The objection we hear most often from smaller practices is that a phishing simulation program feels like overkill: "We all know each other, everyone's careful, and it feels like we're tricking our own team." It's a reasonable instinct, and it's also wrong.

Phishing remains the top initial access vector in the healthcare and dental incidents we see. The click-through rate on a first simulation at a new client typically sits between 18% and 30%. After two quarters of targeted training, we consistently bring that under 5%. That's not a corporate metric — that's a practice-saving one.

A twelve-person practice has twelve inboxes, each of which is a door. A simulation program is low cost, well-studied, and produces an artifact every cyber insurance carrier now asks for at renewal. The awkwardness of "tricking your own team" is solved by good framing: this is coaching, not testing, and the first number you share is the one you improved.