
Just Wait for the Cavity: Dental Cyber Security

Dental Cyber Security is kind of like, well, being a dentist. You’re in your patient’s mouth. The red flags are clear as day: calculus buildup going back to pre-fluoride Woodstock days. Severe dentin erosion, onset of gingivitis, gums retreating like Arctic glaciers. But there is no actual decay yet. No cavities to drill or crowns to fill, no stains to cap or roots to tap. Absolutely. Nothing. Profitable!

So what do you tell the patient? That’s easy…

“Looks good! Come see me when that molar finally cracks.”

Of course that’s not what you say, but that is roughly how it sounds to me when a practice director tells me that they invest minimally in ongoing preventative cyber security because nothing truly bad has happened yet with their practice data. In other words, Just Wait for the Cybercrime Cavity and spend ten times as much recovering.

But I would never advise you to wait for the cyber decay, and you would never advise your patients to hold off on brushing, flossing and regular dental checkups. Nor should you wait to implement regular dental cyber security. We are both in the prevention business and we are building long-term relationships that have a great LTV. There are enough patients to keep us both in business with bad hygiene, so we can focus on doing our job well and stopping the problem before it takes root. That preventative mindset will save you approximately $380 per patient record, which is the average cost of breach recovery in the health industry (excluding reputation damage and customer attrition).

Here are what I consider to be the 5 Most Pressing Cybersecurity Vulnerabilities in Dentistry:

  1. Outdated operating systems (Windows XP/2000) and unpatched operating systems, software and apps
  2. Weak spam filtration and barely-existent employee training that leads to email-based phishing attacks
  3. Poor data backup and recovery planning that allows ransomware to lock and destroy patient and financial data
  4. Lack of solid encryption on data at rest (on servers), in transit (to patients, vendors) and in the cloud (practice management software) that allows easy access to hackers
  5. Credential hacking of cloud data due to lack of 2-factor authentication and password managers

When your practice begins to protect patient data in the same way that you ask patients to protect the health of their mouth, you have just discovered a critical competitive advantage for patient acquisition and retention. Your patients want to know that their data is safe in your hands. Here are some additional resources to help you take the next steps in protecting your practice data:



John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings and in industry study clubs. He specializes in making security fun, so that it sticks. His clients include the Seattle Study Club, the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. They have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement. If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.

Congress Fails to Limit NSA Surveillance Using Patriot Act Loophole

NSA Surveillance includes the collection of your phone and email records for the sake of detecting and disrupting terrorism. The practice has proven effective, but the scope of the data collected (every phone call and email available, even if you are innocent) has raised eyebrows.

Congress, in a rare show of bipartisan agreement, may be leaning toward limiting the amount of data the NSA can collect.

Rep. Justin Amash, R-Mich., backed by Rep. John Conyers, D-Mich., put forth an amendment that would restrict the NSA’s ability to collect data under the Patriot Act on people not connected to an ongoing investigation. The action was initiated after Edward Snowden, a government contract worker, leaked highly classified data to the media, revealing that the NSA has secretly collected phone and email records on millions of Americans without their knowledge or consent.

The bipartisan support was counterbalanced by a bipartisan effort to defeat it, with both House Speaker John Boehner and House Democratic Leader Nancy Pelosi opposing it. In the end, the amendment to a defense spending bill was narrowly defeated by a vote of 217-205.

Still, the close vote may be indicative of a changing viewpoint in Washington: that NSA Surveillance should have oversight. As Rep. Jim Himes, D-Conn., an Intelligence Committee member stated, “I think as more and more people come to understand the breadth of the authorizations that the NSA and other intelligence agencies have, they start to get a little worried about the encroachment on their privacy, and that’s absolutely fair.”

Himes stressed that the NSA is not out of bounds with their actions. “They are acting pursuant to very clear authority under Section 215 of the Patriot Act,” Himes said. (Section 215 provides authority for the surveillance programs.) But, he said, “that law is too broadly worded and being interpreted a little broadly.”

When the Patriot Act was introduced, there was an implicit understanding that the bill would come with a sunset period. In other words, the Act would be rolled back as the threat diminished. That rollback has never really taken place, and the NSA continues to exploit our short term memories by utilizing 215 to gather more information than the average American, heck, the average Congressperson, would be comfortable with. Once power is given, it’s exceptionally difficult to take it back. But Congress may be moving in the right direction.

Will Adams, Amash’s press secretary, pointed out, “It was the first time that either house of Congress has gone on the record concerning NSA’s blanket surveillance since the NSA leaks started coming out.” He continued, “We got 205 votes despite the fact that we were up against the entire establishment in Washington…The civil liberties of Americans is not a partisan issue.”

Bill sponsor Conyers said in a statement to reporters, “This discussion is going to be examined continually … as long as we have this many members in the House of Representatives that are saying it’s ok to collect all the records you want just as long as you make sure you don’t let it go anywhere else. That is the beginning of the wrong direction in a democratic society.”

Despite the defeat, the debate has led to talk of cutting funding and denying the NSA the authority to continue its data collection. Talk in Washington, however, seems to be fairly cheap. Rep. James Sensenbrenner, R-Wis., cautioned the administration that if it “continues to turn a deaf ear to the American public’s outcry, Section 215 will not have the necessary support to be reauthorized in 2015.” He further stated, “The proper balance between privacy and security has been lost.”

I’m not suggesting that the entire NSA program be scrapped, I’m simply asking for more transparency as to what is being gathered, and a certain assurance that private data is only being collected and retained on suspects actually under suspicion, not on every American citizen.

John Sileo is a cyber security keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.

2 Truths & a Lie: Venture Capital Frenzy Misses Cyber Security Mark

USA Today recently opined that the venture capital flooding into the cyber security marketplace is justified. Unlike the dotcom boom and bust cycle of the late 90s, it says, the current spending on securing information capital is justified, as the Internet and corporate networks are in dire need of better protection. Without even a moment’s hiccough, this is undeniably true.

Take some recent cases in point: China hacking into the New York Times and Wall Street Journal, or the Syrian Electronic Army cracking into the Associated Press and 60 Minutes. If you’re looking for corporate examples, look no further than the $45 million stolen by cyber thieves via MasterCard pre-paid debit cards. Cyber security is the new darling of the Obama administration, the media and Sand Hill Road because all three are finally learning how much they have to lose (or in the case of VCs, gain) by ignoring cyber security.

To the venture capitalists’ credit, many of the newly minted information security startups in Silicon Valley, the DC Beltway and elsewhere will in fact make huge profits. After all, nothing sells like fear. The mission of a venture capitalist is almost solely to make money. Acknowledged and forgiven. But making money doesn’t solve cyber crime. So what does? That’s where we encounter the lie. So far we have two truths: 1. spending on cybersecurity is justified and 2. VCs aim to make money. Now for the lie.

The Lie: Technology is the Rosetta-Stone-Solution that solves cyber security threats.

If you look at the recent funding frenzy described in the USA Today article, a majority of the VC investments target hardware and software companies that solve one (or maybe several) aspects of our new cyber reality. Some make firewalls, others protect the cloud. This one targets malware and that one WiFi encryption. These are all important pieces of the virtual puzzle. And yet, none of the startups I have seen incorporate solutions for the common denominator of nearly all cyber security breaches: we humans.

Behind every great firewall is an employee who brings their own unauthorized device into the company network (ever emailed a business file using your personal account?). At the heart of many a great hack are usernames and passwords that are identical for a user’s Facebook account, bank account and workplace login. Steal the Facebook login and voila, you are into the corporate network as a privileged user.

Security does not exist in a technological vacuum. It lives in the gaps between innovative tools like firewalls and the humans that configure, update and utilize them. If you don’t properly train the humans on cyber security, identity protection, fraud prevention, social engineering and the like, the technology becomes useless.

And the company that finds a solution to the human problem and incorporates it into the technology won’t just make a load of profits, they will make a world of difference.

John Sileo is the CEO of The Sileo Group and an advisor on the human element of cyber security, social engineering and fraud prevention. His body of work includes engagements with the Department of Defense, Visa, Homeland Security and hundreds of businesses of all sizes. View John’s client testimony, interactive keynotes & national media coverage.