Report Prepared Especially For: Razan Essa
February 6, 2021
Welcome
Congratulations on becoming part of the KnowBe4 ASAP family. The following pages reflect your
individual survey responses and contain recommendations for specific training modules, videos and
supporting materials to help you catapult your training plans into a mature and multifaceted information
security awareness program.
A successful information security awareness program is essential to ensure your employees are
empowered with the knowledge they need to protect your organization. While employees are your most
important asset, they are at the same time your weakest link and your last line of defense. One of the best
ways to make sure your employees will not make costly errors regarding information security is to institute
company-wide security awareness training initiatives.
Effective security awareness and training programs are multifaceted. For example, an effective
program will include:
- Deployment of learning modules that cover topics critical to the organization, related to behavior, policy, or compliance expectations
- Simulated phishing and social engineering attacks so that employees are conditioned to look for red flags in any communication they receive
- Additional supportive messaging, information delivery methods, communication channels, and interactive activities so that your organization has the best chance to effectively develop a sustainable security mindset within each employee, job role, division, and region
- Knowledge and skills that are relevant and transferable to an employee's personal life and overall security hygiene
Your ASAP program covers these requirements and also accounts for the uniqueness of your
organization based on your provided answers. The tasks that follow should serve as a guide towards the
implementation of a successful security awareness program. KnowBe4 is determined to help you achieve
your goal of strengthening your human firewall with your customized program.
7. Communicate the Security Awareness Program with your employees (February 24, 2021)
After the baseline test, your employees who received the simulated phishing email may be
confused. Those that clicked the phishing link may worry that they will face repercussions. We
recommend that once the duration of your baseline test phishing campaign is complete, you
communicate with them that a test was conducted and explain why. As an option, you can even
share your company’s overall phish-prone percentage.
The message should convey the importance of everyone completing security awareness
training. Letting your users in on the potential threat to the organization or to themselves may
increase their participation level once you enroll them in training. We’ve provided a template in
the below link that you can send to all of your users after the baseline test is complete:
-My baseline test is finished. What do I tell my users now?
You can also provide the below link to your users, which is a short video explaining what their
training experience will look like:
-Getting started with KnowBe4 training
9. Establish a procedure for users to report suspected phishing emails (March 2, 2021)
KnowBe4’s Phish Alert Button (PAB) lets your end users report suspicious emails with just one
click. It is an add-in to your mail client or server that can be used to streamline the process of
what your employees should do when they receive a potential phishing email. Your users can
click the PAB if they suspect that they have received a suspicious email, whether the email is a
simulated phishing test or a real phishing attack.
Reported emails which are not simulated tests will be forwarded to your incident response
team or help desk, allowing you to see real-life phishing attacks that are making it to your end
users.
Your users can also receive fully customizable feedback from you. For instance, if they report a
potential phishing email and it turns out to be a simulated phishing test, you can congratulate
them for reporting the email and let them know it was not a real phishing attack.
The PAB is compatible with Outlook, Outlook Web Access, Office 365, GSuite (Chrome
Extension), and the Outlook Mobile App (for iOS and Android). Our Compatibility Matrix can
help you decide if the PAB is compatible with your environment.
For full installation details, see the below link:
-Phish Alert Button Installation Guide
You'll want to inform your users about this new tool and explain why and how it should be
used. See the below link for more information:
-How can I inform my users about the Phish Alert Button?
10. Develop a threat response and management process for reported phishing emails (March 5, 2021)
Regardless of whether your employees have gone through security awareness training and
simulated phishing tests, processes should be in place for reporting suspicious or malicious
emails. How does your Incident Response team manage these reported emails?
PhishER helps you quickly identify and respond to the most dangerous email threats. Use this
Security Orchestration, Automation and Response (SOAR) platform to manage all of the emails
your users report and to automatically assign a disposition to each one, so you can prioritize and
respond quickly to real-life phishing attacks.
When using PhishER as a detective security control, your organization can identify potential
threats and strengthen your security measures and defense-in-depth plan.
Use the link below to see frequently asked PhishER questions:
-PhishER Frequently Asked Questions
See our full PhishER Product Manual here:
-PhishER Product Manual
Contact your Account Representative or Customer Success Manager if you’re interested in
learning more about PhishER, or see here to request a demo.
12. Create a training campaign for your fundamental training module (March 8, 2021)
The below article will advise you on the settings you should choose when setting up your first
Training Campaign.
First, review the recommendations in the below article which covers enrolling employees in
training:
-Enrolling your employees in security awareness training
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos
When you're ready, create your training campaign by clicking the below link:
-Set up your training campaign
Hint: You may also want to consider adding a security policy to your training modules which
your users will have to read and accept as part of completing training. You can also optionally
provide this link to your users, which is a short video explaining what their training experience
will look like.
13. Review and select a remedial training module for phishing test failures (March 9, 2021)
Remedial training allows you to target your high-risk users or "clickers" with additional security
training. High-risk users could be those employees that have clicked a link, opened an
attachment, or carried out other potentially dangerous behavior on a phishing test. Below is an
article explaining this further:
-Remedial training
We've suggested remedial training courses for you below. When choosing remedial courses for
your high-risk users, consider shorter-length courses which go into detail about the specific
action you're trying to address with remediation.
Select a course for your phish-prone users below. You can see additional training modules and
interactive games in our ModStore.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Store Purchases. This is done by clicking on the "Add to Account" button within
the ModStore. Further information about that process is available at the below link:
-How do I add content to my Store Purchases?
See below link for additional tips on handling your phish-prone users:
-How to handle your clickers
Platinum and Diamond-level customers can also use our Smart Groups feature to create
dynamic groups of users based on specific criteria, such as clicking a link or opening an
attachment. These groups can be targeted with phishing or training campaigns. Learn more
about Smart Groups on the below link.
-Smart Groups
14. Create a training campaign for phishing test "clickers" (March 9, 2021)
People who fail a phishing test should be enrolled in a remedial training campaign so they can
learn to "think before they click" on a phishing test in the future. Create a campaign using the
remedial training module you selected in the previous task by following the steps in the below
article:
-How to set up remedial training
Below is a video which will walk you through the steps you'll need to take when setting up a
remedial training campaign:
-Remedial training campaigns (Video)
When you're ready, use the below link to create your remedial training campaign:
-Create your remedial training campaign
17. Review and select quarterly training modules (March 11, 2021)
When selecting quarterly training modules, you'll want to choose those that will refresh a user's
memory and bolster the skills they learned in previous training. You'll also want to consider
introducing fresh content regularly to keep your users interested and engaged.
Preview the courses we've suggested below to see what you'd like to use. You can also browse
the ModStore to check out what other courses we have available.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Library. This is done by clicking on the "Add to Library" button within the
ModStore. Further information about that process is available at the below link:
-How do I add content to my Library?
18. Create training campaigns for your quarterly training modules (March 15, 2021)
After selecting what modules you'd like to introduce quarterly, you can set up training
campaigns in advance. When you're ready, use the below link to set up your campaign:
-Set up your training campaign here
Hint: You can clone your first quarterly training campaign to quickly create the rest once you
have your settings the way you'd like them. Be sure to select the correct training module and
start date for your additional campaigns after cloning them. See the below article:
-How to clone a training campaign
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos
21. Review and select the appropriate role-based training modules (March 18, 2021)
Based on your questionnaire, we've suggested role-based training modules for you to enroll
your users in below.
Select all that apply for your organization. You can view all of our available content in the
ModStore.
After you've selected the right modules for your organization, you'll also want to add them to
your account's Library. This is done by clicking on the "Add to Library" button within the
ModStore. Further information about that process is available at the below link:
-How do I add content to my Library?
22. Create training campaigns for your role-based training modules (March 18, 2021)
Once you've selected the role-based module(s) you'll need to train users with, you'll want to
make sure you've added users to specific groups that you can target for role-based training.
Creating groups allows you to target subsets of your users in the console. If you need to do
ongoing role-based training for only certain users, it will be worthwhile for you to take the time
to create and group users into specific "role-based training" groups now. See the below article:
-How do I create a new group?
Once you've grouped your users into their individual role-based groups, you can set up training
campaigns in advance. When you're ready, use the below link:
-Set up your role-based training campaigns
Hint: You can clone your first role-based training campaign to quickly create the rest once you
have your settings the way you'd like them. Be sure to select the correct training module, role-
based user group, and start date for your additional campaigns after cloning them. See the
below article:
-How to clone a training campaign
If you'd like more guidance, we offer short videos explaining the various features of training
campaigns. You can access those videos below:
-Setting up a training campaign
-Monitoring training campaigns
-See more tutorial videos
23. Set up a Security Hints and Tips campaign (March 19, 2021)
To reinforce basic security hints, tips, and tricks to your users, you can set up a monthly Security
Hints and Tips campaign. Security Hints and Tips contain general security tips that would be
useful for any employee to review. However, we also have specialized Security Hints and Tips
focusing on PCI and HIPAA compliance.
To learn how to set up this campaign, review the below article:
-How to set up a Security Hints and Tips campaign
When you're ready, set up your recurring Security Hints and Tips campaign by clicking the below
link:
-Create your Security Hints and Tips campaign
Hint: We recommend scheduling this campaign to begin after your initial security awareness
training campaign has been completed. You may also want to hide this campaign from your
overall phishing reports. To learn how, click the below link:
-How to hide a campaign from reports
24. Enable users to think twice about clicking on potentially dangerous links (March 24, 2021)
KnowBe4’s Second Chance security tool enables your users to make smarter cybersecurity
decisions by allowing them to back out of clicking a suspicious link in an email or email
attachment.
Second Chance inspects the links that your users click from their inboxes, and before navigating
to a potentially dangerous website, users are prompted to either “continue” or “abort” their
action. Aborting the action could provide your users with a “second chance” to avoid scenarios
such as malware infections or loss of sensitive data to a malicious website.
Second Chance also lets you decide which URLs are "safe" to visit in your organization; these
URLs will not trigger a prompt window to appear.
To learn if Second Chance is compatible with your email environment and for full product
details, see the below link:
-Second Chance Installation and Product Manual
You’ll want to introduce this tool to your users and explain how it should be used. See the below
link:
-How can I inform my users about Second Chance?
26. Relay improvements in user behavior to your organization's leadership (March 26, 2021)
As you’re building your security awareness culture, you may notice your users taking a more
active role in helping to keep your organization safe from cyber attacks. They may start to
report potential phishing emails, comment on how much they enjoyed their training
assignment, or communicate with their colleagues about proper security practices. When you
notice these improvements in user behavior, you’ll want to share that information with your
stakeholders or Executive team.
Your combined efforts of simulated phishing and security awareness training, if following
KnowBe4 best practices, should lower your organization’s Phish-prone Percentage and risk
score over time. You can navigate to the Reports tab in your console to find reports which
display these improvements, which you can then share with your stakeholders.
See the below resources for more information:
-Advanced Reporting Guide
-Virtual Risk Officer (VRO) Guide
27. Customize high-difficulty phishing campaigns for low Phish-prone users (March 29, 2021)
It is important to craft high-difficulty phishing campaigns for your low Phish-prone users.
Attackers often use highly-sophisticated, realistic phishing emails to trick their victims. Consider
using phishing templates with a 4-5 star difficulty rating in these campaigns, or craft a custom
template to spear-phish these users.
See the below resources we've provided for additional insight:
-Customizing Emails and Landing Pages
-Customization of Phishing Templates and Landing Pages (Video)
Using Smart Groups (for Platinum and Diamond subscriptions), you can automate tiered
phishing campaigns for users based on their past performance with phishing tests.
-Automated Remedial Training and Tiered Phishing with Smart Groups
28. Identify high-risk groups so you can take action (March 30, 2021)
We recommend identifying the users and groups who are at a higher risk of receiving a phishing
email, so you can enroll them in additional, role-specific training.
Users who may receive more phishing attempts include, but are not limited to, your Executive,
Accounting/Payroll, and IT/Help Desk teams.
You can also review your user and group risk scores to find high-risk users and groups.
See more here:
-Advanced Reporting Guide
-Virtual Risk Officer (VRO) Guide
29. Use targeted training to initiate a training campaign for high-risk groups (March 31, 2021)
We recommend additional, role-specific training for the users who are at a higher risk of
receiving a phishing email due to the nature of their job role. Users who may receive more
phishing attempts include, but are not limited to, your Executive, Accounting/Payroll, and
IT/Help Desk teams.
You can use the Targeted Training filters when browsing the ModStore to find the content best
fit for training your high-risk employees.
See the below link to learn more:
-Finding Industry-Specific or Role-Based Training
4. What level of maturity would you like to attain over the next 12 - 18 months?
Average maturity
5. What would you like to have as the primary focus of your program?
Security awareness delivery
11. What roles does your organization need specific training for?
General IT Staff
Administrators
Typical office employee
12. How often would you like to train your users with simulated phishing emails?
Monthly
13. Would you like to test your users with other attack vectors besides phishing?