SEP2 LIMITED

KnowBe4 - Security Awareness Training Platform

"KnowBe4 is the world's most popular integrated platform for awareness training combined with simulated phishing attacks.
On-demand, interactive, engaging training with over 1000 course modules available, the largest online database available anywhere. Fully automated simulated phishing attacks, 4000+ email templates with unlimited usage.
Enterprise-strength reporting for both training and phishing."

Features

  • Unlimited Phishing Security Tests with 3000+ ready built templates
  • Email client Phish Alert Button

Benefits

  • Dramatically reduce your 'phish prone' user percentage
  • Train & Assess all users

Pricing

£2.80 to £24.40 a user a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@sep2.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

129037457353585

Contact

SEP2 LIMITED sep2 sales team
Telephone: 03300437372
Email: sales@sep2.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No
System requirements
  • Internet Browser
  • Internet connection

User support

Email or online ticketing support
Email or online ticketing
Support response times
Email or online ticketing
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
The first point of contact is in the UK, where the majority of queries are managed. Escalations to the US-based support engineers are then categorised as level 1, 2 or Priority depending on urgency. All telephone and web-based support is included in the cost of the subscription; there are no extra charges for support or maintenance.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
"A comprehensive onboarding procedure is in place, including administrator training, monthly customer service engineer calls, getting started documentation and hand holding, and local UK-based first line support and guidance, all included in the price. New customers will also be assigned a Customer Success Manager to handhold them in getting the product up and running, and working effectively for them.
Very little configuration is required for this cloud service to be ready to phish and train your users. Just whitelist the KnowBe4 servers and upload your users' email addresses and you are ready!"
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Downloadable via CSV/API extraction. The remaining data is securely destroyed on customer request. Our SOC can provide a certificate of destruction.
End-of-contract process
All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, the customer can request the data be deleted.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Yes - Training content is available on mobile through supported browsers. The Phishing Alert Button (PAB) for mobile is enabled for use through Windows and iOS.
Service interface
No
User support accessibility
None or don’t know
API
Yes
What users can and can't do using the API
"KnowBe4’s APIs are REST APIs that allow you to pull phishing, training, user, and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed.

Our APIs use resource-oriented URLs for requests and HTTP response codes for error handling. HTTP features, such as HTTP authentication and HTTP verbs, are built-in and understood by standard HTTP clients.

Our APIs are available to Platinum and Diamond subscription customers."
API documentation
Yes
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
All email templates are editable, as are landing pages. The training content is not directly customisable, although we can offer a paid-for service to customise the training material should it be required.

Scaling

Independence of resources
"We use auto scaling which monitors our application and automatically adjusts capacity to maintain steady, predictable performance."

Analytics

Service usage metrics
Yes
Metrics types
"Reporting on phishing and training as well as a real time view through the administration dashboard.
Enterprise level reporting is available to report on all aspects of a simulated phishing campaign and training campaign."
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Knowbe4

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
Physical access control, complying with another standard
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Exporting data from KnowBe4 by the customer is done in the form of reports on user activity.
Data export formats
  • CSV
  • Other
Other data export formats
PDF
Data import formats
  • CSV
  • Other
Other data import formats
Through Active Directory

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
KnowBe4 will respond to service-related incidents and/or requests submitted by Customer within the following time frames:
• Within 2 business days for issues classified as High Priority. “High Priority” means complete failure of the Web Hosted Services or the complete unavailability of core functionality such as training and phishing services for KMSAT.
• Within 3 business days for issues classified as Medium Priority. “Medium Priority” means impacted operations, core operations such as user and admin login operational but functionality impaired or requiring workarounds to achieve documented operation.
• Within 5 business days for issues classified as Low Priority. “Low Priority” means inconvenience due to operations not performing as defined or at a degraded speed.
Approach to resilience
"KnowBe4 engineers have designed a cloud first highly scalable and resilient product architecture within AWS.

Performance of systems within our product architecture is monitored for key metrics to ensure that the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will execute to bring online additional temporary systems or to cycle out existing systems for new ones.

Automation is built into the KnowBe4 architecture so system monitoring, updates, and corrective actions can take place as needed with no downtime."
Outage reporting
Outages reported by email and on status webpage

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Other
Other user authentication
SAML 2.0
Access restrictions in management interfaces and support channels
Single Sign on SAML with access based on Role.

Administrators of the console can have privileges set according to function.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password
  • Other
Description of management access authentication
SAML 2.0

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
Yes
CSA STAR accreditation date
N/a
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
N/a
PCI certification
No
Cyber essentials
No
Cyber essentials plus
No
Other security certifications
Yes
Any other security certifications
  • All KnowBe4 Products are SOC 2 Type 2 compliant.
  • KMSAT is also FedRAMP Compliant.

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
All KnowBe4 Products are SOC 2 Type 2 compliant. KMSAT is also FedRAMP Compliant. Please reference: https://marketplace.fedramp.gov/#/product/knowbe4-security-awareness-training?sort=productName&productNameSearch=knowbe
Information security policies and processes
KnowBe4 has established and maintained various Information Security and Privacy Policies. These are inspected and reviewed for completeness as part of our multiple annual external audits. These include but are not limited to Change Management, BCP/DR, Information Security, Third Party Security Guidelines, Data classification, etc.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The KnowBe4 R&D department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated and no data is shared between them.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The KnowBe4 information security team performs web application vulnerability scans monthly. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There the vulnerabilities are verified, categorised, and evaluated for actual risk. Vulnerabilities are remediated in accordance with a defined schedule.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
All KMSAT processes have audit logging enabled as part of the default configurations. Additional logging for infrastructure, systems and networking is managed using various tools. These logs are monitored by a dedicated team.
Incident management type
Supplier-defined controls
Incident management approach
"KB4 has a formal incident response plan, of which the key elements include: Preparation, Identification, Containment, Remediation, Investigation, Follow-up/ Lessons Learned, and Notifications.
In the event of an incident involving your data you will be informed via email within 72 hours."

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Fighting climate change

SEP2 have a published Carbon Reduction Plan, available at https://www.sep2.co.uk/carbon-reduction-plan/. As per the information within that plan, SEP2 are committed to achieving Net Zero by 2035. SEP2 already have a number of initiatives in place to help manage our carbon footprint, including:

  • During 2020, SEP2 fleet vehicles were changed to be 100% Battery Electric Vehicles (BEV), and any and all additions to the SEP2 fleet will continue to be full 100% BEV.
  • SEP2 are a member of the Cycle2Work scheme and encourage employees to reduce their emissions through cycling to work.
  • SEP2 provide re-usable bottles and cups for all employees and do not allow single use paper or plastic cups in the offices.
  • Hybrid home working is common across SEP2 to reduce commute emissions and direct Scope 2 GHG emissions.

Future considerations

In support of our plans to be Net Zero by 2035, the following future initiatives are being discussed within the SEP2 Senior Leadership Team:

  • Electric car salary sacrifice scheme for employees who do not have a fleet vehicle
  • Projects to increase management of Scope 2 emissions through use of PIR/non-occupancy timers and other such technology within our office space
  • Review of company travel policy to better understand carbon emissions within Scope 3 that can be managed in this way
  • Review of our Scope 3 emissions within our supply chain to better understand our abilities to manage these with our suppliers

By the end of 2024 SEP2 aim to have an established Environmental, Social and Governance committee which will have produced a report capturing the current initiatives that are in place within SEP2 to manage such considerations, as well as capturing 12, 36 and 60 month plans detailing future initiatives aimed at meeting our stated mission of Net Zero by 2035.

Tackling economic inequality

During one of the topical discussions in the Women in SEP2 group, Maya wanted to explore the reasons why, during recent recruitment for the SEP2 Central Response Team, only 7% of applications were from Women. Maya said: “We considered the full route into Cyber Security, where does the interest begin? And how can we create opportunities? We decided it made sense to start with younger kids, getting them interested at an early age and showing them how exciting Cyber Security can be! We expanded this to not only girls and women, but to other minority groups who exist in schools and may not have the same level of access into a career in tech”.

The outcome of this was the development of the SEP2 Cyber Schools initiative. SEP2 partnered with and invited local high schools within the Leeds area to come into the SEP2 offices and SOC and to participate in a day of activities to help educate students as to the potential career opportunities within the Cyber Security industry.

A key goal of the event was to show the attendees of SEP2 Cyber Security School one of three distinctive areas of our business, as a good general starting point:

  1. Attack (White hat, of course)
  2. Defend
  3. Analysis

By providing a sample session on each focus area, we hope to help our students identify their areas of interest and start to ask practical questions on how they can advance their learning to get one step ahead of their competition as they try to get their first foot through the door. We also held group presentations covering an overview of the industry, as well as more practical sessions led by our People Manager, who specialises in Learning and Development, on topics such as CV writing.

Equal opportunity

SEP2 is a Medium Sized business, having between 50 and 250 employees. SEP2 is owned by three individuals, and a core commitment from the owners is shared and social responsibility. Within SEP2, there is a Share Ownership Scheme which over the past years and with future considerations included will see over 10% of the ownership of SEP2 be owned by our employees at all levels and across all teams. This is delivered primarily through an EMI incentive platform where employees are given actual shares, not share options, as part of their ongoing development with SEP2.

SEP2 have an award-winning Apprenticeship programme that spans a number of our different teams. Within the last 3 years we have had 20 apprentices join and go through this programme. Of the total, 8 are still within the programme and 8 have graduated into full roles within SEP2.

Women in SEP2 is a community that fosters empowerment and collaboration. We aim to create a supportive and safe space for the Women in our business; a place where ideas can be shared, achievements celebrated, and advice sought from other Women in Tech. Each session is based around a 'Ponder Point' that we collectively think about before the session and come together to discuss. Anyone in the group can suggest a ponder point, some of the previous ones being Imposter Syndrome, Being Assertive Without Being Seen as a B*tch, and the underrepresentation of Women in Tech.

Maya Lea-Langton, Cyber Security Analyst, has found a lot of value in joining these meetings. They said, “These sessions are also valuable for being a space to get to know people you may be unlikely to meet day-to-day due to remote working or being in different departments. Being able to have fun and thought-provoking discussions makes asking for help easier.”

Wellbeing

SEP2 pay the Living Wage to all employees.

SEP2 offer a number of benefits to our employees, including being a member of the Cycle2Work Scheme to allow employees to access bikes and cycling equipment without initial upfront expenditure. SEP2 are also a member of the TechScheme, which is a similar initiative allowing employees to purchase technology from places such as Currys via a salary sacrifice scheme.

In addition, in 2022, to assist our employees with the cost of living crisis, SEP2 partnered with Sodexo to offer an employee benefit portal (SEP2 Rewards) that brings a huge number of options to our employees, such as 3-10% savings on day to day shopping at locations such as Asda, Tesco etc, as well as benefits for the wider family such as discounted cinema tickets, bowling tickets etc. This is all available via an easy to use app and has enabled many of our employees to make significant savings across their daily spend.

SEP2 provides our employees access to an Employee Assistance Program (EAP). The EAP provides:

  • Freephone advice, information and counselling service
  • 24 hours a day, 365 days of the year
  • Online information regarding health, fitness, nutrition and stress management resources

SEP2 recognises the importance of employee wellbeing and seeks to support this via Medicash, a healthcare cashback scheme which is delivered within our EAP program. With this benefit our employees are able to claim back their medical outgoings to a specific amount, plus giving them numerous other services and products. Medicash can be extended to employee spouses and up to 4 children under the age of 18, who will receive half of the outlined monetary benefits. Medicash is available for all SEP2 employees and all new joiners will be auto enrolled onto the scheme.

Pricing

Price
£2.80 to £24.40 a user a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
With our free Phishing Security Test you can phish employees to find out what percentage are Phish-prone™. This test is available for up to 100 users and customisable for your organisation. We'll also provide a PDF with your Phish-prone % and charts to share with management.
Link to free trial
https://www.knowbe4.com/phishing-security-test-offer