Somerford Associates Limited

KnowBe4 - Email Phishing and Security Awareness Training

KnowBe4 is the world’s largest platform for both security awareness training and simulated phishing attacks. There are over 1000 pieces of security awareness training content including interactive modules, videos, games, posters and newsletters. Simulated Phishing attacks are easily created using any of the thousands of templates available within the platform.

Features

  • The world's largest library of 1000+ security awareness training items.
  • Translated phishing and training content in 30+ languages.
  • On-demand, engaging, interactive browser-based training.
  • Identify users that have a higher proficiency in security.
  • Automate enrollment and follow-up emails to “nudge” users.
  • Visible training results displaying phish-prone percentages.
  • KnowBe4 allows you to create an effective “Human Firewall”.
  • Email Phish Alert Button.
  • Dynamic risk scores for users, groups or the whole organisation.
  • PhishER to help identify and respond to email threats faster.

Benefits

  • Reduce phishing vulnerability from 27% to 2% in 12 months.
  • Demonstrate effective governance, risk and compliance management.
  • Analyse trends in user behaviour and implement focused training.
  • Customised phishing attacks and landing pages.
  • Initial phishing vulnerability test for 100 users.
  • Reduced vulnerability to invoice fraud and ransomware.
  • Industry/Sector benchmarking of your organisation's vulnerability.
  • Rapid time to effect through the Automated Security Awareness Programme.
  • Enhanced efficiency with PhishER allowing automated processing of email threats.
  • KCM GRC Platform - audits done in half the time.

Pricing

£500 to £2,000 a licence a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

7 1 7 2 5 5 8 4 8 6 2 6 6 3 5

Contact

Somerford Associates Limited Penny Harrison
Telephone: +44 1242 388168
Email: penny.harrison@somerfordassociates.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No
System requirements
  • Browser and Internet connection
  • Solution is cloud hosted by KnowBe4

User support

Email or online ticketing support
Email or online ticketing
Support response times
Somerford Associates' Service Desk is available between 9am-5:00pm (Monday-Friday). KnowBe4 provide support 6am-9pm EST Monday-Friday.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
No
Support levels
Our Service Desk provides support for P1 to P4 where a part of the software, appliance or license was previously working and is not working as expected or at all.

If an issue requires a level of Professional Services to engage, a member of the support team will discuss with your Account Manager to discuss this further.

Service Desk offer support through several channels, including telephone, e-mail and remote sessions where appropriate. Any employee of our entitled customers can raise a support desk ticket via telephone or e-mail with their company e-mail address. This will be logged and assigned to an engineer who will respond within 1 business hour.

Somerford resolve 80% of service desk tickets without requiring the involvement of our Partners. Where Partner involvement is required, we will advise you on this the process. Wherever possible, we will manage your service desk case with our Partners.

Our service desk is available between 9am and 5:30pm Monday to Friday, excluding Bank Holidays. Our service desk will provide support for existing Customers and companies that are engaged in Proof of Concepts.

All our customers have a Technical Account Manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
A comprehensive onboarding procedure is in place including, administrator training, monthly customer service engineer calls, getting started documentation and hand holding, local UK based first line support and guidance - all included in the price.
Minimal configuration is required for this cloud service to be ready to phish and train your users. All you need to do it whitelist the KnowBe4 servers and upload your users' email addresses and you are ready to start improving your organisation's security.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
If a customer wishes to terminate the service, their data is first archived and then securely wiped from the KnowBe4 servers on instruction.
End-of-contract process
All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, all data is archived and then securely deleted.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Fully accessible via a mobile browser.
Service interface
No
API
Yes
What users can and can't do using the API
KnowBe4’s API is a REST API.
KnowBe4’s API feature, allows you to push and pull your external data to and from the KnowBe4 console. Specifically you can pull phishing, training, user and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • PDF
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
All email templates are editable as are the landing pages. The training content is not directly customisable although we can offer a paid for service to customise the training material should it be required.

Scaling

Independence of resources
KnowBe4 uses Amazon Web Services globally for the provision of their service. They have strict SLA's in place to ensure an optimal user experience.

Analytics

Service usage metrics
Yes
Metrics types
The administration dashboard provides realtime reporting on phishing and training.
Enterprise level reporting is available to report on all aspects of a simulated phishing campaign or training campaign.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
KnowBe4

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
A customer can export data from KnowBe4 in the form of reports on user activity. The customer can upload user data to KnowBe4 either via a CSV file or through Active Directory synchronisation.
Data export formats
CSV
Data import formats
  • CSV
  • Other
Other data import formats
Active Directory Synchronisation

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Online Services to be available 99.9% of the time - measured annually, excluding any planned downtime, maintenance windows, or any unavailability caused by circumstances beyond KnowBe4’s reasonable control
Approach to resilience
AWS load balancing, multi zone, mirrored databases, snapshots, Web app firewall and redundant DNS
Outage reporting
Outages reported by email and on status webpage

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Single SignOn SAML with access restrictions based on Role.
Administrators of the console can have privileges set according to function.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
11/12/2018
CSA STAR certification level
Level 4: CSA C-STAR Assessment
What the CSA STAR doesn’t cover
Unknown
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • GDPR Compliant
  • US-EU / US-Swiss Privacy Shield certified

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
CISO - Brian Jack.

KnowBe4 follow a significant number of formal processes within their data security strategy, including Incident Response Plan, Build Process Automation, authentication, audits etc. To view further details: https://www.knowbe4.com/security

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Changes are approved, peer reviewed, tested, and put onto staging environments. QA tests changes in staging and approves for production. Changes deployed to production - Use Jira and git repositories.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Annual, Quarterly, and Monthly security scans and reviews and testing. Vulnerability scans, risk assessments and other configuration and security testing.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Centralised logging with alerts and dashboards. Anomaly detection and daily/weekly/monthly reviews.
Incident management type
Supplier-defined controls
Incident management approach
Based on alerts, KnowBe4 investigate and follow their IR procedures. Notifications to customers within 48 hours.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£500 to £2,000 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
A trial is available for a proof on concept by a prospective buyer. A KnowBe4 engineer would configure the environment and walk the potential buyer through how to use the application. The trial is the full product, with restrictions only based upon the number of users.
Link to free trial
https://info.knowbe4.com/phishing-security-test-partner?partnerid=0013Z00001Zm3cVQAR

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at penny.harrison@somerfordassociates.com. Tell them what format you need. It will help if you say what assistive technology you use.