Fordway

KnowBe4 Security Awareness Training platform

KnowBe4 is the world's most popular integrated platform for awareness training combined with simulated phishing attacks. On-demand, interactive, engaging training with over 1000 course modules available, the largest online database available anywhere. Fully automated simulated phishing attacks, 4000+ email templates with unlimited usage.
Enterprise-strength reporting for both training and phishing.

Features

• Unlimited Phishing Security Tests with 3000+ ready built templates
• Email client Phish Alert Button
• Full Active Directory Integration
• Monthly Email Exposure Check
• Dynamic smart user grouping
• USB Drive Test
• Administrator level security roles
• Virtual Risk Officer
• Over 1000 Security Awareness Training Modules
• Enterprise Level Reporting

Benefits

• Dramatically reduce your 'phish prone' user percentage
• Train & Assess all users
• Centrally manage training & phishing through the console
• Make awareness part of the culture
• All user relevant cyber security topics covered
• Greatly assists compliance throughout the organisation
• Change users behaviour by changing their mindset
• Employees become part of the 'Human Firewall'
• Greatly reduce the risk to the organisation
• Full GDPR training modules available

£8.45 to £24.70 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@fordway.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

983391430428647

Contact

Richard Blanford
01483 528200
tenders@fordway.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Hybrid cloud
• Service constraints: No
• System requirements:
  • Windows 8, 10, 11, MacOS 10 and later, Chromebooks supported
  • IOS and Android client support for tablets and mobiles
  • All data storage costs included
  • Browser
  • Internet connection

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We provide UK office hours support directly, including technical and best practice related questions. The client also has access to a dedicated Customer Success Manager (CSM) who will assist throughout the subscription period. On top of this the full KnowBe4 technical support service is available on US hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1st point of contact is through the UK where the majority of queries are managed. Escalation to the US based support engineers will then be categorised level 1, 2 and Priority dependent on urgency. All telephone and web-based support is included in the cost of the subscription, there are no extra charges for support or maintenance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: "A comprehensive onboarding procedure is in place including, administrator training, monthly customer service engineer calls, getting started documentation and hand holding, local UK based first line support and guidance - all included in the price. New customers will also be assigned a Customer Success Manager to handhold them in getting the product up and running, and working effectively for them.; Very little configuration is required for this cloud service to be ready to phish and train your users. Just whitelist the KnowBe4 servers and upload your users' email addresses and you are ready!"
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Downloadable via CSV/ API extraction. The remaining data is securely destroyed on customer request. Our SOC can provide a certificate of destruction.
• End-of-contract process: All required elements of the service are included in the price. The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, the customer can request the data be deleted. Exporting data from KnowBe4 by the customer is done in the form of reports on user activity.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Windows Phone
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Yes - Training content is available on mobile through supported browsers. The Phishing Alert Button (PAB) for mobile is enabled for use through Windows and iOS.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: "KnowBe4’s APIs are REST APIs that allow you to pull phishing, training, user, and group data from the KnowBe4 console. Data is returned in a JSON structure by default--no additional parameter is needed.; Our APIs use resource-oriented URLs for requests and HTTP response codes for error handling. HTTP features, such as HTTP authentication and HTTP verbs, are built-in and understood by standard HTTP clients.; Our APIs are available to Platinum and Diamond subscription customers."
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
  • PDF
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: All email templates are editable as are landing pages. The training content is not directly customisable although we can offer a paid for service to customise the training material should it be required

Scaling

• Independence of resources: Users are guaranteed scalability through solution design and Fordway's ISO27001 accreditation on their service structure. We use auto scaling which monitors our application and automatically adjusts capacity to maintain steady, predictable performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Reporting on phishing and training as well as a real time view through the administration dashboard.; Enterprise level reporting is available to report on all aspects of a simulated phishing campaign and training campaign.
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: KnowBe4

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Exporting data from KnowBe4 by the customer is done in the form of reports on user activity.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Import into OneDrive, Dropbox or other cloud service
  • Export to portable hard disk
• Data import formats:
  • CSV
  • Other
• Other data import formats: Import from OneDrive, Dropbox or other hosted file storage

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection between networks: Disclosed on request
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
  • Other
• Other protection within supplier network: Disclosed on request

Availability and resilience

• Guaranteed availability: 99.9% measured annually
• Approach to resilience: KnowBe4 engineers have designed a cloud first highly scalable and resilient product architecture within AWS. Performance of systems within our product architecture are monitored for key metrics to ensure that the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will execute to bring online additional temporary systems or to cycle out existing systems for new ones. Automation is built into the KnowBe4 architecture so system monitoring, updates, and corrective actions can take place as needed with no downtime.
• Outage reporting: Outages reported by email and on status webpage

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
• Access restrictions in management interfaces and support channels: None
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users receive audit information on a regular basis
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users receive audit information on a regular basis
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR
• ISO/IEC 27001 accreditation date: 14/03/2022 (recertification) original certification March 2008
• What the ISO/IEC 27001 doesn’t cover: ISO27001/27017/27018 Statement of Applicability disclosed on request
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • PSN Service Provider (PSN/SP)
  • Pan Government Accreditation to OFFICIAL & OFFICIAL-SENSITIVE
  • NHS IGSoC for N3/HSCN certification
  • PAS555
  • GCLOUD Assured
  • ISO27017
  • ISO27018

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: These are defined and audited as part of Fordway's ISO27001 certification, with regular senior management review. Details and supporting documentation will be made available on request.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Fordway change and configuration process aligns with ITIL v3.0 and ISO27001 and ISO20000
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Fordway's risk management aligns with ISO27001
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Fordway's security incident and event monitoring conforms to ISO27001 and DPA requirements. Any incident will be assessed for risk and prioritised accordingly.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Fordway incident management process complies to ISO27001:2013 and aligns to ITIL best practise and ISO20000. Incident management and reporting is defined within Fordway's standard SLA and tailored to customer requirements.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Using Cloud offers considerable efficiency and consumption savings compared to running in house, on premises and hosted environments

Pricing

• Price: £8.45 to £24.70 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: https://www.knowbe4.com/phishing-security-test-offer

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at tenders@fordway.com. Tell them what format you need. It will help if you say what assistive technology you use.