Hut Six

Cyber Awareness Training and Simulated Phishing

Train, test and track your organisation's cyber security awareness with automatically customised training and phishing simulations in one platform. Hut Six specialises in high quality, interactive and engaging training. Create your own phishing attacks or leverage our pre-built templates in unlimited campaigns. Comprehensive, flexible reporting integrates training and phishing metrics.

Features

• Comprehensive security awareness course with animated and voiced tutorials
• Phishing Simulation, automated campaigns and configurable email templates
• Add custom questions to assess your workforce
• Real-time reporting dashboards or save custom reports
• Automated scheduling, notifications and alerts
• Single Sign On and Active Directory Integrations
• Learning Management System, built in-house, designed for information security training
• Mobile and tablet compatible
• Fully accessible and conformant with WCAG 2.1 level AA
• Integrations into existing Learning Management Systems

Benefits

• Change user behaviour through increased information security awareness
• Assess your staff against the latest phishing threats
• Demonstrate understanding of security policies through custom questions
• Meet compliance obligations such as ISO27001, Cyber Essentials, GDPR
• Simplify the security audit process with easily readable training metrics
• Measure and reduce the cyber security risk of your organisation
• Engage users with scenario-based training that adapts to their actions
• Regular and concise training maintains awareness in your organisation
• Create a secure culture within your organisation
• Manage your awareness and phishing campaigns in one platform

£4 to £16 a user a year

• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sfraser@hutsix.io. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

234283724713506

Contact

Simon Fraser
07960605233
sfraser@hutsix.io

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Hut Six shall use commercially reasonable endeavours to make the Services available 24 hours a day, 7 days a week, except for:; (a) planned maintenance carried out during the maintenance windows of 8:00 am to 10:00 am Saturdays, Sundays and Mondays UK time; and; (b) unscheduled maintenance performed outside Normal Business Hours, provided that the Supplier has used reasonable endeavours to give the Customer at least 3 Normal Business Hours' notice in advance.
• System requirements:
  • Any supported web browser
  • An internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 9 working hours (excluding weekends and bank holidays) where a working hour is between 9am-5pm, Monday-Friday.
• User can manage status and priority of support tickets: No
• Phone support: No
• Web chat support: No
• Onsite support: No
• Support levels: Hut Six provides email support to all end users 9am-5pm Monday-Friday, excluding bank holidays.; ; Clients will have a dedicated Customer Success Specialist.; ; Technical support is provided by our Product Team or Software Engineers.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Clients are onboarded by their dedicated Customer Success Specialist.; ; Upon first use of the platform users are taken through a simple tutorial.; ; Super users have access to a comprehensive knowledgebase and support articles.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Hosted Knowledge-base
• End-of-contract data extraction: An Electronic form of the database (.csv)
• End-of-contract process: (a) Hut Six may destroy or otherwise dispose of any of the Customer Data in its possession unless they receive, no later than ten days after the effective date of the termination of the contract, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. Hut Six shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by Hut Six in returning or disposing of Customer Data; and (b) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: Each user is authenticated individually and has their own dashboard where they can complete training, access resources and see their own metrics.; ; Super users also have access to the Management Dashboard, Reporting and Administrative functions.; ; Flexible integration options for our Learning Management System.; ; APIs available for reporting and administrative operations.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: Worked directly with users of assistive technology within our public sector customer base to ensure all users are able to fully benefit from our training.; ; Internal testing completed with screen readers and other assistive technology.
• API: Yes
• What users can and can't do using the API: Flexible integration options for our Learning Management System.; ; APIs are available for all reporting and administrative operations.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Hut Six's awareness platform enables easy customisation at scale. All modules, release schedules and notifications are configurable.; ; Our training is automatically customised to end user and organisation. With placeholders that populate policy and contact information, names, branding and logos. ; ; Customisations to the tutorial content can be made through the management dashboard by Super Users. This ensures that the training that is delivered to a user is directly relevant and meets requirements.; ; In addition, Hut Six has built optional content segments that can be enabled. These segments are used to cover common differences in policies between organisations in topics such as password security.; ; Hut Six’s Second & Third Year content uses branching scenarios to customise the learning experience for individual users. Each action the user takes impacts the narrative. ; ; This multiyear approach keeps users engaged, focusing on personal reasons for secure behaviour and reinforces past knowledge without feeling repetitive.; ; Phishing attacks can be customised and edited by super users for use within campaigns.; ; Reports can be customised to analyse and draw out key security awareness metrics.

Scaling

• Independence of resources: The service is hosted in Amazon Web Services, which provides the ability for the system to dynamically scale with usage.

Analytics

• Service usage metrics: Yes
• Metrics types: The Management Dashboard creates a snapshot view of the security awareness across organisations.; ; Training campaigns are monitored on key metrics including score, completion and progress.; ; Metrics are tracked across configurable Users Groups, typically mapping department, team and job role or by Courses enabling clients to identify topics that users struggle with.; ; Automated alerts reduce manager workload and bring attention to problem areas in the organisation.; ; Three-stage phishing attacks provide metrics on open rates, click rates and data submissions. Reports are generated analysing the performance of templates and users.; ; Clients can track metrics in their existing LMS through our xAPI integration.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Users can export organisation metrics relating to the training from the platform in the form of a (.csv) database record file.; ; If a user wishes for all of their data to be exported as part of a GDPR subject access request, they must email Hut Six directly and will be supplied with a (.csv) database record file of all their data.; ; Some reporting functions generate easy to read .pdf files in addition.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • Azure Active Directory Integration
  • Direct form data entry
  • XAPI

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Hut Six shall use commercially reasonable endeavours to make the services available 24 hours a day, seven days a week, except for:; (a) planned maintenance carried out during the maintenance windows of 8:00am to 10:00am Saturdays, Sundays and Mondays UK time; and; (b) unscheduled maintenance performed outside Normal Business Hours, provided that Hut Six has used reasonable endeavours to give the Customer at least 3 Normal Business hours' notice in advance
• Approach to resilience: Available on request
• Outage reporting: E-mail alerts, general error page in case of scheduled downtime or unscheduled service outage.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: API tokens
• Access restrictions in management interfaces and support channels: 1. Only Authorised users can access the management dashboard for access to end user analytics and metrics; 2. Support channels are available for use by any end user should they require it.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Description of management access authentication: API tokens

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: We are currently Cyber Essentials certified and are working toward an ISO 27001 Accreditation.; ; Our information security policy reflects the guidelines set out by ISO 27001
• Information security policies and processes: Hut Six's information security is managed by the CTO who reports to the Executive Team (our information security committee) on any and all security risk matters. The CTO is responsible for the instruction of all Hut Six employees in the policies and procedures of the company.; ; Security policies and objectives are established and made available to all employees.; Risk Assessments and controls are put in place to test these.; Security Assessments training is delivered to all employees.; Monitor and review our ISMS.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All changes to components in the service are processed through issue tracking software and before any changes are committed they are analysed for security flaws.; Builds are created by a continuous integration server, and each build is stored indefinitely.; In the event that a security flaw is introduced, the system can be rolled back to the previous version while a fix is developed.; Before any change is made to the production environment, they must be verified by the Technical Director for any potential security issues.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The mitigation of the companies vulnerabilities are handled in-house by our development team.; Potential threats to our services are diagnosed, ranked on severity and prioritised accordingly.; We look to fix security bugs as soon as possible within a 24 hour window. Potential threats come to our attention through customer feedback and an open source vulnerability scanner.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Hut Six uses a protective monitoring system to track potential compromises. Incidents are responded to appropriately as quickly as possible within a 24 hour window.
• Incident management type: Undisclosed
• Incident management approach: Users report incidents to a dedicated email address. The support and development team handle these incidents on a case-by-case basis, prioritising the most severe cases.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Tackling economic inequality:

  Tackling economic inequality

  Hut Six is an ambitious cyber company based in Newport, South Wales and a graduate of the Alacrity Foundation Entrepreneurship Programme which was established to help attract entrepreneurs and graduates to South Wales. The founders of Hut Six continue to provide support and mentorship to current Alacrity members and alumni through talks, regular meetings and advice.
• Equal opportunity:

  Equal opportunity

  Hut Six have strived to make our training fully accessible to all potential trainees.; ; We have established a diversity and inclusion committee to review our content and ensure that all persons are properly represented in our materials without bias.
• Wellbeing:

  Wellbeing

  Cyber crime can be just as emotionally distressing as physical crime.; ; When people are the victims of cyber attacks through common scams, social engineering, phishing or simply the loss of their personal data in a breach that wasn't their fault, there can be feelings of shame, anxiety, depression and anger.; ; At Hut Six we specialise in reducing the risk of these human error led cyber attacks and give people the skills they need to avoid scams at work and in their personal lives.; ; A great deal of the feedback we receive from clients is orientated around how useful our training and resources have been in their end users' personal lives; also helping their friends and families.; ; Hut Six have published public training materials to help engage the wider public with security awareness and improve their resilience against cyber crime.; ; We strive to build a strong culture of security awareness within our clients without attributing blame. So that suspicious behaviour can be caught and true visibility is achieved without the stigma of reporting on colleagues.

Pricing

• Price: £4 to £16 a user a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We offer a free 14 day demo instance that supports up to 5 users.; ; The trial includes limited access to the training materials.
• Link to free trial: https://www.hutsix.io/free-trial

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sfraser@hutsix.io. Tell them what format you need. It will help if you say what assistive technology you use.