Social Engineering is one of the most important tests you can have performed because it evaluates the largest risk to your organization. In 2018, 83% of organizations faced a social engineering attack, so it is very likely that this is a threat you are going to continue to see in the new year. Because of that, it is vital to make sure you are having social engineering tests performed, even if you know your users will fall for it.
In this blog, we are going to take a look at the cost of a social engineering assessment, what is included in that cost, and what are the factors that make the cost more or less expensive. Without further ado, let’s dive in.
Typical Social Engineering Cost?
Unfortunately, it depends. If you are having other testing completed and just need a small sample of social engineering to gauge your risk, we can do a small social engineering engagement that includes 3 campaigns: One phone-based vishing for 5 individuals, one targeted spear phishing campaign for 5 individuals, and one bulk phishing campaign targeting 25 employees. This would cost around $3,690. However, if you wanted a larger engagement with more campaigns and targeting a larger subset of your employees, that can easily climb north of $10,000.
What Factors Into Social Engineering Cost?
As with all penetration testing, social engineering cost will be derived from the amount of time it takes a skilled engineer to perform the work necessary. There are several things that will cause the assessment to take longer, and therefore will drive cost:
- Size – The number of employees you would like us to target will drive the cost of the assessment.
- Campaigns – The number of unique campaigns we launch will have an impact on cost. A campaign is essentially a scenario we will follow to try to trick the victims into falling for it. For example we may pose as an internal IT asset and call them telling them to register for a new employee portal, or we may pretend to be a corporate recruiter offering a job. Each of these scenarios requires time to setup the backdoor payload, the fake website, etc. By default, our social engineering engagements include three scenarios.
- Awareness Training – One of the things we really enjoy to help get the most out of a social engineering engagement is to use it as part of an awareness training. In the awareness training, which should happen soon after the engagement, we will use the exact campaigns and screenshots from the engagement to teach your employees. This is a fun way for them to learn what a sophisticated attack looks like and how to spot it.