Frequently Asked Questions

A social engineering risk assessment evaluates how vulnerable your organization is to psychological manipulation tactics that cybercriminals use to gain unauthorized access to systems, data, or facilities.

What we do: Our assessment tests your employees' susceptibility to various social engineering techniques through authorized simulations, identifies security gaps, and provides actionable recommendations to strengthen your human security controls.

Simulated attack exercises are controlled, safe recreations of real-world cyberattacks that help identify security gaps before actual attackers can exploit them.

Benefits: These exercises test your technical controls, security monitoring capabilities, and incident response procedures against realistic attack scenarios without causing actual damage to your systems or data.

Our security awareness training provides employees with the knowledge and skills to recognize and respond appropriately to security threats.

Core topics include:

• Phishing recognition and defense
• Password security and authentication
• Safe internet usage and data protection
• Physical security awareness
• Mobile device security
• Incident reporting procedures

Consider our services if:

• Your employees handle sensitive customer or business data
• You've never conducted security awareness training
• Your organization has experienced security incidents
• You need to meet compliance requirements
• You want to proactively improve your security posture

Most small to medium businesses benefit from regular security assessments and training programs.

Our assessment follows a five-step process:

• Planning and scoping: Define objectives and permissible techniques
• Reconnaissance: Gather publicly available information about your organization
• Testing phase: Conduct authorized simulations (phishing emails, phone calls, text messages, or in-person attempts)
• Analysis: Identify vulnerabilities and patterns
• Reporting: Provide comprehensive findings and remediation advice

Yes, all our simulated attacks operate under strict safety protocols:

• Signed Rules of Engagement (ROE) documents before testing
• All scenarios approved by management before execution
• "Stop words" to immediately halt any simulation if needed
• Non-destructive techniques that won't damage systems or data
• Meticulously documented and monitored activities
• Phishing emails clearly recoverable as test messages
• Physical tests conducted with proper identification and authorization

We offer multiple training formats to accommodate different learning styles and organizational needs:

• Online self-paced modules: Accessible anytime
• Live virtual sessions: Instructor-led with Q&A
• In-person workshops: Interactive group learning
• Microlearning: Brief 3-5 minute lessons on specific topics
• Gamified learning: Competitions and rewards
• Video-based training: Engaging content
• Hybrid approaches: Combining multiple formats

We simulate multiple attack vectors to provide comprehensive coverage:

• Phishing: Targeted email campaigns with various sophistication levels
• Vishing: Voice-based social engineering via telephone
• Smishing: SMS-based attacks through text messages
• Pretexting: Creating false scenarios to obtain information
• Physical access attempts: Testing building security through social manipulation
• USB drop tests: Strategically placing devices to test employee behavior
• Tailgating attempts: Testing physical access controls

For most small to medium businesses, we recommend:

• Quarterly simulated attacks with varied techniques
• Monthly phishing campaigns for high-risk industries
• Additional simulations following security awareness training
• Extra tests when significant new attack vectors emerge

This balanced approach helps maintain security awareness without causing "security fatigue" among employees.

We measure training effectiveness through multiple metrics:

• Pre/post knowledge assessments showing improvement
• Phishing simulation results before and after training
• Security incident reporting rates
• Observable changes in security behaviors
• Reduction in security incidents
• Time-to-report for suspicious activities
• Engagement metrics and completion rates
• Department-specific performance analytics

We track several key metrics to quantify your organization's vulnerability:

• Click rates on phishing links
• Credential submission rates
• Reporting rates by employees
• Time-to-report suspicious activity
• Resilience factor (ratio of reporting to failure)
• Department-specific susceptibility rates
• Security team response time
• Overall control effectiveness rates

After completing security assessments, you'll receive comprehensive reports tailored to different audiences:

• Executive Summary: High-level overview designed for leadership
• Detailed Technical Report: Comprehensive documentation for IT and security teams
• Remediation Roadmap: Prioritized action plan for addressing vulnerabilities
• Compliance Mapping: How findings relate to relevant regulatory requirements
• Metrics Dashboard: Quantitative analysis of your security posture

Our sustainable security awareness programs include:

• Annual comprehensive training: Complete refresher on all key security topics
• Monthly microlearning: Brief 5-minute modules on specific topics
• Quarterly refresher modules: Targeted reinforcement on core concepts
• Bi-monthly phishing simulations: Ongoing testing of awareness
• Security newsletter subscription: Regular updates on emerging threats
• Just-in-time training: Immediate education when new threats emerge
• Annual security awareness day: Focused organization-wide reinforcement

Our role-based training approach includes:

• Executive-level training: Strategic risks, governance, and leadership responsibilities
• IT staff training: Technical security controls, implementation best practices, and incident response
• Department-specific modules: Tailored to unique security challenges (finance, HR, etc.)
• General employee training: Essential security practices for all staff members
• New hire orientation: Foundational security awareness for onboarding
• Privileged user training: Enhanced security for those with elevated system access
• Third-party/vendor training: Security requirements for external partners

Ongoing security maintenance typically includes:

• Continuous vulnerability scanning of external and internal systems
• Regular security assessments based on your preferred schedule
• Security awareness training and phishing simulations
• Compliance monitoring and documentation updates
• Security policy reviews and updates
• Incident response support
• Threat intelligence monitoring relevant to your industry
• Security program maturity improvement guidance

Our services support HIPAA compliance through:

• Risk assessments that fulfill the required security risk analysis component
• Social engineering testing to evaluate workforce security awareness
• Technical testing of access controls, encryption, and authentication systems
• Physical security assessments to evaluate facility safeguards
• Security awareness training tailored to healthcare privacy requirements
• Policy and procedure development aligned with HIPAA standards
• Incident response planning to address breach notification requirements

Each service is mapped to specific HIPAA Security Rule requirements to ensure comprehensive coverage.

Law firms have several critical obligations regarding client data security:

• Maintaining confidentiality of client information (ABA Model Rule 1.6)
• Taking "reasonable efforts" to prevent unauthorized access to client data
• Demonstrating technology competence (ABA Model Rule 1.1, Comment 8)
• Complying with state bar ethics opinions on data security
• Adhering to specific regulations when handling certain data types (healthcare, financial)
• Protecting attorney-client privilege through appropriate safeguards

Our security services help ensure your firm meets these ethical and legal obligations through comprehensive assessment and remediation.

For small to medium law firms, reasonable security measures typically include:

• Strong access controls with unique user credentials and multi-factor authentication
• Data encryption for sensitive information at rest and in transit
• Secure client communication methods (encrypted email, client portals)
• Regular security awareness training for all staff
• Documented security policies and procedures
• Secure backup systems with tested recovery processes
• Regular security assessments and vulnerability testing

Security services are typically priced using several models:

• Fixed fee assessments: One-time cost for specific security tests or evaluations
• Project-based pricing: Set cost for defined security initiatives with clear deliverables
• Subscription services: Recurring monthly, quarterly, or annual fees for ongoing security services
• Retainer models: Pre-purchased blocks of security service hours used as needed
• Tiered service packages: Different service levels (Basic, Standard, Premium) with increasing features

We can provide detailed pricing options based on your specific needs and organizational requirements.

Several key factors influence security service pricing:

• Organization size (number of employees, locations, systems)
• Assessment scope (breadth and depth of testing)
• Industry-specific requirements (compliance needs, risk profile)
• Technical environment complexity (number of systems, applications, networks)
• Service frequency (one-time, quarterly, annual, monthly)
• Deliverable detail (report comprehensiveness, remediation guidance)
• Response time requirements (standard vs. expedited)

We provide transparent pricing based on these factors with options that align with your security goals and budget.

When considering security service investments, it's important to compare costs to potential breach impacts:

• Average data breach cost for small businesses is approximately $120,000-$1.24 million
• Business disruption costs from ransomware average $274,200
• Regulatory fines for compliance failures can range from $100 to $50,000+ per violation
• Legal costs from breaches average $60,000 for small businesses
• Reputation damage can result in 20-30% customer loss

Investing in security services typically represents 5-15% of the potential cost of a significant security incident, making it a valuable risk management investment.

Your company will:

• Identify human-factor vulnerabilities before real attackers can exploit them
• Measure security awareness levels across departments
• Validate the effectiveness of existing security training
• Receive customized recommendations for improving security
• Demonstrate security due diligence for compliance purposes
• Reduce risk of costly breaches through employee manipulation