Group Dentistry Now is the #1 Ranked DSO Podcast
Gary Salman, CEO and Paul Murphy, Chief Sales Director of Black Talon Security sit down with Group Dentistry Now to discuss:
- Proactive vs. reactive cyber strategies
- Tabletop exercises – preparation
- Eagle Eye technology – predicting breaches
- The rising threat of AI in cyber attacks
To read all of the Cyber Watch articles on Group Dentistry Now visit – https://dso.pub/3V02rEu
You can also find out more about Black Talon Security by visiting their website – https://www.blacktalonsecurity.com/
Full transcript is provided below.
DSO Cybersecurity Podcast
Welcome to the Group Dentistry Now Show, the voice of the DSO industry. Kim Larson and Bill Neumann talk to industry leaders about their challenges, successes, and the future of group dentistry. Visit groupdentistrynow.com for more DSO analysis, news, and events. Looking for a job or have a job to fill? Visit joindso.com. We hope you enjoy today’s show.
Bill Neumann: Hey, welcome everyone to the Group Dentistry Now Show. Setup looks a little bit different today. So we are excited to be on site at the ADSO Next Level event. We are in Austin, Texas at the JW Marriott. And yeah, this is our first time with the new setup. We’re loving it, and I had the opportunity to spend some time this morning actually learning about cybersecurity. We’re going to talk a little bit about, you know, the event that Black Talon put on here at the ADSO event. Welcome back to the podcast. We have Gary Salman, who is the CEO of Black Talon Security. Good to see you again. Yeah, great to see you as always, in person versus via Zoom. And then for the first time, and a lot of folks that are watching, you may have seen Paul Murphy at a lot of the different DSO events, but Paul is the Chief Sales Officer of Black Talon. So good to see you.
Paul Murphy: Thanks for being here. Thanks for the invitation.
Bill Neumann: Yeah, this is going to be fun. How about we start real quick with you? Just a brief intro to the folks that might not know who you are.
Paul Murphy: Sure. So my name is Paul Murphy, Chief Sales Officer with Black Talon Security. I’ve been in the dental industry for almost 25 years. So I have a long background in the dental technology space. And about seven and a half years ago, I ended up speaking with Gary Salman, who had just launched Black Talon Security. You know, I could tell how passionate he was about wanting to start this new type of company, designed to protect the dental community from the rise in cyber attacks and ransomware attacks that were targeting them. It was Gary’s passion that, for me, made it a no-brainer, right? So, I was very passionate about dental technology, but the chance to join Gary and join this company and contribute to protecting the dental community was an exciting opportunity for me. So, of course, I jumped at it when given the opportunity. And, Gary, a little bit about your background.
Gary Salman: Yeah, so I’ve actually been in the dental technology space for 32 years, almost 33. I started my career writing practice management software for the oral maxillofacial surgery community, literally from the dorm room of my college. Built that to a pretty sizable company. And then in 1999, I built the very first dental cloud technology, before we even knew the word cloud, right? It’s all server-based computing. I had thousands of users across the country leveraging this internet-based technology and running their OMS practices through that. So I always felt kind of like a visionary. I mean, I was using wireless devices back in the 90s and wireless tablets before people even knew what these things were. And we had oral surgery practices using it. And then kind of fast forward to seven or eight years ago, I started to receive phone calls from practices of all types and sizes saying, hey, we got hit with ransomware. What can you do to get us back online? And the company I was working at, that just wasn’t what they did. And eventually it got to the point where I realized, we’ve got a systemic problem here. There’s an issue. And the issue is that these practices are not being properly protected. The hackers are getting in, they’re stealing their data, they’re encrypting it with ransomware, demanding hundreds of thousands of dollars. These practices get shut down for weeks, like we have to do something here. And that’s just been how I’ve been my whole life, you know, from like Boy Scouts and giving back. I’m like, if I have a skill and I feel like I can do something to help these people, I don’t want them to be victims either. So we spun up Black Talon. You know, we got together with a lot of really smart people, folks from Wall Street that were doing security for banks, Fortune 500 companies, brought them into Black Talon and basically customized the solution.
And now we can provide very, very high-end cybersecurity solutions way above and beyond what they’re getting from their IT vendors.
Bill Neumann: And Paul talks a little bit about your passion. And I think the entire team is passionate, and the team’s growing as well, too. You’ve added some people. So, you know, we’ve talked and have had you on several podcasts, and kind of go back a couple of years and think about the conversations we were having about the industry being very reactive versus proactive. But I would say the past year, there’s been some recent events that have hit very close to home in the industry. And I think, and we’re going to discuss this, the industry is becoming more proactive now. And that is a good thing. So why is Black Talon here at the ADSO Next Level? What are y’all doing here?
Gary Salman: So today we kicked it off with a tabletop exercise. So we have a lot of DSO clients, and some of these DSOs are 10, 15 locations, and the others are some of the largest DSOs in the country, and everything in between. And one of the things we do for these clients is what’s called the tabletop exercise, where we bring in the entire executive team from the DSO. We literally say you’re going to be locked in a room for three hours. No email, no phone calls, no text messages. And we’re going to bring a scenario to the table. And your entire team is going to have to work through the scenario. So we do ransomware events, you know, email compromises, wire fraud, like all these big events that DSOs are dealing with. And what happens is organizations often feel like, oh, if we have a problem, we’ll just work through it. We’ll figure it out kind of in real time. But what we do is we bring the scenario to the organization and basically step them through the event, right? Hey, you walk into the office and you get a phone call that there appears to be ransomware on the screen. What do you do? How do you handle it? Who in your organization is best tasked to do this? And what we get out of this is training, right? It really brings to light the strengths and weaknesses that you may or may not have in order to deal with these types of situations. It’s like practicing for an anesthesia emergency. You can’t just tell a staff like, oh, if there’s an anesthesia emergency, just someone call 911. Like, that’s never going to fly. You have to actually have your staff, you know, simulate the event with the patient, getting vitals, you know, contacting 911, and how do you try and potentially protect that patient from further damage? The same thing applies with these tabletop exercises. It really helps the entire executive team understand their strengths and weaknesses, and then areas that they may need to put some focus on. We’re like, oh, we thought you were doing this.
And that department’s like, oh, we thought you were doing this. And well, we have a written document on how to handle this. And everyone’s like, well, where is that document? We don’t even know where it is. We didn’t even know it existed. And then there’s a lot of positive things. And the biggest thing that I get from this is it’s a team building effort, right? Event, I should say. And almost every executive team is like, you’re coming back again, and we’re doing this in six months from now, right? Different topic. But they love it because it really helps everyone understand where they’re going and the types of things that they could come across. that they never even thought of or never anticipated. They’re like, oh, well, if we have a cyber event, we’ll just restore data from a backup. Doesn’t quite work that way, right? And we bring that front and center for the organization.
Bill Neumann: And this is the second opportunity I had to sit in on a tabletop exercise. So it’s exciting to, you know, just as somebody there that’s participating and kind of going through the event as it is occurring and listening to other people and then trying to, you know, envision how I would handle it. It’s pretty scary, actually. I mean, it does get you in a position where you’re like, OK, there’s a number of things that we can do here. And if any one of them is wrong, you could be in a situation where, you know, the data gets out on the dark web and then you’re in a lot of trouble. And then the other is, do I want to pay $2 million in ransom? So you’re kind of balancing things out. But it’s a lot of fun. You did a DSO Leadership Summit. I’m sure you’ve done it at other events. We did it here at ADSO Next Level. So if anybody is at a DSO event and you see Black Talon and they’re doing a tabletop, I would say, hey, you know, get in there and check it out. And like you said, you even do this for executive teams at DSOs. So, you’ll come in to the corporate office and work with them.
Gary Salman: Yeah, they bring their entire team in and we all go at it for three hours. Yes.
Paul Murphy: And one thing I’ll add too, Bill, I think that an important thing to note is that the lessons learned when going through these exercises are applicable across multiple situations. Right. So typically, obviously, we’ll always lead with a cyber attack. Right. But going through an exercise like this, you can apply what’s learned to a civil unrest situation, a national pandemic, right, a natural disaster of some sort. We’re four years removed from certain areas of the country experiencing three and four of these things all at the same time, right, where you had situations where there was civil unrest during a pandemic with an increase in cyber attacks, and you had organizations going through all three at the same time. And these lessons learned during these tabletops you can apply in any of those situations.
Bill Neumann: Yeah, that is a great point. Okay, so kind of on that topic, let’s talk about new threats. Is there anything that you’ve seen recently, or anything that may be coming in 2025 where you think there may be an increase? What should DSOs be paying attention to? Either one of you.
Gary Salman: Yeah, so I think the two-letter word that everyone talks about probably every five minutes, AI. And if you think about it, we are leveraging AI heavily in our business to try and protect DSOs and other large medical groups. So AI can be used for good reasons, good purposes. But unfortunately, like anything good, the criminals figure out how to take something good and make it bad. So if you think about where most of these cyber attacks are originating from, Eastern Bloc countries, you know, Russia, often these hackers don’t have good use of our language, they write poorly. And what everyone keeps telling me is, well, I can identify a phishing email, because there’ll be spelling mistakes, and there’ll be grammatical errors, and it won’t be the correct use of our language. That’s all gone. Right? And we’re seeing it today. You know, we’re seeing phishing emails that have caught dental groups and DSOs in pretty bad situations, because you read the email, it’s a perfectly crafted email and it makes sense. They understand how these businesses operate because they ask AI, which companies do dental groups buy supplies from? Oh, in two seconds, ChatGPT will rattle off the two primary providers. They don’t need to do any research. Who are the key executives at XYZ, you know, dental group? Oh, ChatGPT just told me that too. Oh, by the way, do you have their email addresses? Oh, look at this, I do. And the attackers are able to get a list of their targets that they want to go after, often the executive teams, HR, finance, CEOs, CTOs, COOs. And you know what the amount of time invested is? A minute, two minutes of time, versus having to do days, weeks, or months of research. So AI, unfortunately, is being used for nefarious purposes. And the other thing that we’re starting to see now is AI can be used to generate computer code, right? So now you could write programs very easily for good purposes.
You can have it create spreadsheets that you probably couldn’t create on your own, write the code for that. But unfortunately, the hackers have access to technology that says, hey, I want you to create code that starts with a phishing email, steals a person’s username and password, takes their multi-factor authentication token off their machine, and downloads this payload. So they sit back, wait a couple seconds, and the AI is like, there you go, go deploy it, have a good day. You know, versus weeks or months from a very experienced person trying to generate that code. So that’s a challenge. But really, the solution to AI is AI. You know, so I mean, Paul knows some of the technology we leverage that’s extremely effective. And it’s a cat and mouse game. We’ll take one step forward and we’re like, oh crap, look what they figured out. They’ll take one step forward, and it’s literally just this cat and mouse game and a constant battle and a fight. Having visibility into this, right, with all the connections we have with various organizations, all the data we’re being fed by, you know, various government agencies, that is really powerful, because we can take that information and leverage it and be able to help DSOs. I think to your point, what we see in almost every DSO is a reactive environment. We’re still reactive, like, oh crap, look what’s happening. Someone got someone’s password, they’re logged into one of our machines, and they’re executing something. Well, our philosophy is like, well, why did that even happen in the first place? There are processes, there’s technology, there are solutions, there’s human intellect that can be applied and basically say, okay, if we do these things, the likelihood of that event being a reactive event goes to a very low probability. Not zero, because there’s never a zero in the cyber world.
But our concept is like, how do we harden the environment so much that these reactive tools that react to a threat don’t even have to trigger? Because the hackers aren’t actually able to get into that environment to begin with. So we leverage some AI tools for that and tools that we’ve created as well to try and be proactive versus reactive. Because what we always tell DSOs is, Once something’s going off in your environment, something’s in your environment. That’s like your alarm system going off when your motion sensor detected someone walking down your hallway because they cut the glass on your window. They didn’t have to open the window, so the sensors on the window didn’t go off, but they got into your building. So now, hopefully, the dog or the cameras or the motion sensor is going to trigger, but that dude’s in your house already.
Bill Neumann: So AI is a big threat. And you talked a little bit about DSOs still being reactive. So that is obviously a mistake. So I want to get into the top five mistakes, cybersecurity mistakes that DSOs are making. And then more importantly, what are the solutions? So if we’re making mistakes, what can we do to kind of alleviate what, you know, to not make these mistakes? So not be reactive, right? That might be one of them.
Paul Murphy: So one of the issues that we’ve seen, especially more lately, is addressing something Gary just talked about, right, which is focusing on defense. So actually showing some initiative, maybe being a little more proactive and investing in technology designed to trigger after someone gains access to a network. Great technology, we use it ourselves as a company. But they’re overlooking what the main goal should be, which is offense, right? We need to do whatever it takes to keep people completely out of our systems, completely out of our network, and only rely on defensive technology when all else fails. And so we have seen an increase in people becoming a little bit more knowledgeable, being more proactive, but they’re focusing on just one thing, which is defense, by deploying some of the newer technology like EDR and MDR. Great technology. What is EDR and MDR? Endpoint detection and response, or managed detection and response. It’s really advanced antivirus, much better designed to protect organizations from a modern day ransomware attack than traditional antivirus, which is just a dictionary. That’s it.
Bill Neumann: All right, very, very good. Let’s talk through some more of these mistakes and solutions.
Gary Salman: Okay, so I think a lot of organizations have no visibility into what is called their attack surface. Attack surface is defined as anything kind of internet facing, so firewalls, modems, servers that you can connect to directly. And there’s so much connected to the internet. So much, right? And the bigger organization you are, the bigger your attack surface. It is proportional, right? The more offices you have, the more firewalls you have, the more computers you have, and the more people you have. So attack surface is typically broken into two categories for the most part, your technology and your humans. And tech can be broken down to servers and workstations and laptops and firewalls and cloud. Humans are humans, right? So from an attack surface perspective, we know that about 60% of all cyber attacks are the result of a human making a mistake. It’s John or Stacy at the front desk, or a doctor who gets an email. It looks legit. Maybe it’s from a practice down the street.
Bill Neumann: So this is 60%? Is that what you said?
Gary Salman: Yeah, about 60%. And they do something. They click on a link. They open an attachment that executes the downloading of a payload, like a malicious piece of code. Or they’re giving up something, a username, a password, critical information, God forbid, their multi-factor authentication code. And that’s giving hackers access to email, to servers, to data. So you address that part of the attack surface through training, right? That’s one methodology. Making people aware, hey, these are the types of phishing emails you’ll see. These are the types of spear phishing emails. These are the types of phone calls you may receive purporting to be your IT resources, your imaging company, your practice management, being friends with the CEO of your company that they just met at a meeting. So making people aware through comprehensive training, which is actually required under HIPAA, is very powerful. And you can test their training in a couple ways. You can give them the quizzes as they do the training modules, that’s obvious. But the gold standard is to phish them, right? Have a cybersecurity company send simulated phishing emails to all of the individuals in the group and see if they’re clicking on things or doing things that they shouldn’t be doing, and then immediately retraining them. So they click, then a box will pop up like, hey, this is a simulated attack from Black Talon. Please watch this one minute training video, and they get retrained. You know, it’s very, very effective. That’s how you address the human element. The technical element is where I would argue 90% of DSOs are missing the boat. And the issue is, firewalls can’t just be plugged in and connected to the internet. They have to be configured properly. A firewall is a physical device, but it has software on it. Software was built by humans on the firewall. Humans make coding mistakes. Hackers find coding mistakes and exploit them.
So if you look, do a little research on the internet right now, you’ll see a month and a half ago, two months ago, SonicWall, which I’d be willing to bet is systemically deployed in the DSO world, SonicWall is a brand of firewalls, had a critical vulnerability on their VPN connection. So DSOs are like, oh, we’re secure. We run VPNs. And to executives, it’s like, yeah, that sounds great. We run VPNs. We can’t get breached. It’s encrypted. That’s not how it works, guys. So what the hackers found was a flaw in the VPN code and built a toolkit that scans the entire internet looking for SonicWalls that have their VPN turned on. When it finds the target, the code executes on the firewall. And the firewall’s like, oh, I don’t need a username and password. Come on in, right? And they bypass authentication. And then two days later, they’re under a full ransomware attack. Right? So, DSOs don’t have visibility into these types of vulnerabilities. So, there are some very powerful technologies out there that we deploy, that we’ve built, that will scan their firewall every single day and say, hey, do you have one of the 50,000 firewall vulnerabilities out there? And if so, how severe is it? How likely is it to be exploited? That information is then sent back to our security engineers and directly to the IT resource saying, hey, we ran some tests today. We found that your firewall is vulnerable. This has to be fixed immediately. Right? And often what happens is, you know, they may do this test once a year. And that’s it, or more likely, they never test their firewalls. So they think, hey, we just spent, you know, $3,000 on that firewall, we’re properly secure, we’re safe. And little do they know, they’re fully exposed, because they have no tool sets, they have no engineers watching to make sure that this is properly configured and not exposed. And not having this type of visibility into the attack surface, you will get hit.
It’s a guarantee, because we’ve done hundreds of incident response cases in the DSO space, in the medical space. And inevitably, if it’s not a human, it’s a problem with a computer on the network that has a vulnerability, or the firewall. It always comes down to that. And I think a lot of people are hanging their hat on, hey, I’ve got good firewalls. I bought a Cisco. I bought a SonicWall. I bought a Fortinet brand firewall. These are tier one solutions, and we’re good to go. So we have nothing to worry about. You know, so I think organizations, if you don’t have a picture of your attack surface painted for you daily, you will have an event. That’s the bottom line. Absolutely.
Paul Murphy: I think another area that’s an issue that we see is too many organizations think that they can offset risk, you know, by having a cyber insurance policy, or they’ll have layers or redundancy in place with their backup solution. Both incredibly important things, right? I would not even consider operating any type of healthcare organization without being covered with a cyber policy, right? Because the likelihood of being hit now has gotten so high. But insurance, you know, number one, insurance can’t really do anything for the damage done to your reputational harm, right, after you are the victim of one of these attacks. And most organizations are woefully underinsured, honestly, because I think most people don’t understand what’s at stake and how expensive these breaches actually are for organizations. Backups are incredibly important.
Bill Neumann: Let me stop you there, because I’m really curious. Gary talked a little bit about this this morning during his session. So there’s the ransom that you have to pay. Correct. 90%, I think you said, pay, right? Typically in the seven digits. And most companies are paying millions.
Paul Murphy: Look, I want to just clarify. So we never once as a company have ever told anyone that they have to pay ransom. All we do is forensics investigations, collect data, provide that data to the target and their attorney, and that’s who will make the decision typically if a ransom needs to be paid.
Bill Neumann: So that’s one cost. You’re talking about the cost. There’s the reputational harm. So there is a dollar amount attached to that somehow. It might be a little hard to determine. But then there’s also the downtime. So there’s the cost of being down. Do you have an average of how long, you know, when there’s some type of attack? Is there a certain number of days that you can kind of average out?
Gary Salman: Yeah, for sure. So what I tell everyone is regardless of the size of your organization, whether you’re a single location with 15 computers or a very large DSO with thousands, you’re going to be down for a couple of weeks. And everyone looks at me like, how is that even possible? But we have to understand that you are working with highly regulated data in states that have their own laws. The attorneys general enforce certain types of laws related to privacy, depending on the type of organization. You have federal laws you have to comply with. It’s not just, hey, let’s just press a button, restore backup, rebuild computers, come back online. There’s a very controlled and methodical process that you have to go through to get from A to Z. And if you misstep along the way, that misstep could cost your organization millions of dollars in fines and penalties, longer downtimes because you screwed up. You know, so typically, when we get on these calls with the leading law firms that specialize in data privacy and healthcare, they lay it out right at the very beginning: guys, here’s the deal. We’ve done hundreds of these cases, you’re going to be down for approximately two weeks, start making plans right now for that length of outage. And you know what? It could be longer. We’ve done cases where it’s four or five weeks because the organization is so big. It’s just not possible to get so many computers back online that quickly. And look, in some cases, like practices that have cloud technology, if the data hasn’t been compromised, per se, to the extent it would be if they have their own server, they may get online a little bit sooner. But you still have to go through the whole process. There’s a lot of regulatory steps you have to go through. Negotiation with the hackers. Money has to be moved around.
You can’t just pay a hacking group money, because they could be associated with a terrorist organization or a nation state, and now you’re violating federal law by paying the ransom. So there’s a lot of steps that you have to go through, and you can’t short circuit the steps. So I think your operational point is well taken. And for a lot of organizations, they may not even know which patients are coming in for the next couple of weeks because all of their data is encrypted. And one of the other challenges that we see is a lot of the cloud providers, in the contract that the cloud provider has with the client, it says, if you are the victim of a cyber event, you under contract have to notify us within 24 hours, and we reserve the right to terminate your access to our system until it can be proven that you are no longer affected by the malware, because they don’t want the malware to propagate from your infected system up to the cloud. So I’m a huge proponent of cloud, but I think a lot of people have completely hung their hat on the cloud. We heard it this morning from one of the CEOs. It’s like, well, I’m in the cloud. I don’t have to worry about any of this. It’s like, well, that’s not actually how it works. And the other issue is we’ve seen multiple cases now where the hackers have used the computers at a practice location to access the practice management system in the cloud. So they remotely access Stacy’s computer at the front desk, and they use Stacy’s credentials to log into the cloud software, and then they use the cloud’s data export capability to download all the patient records, all the billing, and they steal all the practice’s patient data. And that’s where it becomes extremely costly, because what most law firms are saying is like, you guys have to make a decision. 500,000 or millions of patient records and all of their identities exposed on the dark web? Or does it make sense to potentially pay this ransom in order to suppress that?
There are different philosophies and concepts. But these are the decisions, to Paul’s point, that organizations are making in every one of these attacks. Look at some of these major ones, Change Healthcare, things like that. These guys paid the ransom. We come across a lot of people like, I am never, ever paying the ransom. It’s not that easy. And to Paul’s point, no one wants to pay the criminals. It’s the worst thing ever. It’s the worst feeling ever when you see $2.5 million being wired out of your bank account to a bunch of criminals.
Paul Murphy: So Gary just touched on something very important. There’s a shift that occurred just a few years ago that completely changed the cyber industry. And it’s the theft of patient data. You know, if we go back four years ago, five years ago, when we were doing incident response cases, in almost a hundred percent of those cases, hackers were breaching networks, encrypting data, holding that data ransom. And if you paid the ransom, they would supply you with a decryption key. Sometimes organizations would have a valid backup in place, and they were able to pound their chest, right? And say no to these extortionists. I’m not going to be extorted. I’ll lose two weeks’ worth of data before I pay criminals. The theft of data has changed all that, because in, I’m comfortable saying, 100% of healthcare breach cases, data is being stolen by the hackers and it’s being published on the websites. What organizations are paying for now when they pay ransom is the removal of their patient data from a publicly facing website, or to prevent their data from being contacted by the hackers directly. We’re at a point now where I think that we’re within about a year of seeing data encryption go away. So what does that mean? Well, encrypting data and decrypting data creates more work for the hackers that they don’t have to go through. They don’t have to do this work anymore because they figured out how to steal and publish data. So what does that mean for backups? Big fan of backups. We preach redundancy, but is having a valid backup gonna matter a year from now when data encryption is no longer even happening? Probably not. Right. Because that’s not what you’re paying for. You’re not going to lose access to your data. Right. But you’re paying these criminals to have your patient data removed from an auction site. That’s what’s become so powerful.
That’s what has given criminals the ability to back so many organizations into a corner and force their hand into having to pay something, you know, pay ransom, essentially.
Bill Neumann: We still have a mistake here, and then a solution. So give me what you think is the top mistake.
Paul Murphy: Number one, by far number one, is organizations still thinking that they should be relying on their existing IT resource to be their cybersecurity protectors. If an organization is working with a great IT resource, I know that they’re worth their weight in gold, but they typically have a completely different skillset than, you know, credentialed cybersecurity experts do. You know, a great IT resource, you know, maintains networks, keeps organizations up and running, patches outdated software systems, makes sure that front desk one can print to this printer. What cybersecurity professionals do is completely different. Gary, obviously, you know, you have a lot more of an IT background than I do, so you can probably speak about this topic better than I can, but what are your thoughts?
Gary Salman: Do you agree? Yeah, no, I agree wholeheartedly. You know, I think what happens is because we do this 24-7 literally, and we are an incident response and forensics firm, we see firsthand how these networks are being breached. So almost on a weekly basis, we’re like, oh my gosh, look how these guys got in. Like, we’ve got to change our tactics too. And what I find for a lot of DSOs is they’re relying on a piece of software called antivirus that sits on their network and like, woo, check out that cool skull-looking thing in the corner that’s blinking and saying, oh, I’m protected and no threats.
Bill Neumann: My IT person handles cybersecurity because I have that.
Gary Salman: Right. And it’s an old school thought, right, where, hey, I got the firewall. I have the antivirus software. You know, this is the greatest and latest antivirus software in the world. I’ve gone to their lectures and heard the Kool-Aid, and I’m drinking gallons of the Kool-Aid on this antivirus software. And they believe, like, hey, that’s going to stop everything, because that’s what they’ve been told. And they’re not dealing with the real threats and they don’t understand who we’re up against. We are not up against a kid sitting in his basement. We’re up against threat groups that are generating hundreds of millions and billions of dollars a year on these attacks against US entities. And they don’t care if you’re a small single-location organization or you have, you know, 500 locations as a DSO. They’re hitting everyone. So we have to think differently. And our whole process that we utilize is multi-layered, right? We look at the human element of an attack. We look at the vulnerabilities and the exploitation, the configuration of software, you know, and what we see a lot of times IT companies will do is what’s called security by obscurity. They’re like, oh, I’ll just hide this because the hackers are never going to find it. And a day later, they’re like, oh, man, we got hit with ransomware. You know, because they don’t understand the sophisticated tools that these criminals are using. So, you know, and it’s kind of like an overplayed word, but we look at the entire environment holistically. Because what I often hear when I am on the phone with an executive team and their managed service provider, their IT, they’re like, oh, we’re doing all this to protect the organization this way. I’m like, well, what about over here? Like, you’re completely unprotected there. And then it’s crickets. They’re like, oh, yeah, we didn’t know about that, or we didn’t think about that, or we don’t think it’s a risk.
I’m like, no, that’s a huge risk. And I think the issue here is there’s just a lack of information. And what a lot of executive teams are doing is they’re saying, well, my IT company does a really good job of keeping us running, their IT. I’m sure they know cyber. But it’s the same thing. Would a cardiologist do open heart surgery on you? No, you’re going to have a cardiothoracic surgeon. They’re both working on the heart, per se, but they’re very, very different. OMS versus GP, they both play critical roles in dentistry. You’re not going to a GP for orthognathic surgery. That’s just the reality of it, you know? So the skill sets are very, very important. The credentialing of the engineers is very important, et cetera.
Bill Neumann: So switching gears a little bit. Is there a way now that we can predict if a breach is going to happen, a cybersecurity breach? Are we at that point where we can take a look based on certain criteria and say, it’s not going to happen? Or maybe it’s not. We can’t say that definitively. But there is a greater likelihood based on certain criteria. Are we at a point where we can measure that? So I think we are, finally.
Paul Murphy: And how do you do that? So number one, I want to say, if you are a health care organization, your chances of being targeted are 100%. Emphatically, I can say that it’s 100%. There is new technology getting ready to be released. It’s proprietary technology that was developed by the team at Black Talon Security that is going to be game-changing specifically for the DSO community. It’s the most recent version of our Eagle Eye technology. Gary is the CEO. I think that you should be the person that kind of… gets into the detail of what’s going to be your baby.
Gary Salman: Oh, it’s all my fault now if it doesn’t work, right?
Paul Murphy: That’s what I’m hearing. But the amount of time and the amount of effort and the amount of development hours that has gone into this technology that I will say was specifically developed for our DSO clients and our DSO technology partners, it’s just something we’re so excited about and so crowded. So who better than the CEO to
Gary Salman: Yeah. So one of our larger clients came to us and they’re like, we have so much data, right, from you guys. Like, we can’t even process the amount of issues you’re finding with our system. Just tell us what to do. We’re like, OK, good point. Like, sending you a spreadsheet of 80,000 items that’s wrong with your network isn’t working for them anymore. And then we realized, okay, we can process this data, we can present it back to them in an actionable way, using KPIs, you know, charts, graphs, doing some analytics, and basically saying, hey, you know, these are your practices that need attention, out of your 200 locations or your 10 locations, go focus your attention here. These are the firewalls that are misconfigured, right? These are the employees that haven’t been trained, go get them trained. So what I like to say is we have so much telemetry and so many data points that are now being extracted from these computers and these networks, we can take all this data, triangulate it, and now we can actually predict the likelihood of a breach at an organization, based on whether you’re doing things really well, right? So we can now give a DSO the probability of a breach, right? So we score it on a scale of 1 to 100. 1 is very low probability. 100 is a very high probability of a breach. And what we do is we look at, like I said, training, firewalls, vulnerabilities, open ports on firewalls, misconfigurations. And because we are bringing all this in, the system will almost in near real time redo its calculations and say, hey, these are your 20 locations that are most likely going to be breached because the firewalls are misconfigured. You have very low acceptance of cybersecurity awareness training and many other proprietary things that we’re calculating. And then you know what? Think about the amount of time and resources that can be saved by not just trying to do kind of a spray and pray approach, which is what I find happening at most DSOs.
They’re running like, you know, it’s like wildfire, right? They’re just running all over the place, trying to fend off attacks, trying to mitigate risk. And they don’t actually often know where to start or what to do. They’re doing what I like to say is feel-good things, you know, without any data behind it. And I challenge CEOs and the rest of the executive team: do you typically make business decisions without data? And most people were like, no, we can’t. We do everything off of data. And sometimes it’s a gut thing. You make a gut call, I get it, as the CEO, too. So now with EagleEye, you’re presented with all of this actionable data. So you know where to focus your attention. You’re not over- or under-staffing your help desk, overstaffing your managed service providers. And you can then say to yourself, all right, guys, here’s what I want to happen. I see that on average, we have a risk score of 65 out of 100. Within the next six months, I’m going to give you some more resources. I want our risk score to be under 35, because that will put us on par with the benchmark of all other Black Talon customers. So another thing we do now is we benchmark. So once you get on our platform, you’ll see, oh, wow, we’re not doing so great. On average, we have 20 high-risk vulnerabilities per computer. The average Black Talon client has nine. The executive team will challenge everyone and be like, I want to be nine or below. And before this, executives would have no visibility into risk. It was a hope and a prayer or trust. And when these things go sideways and there’s a cyber event, that doesn’t work. Right, the executives are always saying, you know what, I had no visibility, I was being told we were secure, our IT resources or managed service provider had assured us we were secure.
And here we are, you know, I’ve got a multi-million-dollar event on my hands, it’s gonna crush my EBITDA, you know, we’re in talks with another DSO to buy us, like all these things unravel really quickly. But this is the beauty of this platform, you know, you have to understand where you have risk, similar to a FICO score, right? How’s my credit? Is it good? Is it average? Is it poor? So this risk and exposure score is absolutely game-changing. As far as we know, no one in the cyber world has a tool like this that looks at so many different components of risk. There are tools that say, hey, your external risk is this, or your internal risk is this. But with all of this telemetry coming in, it really gives you a clear picture of where you need to focus your attention.
Paul Murphy: This’ll create visibility, right, for C-suite members that they’ve never had before, you know, but it also increases visibility for, you know, CTOs, right, or VPs of IT. The amount of visibility they’re going to have into their environments is going to increase dramatically, you know, with this tech. And it makes everything digestible and actionable. Right. And that’s a big part of what it does.
Gary Salman: And you don’t need to be technical to ingest the data. You can look at that and be like, we’ve got a high risk or we got a problem. I don’t need to understand vulnerabilities or anything else as an executive. That’s right.
Bill Neumann: Industry loves KPIs. So let’s go through some cybersecurity KPIs.
Paul Murphy: So, again, this ties right back to Eagle Eye, right? So, you know, how are we doing as an organization, right? So, let me check with the head of HR, you know, how are people doing with their training? Eagle Eye is providing complete visibility into not only the training and the testing associated with the training, but also the results from our simulated phishing tests. You know, you have immediate eyes on information that will tell you who some of the people are who may, you know, continue to click on simulated phishing emails, who are putting your organization at a higher risk. You know, these are the folks who need to, you know, maybe be put through some additional training. You know, how are we doing with management of our firewalls, right? That’s our first line of defense. If I were to ask even most chief technology officers or VPs of IT today who are managing 50 practices, you know, where do you have holes in your 50 firewalls today? I bet you none of them would be able to give me an answer to that, right? But through EagleEye, I think they’ll have that capability. What are some of the other KPIs?
Gary Salman: Do you think that EagleEye addresses? How long it takes to address a threat. You know, so, you know, the AI detects some type of threat, how long did it take to mitigate the threat? I think that’s a really important KPI. And then risk over time is probably one of the biggest ones, because when you onboard this technology, you could be in a bad place. You could be in a good place. We don’t know, right? And just like any type of business, you set a goal and say, hey, for this KPI, I want to go from, you know, a 20 level 29 in terms of high-risk vulnerabilities to a 10 over the next, you know, three months. And by month six, I want to be sub nine, you know, in terms of the number of risks per device. That is something that is extremely actionable. And this is all graphed and all charted out for you. So once again, from an executive team, you don’t need to understand anything. You look at that graph, you’re like, we started here. I made them commit to me that they would be at this level at month three. We hit that goal. Here we are at month six. We’re tracking to the right place. And you know what? Things like that are very powerful. Because this is no different than revenue generation. Like, hey, our revenue goal for this month is $5 million. Did we get to the $5 million? Oh, we did? OK, we hit our target. Conceptually, it’s very similar. And the executive teams are loving it. And one of the things we’re finding is they’re now taking screen captures of the dashboards. And then when they go to present to their board or the private equity company, they show up with a whole deck basically prepared for them on their cyber risk. And the boards are eating it up because they know there’s tremendous risk there, right? They could lose their entire investment if that DSO gets taken down in a cyber event. Look at some of the bigger DSOs that have been hit that have probably lost, you know, $50, $75 million from these cyber events.
It’s a tremendous hit to the bottom line. So, you know, tracking those types of KPIs is extremely important.
Paul Murphy: And in regard to insurance, right? So when it’s time to renew that cyber insurance policy for the entire organization, and you get what’s now a thick booklet of questions that you have to answer for that insurance company, now you have a single pane of glass that you can just go, here you go. This is what we have in place. And it’s real data. And it shows all the tools that are in place. It shows how well the organization is protected. How much they’ve increased, you know, their protection over a six-month or nine-month span. Training results from all their staff. I mean, what better data to have to present to an insurance company when it comes time to renew? And that often results in significant premium reduction.
Gary Salman: Because they’re going to base your premium on your risk. Absolutely. So I think a lot of the DSOs that are paying these massive cyber premiums could see significant savings. And Paul brought up a really good point where we’ve had conversations with CTOs. They’re like, well, I have like four or five different tools. Some of them do kind of what you’re talking about. And I was like, well, who’s accessing that data and how are you managing that? And then they start laughing. They’re like, yeah, look, everyone knows that’s the inside joke. We have these tools. No one’s watching them. And I got to open up four different screens. I have to log into four different products.
Bill Neumann: And they’re not doing that. They’re not doing it.
Gary Salman: Almost like a sick joke, because they know it’s a problem, but they just don’t have the resources to deal with it. Now they open up a single window, and I tell everyone, within 30 seconds, you can know exactly where you have problems in your organization, regardless of your size.
Paul Murphy: While cutting spending on redundancies, sometimes antiquated redundancies, and increasing what? Standardization. Across all locations, right, is the goal of most DSOs.
Unidentified speaker: 100%.
Paul Murphy: Yeah, absolutely.
Bill Neumann: Great conversation. We went over a ton of information. I’m trying to recap it in my mind here. Fortunately, I’ve got some notes, so I think I could. But we talked about the tabletop exercise. Again, I would highly recommend, if you are at an event and you can attend the tabletop exercise that Gary and the team at Black Talon put on, I mean, it’s great. It’s eye-opening. I think it’ll give you a feel for how prepared or not you are as an organization and puts you in a position where you have to make some decisions. And, yeah, again, it gives me a little agita every time I sit in on it. But really good. We talked about AI as a threat, also as a solution, mistakes, solutions, right, top mistakes. And then we, of course, went through some of the KPIs, talked about Eagle Eye a little bit. So, as we kind of wrap things up here on the podcast, I did want to just mention that every month, Black Talon and Group Dentistry Now have an article called CyberWatch, where we cover cybersecurity incidents in healthcare over the past month. And then you always have some great – I’m looking at Paul because he does a lot of the content creation for this, so Paul’s writing a lot of this. A lot of tips and tricks. So, we’re going to continue that in 2025. So, really keep an eye out for that column again once a month. Really chock full of great information and it’s free. So, you know, even better, you can take advantage of that and see how prepared you are. If anybody wants to find out more about Black Talon Security, they want to reach out to either one of you gentlemen, what’s the best way to do that?
Paul Murphy: I’d probably say go to the website. Best place to start, blacktalonsecurity.com. You can always find either me or Gary on LinkedIn as well and contact us directly that way. Any other suggestions that you have for that? They can call.
Gary Salman: Yeah, we have an 800 number they can call. They can talk to a security engineer, you know, so we can have a better understanding of what they’re looking for and how we can potentially help them.
Bill Neumann: So we’ll drop all that information in the show notes. So you can always go to groupdentistrynow.com and type in CyberWatch, BlackTalon, plenty of articles, really chock full of really helpful educational content. Paul, appreciate you being here today. This was a great conversation, Gary. Great seeing you again. And until next time, this is the Group Dentistry Now Show, and I’m Bill Neumann. Thanks for tuning in.
The Group Dentistry Now Show has listeners across North and South America, Europe, Asia, and Australia. If you like our show, subscribe today and please tell your colleagues about us.