Bob's Business Ltd

Cybersecurity Awareness Training and Simulated Phishing

A fully managed service including cybersecurity awareness training, policy management, and delivery of simulated phishing campaigns.
Human Vulnerability Assessments and cognitive-behavioral learning.
Delivery of bespoke training packages and cyber masterclasses.
Providers of a learning management system.

Features

• Remote Access
• Real time reporting
• SSO and SCIM
• LMS

Benefits

• Bite-sized cybersecurity elearning
• NCSC assured service provider
• Policy management and integration
• Organisational risk profiling
• Bespoke content to each client
• Fully managed service
• Over 70 courses available
• ISO 27001 and Cyber Essentials compliant
• Award-winning phishing simulations
• Demostrable RoI

£0.25 to £49.99 a licence a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at melanie@bobsbusiness.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

324297188230750

Contact

M Oldham
0330 058 3009
melanie@bobsbusiness.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements: Suitable for all systems

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Monday to Friday 9 am - 5 pm. Acknowledgment response within 2 hours, Full response within 24 hours
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Web chat is accessible via our website and platform. This can be used for enquiries, complaints and general questions.
• Web chat accessibility testing: None to date
• Onsite support: Yes, at extra cost
• Support levels: We supply both technical and customer support at no additional cost. We provide a fully managed service with a dedicated account manager by default. This service is included as part of the subscription.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: An onboarding call is completed with every client to explain all the procedures and to discuss client requirements. We supply a host of 'how to' documents and videos to cover most issues any new client would encounter.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
  • Other
• Other documentation formats:
  • Flipsnack
  • Scorm
  • Tincan
• End-of-contract data extraction: Clients request how they want their documentation to be returned. This can be specific to the client. If no request is made then all data is deleted after 3 months of the end of any agreement.
• End-of-contract process: Depending on the product purchased, clients and users get access to all content in that product group. For training, access is granted to all training content and marketing/support documents. For simulated phishing, clients get access to all phishing templates and phishing-related training courses. There are no additional costs unless and additional product is required and purchased. At the end of the contract, all access is removed and the data is deleted within 3 months

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Services detect mobile use and adapt to accommodate this. All services are mobile-friendly.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: LMS portal unique to each organisation
• Accessibility standards: None or don’t know
• Description of accessibility: We aim for WCAG 2.1 AA as a minimum for all new features, however we are still in the process of updating legacy functionality to the standard
• Accessibility testing: None directly with users, however we have utilised screen readers and WCAG compliance tools on the most recent features
• API: Yes
• What users can and can't do using the API: Administrators can create API tokens which can be used to read or make changes to the system programmatically. This can be used to create integrations with other systems. API tokens must have an expiry date set and a level of permissions assigned
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Every client portal can be customised and branded. Certain pages on training content can be customised to meet specific customer requirements or to adhere to specific policies and procedures. ; All simulated phishing templates can be modified from our current catalogue or totally new templates can be designed to meet specific client needs

Scaling

• Independence of resources: AWS scaling rules in place and any need or requirement on this level can be administered immediately. This should never be an issue as user levels are monitored in real-time and changes can be made at any point certain levels are reached.

Analytics

• Service usage metrics: Yes
• Metrics types: Number of users that:- ; log on,; Complete training,; Pass the course test,; Fail the course test,; Complete courses on time,; Click on phishing links,; Interact with phishing emails
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported via the user portal. This can be done as an excel, pdf, or CSV export.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Pdf
  • Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • SSO
  • SCIM

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99% uptime. Any updates are carried out, out of normal trading hours and all clients are informed of any downtime or potential disruption to services
• Approach to resilience: Available on request
• Outage reporting: Public dashboard and email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Full, role-based access control in line with ISO 27001:2022
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: NQA
• ISO/IEC 27001 accreditation date: 21/2/2024
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: ISO 27001; ISO 9001; Internal policies available on request

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: In line with ISO 27001:2022
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: In line with ISO 27001:2022
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: In line with ISO 27001:2022
• Incident management type: Supplier-defined controls
• Incident management approach: In line with ISO 27001:2022

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Equal opportunity
  • Wellbeing

  Equal opportunity

  We provide courses around DEI. Internal DEI process in place to ensure equality within our organisation

  Wellbeing

  We provide courses and education around employee wellbeing to all of our clients as standard, as well as delivering these internally to our own employees

Pricing

• Price: £0.25 to £49.99 a licence a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Bespoke PoCs available on request

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at melanie@bobsbusiness.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.