We are frequently asked by clients for the best way to integrate KnowBe4 into their organization's overall security practices. Although there is no catch-all cybersecurity defense plan that will work for every organization or industry, the below sample plans are meant to serve as a starting point to help you manage the problem of social engineering for your organization.
Alternatively, or in conjunction with this guide, we recommend that you use our Automated Security Awareness Program (ASAP). This feature is built into your console and will provide you with a customized, detailed security awareness plan, including step-by-step instructions for building a strong human firewall.
Our product is not meant to take the place of quality spam filters, firewalls, or anti-virus. It is meant to be a tool to use in addition to other products as part of a defense-in-depth strategy. What we offer you is an easy-to-use platform that can help you manage the problems that arise when attacks make it past those other defense mechanisms. Employees are your last line of defense. By using KnowBe4’s services, you will prepare your users to better defend your organization against cyberattacks.
First Step: Read the article below for the steps you should take before you “go phishing!”
Get Started with the KnowBe4 Console
This article will outline steps for importing users, whitelisting our mail servers, customizing your console, and more.
Second Step: Choose a Sample Plan to Integrate KnowBe4: High, Medium, and Low Awareness
We’ve listed three sample plans below: High, Medium, and Low Awareness. These plans are based on the maturity level that you'd like to achieve with your security awareness program. We recommend the High Awareness plan to achieve the best results. However, you will be the most suitable person to decide exactly how your organization should implement our services.
No matter which plan you choose, the foundation of all of our plans for new-school security awareness training consists of a three-step process. This process is listed below:
- Conduct a baseline phishing test to determine your organization's Phish-prone Percentage.
- Assess your users' current knowledge of security awareness. Then, assign security awareness training for all users to increase their knowledge.
- Conduct ongoing phishing campaigns. These campaigns will allow your users to practice the skills that they’ve gained in their security awareness training.
High Awareness
This plan will constantly remind your users to keep security in mind. We strongly recommend this plan for high-risk organizations or any organization that handles sensitive information.
The steps in this plan are listed below; each is described in detail in the sections that follow:
- Engage Your Stakeholders
- Complete a Blind Baseline Test
- To Prevent Help Desk Overload, Phish Your IT Team First
- Communicate with Your Employees
- Assess Your Users' Security Awareness
- Enroll Employees in Security Awareness Training
- Install the Phish Alert Button
- Determine Your Security Culture
- Enhance Your Email Incident Response Management Plan
- Create Your Clickers Group
- Continue Phishing Your Users
- Send Security Hints and Tips/Scam of the Week
- Start a Remedial Training Campaign for Clickers
- Schedule Additional Quarterly Security Training
- Complete Additional Vulnerability Testing Quarterly
- Check-In on Progress
Engage Your Stakeholders
In order to ensure that your organization gets the most value out of any program, it’s crucial to have buy-in from stakeholders. See the below article for a sample email you can modify and send to your internal stakeholders.
How Can I Engage My Stakeholders In My Security Awareness Training Plan?
Complete a Blind Baseline Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test for all of your users.
Be sure to follow the instructions in the below articles to understand how the test should be set up and how to prepare your IT or Help Desk team before it starts.
Best Practices Guide: Set Up a Baseline Test
Baseline Test Communication for Your IT or Help Desk Team
Also, you'll want to consider what sort of landing page you will use in your blind baseline test. Using landing pages, you have the ability to influence your users’ reaction to a phishing test. See the below link to learn about different types of landing pages and how your users may react to them.
Best Practices: Choosing a Landing Page
To Prevent Help Desk Overload, Phish Your IT Team First
Another option you may want to consider is to send two baseline phishing tests: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox. If the IT test is blocked or lands in spam, fix your whitelisting before you phish the rest of the organization; a baseline that never reached inboxes will understate your real exposure.
Communicate with Your Employees
After the baseline test, your employees who received the simulated phishing email may be confused. Those who click the phishing link may worry that they will face repercussions. We recommend that once the duration of your baseline test phishing campaign is complete, you communicate with them that a test was conducted and explain why.
You can also use this opportunity to convey the importance of everyone completing security awareness training. Letting your users in on the potential threat to the organization or to themselves may increase their participation level once you enroll them in training. We've provided a template for this purpose on the below link.
Template for After Your Baseline Phishing Test
Assess Your Users' Security Awareness
Before you enroll your users in Security Awareness training, it's important to establish their current security awareness to see how it improves over time. Assign your users the Security Awareness Proficiency Assessment (SAPA) to test their knowledge of seven different knowledge areas. We recommend you assign the SAPA after your first phishing test but before your first training campaign. Continue to assign your users the SAPA on a yearly basis to see how your strengths and weaknesses change.
Use the links below to learn more about adding assessments and about the Security Awareness Proficiency Assessment (SAPA).
Organizational Assessments Guide
Security Awareness Proficiency Assessment (SAPA) Overview
Enroll Employees in Security Awareness Training
After your baseline test, you should set up security awareness training for all of your users. Before you do this, you'll want to set up your learner experience and decide if you want to include gamification as part of your training program.
We strongly recommend enrolling all your employees in our 45-minute KnowBe4 Security Awareness Training or a similar, comprehensive course in your first training campaign. You can also add policies to training campaigns and require your users to accept or acknowledge these policies. See more: Create and Manage Policies
To help users start their training, we recommend sending them a link to one of our getting started videos. Each video has unique instructions based on your sign-on settings and explains how to use the Learner Experience. Use the links below to find a video that best fits your organization:
- Guide for users with default sign-on settings
- Guide for users with single sign-on enabled.
- Guide for users with password-less login enabled.
For recommendations on how to set up your first security awareness training campaign, see the below link.
Best Practices Guide: Create Your First Training Campaign
Install the Phish Alert Button
The Phish Alert Button (PAB) is a free tool that gives your users an active part in their security training. The PAB is an add-in for your mail client (see our PAB compatibility matrix for supported clients) that enables your users to report a suspected phishing email. The reported message can be a simulated phishing test from KnowBe4 or a possible real cyber attack.
For more information about the PAB and how you can inform your users about it once installed, check out the below link.
Best Practices: Phish Alert Button (PAB) Implementation
Determine Your Security Culture
In order to ensure your security awareness training is as effective as it should be, you should establish a strong security culture. Security culture is defined as the ideas, customs, and social behaviors that impact the security of your organization. The Security Culture Survey breaks down your organization's security culture into seven different dimensions. Use this survey to see which dimensions can be made stronger and how your security culture changes over time. Continue to survey your users once a year to see how your security culture score changes.
Use the links below to learn more about adding assessments and about the Security Culture Survey (SCS).
Organizational Assessments Guide
Security Culture Survey (SCS) Overview
Enhance Your Email Incident Response Management Plan
If you decide to use the PAB, or if you otherwise ask your users to forward suspicious or potentially malicious emails to a designated email or department in your organization, you will need a product that allows you to manage these forwarded emails and efficiently analyze and respond to them. PhishER is a platform that can be used for this.
Using PhishER as a detective security control, your organization can identify potential threats and strengthen your security measures and defense-in-depth plan. PhishER can be used seamlessly with the PAB to manage reported phishing emails, or you can have your reported emails forwarded to your PhishER inbox. For more information about PhishER, be sure to check out the PhishER Product Manual.
Create Your Clickers Group
Click on Users, then the Groups tab, and you will see an option to create a new group. Here you can create a group for your phish-prone users, or clickers. You can use this group in future phishing campaigns and to set up automated remedial training for people that continue to fail your phishing tests. Platinum and Diamond-level customers can also create a Smart Group that will automatically group users who fail phishing tests.
Continue Phishing All of Your Users
Bi-Weekly Phishing Test
For the High Awareness plan, we recommend at least a bi-weekly test for all users. Regular phishing tests will allow your employees to practice the skills they’ve learned in security awareness training.
The recommended settings are shown below and will help you maximize the variety of phishing emails used and spread the emails out over time. Through this fully random method, employees are far less able to warn each other about the phishing test taking place, because they receive different templates at different times.
- Frequency: Bi-weekly.
- Sending: Send emails over at least three business days.
  - This way, users will not receive the emails all at once, which makes it harder for them to warn each other about a phishing test taking place.
- Track Activity: Track phishing test failures for at least three days.
- Track Replies: We recommend enabling this setting. For more information on reply-to phishing, see our Reply-To Phishing Guide.
- Categories: Choose multiple template categories, and choose "Full Random" from the template drop-down to choose a random template for each user.
  - Exclude non-applicable languages, Security Hints and Tips, and Scam of the Week categories.
- Difficulty Rating: Optional
  - If you'd like, here you can choose to limit the difficulty of the templates you've selected to specific star ratings, from one to five.
- Phish Link Domain: Leave as random
- Landing Page: Optional
  - Choose a particular landing page you'd like to use for all phishing templates, or leave as default.
- Add Clickers: Here you can select your Clickers group. If you're creating a Smart Group for automated remedial training, you can leave this blank.
  - Each time someone fails your phishing test, they will be added to the selected group.
- Check "Send an email report to account admins..." if you'd like to be notified when the bi-weekly phishing test is completed.
Optional Additional One-Time Monthly Test Using a Targeted or Current Events Template
Sometimes we will add a new template that you’ll want to use right away on all of your users, or you may come up with an inventive concept for a phishing test that will catch even those who rarely click. You can set up an additional one-time test each month to keep your phishing tests unique and relevant.
For the High Awareness plan, you’ll definitely want to target your employees with organization-specific or industry-specific templates for these tests: something that will really challenge your users and keep them on their toes.
As a best practice, whenever you’re using only one template, it’s recommended you uncheck the “Spread emails over campaign duration” box so that your users receive the simulated phishing email at the same time. This will minimize the time users will have to warn each other about the phishing test taking place.
Optional Phishing Test Each Month for Clickers
Your phish-prone users may need even more testing to learn the skills needed to defend against social engineering attacks. You can set up an ongoing phishing campaign which targets only your Clickers group. We recommend setting this up similarly to your bi-weekly “full random” phishing campaign, with lots of template categories selected, and with the emails spread out over the duration of the campaign. You can also use this opportunity to utilize our Reported Phishes of the Week category if you haven't already.
Send Security Hints and Tips/Scam of the Week
In addition to phishing templates, we also have built-in Security Hints and Tips and a Scam of the Week category. Security Hints and Tips will remind users of various general methods of how to stay safe online and at work. Scam of the Week will prepare your users to defend themselves against the latest cybersecurity and social engineering scams.
Security Hints and Tips Newsletter Overview
Scam of the Week Newsletter Overview
Start a Remedial Training Campaign for Clickers
To encourage your most phish-prone users to analyze the emails they receive with more detail, you can schedule a remedial training campaign for your Clickers group.
To do this, make sure that when you set up your recurring bi-weekly phishing campaign, you also choose to “Add Clickers To” your Clickers group.
After setting up your phishing campaign, set up your remedial security training for Clickers.
If you're a Platinum or Diamond-level customer, you can also set up automated remedial training using Smart Groups instead.
Create a Remedial Training Campaign
Schedule Additional Quarterly Security Training
In addition to our KnowBe4 Security Awareness Training, KnowBe4 offers a variety of training modules to meet your organization’s security training needs. For a list, description, and previews of all of our training content, you can browse the ModStore from within your KnowBe4 account.
We recommend that to keep your users security-focused, you assign quarterly training. Assigning a new course quarterly will keep your users engaged in their security awareness training and will keep the content fresh.
If applicable to your organization, you should also target departments with specific content most relevant to them. For example, for any employees who encounter sensitive credit card data, you could enroll them in our Basics of Credit Card Security course. You can filter our ModStore content to find specific topics you'd like to focus on, or use our Targeted Training filter.
We recommend a Platinum-level subscription to ensure that you always have the latest and greatest content available to you. If you’d like to discuss upgrading your account, contact your Customer Success Manager or Account Manager. They are here to assist with anything you need.
Complete Additional Vulnerability Testing Quarterly (Platinum/Diamond Only)
In addition to checking your users’ vulnerability to clicking on phishing links, we recommend performing additional vulnerability testing on them throughout the year. Below are Platinum- and Diamond-level features that you can easily set up and manage through our console.
- USB Drive Tests: To see if users are prone to picking up unknown USB drives and plugging them into their computers, you can conduct a USB drive test using our platform. For this test, you will load specially designed files provided by us on USB drives and leave them in locations around your office frequented by your employees. We will be able to track data about the users who plug in the USB drives and attempt to open the files. See: USB Drive Test Overview
Check-In on Progress
You'll want to review your various report options throughout your console to see your organization’s progress over time. Analyzing the various reports available to you may help you to shape future plans for phishing tests or security training campaigns by revealing “weak links” in the organization, where a heavier focus on security training may be required.
Your Dashboard provides an overview of your organization's risk score, Phish-prone Percentage, and other data to help you see at a glance how your security awareness program is going, but you'll want to drill down further so you can identify trends, find out what users still need to take their training, analyze what groups, locations, or departments are most vulnerable to clicking on phishing links, or even see which email template was the most clicked by your users.
Here are resources regarding the reports that are available to you:
- Reporting Guide - Recommended
- Virtual Risk Officer and Risk Score Guide - Recommended
- Monitor and Review Overall Phishing Reports
- Training Reports Guide
- Dashboard Overview
Medium Awareness
The steps in this plan are listed below; each is described in detail in the sections that follow:
- Engage Your Stakeholders
- Complete a Blind Baseline Test
- To Prevent Help Desk Overload, Phish Your IT Team First
- Communicate with Your Employees
- Assess Your Users' Security Awareness
- Enroll Employees in Security Awareness Training
- Install the Phish Alert Button
- Enhance Your Email Incident Response Management Plan
- Create Your Clickers Group
- Continue Phishing Your Users
- Determine Your Security Culture
- Send Security Hints and Tips/Scam of the Week
- Start a Remedial Training Campaign for Clickers
- Schedule Additional Security Training Every Six Months
- Complete Additional Vulnerability Testing Every Six Months
- Check-In on Progress
Engage Your Stakeholders
In order to ensure that your organization gets the most value out of any program, it’s crucial to have buy-in from stakeholders. See the below article for a sample email you can modify and send to your internal stakeholders.
Engage My Stakeholders In My Security Awareness Training Plan
Complete a Blind Baseline Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test for all of your users.
Be sure to follow the instructions in the below article to understand how the test should be set up.
Best Practices Guide: Set Up a Baseline Test
Baseline Test Communication for Your IT or Help Desk Team
Also, you'll want to consider what sort of landing page you will use in your blind baseline test. Using landing pages, you have the ability to influence your users’ reaction to a phishing test. See the below link to learn about different types of landing pages and how your users may react to them.
Best Practices: Choosing a Landing Page
To Prevent Help Desk Overload, Phish Your IT Team First
Another option you may want to consider is to send two baseline phishing tests: one to your IT/Help Desk department first, and then a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will be aware of the situation but will also have had the chance to participate in the baseline assessment. In addition, this is a great way to ensure you’ve whitelisted our mail servers effectively, and that your baseline test will reach everyone’s inbox. If the IT test is blocked or lands in spam, fix your whitelisting before you phish the rest of the organization; a baseline that never reached inboxes will understate your real exposure.
Communicate with Your Employees
After the baseline test, your employees who received the simulated phishing email may be confused. Those who click the phishing link may worry that they will face repercussions. We recommend that once the duration of your baseline test phishing campaign is complete, you communicate with them that a test was conducted and explain why.
You can also use this opportunity to convey the importance of everyone completing security awareness training. Letting your users in on the potential threat to the organization or to themselves may increase their participation level once you enroll them in training. We've provided a template for this purpose on the below link.
Template for After Your Baseline Phishing Test
Assess Your Users' Security Awareness
Before you enroll your users in Security Awareness training, it's important to establish their current security awareness to see how it improves over time. Assign your users the Security Awareness Proficiency Assessment (SAPA) to test their knowledge of seven different knowledge areas. We recommend you assign the SAPA after your first phishing test but before your first training campaign. Continue to assign your users the SAPA on a yearly basis to see how your strengths and weaknesses change.
Use the links below to learn more about adding assessments and about the Security Awareness Proficiency Assessment (SAPA).
Organizational Assessments Guide
Security Awareness Proficiency Assessment (SAPA) Overview
Enroll Employees in Security Awareness Training
After your baseline test, you should set up security awareness training for all of your users. Before you do this, you'll want to set up your learner experience and decide if you want to include gamification as part of your training program.
We strongly recommend enrolling all your employees in our 45-minute KnowBe4 Security Awareness Training or a similar, comprehensive course in your first training campaign. You can also add policies to training campaigns and require your users to accept or acknowledge these policies. See more: Create and Manage Policies
To help users start their training, we recommend sending them a link to one of our getting started videos. Each video has unique instructions based on your sign-on settings and explains how to use the Learner Experience. Use the links below to find a video that best fits your organization:
- Guide for users with default sign-on settings
- Guide for users with single sign-on enabled.
- Guide for users with password-less login enabled.
For recommendations on how to set up your first security awareness training campaign, see the below link.
Best Practices Guide: Create Your First Training Campaign
Install the Phish Alert Button
The Phish Alert Button (PAB) is a free tool that gives your users an active part in their security training. The PAB is an add-in for your mail client (see our PAB compatibility matrix for supported clients) that enables your users to report a suspected phishing email. The reported message can be a simulated phishing test from KnowBe4 or a possible real cyber attack.
For more information about the PAB and how you can inform your users about it once installed, check out the below link.
Best Practices: Phish Alert Button (PAB) Implementation
Enhance Your Email Incident Response Management Plan
If you decide to use the PAB, or if you otherwise ask your users to forward suspicious or potentially malicious emails to a designated email or department in your organization, you will need a product that allows you to manage these forwarded emails and efficiently analyze and respond to them. PhishER is a platform that can be used for this.
Using PhishER as a detective security control, your organization can identify potential threats and strengthen your security measures and defense-in-depth plan. PhishER can be used seamlessly with the PAB to manage reported phishing emails, or you can have your reported emails forwarded to your PhishER inbox. For more information about PhishER, be sure to check out the PhishER Product Manual.
Create Your Clickers Group
Click on Users, then the Groups tab and you will see an option to create a new group. Here you can create a group for your phish-prone users, or clickers. You can use this group in future phishing campaigns and to set up automated remedial training for people that continue to fail your phishing tests. Platinum and Diamond-level customers can also create a Smart Group that will automatically group users who fail phishing tests.
Continue Phishing All of Your Users
Monthly Phishing Test
For the Medium Awareness plan, we recommend a monthly test for all users. Regular phishing tests will allow your employees to practice the skills they’ve learned in security awareness training.
The recommended settings are shown below and will help you maximize the variety of phishing emails used and spread the emails out over time. Through this fully random method, employees are far less able to warn each other about the phishing test taking place, because they receive different templates at different times.
- Frequency: Monthly.
- Sending: Send emails over 5-10 business days.
  - This way, users will not receive the emails all at once, which makes it harder for them to warn each other about a phishing test taking place.
- Track Activity: Track phishing test failures for at least three days.
- Track Replies: We recommend enabling this setting. For more information on reply-to phishing, see our Reply-To Product Manual.
- Categories: Choose multiple template categories, and choose "Full Random" from the template drop-down to choose a random template for each user.
  - Exclude non-applicable languages, Security Hints and Tips, and Scam of the Week categories.
- Difficulty Rating: Optional
  - If you'd like, here you can choose to limit the difficulty of the templates you've selected to specific star ratings, from one to five.
- Phish Link Domain: Leave as random
- Landing Page: Optional
  - Choose a particular landing page you'd like to use for all phishing templates or leave it as default.
- Add Clickers: Here you can select your Clickers group. If you're creating a Smart Group for automated remedial training, you can leave this blank.
  - Each time someone fails your phishing test, they will be added to the selected group.
- Check "Send an email report to account admins..." if you'd like to be notified when the monthly phishing test is completed.
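The campaign settings above (and the bi-weekly version in the High Awareness plan) describe a small scheduling algorithm: filter the template catalogue by category and difficulty, pick a random template per user, and spread the sends across a number of business days, or send everything at once for a single-template test. The following is an added example, in Python, that models that logic on constructed data. It is not KnowBe4's code and does not use the KnowBe4 API; the template catalogue, category names, user list and the 08:00-17:00 sending window are all assumptions made for the illustration.

```python
"""Model of the "Full Random" / spread-over-business-days campaign settings.

Added illustration only: not KnowBe4's scheduler and not its API. The
template catalogue, users and working-hours window below are constructed.
"""
from __future__ import annotations

import random
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Constructed catalogue of (template name, category, difficulty stars 1-5).
TEMPLATES = [
    ("Password Reset Required", "IT", 2),
    ("Invoice Attached", "Finance", 3),
    ("Shared Document", "Cloud Services", 4),
    ("Delivery Notification", "Shipping", 1),
    ("Urgent Wire Request", "Current Events", 5),
    ("Tip: Check the Sender Address", "Security Hints and Tips", 1),
    ("Scam of the Week: Fake MFA Prompt", "Scam of the Week", 2),
]

# Newsletter categories are training content, not tests: always exclude them.
NON_TEST_CATEGORIES = {"Security Hints and Tips", "Scam of the Week"}

EXAMPLE_START = date(2024, 1, 4)  # a Thursday, so the spread crosses a weekend
EXAMPLE_USERS = [f"user{i}@example.com" for i in range(1, 41)]  # constructed


@dataclass(frozen=True)
class Send:
    user: str
    template: str
    category: str
    send_at: datetime


def business_days(start: date, count: int) -> list[date]:
    """The next `count` weekdays on or after `start` (weekends skipped)."""
    days: list[date] = []
    d = start
    while len(days) < count:
        if d.weekday() < 5:
            days.append(d)
        d += timedelta(days=1)
    return days


def eligible_templates(templates, exclude=NON_TEST_CATEGORIES, min_stars=1, max_stars=5):
    """The Categories and Difficulty Rating filters from the campaign settings."""
    return [t for t in templates if t[1] not in exclude and min_stars <= t[2] <= max_stars]


def schedule_campaign(users, templates, start: date, *, spread_days: int = 3,
                      window: tuple[time, time] = (time(8, 0), time(17, 0)),
                      min_stars: int = 1, max_stars: int = 5,
                      send_all_at_start: bool = False, seed=None) -> list[Send]:
    """Give each user a randomly chosen eligible template ("Full Random") and a
    send time. By default sends are spread at random over `spread_days`
    business days inside the working-hours window (bi-weekly plan: 3 days,
    monthly plan: 5-10). With send_all_at_start, every user gets the message
    at the start of the first business day, the right choice for a one-off
    single-template test."""
    rng = random.Random(seed)
    pool = eligible_templates(templates, min_stars=min_stars, max_stars=max_stars)
    if not pool:
        raise ValueError("no eligible templates after category/difficulty filters")
    days = business_days(start, spread_days)
    seconds_per_day = (window[1].hour - window[0].hour) * 3600
    sends: list[Send] = []
    for user in users:
        name, category, _stars = rng.choice(pool)
        if send_all_at_start:
            send_at = datetime.combine(days[0], window[0])
        else:
            day = rng.choice(days)
            send_at = datetime.combine(day, window[0]) + timedelta(seconds=rng.randrange(seconds_per_day))
        sends.append(Send(user, name, category, send_at))
    return sorted(sends, key=lambda s: s.send_at)


if __name__ == "__main__":
    for s in schedule_campaign(EXAMPLE_USERS, TEMPLATES, EXAMPLE_START, seed=7)[:5]:
        print(s.send_at, s.user, s.template)
```

The seed is only there so a run is reproducible; a real campaign should use the default unseeded generator. Note that the weekend skip matters: a bi-weekly campaign started on a Thursday and spread over three business days runs through the following Monday, which is exactly the behaviour you want so that a Friday-afternoon warning does not cover everyone.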
Optional Additional One-Time Monthly Test Using a Targeted or Current Events Template
Sometimes we will add a new template that you’ll want to use right away on all of your users, or you may come up with an inventive concept for a phishing test that will catch even those who rarely click. You can set up an additional one-time test each month to keep your phishing tests unique and relevant.
For the Medium Awareness plan, you may want to target your employees with organization or industry-specific templates for these one-time tests.
As a best practice, whenever you’re using only one template, it’s recommended you select the Send all emails when the campaign starts option so that your users receive the simulated phishing email at the same time. This will minimize the time users will have to warn each other about the phishing test taking place.
Determine Your Security Culture
In order to ensure your security awareness training is as effective as it should be, you should establish a strong security culture. Security culture is defined as the ideas, customs, and social behaviors that impact the security of your organization. The Security Culture Survey breaks down your organization's security culture into seven different dimensions. Use this survey to see which dimensions can be made stronger and how your security culture changes over time. Continue to survey your users once a year to see how your security culture score changes.
Use the links below to learn more about adding assessments and about the Security Culture Survey (SCS).
Organizational Assessments Guide
Security Culture Survey (SCS) Overview
Send Security Hints and Tips/Scam of the Week
In addition to phishing templates, we also have built-in Security Hints and Tips and a Scam of the Week category. Security Hints and Tips will remind users of various general methods of how to stay safe online and at work. Scam of the Week will prepare your users to defend themselves against the latest cybersecurity and social engineering scams.
Security Hints and Tips Newsletter Overview
Scam of the Week Newsletter Overview
Start a Remedial Training Campaign for Clickers
To encourage your most phish-prone users to analyze the emails they receive with more detail, you can schedule a remedial training campaign for your Clickers group.
To do this, make sure that when you set up your recurring monthly phishing campaign, you also choose to “Add Clickers To” your Clickers group.
After setting up your phishing campaign, set up your remedial security training for Clickers.
If you're a Platinum or Diamond-level customer, you can also set up automated remedial training using Smart Groups instead.
Using Groups for Remedial Training
Schedule Additional Security Training Every Six Months
In addition to our KnowBe4 Security Awareness Training, KnowBe4 offers a variety of training modules to meet your organization’s security training needs. For a list, description, and previews of all of our training content, you can browse the ModStore from within your KnowBe4 account.
We recommend that to keep your users security-focused, you create a new training campaign every six months. Assigning a new course will keep your users engaged in their security awareness training and will keep the content fresh.
If applicable to your organization, you should also target departments with specific content most relevant to them. For example, for any employees who encounter sensitive credit card data, you could enroll them in our Basics of Credit Card Security course. You can filter our ModStore content to find specific topics you'd like to focus on or use our Targeted Training filter.
We recommend a Platinum-level subscription to ensure that you always have the latest and greatest content available to you. If you’d like to discuss upgrading your account, contact your Customer Success Manager or Account Manager. They are here to assist with anything you need.
Complete Additional Vulnerability Testing Every Six Months (Platinum/Diamond Only)
In addition to checking your users’ vulnerability to clicking on phishing links, we recommend performing additional vulnerability testing on them throughout the year. Below are Platinum- and Diamond-level features that you can easily set up and manage through our console.
- USB Drive Tests: To see if users are prone to picking up unknown USB drives and plugging them into their computers, you can conduct a USB drive test using our platform. For this test, you will load specially designed files provided by us on USB drives and leave them in locations around your office frequented by your employees. We will be able to track data about the users who plug in the USB drives and attempt to open the files. See: USB Drive Test Overview
Check-In on Progress
You'll want to review your various report options throughout your console to see your organization’s progress over time. Analyzing the various reports available to you may help you shape future plans for phishing tests or security training campaigns by revealing “weak links” in the organization, where a heavier focus on security training may be required.
Your Dashboard provides an overview of your organization's Risk Score, Phish-prone Percentage, and other data so you can see at a glance how your security awareness program is going. You'll want to drill down further to identify trends, find out which users still need to complete their training, see which groups, locations, or departments are most likely to click on phishing links, and even see which email template your users clicked most often.
Here are resources regarding the reports that are available to you:
- Reporting Guide - Recommended
- Virtual Risk Officer and Risk Score Guide - Recommended
- Monitor and Review Overall Phishing Reports
- Training Reports Guide
- Dashboard Overview
Low Awareness
Click each step for additional details:
- Engage Your Stakeholders
- Complete a Blind Baseline Test
- To Prevent Help Desk Overload, Phish Your IT Team First
- Communicate with Your Employees
- Assess Your Users' Security Awareness
- Enroll Employees in Security Awareness Training
Engage Your Stakeholders
In order to ensure that your organization gets the most value out of any program, it’s crucial to have buy-in from stakeholders. See the below article for a sample email you can modify and send to your internal stakeholders.
Engage My Stakeholders In My Security Awareness Training Plan
Complete a Blind Baseline Test
Before you get started with training your users with our security awareness training modules, we strongly recommend that you conduct a blind baseline phishing test for all of your users.
Be sure to follow the instructions in the below article to understand how the test should be set up.
Best Practices Guide: Set Up a Baseline Test
Baseline Test Communication for Your IT or Help Desk Team
Also, you'll want to consider what sort of landing page you will use in your blind baseline test. Using landing pages, you have the ability to influence your users’ reaction to a phishing test. See the below link to learn about different types of landing pages and how your users may react to them.
Best Practices: Choosing a Landing Page
To Prevent Help Desk Overload, Phish Your IT Team First
Another option you may want to consider is to send two baseline phishing tests: one to your IT/Help Desk department first, and a separate one to the rest of your employees afterward. This way, when the rest of your employees begin reporting the suspicious email, your Help Desk employees will already be aware of the test but will also have had the chance to participate in the baseline assessment. Sending to the IT team first is also a good way to confirm that our mail servers are whitelisted correctly and that the baseline test will reach everyone's inbox.
Communicate with Your Employees
After the baseline test, your employees who received the simulated phishing email may be confused. Those who click the phishing link may worry that they will face repercussions. We recommend that once the duration of your baseline test phishing campaign is complete, you communicate with them that a test was conducted and explain why.
You can also use this opportunity to convey the importance of everyone completing security awareness training. Letting your users in on the potential threat to the organization or to themselves may increase their participation level once you enroll them in training. We've provided a template for this purpose on the below link.
Template for After Your Baseline Phishing Test
Assess Your Users' Security Awareness
Before you enroll your users in security awareness training, establish a baseline of their current security awareness so you can measure how it improves over time. Assign your users the Security Awareness Proficiency Assessment (SAPA), which measures their proficiency across seven knowledge areas. We recommend assigning the SAPA after your first phishing test but before your first training campaign. Continue to assign the SAPA yearly to see how your organization's strengths and weaknesses change.
Use the links below to learn more about adding assessments and about the Security Awareness Proficiency Assessment (SAPA).
Organizational Assessments Guide
Security Awareness Proficiency Assessment (SAPA) Overview
Enroll Employees in Security Awareness Training
After your baseline test, you should set up security awareness training for all of your users. Before you do this, you'll want to set up your learner experience and decide if you want to include gamification as part of your training program.
We strongly recommend enrolling all your employees in our 45-minute KnowBe4 Security Awareness Training or a similar, comprehensive course in your first training campaign. You can also add policies to training campaigns and require your users to accept or acknowledge these policies. See more: Create and Manage Policies
To help users start their training, we recommend sending them a link to one of our getting started videos. Each video has unique instructions based on your sign-on settings and explains how to use the Learner Experience. Use the links below to find a video that best fits your organization: