S3 Ltd

BoxPhish - Security Awareness Training & Simulated Phishing

Boxphish provide interactive training courses and real-world phishing simulations to educate and protect our users

Features

• SaaS Based Security Training - Easily Accessible
• Delegated Administration - Assigned admin
• Varied Resources - includes videos, quizzes, infographics etc
• Hints & Tips - Security tips for the end users
• Fully automated managed service - rely on our experts.
• Office 365 & Google integration
• Interactive Reporting Suite & Dashboard
• Phishing Simulation - test your users and track results
• Continuous Security Training & Evaluation
• Pre-Configured & Bespoke training journeys available

Benefits

• Dramatically reduce your phishing prone users
• Improved end user awareness to spot cyber attacks
• Real time dashboard showing risk in organisation
• Greatly reduce the risk to the organisation

£3.75 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.mason@s3-uk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

885707191530327

Contact

Tony Mason
01628 362784
tony.mason@s3-uk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements:
  • Browser
  • Internet Connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide UK office hours support directly, including technical and best practice related questions. The client also has access to a dedicated Customer Success Manager (CSM) who will assist throughout the subscription period. On top of this the full KnowBe4 technical support service is available on US hours.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: P1 = 1 HOUR; P2 = 2 HOURS; P3 = 4 HOURS; P4 = 1 DAY
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Manged onboarding process including training, online training modules, user guide and dedicated Customer Success Management for any additional training requirements throughout the subscription period.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: MP4
• End-of-contract data extraction: Via our Reporting tool as CSV or XLS
• End-of-contract process: Access to the portal is revoked and data delated in line with the DPO

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Fully accessible through the mobile browser
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Accessed through a browser
• Accessibility standards: None or don’t know
• Description of accessibility: They can use the user interface to interact with the product and access will depend on which rights each user is granted.
• Accessibility testing: N/A
• API: No
• Customisation available: Yes
• Description of customisation: Templates are editable via CSM as are landing pages. The training content is not directly customisable although certain editing can be done on your behalf via the CSM

Scaling

• Independence of resources: Scales through AWS, serverless elastic infrastructure

Analytics

• Service usage metrics: Yes
• Metrics types: Yes, real time dashboard and historical reporting
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: BoxPhish

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Secure DB in AWS, registered IP access only, unique and strong passwords on the DB accounts with a full audit of accounts
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Via the Reporting tool as CSV or XLS
• Data export formats:
  • CSV
  • Other
• Other data export formats: Pdf
• Data import formats:
  • CSV
  • Other
• Other data import formats: Through M365/Google

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • Other
• Other protection between networks: Each customer has their own account which is segregated. Please see Security & Data Protection document.; BoxPhish have implemented a diverse Cyber Security strategy available in the Security and Data Protection Document
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.99% uptime guarantee
• Approach to resilience: Using AWS inbuilt application resilience, not relied on a single point of infrastructure due to serverless deployment
• Outage reporting: Outages reported by email and on status webpage

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Single Sign on SAML with access based on Role.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: Please see Security & Data Protection Documentation

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Undisclosed
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Undisclosed
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Undisclosed
• Incident management type: Supplier-defined controls
• Incident management approach: Undisclosed

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  S3 is committed to doing all it can to ensure our practices are environmentally sound
• Covid-19 recovery:

  Covid-19 recovery

  We operate strict Covid-19 protocols to keep staff and customers safe
• Tackling economic inequality:

  Tackling economic inequality

  S3 ensure they do all they can to tackle economic inequality where at all possible
• Equal opportunity:

  Equal opportunity

  S3 is a great believer in equal opportunities for all as can be seen clearly in our recruitment practices for example
• Wellbeing:

  Wellbeing

  Physical and mental well being are very important to the management at S3 and they do everything possible to accommodate requirements from its staff and customers

Pricing

• Price: £3.75 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: A limited time period trial is available for a proof of concept by the prospective buyer. A BoxPhish engineer would set this up and walk the buyer through usage.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tony.mason@s3-uk.com. Tell them what format you need. It will help if you say what assistive technology you use.