Implementing KMSAT in 4 Steps:
Step 1: Add Your Users
Add all of your users to your KnowBe4 console so that you'll be able to send them simulated phishing emails and enroll them in training campaigns.
Step 2: Conduct a Baseline Phishing Test
Send out a baseline test to all of your users to find out who is phish-prone.
Step 3: Train Your Users
Enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training course or a similar, comprehensive security awareness training module.
Step 4: Ongoing Phishing and Training
Conduct randomized phishing tests along with remedial training campaigns to help strengthen your human firewall.
Step 1: Adding Your Users
Three Options to Add and Manage Users
- User Provisioning: This is the preferred method for syncing users to your KnowBe4 account and maintaining your user list over time. We have two methods to automatically provision users in your KnowBe4 console:
- Quick Import: Useful for importing fewer than 100 users.
- CSV Import: Useful for importing a larger quantity of users or including other data such as name, phone number, and more.
Manual Import Recommendations
If you're not using User Provisioning and would prefer to import your users using the Quick Import or CSV Import options, review the recommendations below:
- Gather a list of all user email addresses you wish to import. We don't recommend importing “catch-all” email addresses or distribution lists that go to more than one recipient. (For example, “firstname.lastname@example.org”)
- Identify any groups you may wish to create. Groups can be used for targeted phishing and training campaigns.
- Decide if you'd like to import any other user information other than an email address. The fields you can import are as follows: First Name, Last Name, Phone Number, Mobile Number, Extension, Group, Location, Division, Manager Name, Manager Email, Job Title, Employee Number, Password, Date Format. Many of these fields can be used to customize phishing templates and training notifications.
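One way to apply these recommendations before a Quick Import or CSV Import, shown as an added example that is not KnowBe4's own code: it normalizes addresses, drops duplicates, shared mailboxes and distribution lists, and writes the rows that remain as CSV. The column headers are assumed from the field list above; the shared-address names, the allowed-domain check and the sample rows are constructed for illustration.

```python
import csv
import io
import re

# Assumption: headers mirror the field names listed above; confirm the exact
# spelling against your console's CSV template before importing.
COLUMNS = ["Email", "First Name", "Last Name", "Group"]
# Constructed examples of local parts that usually reach more than one recipient.
SHARED_LOCAL_PARTS = {"info", "sales", "support", "helpdesk", "hr", "all-staff"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input, e.g. the result of a directory export.
SAMPLE_ROWS = [
    {"Email": "Alice.Ng@example.org", "First Name": "Alice", "Last Name": "Ng", "Group": "Finance"},
    {"Email": "alice.ng@example.org ", "First Name": "Alice", "Last Name": "Ng", "Group": "Finance"},
    {"Email": "info@example.org"},
    {"Email": "bob@partner.example", "First Name": "Bob"},
    {"Email": "not-an-address"},
    {"Email": "it-team@example.org"},
]

def prepare_import(rows, allowed_domains, known_lists=()):
    """Return (accepted_rows, rejected), where rejected holds (email, reason) pairs."""
    known = {a.strip().lower() for a in known_lists}
    seen, accepted, rejected = set(), [], []
    for row in rows:
        email = (row.get("Email") or "").strip().lower()
        local, _, domain = email.partition("@")
        if not EMAIL_RE.match(email):
            reason = "malformed address"
        elif domain not in allowed_domains:
            reason = "domain outside the organization"
        elif email in known or local in SHARED_LOCAL_PARTS:
            reason = "shared mailbox or distribution list"
        elif email in seen:
            reason = "duplicate"
        else:
            seen.add(email)
            clean = {c: (row.get(c) or "").strip() for c in COLUMNS}
            accepted.append({**clean, "Email": email})
            continue
        rejected.append((email, reason))
    return accepted, rejected

def to_csv(accepted):
    """Serialize accepted rows with a header line, ready for manual review and upload."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(accepted)
    return buf.getvalue()
```

Review the rejected list by hand rather than discarding it: an address flagged as shared may be a real single-user mailbox, and a rejected domain may simply be missing from the allowed set.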
User Management Resources
- Users and Groups Manual
- Placeholders (for use in phishing templates/training notifications)
- Managing Multiple Email Domains
- How to get emails from Active Directory using PowerShell
Step 2: Baseline Phishing Test
We recommend setting up whitelisting in your email client before beginning with this step. See our Whitelisting articles for more information.
Preliminary Test Campaign
We recommend that you run at least one phishing campaign that is limited in scope to only one or two administrative users. The purpose of this test campaign is to confirm that the phishing test email was received and that clicks or phishing test failures are being tracked properly. This test should be done before the baseline test and will confirm that our phishing emails are getting through any spam/firewall protection.
Establishing a Baseline
The first thing you should do after your preliminary test campaign is successful is to conduct a baseline phishing test. Here are the recommended parameters for a baseline test:
Recommended settings for initial baseline phishing test:
Campaign Name: Baseline Test
Send to: All Users
Frequency: One time
Start Time: Select the day/time (Monday or Tuesday is recommended, and a time when users are active and checking emails is best)
Sending Period: Send all emails when the campaign starts
Track Activity: Leave as-is.
Template Categories: IT > Change of Password Required Immediately
Difficulty Rating/Phish Link Domain: Leave as-is.
Landing Page: If you'd like, you can choose a different landing page here, such as the 404 page, blank page, or a custom landing page that you've created. See our article about selecting landing pages.
Add Clickers to: Select a group if this feature is being used. If you are unsure, leave this blank.
Send an email report to account admins after each phishing test: Enable this option. The email report will be sent to all admins when the duration of the campaign is met.
Step 3: Training
For your initial Security Awareness training campaign, we recommend that you enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training or a similarly comprehensive course. See "What kind of ModStore content can I add to training campaigns?"
Recommended settings for an initial training campaign for all staff:
Campaign Name: Security Awareness Training for All Users
Start Date: Set as applicable
End Date: Select a Relative Duration of three weeks
Content: Kevin Mitnick Security Awareness Training - 45 Min
Enroll Groups: Select All Users (Check box to Enable automatic enrollment for new users)
- Add a welcome email to users which will contain the link for your users to confirm their account and log in for training.
- Add additional reminders X days after enrollment and X days before the due date to remind users to complete their training on the specified schedule.
This will create a training campaign for all of your users, and as you add new users to the console in the future, they will be automatically enrolled and receive a welcome email. Each user will have three weeks from the time of enrollment to complete the training. You can manually initiate notification emails from within the console if users are taking too long to complete the training.
If you'd like, you can send a video to your end users that explains how to get started with their assigned KnowBe4 security awareness training.
- Creating and Managing Training Campaigns
- Setting Up Remedial Training Campaigns
- Video: How to Set Up Training Campaigns
- Video: How to Monitor Training Campaigns
- Video: Getting Started with Your KnowBe4 Security Training
Step 4: Ongoing Phishing and Training
Ongoing phishing and training are key components to help manage the problem of phishing and social engineering. The following is an outline of ongoing actions we recommend you take:
Ongoing Phishing Campaign Recommendations
- At a minimum, send a monthly phishing test to all users.
- Include multiple email categories and types (Attachment tests, phishing, spear-phishing, reply-to).
- Set up additional monthly testing for higher-risk departments or roles.
- Spread emails out over a longer duration, such as one week, so users will not know when they are going to be phished.
- Add clickers to a remedial group (For example, you can call the group “Clickers” or “Phish-Prone users”) and assign this group additional training.
Ongoing Training Recommendations
- Create a remedial training campaign. On your Remedial Training Campaign settings, you can choose to remove users from the Clickers group once they complete training, and enable them to take the training multiple times.
- Train specific groups as needed with various specialty courses. We recommend browsing the ModStore to search for and filter courses as needed.
- Send out monthly Security Hints and Tips emails from the phishing templates area to all users.
- Set up a weekly Scam of the Week newsletter to keep your users aware and ready to defend against the latest phishing and social engineering scams.