Implementing KnowBe4's Security Awareness Training Platform (KMSAT) in Four Steps
This article explains the steps you will take to implement security awareness training and simulated phishing tests in your account. Click on the name of each step below to learn more.
Step 1: Add Your Users
Add your users to your KnowBe4 console to send them simulated phishing emails and enroll them in training campaigns.
Step 2: Conduct a Baseline Phishing Test
Send a baseline phishing test to all of your users to find out which of your users are the most phish-prone, or vulnerable to phishing attacks.
Step 3: Train Your Users
Enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training course or a similar, comprehensive security awareness training module.
Conduct randomized phishing tests along with remedial training campaigns to help strengthen your human firewall.
Tip:For more information on implementing the KnowBe4 Security Awareness Training Platform, we recommend using our Automated Security Awareness Program (ASAP) or reviewing our Best Practices Guide.
Step 1: Add Your Users
You have multiple options for adding your users to KnowBe4's Security Awareness Training Platform. Review your options and the associated articles linked below:
- User Provisioning: This is the preferred method for syncing users to your KnowBe4 account and maintaining your user list over time.
You can use our Active Directory Integration (ADI) or SCIM to automatically provision users in your KnowBe4 console. To learn more see our Active Directory Integration (ADI) Configuration Guide article or our SCIM Configuration Guide article.
- Quick Import: This method is useful for importing fewer than 100 users.
- CSV Import: This method is useful for importing a larger quantity of users and for including other user data such as name, phone number, group memberships, and more.
- To learn more, see: How Do I Import Users With a CSV File?.
User Management Resources
The articles linked below are useful resources to help you with adding users to your platform.
- Video: Adding/Importing Users
- Users and Groups Manual
- How Do I Import Users With a CSV File?
- Active Directory Integration (ADI) Configuration Guide
- SCIM Configuration Guide article
- How to get emails from Active Directory using PowerShell
- Managing Multiple Email Domains
Step 2: Conduct a Baseline Phishing Test
Before you begin your security awareness training program, we strongly recommend that you send a blind baseline phishing test to all of your users. You can use this test as a starting point for your security awareness training program. See the following subsections to learn more.
Before you begin this step, please ensure you've whitelisted KnowBe4's IP addresses or domains in your email environment. Use our Whitelisting Wizard or review our Whitelisting Guide to learn how to whitelist your email client and spam filters.
Preliminary Test Campaign
Before you create a baseline phishing campaign for your users, we recommend running at least one test campaign that is limited to a small group of users, such as your IT team.
The purpose of this preliminary test campaign is to confirm the following:
- Ensure that you have whitelisted correctly and that the emails pass through your spam filters and firewall protection.
- Ensure that clicks and other phishing test failures are tracked in your account. Click on the simulated phishing link in your test email to ensure that failures are being tracked in your account. To learn more, see: Monitoring and Reviewing Individual Phishing Campaigns.
Tip:When you are done with your preliminary test, you should delete or hide the campaign so that it will not interfere with your reports or risk score.
Establishing a Baseline
After you have confirmed that your preliminary phishing test campaign was successful, you will create a baseline phishing test campaign for all of your users. This will show your organization’s initial phish-prone percentage. Consider the initial phish-prone percentage as your starting point. Use this initial phish-prone percentage to measure the success of your security awareness training plan.
To learn about our recommendations for setting up your baseline phishing campaign, please see: What is the Best Method for Setting up a Baseline Test?.
To Prevent Help Desk Overload, Phish Your IT Team First!
Another option you may want to consider is to send two baseline phishing tests: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox.
The articles linked below are useful resources to help you set up your baseline phishing test.
- What is the Best Method for Setting up a Baseline Test?
- What Email Should I Use in My Initial Baseline Test?
- Video: One Minute Baseline: Change Your Password (Clicks)
- Creating Phishing Campaigns
Step 3: Train Your Users
For your initial Security Awareness training campaign, we recommend that you enroll all of your users in the 45-minute Kevin Mitnick Security Awareness Training or another comprehensive course. To learn about the training content that is available to you, see: What kind of ModStore content can I add to training campaigns?
To learn about our recommendations for setting up your first training campaign, please see: Enrolling Your Employees in Security Awareness Training.
The articles linked below are useful resources to help you with conducting training campaigns.
- Enrolling Your Employees in Security Awareness Training
- Creating and Managing Training Campaigns
- Setting Up Remedial Training Campaigns
- Video: How to Set Up Training Campaigns
- Video: How to Monitor Training Campaigns
- Video: Getting Started with Your KnowBe4 Security Training
Step 4: Conduct Ongoing Phishing and Training
Conducting ongoing phishing and training campaigns are essential components for your organization to manage the problem of phishing and social engineering.
In our Best Practices Guide, you can find three sample plans to choose from when integrating KnowBe4 into your organization. These plans are categorized by awareness level. Your organization's awareness level is based on the maturity level that you would like to achieve with your security awareness training program. Click on one of the following awareness plans to learn more:
If you aren't sure about which plan is right for you, take a look at some of our general recommendations for security awareness training in the sections below.
Ongoing Phishing Campaign Recommendations
At a minimum, send a phishing test to all of your users on a monthly basis. You can do this by creating a monthly phishing campaign using the following criteria:
- Include multiple email categories and include different types of phishing tests.
- Spread emails out over a longer duration, such as one week. That way, users will not know when they are going to receive a phishing test.
- Add the users who fail the phishing test to a remedial training group.
In addition to your monthly phishing tests for all users, we recommend that you set up additional tests for your high-risk departments or employees who are more vulnerable to a phishing attack.
- To learn how to determine which of your departments or employees are the highest-risk to your organization, see our Virtual Risk Officer (VRO) and Risk Score Guide.
To learn more about creating and customizing phishing campaigns, see the following articles:
- Creating and Managing Phishing Campaigns.
- Customizing Emails and Landing Pages
- How to Use Placeholders
- How to Use Placeholders: Use Cases
Ongoing Training Recommendations
Below you’ll find our minimum recommendations for conducting ongoing security awareness training in any organization:
- Create a remedial training group and a remedial training campaign.
- Train specific groups or employees with role-based training and other specialty courses.
- We recommend browsing the ModStore to find the courses you need. To learn more, see: ModStore.
- Set up a monthly campaign to send Security Hints and Tips emails to your users.
- To learn more, see: How to Set Up a Security Hints & Tips Newsletter.
- To keep your users aware and ready to defend against the latest phishing and social engineering scams, set up a campaign to send Scam of the Week emails to your users.
- To learn more, see: How to Set Up a Scam of the Week Newsletter.