INTEGRITY360 LIMITED

KnowBe4 PhishER

PhishER is a light-weight SOAR platform that automatically analyses and prioritises reported email messages to identify and quarantine malicious email across your organisation. Additionally, transforms in-the-wild phishing emails into training opportunities
by flipping them into simulated phishing campaigns.

Features

• Global Blocklist
• Global PhishRIP
• Analysis Backed by KnowBe4 Threat Research Lab
• CrowdStrike Falcon Sandbox Integration

Benefits

• Automate prioritisation of messages by Clean, Spam, or Threat
• Search, find, and remove email threats
• Easily integrate with KnowBe4's email add-in button, Phish Alert
• Block email-threats that bypassed other email security filters or systems
• Isolate malicious-emails that bypassed your mail filters
• Crowdsource threat-intelligence from 13+million KnowBe4 users
• Save time/budget by reducing volume of remediation

£9 a user

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

587931959623482

Contact

Paul Momirovski
+44 20 3397 3414
bidreviewboard@integrity360.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Browser
  • Internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide UK office hours support directly, including technical and best practice related questions. The client also has access to a dedicated Customer Success Manager (CSM) who will assist throughout the subscription period. On top of this the full KnowBe4 technical support service is available on US hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1st point of contact is through the UK where the majority of queries are managed. Escalation to the US based support engineers will then be categorised level 1, 2 and Priority dependent on urgency. All telephone and web-based support is included in the cost of the subscription, there are no extra charges for support or maintenance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A comprehensive onboarding procedure is in place including, administrator training, monthly customer service engineer calls, getting started documentation and hand holding, local UK based first line support and guidance - all included in the price. New customers will also be assigned a Customer Success Manager to handhold them in getting the product up and running, and working effectively for them.; Very little configuration is required for this cloud service to be ready to phish and train your users. Just whitelist the KnowBe4 servers and upload your users' email addresses and you are ready!
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Downloadable via CSV/ API extraction. The remaining data is securely destroyed on customer request. Our SOC can provide a certificate of destruction.
• End-of-contract process: All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, the customer can request the data be deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Yes - Training content is available on mobile through supported browsers. The Phishing Alert Button (PAB) for mobile is enabled for use through Windows and iOS.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: KnowBe4’s APIs are REST APIs that allow you to pull phishing, training, user, and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed.; ; Our APIs use resource-oriented URLs for requests and HTTP response codes for error handling. HTTP features, such as HTTP authentication and HTTP verbs, are built-in and understood by standard HTTP clients.; ; Our APIs are available to Platinum and Diamond subscription customers.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: All email templates are editable as are landing pages. The training content is not directly customisable although we can offer a paid for service to customise the training material should it be required

Scaling

• Independence of resources: We use auto scaling which monitors our application and automatically adjusts capacity to maintain steady, predictable performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Reporting on phishing and training as well as a real time view through the administration dashboard.; Enterprise level reporting is available to report on all aspects of a simulated phishing campaign and training campaign.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller (no extras)
• Organisation whose services are being resold: KnowBe4

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: KnowBe4 leverages AWS for data encryption at rest (AES-GCM 256)
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Exporting data from KnowBe4 by the customer is done in the form of reports on user activity.
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats: Through Active Directory

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: KnowBe4 leverages AWS for data encryption in transit (TLS)
• Data protection within supplier network: Other
• Other protection within supplier network: Production environment leverages Amazon AWS, WAF, Guard Duty, Shield, VPCs, IAM, security groups and other controls. Changes to environment or logged and monitored. All changes require going through the change management process.Production environment leverages Amazon AWS, WAF, Guard Duty, Shield, VPCs, IAM, security groups and other controls. Changes to environment or logged and monitored. All changes require going through the change management process.

Availability and resilience

• Guaranteed availability: 99.9% to be measured annually
• Approach to resilience: KnowBe4 engineers have designed a cloud first highly scalable and resilient product architecture within AWS.; ; Performance of systems within our product architecture are monitored for key metrics to ensure that the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will execute to bring online additional temporary systems or to cycle out existing systems for new ones.; ; Automation is built into the KnowBe4 architecture so system monitoring, updates, and corrective actions can take place as needed with no downtime.
• Outage reporting: Outages reported by email and on status webpage

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: KnowBe4 applications support MFA and SAML 2.0
• Access restrictions in management interfaces and support channels: Single Sign on SAML with access based on Role.; Administrators of the console can have privileges set according to function.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Other
• Description of management access authentication: KnowBe4 manages access to our production environment with MFA and password policies. Clients are responsible for managing their own access to their KB4 instance this can be done with MFA and SAML 2.0

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR
• ISO/IEC 27001 accreditation date: 11/06/2021
• What the ISO/IEC 27001 doesn’t cover: N/a
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 08/31/2021
• CSA STAR certification level: Level 1: CSA STAR Self-Assessment
• What the CSA STAR doesn’t cover: N/A
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • All KnowBe4 products are SSAE18 SOC2 Type 2 certified.
  • KMSAT is also FedRamp Compliant
  • ISO27701:2019

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: All KnowBe4 Products are SOC 2 type 2 compliant. KMSAT is also FedRamp Compliant. Please reference: https://marketplace.fedramp.gov/#/product/knowbe4-security-awareness-training?sort=productName&productNameSearch=knowbe
• Information security policies and processes: Keeping our customers' data secure is the most important thing KnowBe4 does. KB4 goes to considerable lengths to ensure that all data provided to KnowBe4 is done so securely - keeping KnowBe4 systems and your data secure is fundamental to our business. KB4 has built and maintain multiple cyber security, physical security, and ethic based controls to assure KnowBe4 not only meets recognised standards but is taking significant efforts to protect all your data. Please see https://www.knowbe4.com/security

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: The KnowBe4 R&D department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated and no data is shared between them.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: The KnowBe4 information security team performs web application vulnerability scans monthly. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There the vulnerabilities are verified, categorised, and evaluated for actual risk. Vulnerabilities are remediated in accordance with a defined schedule. ; KnowBe4 currently participates in a private bug bounty program where vetted researchers conduct ongoing security testing of our infrastructure and applications.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: All KMSAT processes have audit logging enabled as part of the default configurations. Additional logging for Infrastructure, system and networking are managed leveraging various tools. These are monitored by a dedicated team.
• Incident management type: Supplier-defined controls
• Incident management approach: KB4 has a formal incident response plan, of which the key elements include: Preparation, Identification, Containment, Remediation, Investigation, Follow-up/ Lessons Learned, and Notifications. ; In the event of an incident involving your data you will be informed via email within 72 hours.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Tackling economic inequality
  • Equal opportunity

  Fighting climate change

  At KnowBe4, we take our responsibility to the environment very seriously. We understand the importance of implementing sustainable business practices to ensure the world that we are leaving for the next generation is a better one. Our overarching goals are to reduce our carbon footprint, reduce the amount of waste we send to landfills, and increase our use of clean energy. We seek to incorporate sustainability into all aspects of our operations and aim to reach our goals through a combination of energy conservation, waste reduction, environmental stewardship, employee engagement, community engagement, and external partnerships.

  Tackling economic inequality

  As an organization, we see past the bottom line and make an investment not only in our employees but the communities we serve. We empower our employees to take action by offering dedicated paid time off towards volunteering and giving back to the community. We understand that as a global organization we not only have the ability but also the obligation to have a dedicated corporate social responsibility plan. We must use our influence to impact change in our employees, our communities, our industry, and the world as a whole. We aim to be leaders in creating positive change in the world because we believe it is the right thing to do. We strive to ensure that our work environment, our policies, and our treatment of our employees will stand out as an example to others as we can continue to be a leader within our industry and become a standard of excellence globally.

  Equal opportunity

  At KnowBe4, we recognize that people are at the heart of our success. We celebrate the creativity, innovation and increased performance that comes from an inclusive and diverse workspace culture. We believe that when everyone is free to be their authentic selves, our collective culture leads to greater success and gratification due to the diversity that each person brings to their position. From the beginning, KnowBe4 has been and continues to be committed to unwavering support of diversity, inclusion, and building a strong sense of belonging across all of KnowBe4.; ; KnowBe4 leverages the broad diversity of its teams’ knowledge and identities to build quality products that reflect the collective experience of our users and surrounding communities.

Pricing

• Price: £9 a user
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: With our free Phishing Security Test you can phish employees to find out what percentage are Phish-prone™. This test is available for up to 100 users and customisable for your organisation. We'll also provide a PDF with your Phish-prone % and charts to share with management.
• Link to free trial: https://www.knowbe4.com/phishing-security-test-offer

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at bidreviewboard@integrity360.com. Tell them what format you need. It will help if you say what assistive technology you use.