Ranked the #1 DSO Podcast!
Welcome to The Group Dentistry Now Show: The Voice of the DSO Industry!
In this episode, returning guest Gary Salman, CEO of Black Talon Security, and special guest Evelyn Lahiji, COO of Children’s Dental FunZone, discuss the current state of cybersecurity.
Join us as we learn more about Evelyn and Children’s Dental FunZone and their partnership with Black Talon.
The duo discuss:
- The difference between IT and cybersecurity
- The importance of training & education
- Current real-world examples of cyber incidents
- Introduction to the EAGLEi dashboard for cybersecurity management
To learn more about Children’s Dental FunZone you can visit https://www.childrensdentalfunzone.com/
You can contact Evelyn Lahiji at evelyn@cdfzone.com
If you would like to learn more about Black Talon Security and how you can protect your dental group practice or DSO you can visit https://www.blacktalonsecurity.com/ or schedule a consult at https://www.blacktalonsecurity.com/demo-black-talon-security
Children’s Dental FunZone & Black Talon Cybersecurity DSO podcast transcript:
Bill Neumann: Welcome, everyone, to the Group Dentistry Now show. I’m Bill Neumann. And as always, we appreciate you listening in, or hopefully you’re watching. You can watch this. We have a YouTube channel. You’ll see the video on our Group Dentistry Now website as well. So you can listen if you want, but you’re going to miss these beautiful faces here. We actually have a returning guest, dare I say, a regular to the podcast, Gary Salman, who is the CEO of Black Talon Security. Gary, welcome back.
Gary Salman: Hey, always an honor. Thank you.
Bill Neumann: Yeah, it’s good to have you back. And we’re trying to figure this out. This is the first time this year. But I bet you this is fourth or fifth time, I’m guessing. Does that sound about right?
Gary Salman: Yeah, I would say at least that for sure.
Bill Neumann: Always something new when it comes to cybersecurity. And we’re going to talk about all sorts of new things today. And we have someone that if you’re part of Women in DSO, maybe you’ve seen Evelyn speak before. I think she was up on stage at one of the Women in DSO events, and certainly part of that. And Henry Schein I, I believe, too, you I spoke at one of their events, but we have Evelyn Lahiji. She is the COO of Children’s Dental FunZone. They are a pediatric and orthodontic group on the West Coast in California. Thanks for being here, Evelyn.
Evelyn Lahiji: Thank you so much for having me.
Bill Neumann: So why don’t we start with you, Evelyn, a little bit about your background. You’ve been in the industry a while, and actually you have a long history at Children’s Dental FunZone. You’ve been there since 2005.
Evelyn Lahiji: Correct. So I’ve been in dentistry for over 30 years. And my experience comes from the back office, coming to the front office, managing dental offices, doing years of consulting, billing. And now I’ve been with Children’s Dental FunZone for about 17 years, and we have 17 locations. We’re going to be in 20 locations by end of the year. As you mentioned, we are pediatric and orthodontic dental offices. And one of the big things that we’re proud of is that we are so big that we basically see over 30,000 patients a month. We’re one of the biggest pediatric dental offices in Southern California. We’re proud to say that we use the top of the line equipment throughout the offices, and we love taking care of our patients. And one of our slogans is, we treat your kids as our own.
Bill Neumann: Very nice. That’s great. And you’re using a top-of-the-line cybersecurity company with Black Talon. So, Gary, again, for maybe the people that have missed the podcast that you’ve been on before, a little bit about your background and a little bit on Black Talon Security.
Gary Salman: Yeah, thanks, Bill. And, Evelyn, thank you for being here with me today. I appreciate that. Yeah, I’ve been in the dental technology space since 1992, a long time. Each year is just like, wow, I can’t believe I’m still here. But yeah, I started my career building practice management software for the oral and maxillofacial surgery space back in the early 90s. Then in the late 90s, I kind of had this vision of, why am I selling servers and workstations? And there’s this thing called the internet. Can we put our software up in the cloud and just have practices access it that way? And by 2002, I had thousands of users running our practice management software over the internet. or the word cloud even existed. No one was calling it cloud back then. That was really my first entry into the security world because ransomware didn’t exist back then, but there were definitely network intrusions and servers were being used to attack other servers. So we quickly realized, hey, we have millions of patient records in our database. And if this network gets breached and our servers get taken down or our data gets stolen, like this is going to be a catastrophic event. So in 02, I started investing heavily in cybersecurity solutions. Obviously, they’re nothing like we have today, with the understanding if we don’t protect this data and our clients get hit, it will absolutely be a train wreck for all parties involved. I also have over 20 years of law enforcement experience, working part-time there. So in my world, I do a couple of really cool things. I help protect practices of all types and sizes. We have about 2000 dental offices across the US, everything from a mom and pop practice with six computers up to some of the largest DSOs and everything in between. But I also unfortunately get involved with incident response. So we have law firms, insurance carriers, victims themselves hire us and say, hey, we got hit with ransomware. We’ve been down. 
We need you to help us recover and negotiate with the hackers to get all of our data back and make sure it doesn’t get published on the dark web. So I definitely see both sides of the cyber world, the good stuff, the preventative, and then unfortunately, the negative aspect of it, which is watching practices, for instance, get taken down by these hackers and their entire operation come to a halt, you know, sometimes for weeks or longer. But I love what I do. I mean, every day I wake up, I love helping people and taking care of people and making sure that their practice continue. And then God forbid they are a victim. I like telling them, hey, there’s light at the end of this tunnel. We’ll get you there. Like, we’ll get you back on your feet and your practice back.
Bill Neumann: And Gary and his team at Black Talon Security have done several of these tabletop exercises where they simulate some type of breach or hack or ransomware attack and kind of take you through as a participant, like kind of going through this scenario. And it’s pretty scary. And it’s amazing how people that are in the audience that have practices, definitely not on the same page when it comes to strategy. So I think it’s a great, if you get the opportunity to be part of one of these tabletop exercises, it really gives you a lot of perspective into what can go wrong? And then, do you really know what to do? And just seeing the reactions from others, including myself, it’s really kind of hard to figure it out if you don’t have a plan or you don’t have somebody like Black Talon or a cybersecurity partner to really help you along. I guess we’ll start off with this question here because it’s kind of really leading from what I was just sharing. A lot of companies have IT departments or they have people that handle their IT. What’s the difference? Like why can’t my IT company just handle the cybersecurity for me? Is there a reason we should be segregating cybersecurity and IT? And maybe I’ll start with you, Evelyn. What led you to partner with Black Talon?
Evelyn Lahiji: So great question, Bill. I appreciate that. I’m glad you’re asking this question because I, for being such a huge company with having 17 locations, opening another three, I have a big group that comes in and opens our dental offices and do all the wiring. And that’s our main IT company. And then I have one person that works full time to go from office to office, making sure all the servers, all the computers, everything in every office is functioning and there’s no problems. But either of the two groups have no idea or don’t have as much experience of Black Talon. With Black Talon, when I was looking for someone to help me, I searched every company that is out there and I compare them to Black Talon to see what is it that they offer. The beauty part of it is that they are always in touch with us, letting us know if there is any differences or anything happening in our company. If there’s any breaches, if we get an email, we make sure we reach out to them and ask them if we should be opening it or not. The beauty part of it was three years ago when I launched with Black Talon is every person in our company got training online and also every person, and we’ve got over 560 staff members, that gets hired with our company has to get the training with Black Talon online. And that right there is a security that I know they got trained to know what to do in order not to click on the right wrong button for us to be one of the people that are getting hacked. And it is coming so close to home. I think there is out of the hundreds of dental offices that I work with and I know my friends that are dentists five people very close to me have gotten hacked and their information was taken out of their server or they had no security thinking that having a simple protection on their computer can protect them from all the people that are trying to hack their software and take information and just the lawsuits that come after it. 
Multiple issues and loss of production that they have to go through to contact every one of the people in their software, letting them know that their information is out there now and they need to take it to the next level to protect themselves further. So it is definitely something that makes a difference for me to know that I am protecting not only the company, also the thousands of patients that are in my software. And I could sleep better at night. This is another way of having a very solid shield to protect ourselves so we don’t get hacked.
Bill Neumann: Some great points. And you know, you brought up something about, you know, you’ve got something on your computer and that should be enough. So there’s the, we talked about the difference between IT and cybersecurity, but then there’s also the assumption that, you know, off the shelf or something that’s included on your computer is going to be enough to protect you from some cybersecurity issue. Gary, what do you see with the DSOs and the groups that you work with? Are more partnering with cybersecurity companies? There’s still a lot that are just saying, hey, we’ve got an IT person that comes in and that’s enough or whatever came on the computer is enough.
Gary Salman: Yeah, I think for most of the DSOs that we are bringing on board, typically they have something very similar to what Evelyn has, a hybrid environment where they may have one or two individuals within the DSO that is helping with IT. And then a lot of the kind of like boots on the ground is being handled by IT companies or also known as managed service providers. And what we typically see is we’ll start chatting with an executive from the DSO and they’ll say something like, oh no, my IT company or my managed service provider is doing our cybersecurity. And then I’ll start asking some probing questions. And then typically what happens next is the, say the CEO or the COO is, you know, starting to second guess what he or she thinks they know. And then they’ll make a statement like, Well, I actually don’t really know what we’re doing for security. My IT company does all that. And that’s when typically we start seeing the wheels falling off per se. Because once we start asking more detailed questions like, okay, how are you actually identifying where you have risk on your network. Do you know if your firewalls are properly secure? Well, the answer is, well, I’m sure they are. Like that’s what I hire someone to do. And then I’ll say, well, do you have data to back that up? How often are they being tested to ensure that they are secure? Are your computers being patched? Oh no, we pay for that for all of our computers, our IT company patches. Well, how do you know they’re being patched? And then I’ll say, where is the data that’s showing you when the security vulnerability was detected and when it was patched? And then typically the executive team member will say, you know what? I don’t know the answers to any of these questions. And that’s when they’ll admit they’re like, all right, I’ve got a problem here. I realize that I’m probably paying for something and I don’t know whether or not I’m getting it. 
And one of the things that I’ve seen over and over again in all of these incident response cases, and keep in mind, I’ve done incident response cases with some very large healthcare institutions as well as small ones. There’s a couple of common denominators, Bill. One is that the executive team had no visibility into their risk. They just assumed that someone was taking care of it, either internal and or external. The second issue I typically see is that there are significant defects or vulnerabilities in their environment. So unpatched software like the Windows operating system, Google Chrome, Adobe Acrobat, firewalls are misconfigured, and no one at the executive level has any visibility into it. And then what happens is things go boom at night, you know, Saturday morning at 2 a.m. and Monday morning, everyone walks in and they find, you know, 500 computers fully encrypted with ransomware. And all of a sudden, you know, the famous Spider-Man meme comes into play, which is everyone’s pointing fingers at everyone else, right? And blaming everyone, and it turns into a train wreck. For the executive team, for the private equity company, for the board, for the IT resources, and everyone’s saying, well, I didn’t know and I thought you were doing this. And I think what we can really help do is bring this true third party perspective into this and say, hey, we’re not your IT resources. We have no skin in the game here from an IT perspective, but we are experts at what we do. We use enterprise tools that Fortune 100 companies are using, and we’re going to identify where you have risk, so that an individual like Evelyn who’s in the COO role or CEO role can say, OK, thanks for identifying this risk. Now I can act on it. Or you may say, listen, I’m OK with accepting this risk. You know, thanks for that information. But this is an ongoing engagement. Literally, we are testing the firewalls in the environment. 
We’re testing the computers every four hours every day to make sure there’s not a misconfiguration. And the reality is a lot of people that I talk to say, well, we do a lot of cyber training, so we’re not going to get hit because everyone can identify a phishing email. The reality is about 60% of attacks do come from humans, right? Humans making a mistake, Stacy at the front desk, a CFO falling for an invoice or a wire fraud scam, things like that. And then 40% come from exploitation of vulnerabilities in the environment. And hackers are preying on that. And the other thing we know for a fact is that hackers are extremely agile and adapt their tactics quickly. So if all of a sudden, you know what, phishing and spear phishing isn’t working as well as it used to because people are coming, becoming smarter and more aware. All right, we’re going to shift our tactics now and we’re going to go after, you know, the vulnerabilities and maybe we’re going to use AI to make phone calls to the practices and things like that. So the hackers are very adaptable. And I think working with a security company that does this literally 24 seven, and you know, it’s not a secondary thought. There’s a tremendous advantage that we provide to our DSO clients. I mean, you know, a lot of the private equity companies and boards are now demanding that the DSOs up their security game. And a lot of law firms are now suggesting that there’s a division of labor, right? You should have an IT company do IT and you should have cyber do cyber. So you’re getting a true third party or kind of a true audit of your security versus your IT resources telling the CEO, you’re good. We got you totally covered. You know, I can’t tell you how many times we’ve seen ransomware attacks where, you know, just weeks before an IT company told the executive team that everything’s good.
Bill Neumann: Probably. I don’t want to wait till the end because I think this is important. I also don’t want this to be just to scare everybody. That’s not the idea of this podcast. It’s to inform. However, let’s take someone similar to a group, similar to the size of Evelyn’s group, 20 some odd locations. Do you have an idea of what an average loss would be, Gary, for someone like that if there was a, and I know it’s a combination of things, right? It’s downtime, which is one of the things, right? You may have to shut down the practice or all of the locations for certain. There’s a lot of things to go into that. But do you have any ideas on average loss of a hack or some type of phishing that goes on? Here’s me in the millions.
Gary Salman: Absolutely in the millions. I mean, if you’re 20 locations and the hackers get your data, I would expect the ransom demand to be in excess of $2 million alone.
Bill Neumann: And that doesn’t include the downtime potentially, right?
Gary Salman: No. Operational loss, reputational loss, you know, patients moving to other providers because they need the treatment. So look, if you’re depends on the type of practice you have also, you know, if you’re more, say, of a surgical group and a patient needs, you know, a complex extraction, you know, or they’re in tremendous pain or they have trauma, they’re just going to go to the next group. Maybe if you’re, you know, a GP practice and your patients are really committed to you, they may be OK with being rescheduled a couple of weeks down the road. But at some point, people really get frustrated when their data gets taken and is compromised, and there’s a chance that they’re a victim of a fraud, you know, identity theft against them. So yeah, look, I think when you add it all up, it becomes extremely expensive. I’m sure Evelyn can imagine, like, hey, if your group went down without having to tell us numbers, but if your group went down for three weeks because every machine is hit with ransomware, I can’t, you know, I can’t imagine because I’ve done it, but, you know, I, I can imagine the number of your CDF again.
Evelyn Lahiji: It’s going to, you know, we have a goal to hit every single month. And if we’re closed one day, it makes such a huge difference, let alone be after weeks. We had one of our offices that the restaurant next door was on fire. So our office got smoke damage and we had to close for three weeks to clean it up and rebuild it. And it just shows such a big dip in it. So I cannot imagine sitting around looking at screens, but we cannot use it. And, you know, when Bill, when Gary was speaking and he was talking about making sure that you use Black Talon and why you should go with someone that’s specialty in security is because of the fact that if you want to get an implant or you want to get a root canal, we know better not to go to a general dentist. We would make an effort for us for sure to go up to a specialist to make sure we get that done. And we need to make sure that we are for sure going to an oral surgeon or someone that is actually an expert. So if we are doing that for ourselves and for our friends and family, why are we doing this with our software or with other people’s information? Why would we just stand around and let this just be open to the world and not have a problem? So I make sure that we are definitely covering ourself, making that security for our company. That makes me feel much better knowing that I have a specialist taking care of this.
Bill Neumann: Well, let’s talk a little bit about the benefits of engaging with a cybersecurity company. I mean, there’s the expected benefits, but Evelyn, are there any things maybe that you didn’t expect that have, it’s just, it’s something that kind of comes up and goes, well, this is great that I’m partnered with Black Talon.
Evelyn Lahiji: So one of the biggest things that we’re working on the most is for us to make sure that we are getting everything done and being able to get back at the same time. So one of the things that we love the most is being able to be in close contact with Black Talon. We have constant back and forth with them on a regular basis.
Bill Neumann: Yeah, I think that the communication is certainly important. And I think that’s another thing, Gary, maybe you can touch on this. It’s a huge concern, I think, in the industry, and it’s not just related to cybersecurity, it’s vendors in general. And you could have a great solution, but are you able to onboard and train and educate? And I know when Evelyn kind of brought this up at the beginning, it’s like, you got everybody trained right away, which is not an easy thing. And I don’t think all vendors are up to the task. You may be able to train one office, but when it comes to multiple locations, that’s where it can be really challenging. So maybe take us through that, Neville, and feel free to share, too, the process of educating someone when you bring in a cybersecurity company and then what kind of what to look out for because also it’s not just having Black Talon Security, it’s you also have the staff needs to be aware of what emails to click on and what emails to avoid. And it changes.
Gary Salman: For sure, right? It’s extremely dynamic. I mean, if you look at how threats have evolved even over the last year, I mean, it’s almost shocking and we can kind of walk through that. But in terms of cybersecurity awareness training, it is an ongoing training, right? It’s not so much a one and done. I think it’s really important that the cybersecurity awareness training mirrors the type of business, right? So obviously, if you’re a dental practice or group, taking general business training that doesn’t really relate to Stacey or Dave at the front desk, the engagement’s low, they’re not that interested. But when the training revolves around, hey, you know, you just received an email from the oral surgeon down the street and there’s a panorex, is it okay to just click on it and open it? Right, all of a sudden, that really changes, you know, a person’s perspective, like, oh, my God, I get those all day long. That was a risk. I didn’t even know that. So, you know, what we do is we try and really make the training relatable to the dental space. And we use, you know, terminology and we use imagery that is something that is part of what they do all day long. And look, the doctors are high risk too. Sometimes we see doctors targeted and they don’t realize, hey, I could bring my entire group down by clicking on something. So we try and help the doctors to understand this isn’t just about your staff. This is about you too. And the same thing for executives. We’ve absolutely seen numerous cases where executive teams at DSOs have been specifically targeted by hackers. So creating awareness around that’s really important. And then ongoing updates. 
So one of the things that we do, actually we have one coming up here in a couple of days, is we host monthly to sometimes every other month webinars, live webinars for our clients, just to make them aware of the latest trends and the latest threats, because things that you were educated on two months ago may be very different from today. The other thing that’s important with training is email alerts. Hey, this is a new type of attack that we are seeing. Here’s a video of the attack actually being executed, and here’s how you defend against it. And these are all non-technical. I think that’s really important. And then simulated phishing, right? Evelyn as the COO needs to test her employees to see if they are in fact following protocol. Are they clicking on links that they shouldn’t be clicking on? Are they opening attachments that they shouldn’t be clicking on? So by running these simulations against all the doctors and employees, we can grab KPIs and Evelyn can look at them and be like, wow, we’re doing really good. 98% of our staff did not click anything, but these two, you know, this two percentage points of individuals, they clicked on things, but they got retrained already by black talent. So we will be better next month. So I think these types of things are so important. And here’s the reality of all of this. Everyone’s going to have some type of cyber event. That’s the bottom line. You talk to anyone kind of like at the federal law enforcement level that specializes in this, the law firms, incident response companies like us, we will say pretty much the exact same thing. You will have a cyber event in the next couple of years if you haven’t had one already. And if you’re in a highly regulated industry, like we are in healthcare, one of the things you’re going to need to show the state and the government is what did you do to mitigate the risk? 
And if an organization like Evelyn’s can can say to an auditor or an investigator, hey, look, We hired a dedicated cyber company. Here’s all my training documentation. Here’s my phishing documentation. Here’s how I’ve reduced risk over the last 12 months, you know, through vulnerability management and pen testing and patching. it very much changes the direction of that audit, right? Because when auditors look at you and they know, hey, you’ve tried to do the right thing, you’ve done everything we’ve asked for, they may say, you know what? Unfortunately, things happen. Maybe make a couple changes here. Have a good day, thank you. Versus the audit that goes something like this. Evelyn, can you provide me with all your training documentation? And she’s like, yeah, I don’t know anything about training. What do you mean training? Right? Do you have results from your latest penetration test you can provide to us? I’m just the COO. I don’t know what a pen test is. I’m sorry. Right. So without going into any more detail, you can understand how those two scenarios have very significant, um, uh, or very different outcomes from an auditor’s perspective. There may be a $0 fine levied in the first scenario. And then in the second scenario, that could be hundreds of thousands of dollars or more fines levied. Right. Once again, not to scare you, but this is how this actually works, right? This is how the government looks at things when, when things go boom at
Bill Neumann: I think all really valid points you talked about. There’s, it’s not, you know, if, it’s when or there will be an event. So it’s good, very good to be prepared. You know, we’ve run into things here. You know, we run a website. It’s not, it may be a little bit different than, you know, what you do at a dental practice, but You know, we’re all vulnerable. You know, we all have sensitive data, some more sensitive than others. And there are vulnerability points. Since we’re on the topic and you talked about that webinar that you do for your customers, whether it’s monthly or every other month, where you kind of keep people up to date on threats and what’s just right now or in the middle of 2025, what are some of the newer threats or what are you seeing right now, Gary?
Gary Salman: Yeah, I’m seeing a couple of things. Email intrusions are skyrocketing. We are seeing sometimes multiple phone calls per week from victims who have had their emails hacked, right? The hackers phish an individual within the organization. That person gives up their username and password. And unfortunately, even though this is a tough pill to swallow, they’re giving up their MFA code to the hackers. The hackers gain a footprint into their, say, Microsoft 365 environment. And then, you know, within a short order, the hackers are installing applications and downloading everyone’s, you know, in and out box and basically compromising the entire environment. And what I always say to people that are evaluating security is this. what if I was a hacker and took every single one of your emails what would the damage be and and I will argue that sometimes An email intrusion could be worse than a ransomware attack because the hackers don’t just steal all of your emails and your data. They then use your email accounts to contact other people that you interact with. And then they use your real email account to attack your accountant, to your supplier, to other vendors, to your patients. And now all of those individuals fall victim to the attack And guess where all the fingers are going to get pointed back to very quickly? You. Right. And they’re going to say, well, you know, because your security wasn’t good, our accounting firm got hit with an attack also. And now we’re having to notify thousands of our clients. This is ending up in legal battles and is a problem, but this stuff’s preventable, right? And I think that’s the message that has to be had here. As much as what we’re talking about, Bill, for lack of a better word, just sucks. Like no one wants to be on the bad end of this or the receiving end of this. What I’ve seen and what my experience has been over many, many years is that 99% of these events were preventable. 
With the proper implementation of knowledgeable people, of proper security measures and proper tools, these things can actually be stopped or, better said, is prevented. And then if that fails, hopefully there’s tools in place that will minimize the damage. So I’m seeing that. In the last… call it two months, we are now starting to see the hackers moving away from ransomware and strictly moving towards the theft of all the patient data or confidential data. And this has been predicted for about a year. I’ve actually talked about it on previous podcasts. back in like 2023, 2024. And the reason that hackers are moving to strictly data theft, whether it’s from your own server or from your cloud environment, it’s because the hackers know the second they start deploying malicious code, they start doing malicious things on your network. There’s a higher likelihood that the tools that are in place are going to detect them. And then, you know, the good guys are going to come running to try and fend off the attack. So what we’re seeing now is them pivot, kind of like what I was talking about before, and now they’re moving strictly to data theft. So they get into the network, they install screen sharing apps, and they literally just download all of your patient records, whether it’s from the cloud, potentially, or from your server. And then you have no indication that this happened to you, right? Everyone’s like, well, my firewall is going to warn me. Never seen that in my career, right? Oh, my antivirus is going to warn me. Never seen that in my career, right? And then your first indication is going to be on a Monday morning, the phone is going to ring and it’s going to be someone talking in a foreign accent saying, we hacked your system and we have your patient records. or a note’s going to pop up on your screen saying that, you know, all your data has been stolen. And then we start digging into it. 
You know, for instance, you know, we get contacted by the insurance carrier. We start digging into it. We go to the hackers’ dark web website and we’ll see 20 patient records posted on the dark website. And we’ll come back to the victim and be like, are these your patient records? And they’ll say, yes, they are. And then we’ll say, we have a problem. You know, there’s an issue here. So what’s the challenge with this? Well, it goes back to kind of the question you asked before, which is: these applications that we’re relying on, like these antivirus applications and these other things that are designed to trigger when something bad is happening are not going to trigger with these types of exfiltration events where they’re stealing. So I think a lot of DSOs say, well, we have the best alarm system in the world. And if someone puts ransomware on it, it’s going to stop it. I’m like, that is amazing. But when I get on your network and navigate your server and download all of your data for your server, your antivirus software is still going to be asleep. And that’s the reality of it. So we need to think very differently in how we are defending networks. And it starts with, we’re not going to let anyone get into our network to begin with, right? Through vulnerability management and pen testing and training and some other technologies versus, hey, I have the most aggressive, you know, German shepherd in the world. And if someone steps into my house, you know, he’s going to eat them, right? The second they step in the door. Well, that’s not good because, you know, I’m just going to throw that guy a hot dog and he’s going to go and walk off into the corner and eat the hot dog while I steal everything. Conceptually, that’s what the hackers are doing now, right there. They’re getting around the antivirus software and these defensive mechanisms that everyone believes is going to save the day. So we have to think differently. We have to act differently.
And if we don’t adapt as executive teams, right, running these DSOs, the ramifications can be significant. So between email intrusions and strictly moving towards data theft, we have to adapt to the hacker’s new tactics. And if we don’t, we will fail our organization. One of the best lectures I ever heard came from the chief information security officer of a Fortune 100 company. And he said to the audience, there were hundreds of network defenders in this audience, and he said, if you’re not changing or evaluating your tactics every three months, you will fail. And this was a couple of years ago, and he was 100% spot on.
Bill Neumann: Well, Evelyn, you must have a little bit of peace of mind now that you’ve been working with Black Talon Security for three years and hearing what Gary just said. They’re very sophisticated and it’s hard to keep up with them. But can you talk a little bit about that peace of mind? And you’ve got a lot going on. You’re the COO. You do pretty much everything. So it’s nice to at least not have to worry so much about cybersecurity.
Evelyn Lahiji: I’m so glad he explains it in so detailed. I mean, he could have been said it better of the way of how many different ways you could get hacked. And every one of the examples that he gave, I’ve heard of it. I mean, he’s talking on the other side and there’s always two sides to a story. And I’ve heard of it from this part of the dentist that calls me at night just crying her eyes out because all of her data from all of her patients have been stolen, and there’s nothing that we could do. So I’m like, okay, call Black Talon and try to see if they could help you. But it’s already too late. And it’s, you know, you have to have that security. You have to have that shield. You have to have that confidence to know that you’re taking care of these things. This is nothing that you want to take care of after the math. And some people truly are thinking that they have something that’s protecting them, something that they downloaded for 20 bucks a month online. But those things are just a band-aid on such a huge wound that needs to be protected. And if you are just looking into being able to put a band-aid on something and worrying about it later, oh, if it happens, I’ll figure it out. I even had another friend that when he got hacked, he actually started working on charts. And he’s like, maybe I’ll just start going back and being on charts because it was safer that way. But that’s not, you know, you can’t go backwards and work like the way my grandpa used to do it. You need to be up to date with everything you can and also be able to have that confidence that you are protected. I wanted to bring up the subject about how we did the training with 500 people. I think it’s so important because there’s no question that you need to have security. One way or another, you need to protect yourself. But I think the transition of starting and going to it is also very important.
You don’t want to pay for something and not utilize it at at least 95% or else you’re wasting your money. So once you do sign up, you need to make sure you follow all the instructions, put a good rollout for the whole company. We actually celebrated and we let every one of our staff members know what we’re doing because this is not only protecting our software with the patients, it’s also making sure that the 550 staff members that we have, it’s also protecting them. it’s everybody and their they come to our dental them comfort also to know that an office that has securi that we talk about and ev hired goes through the tr that they understand what how many different ways we are making sure that they are protected. And that’s, we’re proud of it. We constantly talk about it. We bring it up in regular meetings and our IT guy is all over it, making sure that he is checking and being informed that if there are any new information that comes in. We share it in our weekly meetings for the managers to know what has happened and what could happen so we are protected.
Gary Salman: Evelyn, I mean, it says something really important, Evelyn, right? And it’s getting the staff involved. That is so critical and doing it in a positive way. We have practices that do things like, if you detect a phishing email and it’s legit, we’ll put $5 in a virtual cookie jar, right? And at the end of the day, we’ll do a fun party because that $5 that goes into that cookie jar is nothing compared to an actual event. And doing positive reinforcement is always better than negative. And the other thing that I’ve heard from a lot of executives and even the end users is, you know what? I worried about this all the time and I didn’t know what to do. And now they have the confidence that when they look at an email, they can dissect that email and know with a high likelihood or a high certainty that what they’re about to do is safe. That’s a lot less stress for individuals, including executives, right? I mean, we all know we’re being targeted. That’s the reality of it. You go to social media and you can find the executives from basically any company you want, figure out their email address and target them very simply. So I think there is comfort here, right? Because a lot of things that cyber companies do is in the background, no one really sees it per se, but this is something that is very employee facing. And then Evelyn, you said something that I’ve never really heard anyone talk about before, which is amazing. We share this with our patients, right, through our staff or other methodologies. And you know what? I think a lot of people, especially in ortho and pediatrics, where their kid’s information’s in there, all right, you can mess with me. You mess with my kid, we got a different discussion, or we’re gonna have a different discussion very quickly. So, you know, I think that’s extremely eye-opening. I never thought of it that way either.
Bill Neumann: I’m gonna have a couple minutes left. Gary, would you talk a little bit about EAGLEi? That’s something that I think is relatively new to some listeners. And just touch on that briefly, if you don’t mind.
Gary Salman: Yeah, so a couple of years ago, some of our very large DSOs that have 5,000 plus computers came to us and basically said, look, we love what you guys do for us, but handing us a 5,000 page PDF file or, you know, a 100,000 line spreadsheet with all the problems with our network, like this is not even manageable anymore. So can’t you present this in a different way? And we’re like, yeah, we can probably do that. So over the last couple of years, we’ve been evolving a product called EAGLEi, which basically is a dashboard for individuals just like Evelyn, where Evelyn can go to this dashboard and literally within one minute, know the entire health of our organization from a cybersecurity perspective, where she has problems, where she doesn’t have problems, where she needs to bring attention to. And this is all done in a non-technical way. Then her IT person who can follow her direction can say, OK, yeah, look, I agree with you, Evelyn. We got some problems at Office 7. You know, he or she can start honing in on Office 7 and through our dashboard, we can tell them exactly what is wrong on those firewalls, on those computers and servers from a security perspective, how hackers could potentially break in, but most importantly, how to fix it. The same thing with training. Who has trained? Who hasn’t trained? Who’s failed training? Things like that. That’s another key performance indicator that someone like Evelyn or CIO, CTO or CEO would want to see. How’s my team doing from a training perspective? Because it’s high risk if they’re not doing well. We enrolled 500 people in the online training and only 20 people have taken it. We have a rollout failure to Evelyn’s point, like have a plan. So all of this data was being presented back to our clients. And then about a year ago, a little more now, a little over a year ago, we had this idea of, hey, how do we take all of this data, all of these KPIs and roll it into a single risk score?
So we came up with a concept of a cyber risk rating, which basically takes all of this telemetry and all of this data and presents it back to the end user on a scale of 1 to 100, 1 being very low risk, 100 being extremely high risk. So you can now look at your cyber risk globally for like Evelyn’s all of her 17 locations, or she can look at it at a location level, she can look at it at a personnel level, or even at a workstation level. So you have the ability to be kind of looking at it from the 50,000 foot view all the way down to like, hey, what’s wrong with this actual computer? And this has been an absolute game changer. And we’ve received such tremendous feedback from executives because they can say, I can now roll into a C-suite meeting and within five minutes present all of the security data to the C-suite, to the private equity company, to my board. And we had just recently, just kind of as a side note, we had a CTO literally tell us that he used to spend five days preparing for his security meetings with his private equity company. And he knocked that down to minutes because of the way we were analyzing and consolidating data. And he said the private equity company and the board said they’ve never seen data presented in a positive way. So I think what’s happening is because there is so much information going into these security analysis reports, people were becoming overwhelmed and had no way of taking all of these different pieces of kind of telemetry and bringing it into one score. So I always say it’s kind of like a FICO score for your credit. You got a 400, probably not getting that loan, or it’s 40% interest per year, right? Or you have that 800 score, hey, whatever money you want, you can have. So same thing with the cyber risk rating. And it is absolutely a game changer. And I had the honor of presenting to some of the largest healthcare institutions. We’re talking to hospitals and medical groups in the world over the last couple of months.
And I had so many CTOs and CSOs walk up to me. It’s like, you guys are the first ones that figured this out. You know, you’re presenting data in an entirely new way. And these are health care systems with 120, 150,000 computers that are sharing this with us. So I think we’ve really hit the mark with being able to analyze this data, because in the end, I tell everyone, security is about data. And if you have good data, you can also have good security and you know where you have weaknesses and where you have strengths.
Bill Neumann: Excellent. I think on that note, we’ll just say goodbye. Evelyn, thank you for being on. I hope you’ll come back to the show. It was great. It was really good to get your perspective on things. Evelyn, if people want to find out more about Children’s Dental FunZone, or if they want to contact you, what’s the best way to do that?
Evelyn Lahiji: The 1-800 number online, you could always reach me on my email, Evelyn at Children’s Dental FunZone. I am always here for anybody that needs any questions, any feedback, anything that I could help with. I’ve been in dentistry for so long that my biggest and most excitement part of life is training, teaching, and helping people grow because their win is my win.
Bill Neumann: Excellent. Thanks so much. Thanks, Evelyn. Gary, if people want to find out more about Black Talon, you have the monthly CyberWatch article, so they can read that. You keep everybody up to date on all the crazy things that are going on. And there are a lot of things. We try to track all the breaches. And there are a lot of them. So that’s another eye opener just to see how many not just, you know, it’s not health care. I mean, we look at dental too. So it’s sometimes you see two or three dental breaches in a month. And you just scratch your head and you’re like, OK, this is it’s crazy. It’s prevalent now. So again, back to what you said earlier, it’s not if it’s when and how prepared you are, I guess. Add that on, too. So, Gary, if people want to reach out to you or find out more about Black Talon Security, how do they do so?
Gary Salman: BlackTalonSecurity.com. Click the contact us there, that’d be great. Me personally, definitely look me up on LinkedIn. I have about 6,000 folks in the healthcare space that follow me. I try and post some really good articles from various sources regarding the latest trends in security. I post security alerts often, stuff coming from the FBI and Homeland Security. And I think that for anyone that has a business that’s something they need to definitely keep an eye on. And then Gary at BlackTalonSecurity.com.
Bill Neumann: Excellent. And Evelyn, she’s got a great LinkedIn profile too, so you can find Evelyn there as well. And we’ll keep our eyes open, Evelyn. You said you’re going to add three more practices this year, right? Yes, sir. That’s a big deal. 17 to 20. All right. Well, thank you both. And thanks, everybody, for listening. Again, like I said, you should be watching us. It’s better to watch than listen. But we are on groupdentistrynow.com. This is the Group Dentistry Now show. And thank you so much.



