Frequently Asked Questions

Quick answers to the cybersecurity questions we hear most often. Can't find what you're looking for? Contact us—we're happy to help.

General Cybersecurity Questions

Why do small businesses need cybersecurity?

Small businesses are actually more likely to be targeted than large enterprises. Attackers know smaller companies often have weaker defenses and fewer resources to respond. 43% of cyberattacks target small businesses, and 60% of small businesses that experience a significant breach close within 6 months.

What's the most common way businesses get hacked?

Email. Phishing attacks and business email compromise account for the majority of successful breaches. Attackers trick employees into clicking malicious links, opening infected attachments, or revealing credentials. Email security and employee training are your first lines of defense.

What should I do first to improve my security?

Start with the basics: enable multi-factor authentication on all accounts, use a password manager, ensure you have working backups, and implement email security. These foundational steps address the most common attack vectors.

How do I know if my business has been hacked?

Signs include unusual account activity, unexplained system slowdowns, employees locked out of accounts, unfamiliar programs or files, unexpected data transfers, and ransom messages. However, sophisticated attackers often go undetected for months. Regular security monitoring helps identify breaches earlier.

What should I do if I think I've been hacked?

Don't panic, but take it seriously. Isolate affected systems if possible, preserve evidence (don't wipe or restart), and contact a cybersecurity professional. If you have an incident response plan, follow it. You may also need to notify affected parties depending on what data was exposed.

Questions About Our Services

What's the difference between managed IT and managed cybersecurity?

Managed IT handles day-to-day technology operations: helpdesk support, system maintenance, patching, backups, and keeping your technology running. Managed cybersecurity focuses specifically on security: monitoring for threats, detecting attacks, responding to incidents, and protecting your data. Many businesses benefit from both.

What is a vCISO?

A Virtual Chief Information Security Officer (vCISO) provides executive-level cybersecurity leadership without the cost of a full-time executive. A vCISO develops your security strategy, creates policies, manages compliance, reports to leadership, and guides security decisions—all on a part-time or retainer basis.

Do I need a security assessment?

If you're not sure where your business stands on security, yes. An assessment gives you a clear picture of your current posture, identifies gaps, and provides a prioritized roadmap for improvement. It's especially valuable if clients or insurers are asking about your security, or if you're preparing for compliance audits.

How much do your services cost?

It depends on the service and your organization's size and needs. Security assessments start at $1,500 for businesses. Managed services are typically priced per user or per device. vCISO services are available on monthly retainer. Contact us for a custom quote based on your specific situation.

How long does it take to get started?

Most engagements begin within 1-2 weeks of agreement. Assessments typically take 1-2 weeks to complete. Managed services onboarding usually takes 2-4 weeks depending on environment complexity.

Compliance Questions

Does my business need to be HIPAA compliant?

If you're a healthcare provider or health plan, or you handle protected health information (PHI) on behalf of healthcare organizations as a business associate, HIPAA applies to you. This includes medical practices, dental offices, mental health providers, and many healthcare technology companies.

Do I need PCI-DSS compliance?

If your business accepts credit card payments, PCI-DSS applies to you. The scope of your requirements depends on your transaction volume and how you handle cardholder data. Many businesses can significantly reduce their compliance burden by using hosted payment solutions.

What is SOC 2?

SOC 2 is an audit framework for service organizations that demonstrates your security controls meet defined criteria. It's increasingly required by enterprise clients before they'll do business with you. SOC 2 reports are issued by CPA firms after examining your security controls.

How long does it take to achieve compliance?

It varies significantly based on your starting point and the framework. HIPAA compliance for a small practice might take 2-3 months. Obtaining a SOC 2 report typically takes 9-18 months including the observation period. We help you understand realistic timelines for your situation.

Working With Dragon Scale

What industries do you serve?

We work with small and medium businesses across many industries, with particular expertise in healthcare, accounting, legal, financial services, non-profits, and professional services firms. Our approach adapts to your specific industry requirements.

What areas do you serve?

We serve clients throughout California and can work with businesses nationwide for many services. Certain services like on-site training are location-dependent.

How is Dragon Scale different from other IT/security companies?

We're a cybersecurity company first—security isn't an afterthought or add-on. We focus on education rather than fear tactics. We prioritize your best interest over our revenue. And our team brings experience from Fortune 500 companies, major banks, and government agencies—expertise we make accessible to businesses of all sizes.

Do you require long-term contracts?

We offer flexible engagement options. Some services are project-based (assessments, implementations). Ongoing services typically have monthly terms with reasonable notice periods. We believe in earning your continued business, not locking you into contracts.

Still Have Questions?

We're happy to help. Contact us directly or schedule a free consultation.