Somerford Associates Limited

KnowBe4 - Email Phishing and Security Awareness Training

KnowBe4 is the world’s largest platform for both security awareness training and simulated phishing attacks. There are over 1000 pieces of security awareness training content including interactive modules, videos, games, posters and newsletters. Simulated Phishing attacks are easily created using any of the thousands of templates available within the platform.

Features

• The world's largest library of 1000+ security awareness training items.
• Translated phishing and training content in 30+ languages.
• On-demand, engaging, interactive browser-based training.
• Identify users that have a higher proficiency in security.
• Automate enrollment and follow-up emails to “nudge” users.
• Visible training results displaying phish-prone percentages.
• KnowBe4 allows you to create an effective “Human Firewall”.
• Email Phish Alert Button.
• Dynamic risk scores for users, groups or the whole organisation.
• PhishER to help identify and respond to email threats faster.

Benefits

• Reduce phishing vulnerability from 27% to 2% in 12 months.
• Demonstrate effective governance, risk and compliance management.
• Analyse trends in user behaviour and implement focused training.
• Customised phishing attacks and landing pages.
• Initial phishing vulnerability test for 100 users.
• Reduced vulnerability to invoice fraud and ransomware.
• Industry/Sector benchmarking of your organisation's vulnerability.
• Rapid time to effect through the Automated Security Awareness Programme.
• Enhanced efficiency with PhishER allowing automated processing of email threats.
• KCM GRC Platform - audits done in half the time.

£500 to £2,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

717255848626635

Contact

Penny Harrison
+44 1242 388168
penny.harrison@somerfordassociates.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Browser and Internet connection
  • Solution is cloud hosted by KnowBe4

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Somerford Associates' Service Desk is available between 9am-5:00pm (Monday-Friday). KnowBe4 provide support 6am-9pm EST Monday-Friday.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all. ; ; If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further. ; ; Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour. ; ; Somerford resolve 80% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners. ; ; Our service desk is available between 9am and 5:30pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.; ; All our customers have a Technical Account Manager.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A comprehensive onboarding procedure is in place including, administrator training, monthly customer service engineer calls, getting started documentation and hand holding, local UK based first line support and guidance - all included in the price.; Minimal configuration is required for this cloud service to be ready to phish and train your users. All you need to do it whitelist the KnowBe4 servers and upload your users' email addresses and you are ready to start improving your organisation's security.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: If a customer wishes to terminate the service, their data is first archived and then securely wiped from the KnowBe4 servers on instruction.
• End-of-contract process: All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, all data is archived and then securely deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Fully accessible via a mobile browser.
• Service interface: No
• API: Yes
• What users can and can't do using the API: KnowBe4’s API is a REST API.; KnowBe4’s API feature, allows you to push and pull your external data to and from the KnowBe4 console. Specifically you can pull phishing, training, user and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: All email templates are editable as are the landing pages. The training content is not directly customisable although we can offer a paid for service to customise the training material should it be required.

Scaling

• Independence of resources: KnowBe4 uses Amazon Web Services globally for the provision of their service. They have strict SLA's in place to ensure an optimal user experience.

Analytics

• Service usage metrics: Yes
• Metrics types: The administration dashboard provides realtime reporting on phishing and training.; Enterprise level reporting is available to report on all aspects of a simulated phishing campaign or training campaign.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: KnowBe4

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: A customer can export data from KnowBe4 in the form of reports on user activity. The customer can upload user data to KnowBe4 either via a CSV file or through Active Directory synchronisation.
• Data export formats: CSV
• Data import formats:
  • CSV
  • Other
• Other data import formats: Active Directory Synchronisation

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Online Services to be available 99.9% of the time - measured annually, excluding any planned downtime, maintenance windows, or any unavailability caused by circumstances beyond KnowBe4’s reasonable control
• Approach to resilience: AWS load balancing, multi zone, mirrored databases, snapshots, Web app firewall and redundant DNS
• Outage reporting: Outages reported by email and on status webpage

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Single SignOn SAML with access restrictions based on Role.; Administrators of the console can have privileges set according to function.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 11/12/2018
• CSA STAR certification level: Level 4: CSA C-STAR Assessment
• What the CSA STAR doesn’t cover: Unknown
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • GDPR Compliant
  • US-EU / US-Swiss Privacy Shield certified

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: CISO - Brian Jack. ; ; KnowBe4 follow a significant number of formal processes within their data security strategy, including Incident Response Plan, Build Process Automation, authentication, audits etc. To view further details: https://www.knowbe4.com/security

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Changes are approved, peer reviewed, tested, and put onto staging environments. QA tests changes in staging and approves for production. Changes deployed to production - Use Jira and git repositories.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Annual, Quarterly, and Monthly security scans and reviews and testing. Vulnerability scans, risk assessments and other configuration and security testing.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Centralised logging with alerts and dashboards. Anomaly detection and daily/weekly/monthly reviews.
• Incident management type: Supplier-defined controls
• Incident management approach: Based on alerts, KnowBe4 investigate and follow their IR procedures. Notifications to customers within 48 hours.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £500 to £2,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: A trial is available for a proof on concept by a prospective buyer. A KnowBe4 engineer would configure the environment and walk the potential buyer through how to use the application. The trial is the full product, with restrictions only based upon the number of users.
• Link to free trial: https://info.knowbe4.com/phishing-security-test-partner?partnerid=0013Z00001Zm3cVQAR

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.