This article explains the steps you will take to implement security awareness training and simulated phishing tests in your KMSAT console. Read the sections below to learn more.
Step 1: Add Your Users
You can add your users to your KMSAT console to send them simulated phishing emails and enroll them in training campaigns. You have multiple options for adding your users to your KMSAT console. Review your options and the associated articles linked below:
- User Provisioning: This is the preferred method for syncing users to your KMSAT console and maintaining your user list over time. You can use our Active Directory Integration (ADI) or SCIM to automatically provision users in your KMSAT console. To learn more, see our Active Directory Integration (ADI) Configuration Guide or our SCIM Configuration Guide.
- Quick Import: This method is useful for importing fewer than 100 users. To learn more, see the Quick Import section of our Users and Groups article.
- CSV Import: This method is useful for importing a larger number of users and for including other user data such as names, phone numbers, group memberships, and more. To learn more, see our How to Import Users With a CSV File article.
- Other: There are other ways you can import users for your specific organization. If you need specific advice, please reach out to our customer support team or read the below articles from our Knowledge Base:
Step 2: Conduct a Baseline Phishing Test
Before you begin your security awareness training program, we strongly recommend that you send a baseline phishing test to all of your users. You can use this test as a starting point for your security awareness training program.
To learn more about our recommendations for the baseline phishing process, see the below subsections or our One Minute Baseline Phishing Campaign (Clicks) video.
Preliminary Test Campaign
Before you create a baseline phishing campaign for your users, we recommend running at least one test campaign that is limited to a small group of users, such as your IT team.
The purpose of this preliminary test campaign is to confirm that your whitelisting is correct and that the simulated phishing emails reach the inbox instead of being blocked or quarantined by your spam filters or firewall protection.
This preliminary campaign also confirms that clicks and other phishing test failures are recorded in your account: click the simulated phishing link in your own test email, then check the campaign results to verify that the failure was tracked. To learn more, see our Creating and Managing Phishing Campaigns article or our How to Monitor and Review Phishing Campaigns article.
Establishing a Baseline
After you have confirmed that your preliminary phishing test campaign was successful, create a baseline phishing test campaign for all of your users. The results of this test give your organization's initial Phish-prone Percentage. Treat this initial Phish-prone Percentage as your starting point and compare later campaigns against it to measure the success of your security awareness training plan.
To learn about our recommendations for setting up your baseline phishing campaign, please see our What is the Best Method for Setting up a Baseline Test? article or our What Email Should I Use in My Initial Baseline Test? article.
Send a Baseline Test to Your IT Team
Another option you may want to consider is to send two baseline phishing tests: one to your IT or help desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your IT or help desk employees will be aware of the situation, and they will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox.
Step 3: Train Your Users
For your initial security awareness training campaign, we recommend that you enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training or another comprehensive course. To learn about the training content that is available to you, see our ModStore and Library Guide.
To learn about our recommendations for setting up your first training campaign, see our Create Your First Security Awareness Training Campaign article.
Click the below links to learn more about conducting training campaigns:
- Creating and Managing Training Campaigns
- How to Set Up a Remedial Training Campaign
- Video: Setting Up a Training Campaign
- Video: Monitoring Training Campaigns
- Video: Getting Started with Your KnowBe4 Security Awareness Training
Step 4: Conduct Ongoing Phishing and Training Campaigns
Conducting ongoing phishing and training campaigns is essential to helping your organization manage the problem of phishing and social engineering.
There are three sample plans to choose from when integrating KnowBe4 into your organization: High Awareness, Medium Awareness, and Low Awareness. Which plan fits your organization depends on the maturity level that you would like your security awareness training program to reach. To learn more about the different awareness levels, see our Best Practices Guide: How Do I Effectively Integrate KnowBe4 into My Organization? article.
If you aren't sure which plan is right for you, take a look at some of our general recommendations for security awareness training in the subsections below.
Ongoing Phishing Campaign Recommendations
At a minimum, send a phishing test to all of your users on a monthly basis. You can do this by creating a monthly phishing campaign using the following criteria:
- Include multiple email categories and include different types of phishing tests.
- Spread emails out over a longer duration, such as one week. That way, users will not know when they are going to receive a phishing test.
- Add the users who fail the phishing test to a remedial training group.
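The Phish-prone Percentage you record in your baseline test and the remedial group you build from each monthly test both come from the same campaign results. The script below is an added illustration of that bookkeeping; it is not KnowBe4 code, and the export column names, the definition of a "failure" (any click, data entry, or attachment open, even if the user later reported the email), and the sample rows are all assumptions constructed for the example. It computes the Phish-prone Percentage overall and per group, lists the users to add to the remedial training group, and expresses progress as the percentage-point drop from the baseline.

```python
"""Compute Phish-prone Percentage and a remedial group from a results export.

Added example, not KnowBe4's own code. Assumptions (not the console's real
export format):
  - one row per recipient with the columns: email, group, delivered,
    clicked, data_entered, attachment_opened, reported
  - a delivered user "fails" if any of clicked / data_entered /
    attachment_opened is true, even if they also reported the email
  - Phish-prone Percentage = failed users / delivered users * 100
  - users whose email was not delivered are excluded from the denominator
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: dave clicked and then reported (still a failure),
# erin never received the email (excluded from the percentage).
SAMPLE_EXPORT = """email,group,delivered,clicked,data_entered,attachment_opened,reported
alice@example.com,Finance,true,true,true,false,false
bob@example.com,Finance,true,false,false,false,true
carol@example.com,IT,true,false,false,false,true
dave@example.com,IT,true,true,false,false,true
erin@example.com,HR,false,false,false,false,false
frank@example.com,HR,true,false,false,true,false
"""

FAILURE_ACTIONS = ("clicked", "data_entered", "attachment_opened")


def _truthy(value):
    """Accept the boolean spellings commonly found in CSV exports."""
    return value.strip().lower() in ("true", "1", "yes", "y")


def load_results(text):
    """Parse the export into dicts with normalized email and a failed flag."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "email": r["email"].strip().lower(),
            "group": r["group"].strip(),
            "delivered": _truthy(r["delivered"]),
            "failed": any(_truthy(r[a]) for a in FAILURE_ACTIONS),
            "reported": _truthy(r["reported"]),
        })
    return rows


def phish_prone_percentage(rows):
    """Failed users as a percentage of delivered users, rounded to 0.1."""
    delivered = [r for r in rows if r["delivered"]]
    if not delivered:
        return 0.0
    failed = sum(1 for r in delivered if r["failed"])
    return round(100.0 * failed / len(delivered), 1)


def ppp_by_group(rows):
    """Phish-prone Percentage per group, to spot high-risk departments."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["group"]].append(r)
    return {g: phish_prone_percentage(rs) for g, rs in sorted(groups.items())}


def remedial_users(rows):
    """Users to add to the remedial training group: delivered and failed."""
    return sorted(r["email"] for r in rows if r["delivered"] and r["failed"])


def improvement(baseline_ppp, current_ppp):
    """Percentage-point drop since the baseline; positive means fewer failures."""
    return round(baseline_ppp - current_ppp, 1)


if __name__ == "__main__":
    results = load_results(SAMPLE_EXPORT)
    print("Phish-prone Percentage:", phish_prone_percentage(results))
    print("By group:", ppp_by_group(results))
    print("Remedial group:", remedial_users(results))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and adjusting the column names to match; keep the baseline campaign's percentage on record so that improvement() can be reported for every monthly campaign that follows.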
In addition to your monthly phishing tests for all users, we recommend that you set up additional tests for your high-risk departments or employees who are more vulnerable to a phishing attack.
To learn how to determine which of your departments or employees are the highest risk to your organization, see our Virtual Risk Officer (VRO) and Risk Score Guide.
To learn more about creating and customizing phishing campaigns, see the following articles:
- Creating and Managing Phishing Campaigns
- Customizing Emails and Landing Pages
- How to Use Placeholders
- How to Use Placeholders: Use Cases
Ongoing Training Recommendations
Below you’ll find our minimum recommendations for conducting ongoing security awareness training in any organization:
- Create a remedial training group and a remedial training campaign. To learn more about remedial training, see our How to Set Up a Remedial Training Campaign article or our Remedial Training Campaigns video.
- Train specific groups or employees with role-based training and other specialty courses. We recommend browsing the ModStore to find the courses you need. To learn more, see our ModStore and Library Guide.
- Set up a monthly campaign to send Security Hints and Tips emails to your users. To learn more, see our What Is the Security Hints and Tips Newsletter? article.
- To keep your users aware and ready to defend against the latest phishing and social engineering scams, set up a campaign to send Scam of the Week emails to your users. To learn more, see our What Is the Scam of the Week Newsletter? article.