sure that your prescriptions haven’t been affected and that they will ship on time.
  4. Monitor all of your health and financial accounts closely for any changes or transactions. Create automatic account alerts to make this easier.


John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

A.I. Deepfake Posing as the CFO Scams $25 Million: How to Protect Your Organization from the Exploding Deepfake AI Cyber Scam

Deepfakes use Artificial Intelligence (A.I.) to create fake, hyper-realistic audio and video that is generally used to manipulate the viewer’s perception of reality. In most deepfakes, the legitimate person’s face or body has been digitally altered to appear to be someone else’s. Well-known deepfakes have been created using movie stars and even poorly produced videos of world leaders.

Removing the malicious part of the definition, deepfakes have been used in the film industry for quite some time to de-age actors (think Luke Skywalker in The Mandalorian) or resurrect deceased actors for roles or voiceovers (think Carrie Fisher in Rogue One – okay, can you tell I’m a Star Wars geek?). Cybercriminals have latched on to the technology, using AI-generated deepfakes in conjunction with business email compromise (also known as whaling and CEO fraud) to scam organizations out of massive amounts of money.

Just recently, a finance worker at an international firm was tricked into wrongly paying out $25 million to cybercriminals using deepfake technology to pose as the company’s Chief Financial Officer during a video conference. And it wasn’t just one deepfake! The fraudsters generated deepfakes of several other members of the staff, removing any red flags that it wasn’t a legitimate virtual meeting. As a subordinate, would you refuse a request from your boss that is made face-to-face (albeit virtually)? You might be savvy enough, but most employees aren’t willing to risk upsetting their boss.

The days of just sending suspicious emails to spam are over; that alone is no longer adequate. Our Spidey Sense (the B.S. Reflex I talk about in my keynotes) must be attuned to more than business email and phone compromise. We have entered the age of Business Communication Compromise, which encompasses email, video conferences, phone calls, FaceTime, texts, Slack, WhatsApp, Instagram, Snap and all other forms of communication. It takes a rewiring of the brain: DO NOT BELIEVE WHAT YOU SEE. AI is so effective and believable that workers may even feel like they are being silly or paranoid for questioning a video’s validity. But as the employee who lost their organization $25M can surely attest, it’s way less expensive to be safe than sorry.

The solution to not falling prey to deepfake scams is similar to the tools used to detect and deter any type of social engineering or human manipulation. Empowering your employees, executives and customers with a sophisticated but simple reflex is the most powerful way to avoid huge losses to fraud. When you build such a fraud reflex, people will be less likely to ignore their gut feeling when something is “off.” And that moment of pause, that willingness to verify before sharing information or sending money, is like gold. These are the skills that I emphasize and flesh out in my newly-crafted keynote speech, Savvy Cybersecurity in a World of Weaponized A.I.

Get in touch if you’d like to learn more about how I will customize a keynote for your organization to prepare your people for the whole new world of AI cybercrime. Contact Us or call 303.777.3221.

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 

Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of  small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.” 

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify: All data is not created equal. Bring together the key players in your business and identify the specific pieces of data that, if lost or stolen, would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate: Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work.

Assign: Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure: Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense.

Repeat: Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year.

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 


About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University. 


Just Wait for the Cavity: Dental Cyber Security

Dental Cyber Security is kind of like, well, being a dentist. You’re in your patient’s mouth. The red flags are clear as day: calculus buildup going back to pre-fluoride Woodstock days. Severe dentin erosion, onset of gingivitis, gums retreating like Arctic glaciers. But there is no actual decay yet. No cavities to drill or crowns to fill, no stains to cap or roots to tap. Absolutely. Nothing. Profitable!

So what do you tell the patient? That’s easy…

“Looks good! Come see me when that molar finally cracks.”

Of course that’s not what you say, but that is roughly how it sounds to me when a practice director tells me that they invest minimally in ongoing preventative cyber security because nothing truly bad has happened yet with their practice data. In other words, Just Wait for the Cybercrime Cavity and spend ten times as much recovering.

But I would never advise you to wait for the cyber decay, and you would never advise your patients to hold off on brushing, flossing and regular dental checkups. Nor should you wait to implement regular dental cyber security. We are both in the prevention business and we are building long-term relationships that have a great LTV. There are enough patients to keep us both in business with bad hygiene, so we can focus on doing our job well and stopping the problem before it takes root. That preventative mindset will save you approximately $380 per patient record, which is the average cost of breach recovery in the health industry (excluding reputation damage and customer attrition).

Here are what I consider to be the 5 Most Pressing Cybersecurity Vulnerabilities in Dentistry:

  1. Outdated operating systems (Windows XP/2000) and unpatched operating systems, software and apps
  2. Weak spam filtration and barely-existent employee training that leads to email-based phishing attacks
  3. Poor data backup and recovery planning that allows ransomware to lock and destroy patient and financial data
  4. Lack of solid encryption on data at rest (on servers), in transit (to patients, vendors) and in the cloud (practice management software) that allows easy access to hackers
  5. Credential hacking of cloud data due to lack of 2-factor authentication and password managers

When your practice begins to protect patient data in the same way that you ask patients to protect the health of their mouth, you have just discovered a critical competitive advantage for patient acquisition and retention. Your patients want to know that their data is safe in your hands. Here are some additional resources to help you take the next steps in protecting your practice data:

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings and in industry study clubs. He specializes in making security fun, so that it sticks. His clients include the Seattle Study Club, the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachael Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Local Government Cyber Security: Our Next Big Threat