KnowBe4 FAQs | Comparably
KnowBe4 is a high growth information security company. We are the world’s largest provider of new-school security awareness training and simulated phishing.

KnowBe4 FAQs

KnowBe4's Frequently Asked Questions page is a central hub where its customers can always go to with their most common questions. These are the 440 most popular questions KnowBe4 receives.

Frequently Asked Questions About KnowBe4

  • Why Do I Have to Whitelist?

    Because our phishing templates mimic real-life phishing attacks, your mail server may block them. Without whitelisting our servers, our templates may end up in your users' Junk or Spam folders or blocked entirely.

    If our templates are unable to reach your users, it will be impossible to get an accurate representation of your organization's Phish-prone Percentage.

    Your users will also be inadequately prepared to defend your organization when a real, dangerous phishing email gets past your mail filters.

    Properly whitelisting KnowBe4's mail servers will guarantee the delivery of phishing test emails and training notifications. More information about how to properly whitelist our servers in both your mail server and additional spam filters can be found here.

    If you have trouble whitelisting, contact our support team for additional assistance.

  • Whitelist Data and Links

    Before you begin phishing and training your users, you must whitelist. It is extremely important that you whitelist us in order to prevent our phishing security test emails and training notifications from being blocked or filtered into your Spam folder.

    Whitelisting Best Practices

    The way you'll need to whitelist KnowBe4 varies depending on your environment. For guidance, you can use our Whitelisting Wizard which will point you in the right direction. As a best practice, we recommend whitelisting our IP addresses or hostnames in your mail server if you're not using a cloud-based spam filter. If you are using a cloud-based spam filter, you will need to whitelist by email header in your mail server and whitelist by IP address or hostname in your spam filter.

    If you find that you are unable to whitelist IP addresses for whatever reason, you can whitelist our mail server hostnames instead.

    Take into consideration the various products or services you may be using in your mail or web environment to prevent issues with deliverability. Our support team is available for assistance.

    Also, consider your mail server or mail filter may have rate limiting. Rate limiting can slow or block the delivery of a phishing test when sending a large number of emails at once. Review your mail server or filter settings for its rate limiting rules to ensure that your phishing test will arrive to your users. Although we do not recommend this, a potential workaround is to temporarily turn off rate limiting but be sure to turn it back on as soon as the phishing emails have been delivered successfully.

    Conduct a preliminary test campaign before your Baseline Phishing Test.

    We recommend that you run at least one phishing campaign that is limited in scope to only one or two administrative users who can confirm receipt and tracking of clicks on phishing links. This should be done before the baseline test and will confirm that our phishing emails are getting through any spam/firewall protection.

    As soon as you are done with your preliminary test, you should delete or hide the campaign so that it will not interfere with your reports or risk score.

    IP Addresses, Hostnames, and Header Information

    Below is a list of our IP addresses or hostnames, and header information for the purpose of whitelisting KnowBe4. Not sure how or where to whitelist? Try our Whitelisting Wizard for guidance.

    Note:

    Be careful not to over-whitelist. Choose one method to whitelist and do not mix and match.

    For accounts located at Training.KnowBe4.com:

    Whitelist by IP Addresses

    IP Addresses                    Messages Sent
    147.160.167.0/26 *              Future IPs for Simulated Phishing and Training Emails
    23.21.109.197, 23.21.109.212    Current IPs for Simulated Phishing and Training Emails. NOTE: These IP addresses will be retired by the end of 2020.

    * Please note that "/26" is the CIDR format for an IP subnet mask. In this case, it indicates the following IP range: 147.160.167.0 - 147.160.167.63. For more information on IP network subnets, please see here.

    Whitelist by Hostnames

    Hostnames                                   Messages Sent
    psm.knowbe4.com, phishtest.knowbe4.com *    KnowBe4 Simulated Phishing and Training emails

    * Deprecated in October 2019

    Whitelist by Header

    For security purposes, whitelisting by email header is NOT recommended on your public email endpoint.

    Simulated Phishing Email Header    Email Header Text
    X-PHISHTEST                        This is a phishing security test from KnowBe4 that has been authorized by the recipient organization

    For accounts located at EU.KnowBe4.com:

    Whitelist by IP Addresses

    IP Addresses                                                  Messages Sent
    147.160.167.0/26 *                                            Future IPs for Simulated Phishing and Training Emails
    52.49.201.246, 52.49.235.189, 23.21.109.197, 23.21.109.212    Current IPs for Simulated Phishing and Training Emails. NOTE: These IP addresses will be retired by the end of 2020.

    * Please note that "/26" is the CIDR format for an IP subnet mask. In this case, it indicates the following IP range: 147.160.167.0 - 147.160.167.63. For more information on IP network subnets, please see here.

    Whitelist by Hostnames

    Hostnames                                      Messages Sent
    psm.knowbe4.com, eu-phishtest.knowbe4.com *    KnowBe4 Simulated Phishing and Training emails

    * Deprecated in October 2019

    Whitelist by Header

    For security purposes, whitelisting by email header is NOT recommended on your public email endpoint.

    Simulated Phishing Email Header    Email Header Text
    X-PHISHTEST                        This is a phishing security test from KnowBe4 that has been authorized by the recipient organization
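
    The allowlisting rules above (IP match first, header match only behind your own filter, never on a public endpoint) can be expressed as one decision function. This is an added example, not KnowBe4 code; it uses the Training.KnowBe4.com addresses listed on this page, and the upstream filter address and sample messages are constructed assumptions.

```python
import ipaddress

# Addresses copied from the Training.KnowBe4.com table on this page.
KNOWBE4_NETS = [ipaddress.ip_network(n) for n in (
    "147.160.167.0/26",
    "23.21.109.197",
    "23.21.109.212",
)]
PHISHTEST_HEADER = "x-phishtest"  # header name from the page, lower-cased

# Assumption: address of your own cloud spam filter (documentation range).
UPSTREAM_FILTERS = ["192.0.2.25"]


def cidr_bounds(cidr):
    """Return (first address, last address, size) of a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1]), net.num_addresses


def from_knowbe4(ip):
    """True when ip falls inside one of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWBE4_NETS)


def classify(peer_ip, headers, upstream_filters=()):
    """Decide how one inbound message is treated at this mail hop.

    peer_ip          -- address of the host that opened the SMTP connection
    headers          -- dict of header name -> value
    upstream_filters -- your own filter hosts; the header match is honoured
                        only for mail they relay, never for direct senders
    """
    has_header = any(name.lower() == PHISHTEST_HEADER for name in headers)
    trusted_relays = {ipaddress.ip_address(a) for a in upstream_filters}
    peer = ipaddress.ip_address(peer_ip)

    if from_knowbe4(peer_ip):
        return "bypass"       # IP allowlist: connection comes from a listed server
    if has_header and peer in trusted_relays:
        return "bypass"       # header allowlist, but only behind your own filter
    if has_header:
        return "suspicious"   # header is sender-controlled text; log and filter
    return "filter"           # ordinary mail, normal filtering applies


# Constructed sample messages (not real traffic): (peer IP, headers).
SAMPLES = [
    ("147.160.167.20", {"X-PHISHTEST": "This is a phishing security test"}),
    ("147.160.167.64", {"X-PHISHTEST": "This is a phishing security test"}),
    ("192.0.2.25", {"X-Phishtest": "This is a phishing security test"}),
    ("198.51.100.7", {"Subject": "Invoice"}),
]


def run_samples():
    """Classify every constructed sample with the assumed upstream filter."""
    return [classify(ip, hdrs, UPSTREAM_FILTERS) for ip, hdrs in SAMPLES]


if __name__ == "__main__":
    print(cidr_bounds("147.160.167.0/26"))
    for (ip, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{ip:16} {verdict}")
```

    The second sample sits one address past the end of the /26 and carries the header, so it is flagged rather than allowed.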

    Adding KnowBe4 to Your SPF Records

    Although generally not necessary, if you'd like to add KnowBe4 to your SPF records you can do so. We have steps to do so located here: Adding KnowBe4 to your SPF records

    Common Mail Servers

    Do you need assistance with setting up whitelisting? The steps that need to be taken will vary across different email clients, servers, and internet security platforms. Here are some articles that may be helpful:

    Exchange 2007/2010:

    Setting up an IP Allow List in Exchange 2007

    Setting up an IP Allow List in Exchange 2010

    Whitelisting by Header in Exchange 2010

    Exchange 2013, 2016, & Office 365:

    Exchange 2013, 2016, & Office 365 (Whitelist by IP Addresses)

    Exchange 2013, 2016, & Office 365 (Whitelist by Email Header)

    Whitelisting Training Emails in Office 365 (Whitelist by Email Header)

    Exchange 2013 Add-IPAllowListEntry (Command Line)

    Focused Inbox on Outlook or Office 365 (PowerShell)

    GSuite/Google Apps:

    Whitelisting by IP Address in GSuite/Google Apps

    Whitelisting by Email Header in GSuite/Google Apps

    If you're using GSuite, you will also need to follow the steps in this article to disable the return-path header on KnowBe4 phishing tests.

    Common Email and Web Filters:

    Whitelisting in AppRiver

    Whitelisting in Barracuda

    Whitelisting in Cisco Ironport

    Whitelisting in EdgeWave

    Whitelisting in Forcepoint (Websense)

    Whitelisting in Forefront Protection for Exchange

    Whitelisting in Fortinet FortiGate

    Whitelisting in McAfee/MX Logic

    Whitelisting in Mimecast

    Whitelisting in Proofpoint: Proofpoint has whitelisted our IP addresses and hostnames in their system globally, so you do not have to whitelist us there. However, if you are having issues, please see our article on Whitelisting in Proofpoint.

    Whitelisting in Securence: Securence has whitelisted our IP addresses in their system globally, so you do not have to whitelist us there.

    Whitelisting in SonicWall

    Whitelisting in Sophos

    Whitelisting in SpamAssassin

    Whitelisting in Symantec.Cloud/MessageLabs

    Whitelisting in Mailprotector: Mailprotector has whitelisted our IP addresses in their system globally, so you do not have to whitelist us there.

    Whitelisting in TrendMicro

    Whitelisting in VIPRE

    Link Testing and Intent Analysis

    Some common email filtering and anti-spam services (such as Barracuda, Symantec, Websense, MessageLabs, etc.) will sometimes have link-following or link inspection options. These services may follow links found in incoming messages, resulting in skewed or 100% click-through rates. You can either whitelist/exempt our emails from being subject to these types of features/services or disable these features for the duration of a phishing test. More information can be found here.

    Using a Third-party Hosted Spam/Content Filter? Try Smart Hosting

    If you cannot add our whitelist data or your third-party solution impacts deliverability of the phishing emails, we are able to establish direct routes to your mail server to bypass that filtering. Just ask our technical support staff about the option of smart hosting, and they can assist you. Click here to submit a support ticket.

    If you are using Exchange 2016, you may find Scenario 3 on this article helpful after speaking with our support team: Scenarios for Custom Receive Connectors in Exchange 2016

    Email from KnowBe4 Employees Going to Junk or Spam?

    Occasionally, we may send you notifications about updates to the system (new features, templates, etc.), or our employees may check in with you to see how things are. If you'd like to ensure these emails will make it through without going into Junk or Spam, you can whitelist emails coming from knowbe4.com and knowbe4.mail.intercom.io

    If you're using Office 365, we have instructions on how to set this up: Whitelisting emails from KnowBe4 in Office 365

    Third-party Whitelisting Assistance

    KnowBe4's support team will provide assistance with whitelisting as much as possible. However, due to the many variations of mail filtering services and providers in use, we recommend working directly with your service provider to properly whitelist KnowBe4 if you're experiencing issues. Below is an email template you may send to your service provider's support team as a request for whitelisting assistance, so they understand the services KnowBe4 offers:

    Our organization uses KnowBe4, a security awareness training platform that provides simulated phishing tests and training for our employees. We would like to whitelist all KnowBe4 simulated phishing tests and training emails to ensure they successfully reach the inbox of our employees. Please provide us with the appropriate whitelisting assistance to achieve this.

    Whitelisting Troubleshooting

    We have two whitelisting wizards that can help guide you through the whitelisting process. Visit here to learn more about each wizard.

  • How to Use the Phish Alert Button in Gmail

    Your organization may have recently installed the Phish Alert Button (PAB) in your Chrome browser. Learn how this tool works and how you can use it to help keep your organization safe from malicious phishing emails.

    When do I use it?

    Click the PAB if you believe you have received a phishing email or any potentially dangerous email. Any emails you report using the PAB will be automatically deleted from your inbox. The emails you report will also be forwarded to a designated contact within your organization for analysis.

    The PAB should only be used to report emails you believe to have malicious intent. If you are receiving spam or marketing emails, you should not use the PAB to report these. You can delete these types of emails or add the sender or sender's email domain to a block list.

    Note:

    The steps for blocking an email sender vary based on your email client. Contact your supervisor or IT team with any questions.

    How do I use it?

    Once the PAB add-in is installed, upon your next Chrome restart, you will be prompted with a message to "Allow" the KnowBe4 PAB app. Click the "Allow" button on this message.

    After allowing the PAB app, you will see the PAB as an orange Phish Hook within Gmail. You can use the Phish Hook to report any email as a phishing email, but you cannot use the PAB to report multiple emails at once. Each potential phishing email should be reported individually. However, if an email has multiple emails associated with it, ALL of the emails will be reported when you report the single email.

    Note:

    In order to report potential phishing emails using the Google PAB extension, you must be logged in to Google Chrome and your Gmail account.

    There are three ways to report an email as a phishing email:

    1) Click the Phish Hook while viewing the email.

    2) Select the checkbox to the left of the email while in the inbox view. Then, click the Phish Hook.

    3) Click the drop-down on the top-right while viewing the email. Then, click the Phish Alert text.

    Note:

    By using any one of the three options, the email you report will be forwarded to an email address designated by your organization and then deleted from your inbox. If you report an email in error, you can retrieve the email from your Trash/Deleted Items.

    Why should I use it?

    Reporting emails will help your organization stay safer. Because the potential phishing emails you report are sent for analysis to your organization, your organization will now be aware of which phishing attacks are able to reach their employee inboxes. Once they're aware of possible vulnerabilities, they can better defend against them. You are an important part of the process of keeping your organization safe from cybercriminals. Stop, Look, and Think!

  • Office 365 Advanced Threat Protection (ATP) Bypass Rules

    If you are using Advanced Threat Protection (ATP) in your mail environment and have experienced false clicks or false attachment opens, you can set up mail flow rules. Setting up mail flow rules allows you to bypass safe links and attachments processing for phishing test emails from KnowBe4's IP addresses. However, if you have a mail filter in front of your mail server, we recommend you whitelist in ATP by email header instead.

    Note:

    We recommend that you allow an hour for the rules to circulate to all of your users and to test the rules' effectiveness with a small group prior to starting a phishing campaign.

    ATP Link Bypass Rule

    To set up a mail flow rule to bypass ATP link processing:

    Create a new mail flow rule in your Exchange/Office Admin center.

    Name the rule, for example, Bypass ATP Links.

    Click more options.

    From the Apply this rule if... drop-down menu, select Senders IP address is in the range

    Enter our IP address. For the most up-to-date list of our IP addresses, please see this article.

    From the Do the following drop-down menu, select Set the message header and then to this value...

    Set the message header to:

    X-MS-Exchange-Organization-SkipSafeLinksProcessing

    Set the value to:

    1

    Save your new rule.

    ATP Attachment Bypass Rule

    Below are the steps to set up a mail flow rule to bypass ATP Attachment Processing:

    Create a new mail flow rule in your Exchange/Office Admin center.

    Name the rule, for example, Bypass ATP Attachments.

    Click more options.

    From the Apply this rule if... drop-down, select Senders IP address is in the range

    Enter our IP addresses. Please see this article for the most up-to-date list of our IP addresses.

    From the Do the following drop-down, select Set the message header... and then To this value....

    Set the message header to:

    X-MS-Exchange-Organization-SkipSafeAttachmentProcessing

    Set the value to:

    1

    Save your new rule.
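
    Because both rules switch off Safe Links or Safe Attachments processing for whatever matches their condition, it is worth checking that the sender IP condition is no wider than the addresses listed on this page. The audit below is an added example, not KnowBe4 or Microsoft code; the rule dictionaries are constructed, and their field names (Name, SenderIpRanges, SetHeaderName, SetHeaderValue) are an assumed export format.

```python
import ipaddress

# Training.KnowBe4.com addresses as listed on this page.
VENDOR_NETS = [ipaddress.ip_network(n) for n in (
    "147.160.167.0/26",
    "23.21.109.197",
    "23.21.109.212",
)]

# The two bypass headers named in the steps above, lower-cased for matching.
BYPASS_HEADERS = {
    "x-ms-exchange-organization-skipsafelinksprocessing",
    "x-ms-exchange-organization-skipsafeattachmentprocessing",
}


def within_vendor_ranges(cidr):
    """True when cidr is fully contained in one of the listed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == v.version and net.subnet_of(v)
               for v in VENDOR_NETS)


def audit_rule(rule):
    """Return a list of findings for one mail flow rule (empty list = OK)."""
    header = (rule.get("SetHeaderName") or "").lower()
    if header not in BYPASS_HEADERS:
        return []                      # not an ATP bypass rule, nothing to check
    findings = []
    if str(rule.get("SetHeaderValue")) != "1":
        findings.append("value-differs-from-documented-1")
    ranges = rule.get("SenderIpRanges") or []
    if not ranges:
        # No IP condition: the bypass would apply to every sender.
        findings.append("no-sender-ip-condition")
    for cidr in ranges:
        if not within_vendor_ranges(cidr):
            findings.append(f"range-wider-than-listed:{cidr}")
    return findings


def audit_all(rules):
    """Map rule name -> findings, keeping only rules that have findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["Name"]] = findings
    return report


# Constructed sample rules (not exported from a real tenant).
SAMPLE_RULES = [
    {"Name": "Bypass ATP Links",
     "SenderIpRanges": ["147.160.167.0/26", "23.21.109.197", "23.21.109.212"],
     "SetHeaderName": "X-MS-Exchange-Organization-SkipSafeLinksProcessing",
     "SetHeaderValue": "1"},
    {"Name": "Bypass ATP Attachments",
     "SenderIpRanges": ["147.160.167.0/24"],
     "SetHeaderName": "X-MS-Exchange-Organization-SkipSafeAttachmentProcessing",
     "SetHeaderValue": "1"},
    {"Name": "Bypass ATP Links (old)",
     "SenderIpRanges": [],
     "SetHeaderName": "X-MS-Exchange-Organization-SkipSafeLinksProcessing",
     "SetHeaderValue": "1"},
    {"Name": "Add disclaimer",
     "SenderIpRanges": [],
     "SetHeaderName": "X-Disclaimer",
     "SetHeaderValue": "yes"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RULES).items():
        print(name, findings)
```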

    Still need assistance? Submit a support ticket and we can help!

  • Branding Your KnowBe4 Console

    Access Your Account Settings

    To add your company logo, company logo URL, and set a main theme color for your console, log in to your console, click your email address toward the top-right, and then click on Account Settings.

    Adding Your Company Logo URL

    We recommend adding your company logo URL to your console to personalize items sent to your users. Adding your company logo URL will allow your company logo to populate when the Company Logo Url and Company Logo image placeholders are used in phishing templates, training notifications, and landing pages.

    Under the Company Information section is the Company Logo Url for Templates field. Here, you can paste the URL of your company logo. This must be a publicly-available URL.

    We recommend using a small logo here, preferably less than 200px by 200px (our branded landing pages will automatically resize your URL logo to have a height of 80px). Click the Update Account Info button at the bottom of the page to save your settings.

    Adding Your Company Logo

    We recommend adding your company logo to your console to personalize your KnowBe4 environment. Adding your company logo will provide a familiar face to your users upon logging into the security training for the first time.

    Under the Company Information section, you can import a Company Logo for Console. The company logo you select must be in PNG format, less than 300KB, and resized to 166px x 46px to fit the console. Click the Update Account Info button at the bottom of the page to save your settings.

    If you're a reseller, MSP or multi-account organization, you can also add your logo in the same fashion, management portal. Your logo will output to all of your accounts.

    Main Theme Color

    Selecting a main theme color improves your end user's learner experience (LX) by providing a familiar feeling when they log in for training. We recommend matching your main theme color to one of the main colors on your company logo to fully brand your end user training console.

    Under the Learner Experience section, you can Set a main theme color for your console. Click the colored box towards the right to display a color picker, or enter the hex color code that matches your brand color.

    Learn more about the LX in our Learner Experience Guide.

  • LMS Compatibility

    Yes! If your organization has an LMS that you use for internal training, you will be able to download the SCORM files from your Store Purchases tab within your KnowBe4 account so you can load them in your LMS.

    Formats Available

    SCORM 2004

    4th Edition.

    Available for Training Modules, Video Modules, and Games.

    Available for all ModStore Publishers.

    SCORM 1.2

    Available for Training Modules, Video Modules, and Games.

    Third-party content may not be available.

    AICC (KnowBe4 content ONLY)

    xAPI (Tin Can) (KnowBe4 content ONLY)

    Mp4

    Available for Video modules.

    Available for all ModStore Publishers.

    Note:

    Canada Privacy Training modules are only available in SCORM 2004 format.

    If a module is not available through the platform as a download, reach out to your Customer Success Manager. If you don't know or cannot reach your Customer Success Manager, please contact our KnowBe4 support team so we can assist you.

    Completion Settings Available

    Complete/Incomplete

    Passed/Failed

    Passed/Incomplete

    Complete/Failed

    Keep in mind, though, that SCORM files will only be downloadable after you add the desired training module to your Store Purchases. You will first need to add the training module to your account and then download the SCORM files for the module.

    It is important to note that if you decide to use an internal LMS, you will not be able to track user progress in the Training area within the KnowBe4 console. If you wish to use our console to track training, you need to use our built-in LMS and training.

    I Can't See My Files!

    If you are unable to see the downloadable course files beneath your Store Purchases, please submit a ticket to our Support team including the module name(s) and publishing settings that you need, and one of our support technicians will be able to assist you.

    KnowBe4 and Flash

    As of May 2019, new KnowBe4-published modules will only be published in HTML5. Flash will not be supported.

  • Whitelisting by IP Address in Office 365

    Check out our Whitelisting by IP Address in Exchange 2013, 2016, or Office 365 article for more information!

  • Uploading Your Own Content

    Check out our Uploading Custom Content to Your KnowBe4 Platform article for more information!

  • What is a Phishing Security Test (PST) and How Does it Work?

    A Phishing Security Test is a tool provided by KnowBe4, which can determine the vulnerability level of your network by giving you an indication of how many people may be susceptible to an email-borne social engineering attack.

    It can also be used to supplement and reinforce training received in the KnowBe4 training modules by giving your users real world practice in recognizing social engineering attacks and responding to them appropriately.

    It works like this: The PST sends one email to each user in your organization. In our initial, free phishing security test, the email sent is a link test, which involves some text meant to lure the user into clicking an embedded link. Once the link is clicked, the user is directed to a Landing Page. Our Basic Landing Page tells the user they have been part of a simulated phishing test and gives them some rules to apply when inspecting emails in their inbox.

    The results of the test include the number of users who failed the test divided by the number of users to whom the test was delivered. This gives you a Phish-Prone Percentage, the percentage of your users who failed the PST.

    If you're a current KnowBe4 customer, you probably already have access to this great tool and can explore our product manual and documentation for best practices on how to utilize it. If you're not a current customer, but are interested in a free phishing test for up to 100 users, check out our website at https://www.knowbe4.com/ to sign up.

  • This page will let you know when our phishing domains and landing domains have been updated. If you have utilized our phish and landing domains for whitelisting in the past, you should request a new list by opening up a support ticket.

    The update could either be the addition of new domains or the removal of old ones.

    Latest update: September 20, 2019

    A new phish domain was added.

    Previous update: June 21, 2018

    The default landing domain has changed. If you've already whitelisted our phishing and landing domains, you will not need to make any additional changes.

    Previous update: October 12, 2017

  • KnowBe4 KCM GRC: Glossary of Compliance Terms

    This glossary contains terms and key concepts that will help you better utilize your KCM Governance, Risk and Compliance (GRC) Platform, easing the burden of staying compliant year-round!

    In addition to the terms highlighted in the jump links below, you can find related concepts within each of these sections.

    Controls

    Controls can be thought of as the method, evidence or proof that demonstrates how you are meeting your various Requirements. Controls are a document, process, technical implementation, or other action that relates to one or more Requirements.

    We recommend making your Control description very detailed. The description should include what the Control is, how to review and assess the Control, what type of Evidence is expected as a result of a review, and where that Evidence should be placed. The Control description is used in the Task reminder emails and in the Detailed Compliance Reports. If you should need to change ownership of the Control, providing these details will make it much easier for the new user to understand what is expected.

    Examples of Controls are:

    Disaster Recovery Policy and periodic review and testing of the policy

    Active Directory password configuration settings review

    Apply the latest patches to SERVER1

    Collect Security and Privacy documentation from VENDOR

    Review and Document Incident

    Testing/Task Schedules

    Recurring Tasks can be scheduled on an Annual, Semi-annual, Quarterly, Monthly, or Weekly basis and are assigned to the "User Responsible" for completion. Tasks may also be created on an ad-hoc basis, whenever they are needed outside of the recurring schedule. For more information, please see this article: Working with One-Time Tasks, Task Schedules, and Effective Date Range.

    Control Documents

    Control Documents are an optional way to submit an example of evidence documents needed by the Responsible User, in order to satisfy a Task. While this is not a replacement for the Evidence of Task completion, it is a way to support the act of gathering evidence for a particular Control.

    Examples of Control Documents:

    Blank management sign-off form

    Screenshot of a particular area in Active Directory

    Evidence

    Evidence is provided to satisfy Tasks, in order to support a Requirement's Control. The Evidence Repository section of KCM GRC is a file/URL repository where you can store evidence that Controls are in place and operating as they should be. Evidence can be provided in the form of file uploads or URLs (DocuLinks) that point to the Evidence.

    Documents (File Upload)

    File upload is one way you can use KCM GRC to store audit evidence. Each file that is uploaded is uniquely encrypted and stored securely in the cloud. Uploaded files are associated with a specific Task.

    You should use the file upload feature if you are not currently using a central storage facility for audit evidence.

    DocuLinks (URLs)

    DocuLinks, or links to Evidence, are an option for storing audit evidence in KCM GRC. If you are currently using a centralized storage area on your internal network for maintaining audit evidence, you do not need to upload files to KCM GRC as well. By providing a URL to the Evidence, you get the benefits of linking that information to a specific Control or Task without storing files in multiple places.

    Any web-based file storage application can be used, whether it's internal to your network or external, such as Sharepoint, Dropbox, Google Drive, Jira, etc.

    Requirements

    A Requirement is a concrete statement that describes a compliance objective, audit finding, best practice, or other obligation that the organization is striving to achieve or correct.

    Some examples of Requirements are:

    PCI DSS 1.1.2, Current Network Diagram: There must exist a current network diagram with all connections to cardholder data, including any wireless networks.

    HIPAA 164.308(a)(2)(ii), Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

    Internal IT Audit FY2015 Finding #4, Missing Security Patches: The following servers did not have the most recent security patches applied: SERVER1.

    Scopes

    A Scope is an umbrella structure to manage a series of related Requirements, Controls, and Evidence. A Scope is a way to describe the boundaries of a project or audit. In KCM GRC, permissions, Reports, and Dashboards are divided up by Scope.

    For example, Scopes can represent separate physical locations, different ongoing compliance initiatives, remediation and audit findings, incident and vendor management, tracking projects, etc.

    Scopes are typically created from Templates, see the Custom Templates section below for more information.

    Scope Export

    Each Scope can be exported so that the data can be saved for offline archiving. The format of this export is a zip file (which can be password-protected), containing a series of HTML files that mimic the Detailed Compliance Report found in the console. For more information, please see this article: KCM GRC: Reports and Exporting Scopes.

    Scope Requirements Self-Assessment (Optional)

    Each Scope has a set of Requirements. Each Requirement has a Self-Assessment question, or status, associated with it. You can set the status for each Requirement in a Scope by going through the Scope's Self-Assessment. You can set the status as:

    - Met if this is a Requirement that you are meeting

    - Not Met if you have not yet met the Requirement

    - Not Applicable if the Requirement is not applicable to your organization for that Scope (You can later remove the non-applicable Requirements from the Scope by unmapping them.)

    The answers to the Self-Assessment questions determine your compliance percentage. For more information, see Step 3: Complete Scope Self-Assessment in our Getting Started with the Compliance Management Module article.

    Tasks

    Tasks allow for the continuous monitoring of Controls. They give you an opportunity to collect Evidence relating to a Control on a periodic basis so you will be prepared when it is time for an audit.

    Automated email reminders are sent to the User Responsible upon the Task's creation, and when the Task's due date is approaching. For more information, see What is the KCM GRC task reminder email schedule? in our Frequently Asked Questions article.

    Effective Date Range

    You can choose whether or not you want to use Effective Date Range when setting up a Task Schedule for a Control. If you utilize Effective Date Range, you are choosing to specify the length of time that the Evidence submitted for a particular Task is valid in reference to the associated compliance Requirement. For example, with specific compliance frameworks, if an auditor cannot verify the effectiveness of a control, they may request an expanded sample size to show the operating effectiveness of the control over a greater period of time. When using EDR, the auditor can see that the control evidence has been collected during the specified time period and not just submitted prior to the due date of the control task.

    Example:

    Say you must submit network access files in order to meet a compliance requirement, and the date range for these files to remain valid is January 1, 2018 - December 31, 2018.

    When setting a Task Schedule for these files, you would select "Yes" for "Use Effective Date Range", choose "Annually" for the Frequency, and input January 1, 2018, as the Start Date. The Effective Date Range feature will assume 12/31/18 is the date this Evidence is no longer valid. Therefore, the due date to submit new Evidence for this Task would be three months after 12/31/18, by default. You have the ability to change the Effective Date Range default due dates in your Account Settings.

    For more information, please see this article: Working with One-Time Tasks, Task Schedules, and Effective Date Range.


    Templates

    Compliance Templates are the highest-level object within KCM GRC. A Compliance Template is a repository or collection of Requirements that are related to one another. A Compliance Template can either be a "Managed Template" which is created and kept current by KnowBe4, or a "Custom Template" which is created by the KCM GRC customer to suit their needs.

    Compliance Templates

    Custom Templates

    Templates contain a group of Requirements that a KCM GRC user will create and manage. This can be anything from audit requirements and findings, state and local regulations, security best practices, vendor management, incident management, IT and non-IT based projects, and more.

    As a best practice when creating Scopes, we recommend you start with a Template and convert it into a Scope. We recommend this method because you can continue to utilize the Template's References for additional compliance (or general) objectives, by adding them to additional Scopes.

    Managed Templates

    We offer a wide variety of managed templates for your use in the KCM GRC platform. Our team ensures that we have the up-to-date versions of the published framework available for your use.

    You can find a current list of the Managed Templates we offer here.

    Risk Templates

    The Risk Templates are a portion of the KCM GRC Risk Management Module. The Risk Templates area of your console holds the pre-populated Risks offered from our Master Risk Repository, as well as any Risks you've imported or manually created in your KCM GRC platform. See the KCM GRC: Risk Templates article for more information.

    Users

    The KCM GRC platform consists of four different modules: Compliance Management, Policy Management, Risk Management, and the Vendor Risk Management module. There are multiple user roles associated with each of the KCM GRC modules.

    See our KCM GRC: User Roles guide for more information on each type of user and what permissions they're allotted.

  • See more here:

    KCM GRC: Glossary of Compliance Terms

    KCM GRC: How Do I Satisfy/Complete Tasks?

    KCM GRC: How Do I Approve Tasks?

  • How Do I Add and Manage my Organization's Policies in my KnowBe4 Console?

    The Policy Management feature in your Security Awareness Training platform allows you to store, distribute, and track the various acknowledgments and agreements required of the employees in your organization.

    You can use training campaigns in your KnowBe4 console to assign and distribute your organization's policies. This gives you the ability to track which users have acknowledged the policies and how much time they spent reviewing the policies. You can even set an optional minimum review time for users to spend reading policies.

    Jump to:

    Adding Policies Editing Policies Assigning Policies Monitoring Policy Acknowledgments User Experience Frequently Asked Questions (FAQs)

    Adding Policies

    You can upload your organization's policies in a PDF format. To create a new policy, log in to your console, navigate to the Training section, and click on the Policies tab. From there, click the + Create Policy button to add your policy.

    Policy Creation Screen

    Title: Add the title of your policy or agreement. As a best practice, we recommend adding the policy version and/or creation date to the title. This title will display on the interface your users will see when reading the policy.

    Status: Select the status of the policy. See here for a list of the available statuses and what they mean.

    Required Review Minutes: (optional) You can specify a minimum number of minutes that users are required to spend reviewing the policy before having the ability to acknowledge it.

    Allow Download: (optional) If you enable this checkbox, your users will have the option to download the policy from the Policy Viewer interface.

    Description: Here you can provide your users with details about the policy and the acknowledgment process. When your users log in to the console to acknowledge the policies you've assigned, they'll see this description underneath the policy title.

    Note:

    If you choose to use the "Required Review Minutes" option, include this required time in the description so your users know how much time they must spend reading the policy before they're able to acknowledge.

    Policy Creation Screen

    Upload: Use the Choose File button to upload a PDF file.

    Select Policy Language: Choose the language of the uploaded policy file from this drop-down menu. If you upload multiple versions of the policy PDF, your users will be able to pick which language they want to read the policy in.

    Policy Acceptance Requirements: Choose what type of acknowledgment you want to require of your users. You can require that they acknowledge each page of your policy or only the final page.

    Checkbox text: This is the text shown in the Policy Viewer interface, next to the checkbox that serves as the acknowledgment submission. It can say something simple, such as "Accept" or "I Agree". The ability to specify this text is helpful for policies with various language versions.

    Per Page Acceptance Text: (optional) This text is displayed at the bottom of the Policy Viewer interface, for each page of the policy, aside from the final page. If you require users to accept each page, this text will accompany the checkbox your users click before proceeding to the next page of the policy.

    Final Page Acceptance Text: (optional) This text is displayed at the bottom of the Policy Viewer interface, on the final page of the policy. This text will accompany the acknowledgment checkbox users are required to check.

    Save File: Click this button to save this language version of the policy.

    + Add Language: Use this button to upload the policy in an additional language. Ideally, you'll also add the acceptance text details in the appropriate language for the policy.

    Save Policy: Once you've added all necessary language versions, click this button to save the policy. Policies can be edited to add additional versions. However, once a policy is in a campaign, the original policy files should not be changed to a revised version. See the next section for more information.

    Editing Policies

    After a policy has been created, you can edit the policy or add additional language versions as needed. Edits to the policy take effect immediately and users who are already assigned the policy will be able to see your changes the next time they view it.

    Note:

    If a policy has already been distributed through a campaign: As a best practice, if you need to update a policy to a newer version, we recommend creating a new policy and a new campaign rather than editing the existing policy.

    You can edit a policy by clicking the drop-down arrow to the far right of the policy title, as shown below.

    Policies Tab

    Policy Statuses

    Draft

    Use this status if you don't want the policy to be available when creating a campaign but you want to save your current progress.

    Published

    Use this status when you are ready to use this policy in a campaign. This is the only status that makes the policy available from the Create Campaign window.

    Archived

    Use this status to archive the policy. Archived policies cannot be assigned to new campaigns but if the policy is in an active campaign, users will still be able to see it.

    Edit Policy Screen

    From the policy editing page, you can edit the general policy details, add additional language versions, edit existing language versions, and change the default policy language option. The default language is the first shown in the drop-down menu that users see before opening the policy. See an example of the drop-down menu here.

    Assigning Policies

    Once you've added one or more policies to your account, you will assign and distribute the policy to your users by creating a training campaign.

    To create a training campaign for your policy, navigate to the Training section of your console, and click on the Campaigns tab. Then, click the + Create Campaign button.

    You can set up the training campaign as you normally would. See our Training Campaigns article for details.

    You have the ability to assign both policies and training content in the same campaign. The "Content" drop-down menu will contain two sections: Courses and Policies. Choose any combination of content to include in your campaign.

    See our FAQ: Can I arrange the order of the content I assign through training campaigns?


    Monitoring Policy Acknowledgments

    Once a campaign has started, you can monitor the status of all user acknowledgments as well as any training courses you may have included in your campaign. Click on the campaign name under the Campaigns tab to view the details of that campaign. For more information, see the Monitoring Campaigns section of our Training Campaigns and Course Management article.

    The Users tab (shown below) will provide detailed information on each user's status in the campaign. Here you can see when users were enrolled in the campaign, their current status in the policy acknowledgment (or course completion), the time they've spent reviewing the policy (or in a course), and the amount of time they have left before the content is due.

    Campaign Reports

    From this page, you can also send manual reminder notifications, pass users, reset users' progress on a course or policy, and download a CSV file containing details about the completion status of all enrolled users.

    Note:

    Users will not receive a completion certificate for policy acknowledgment campaign assignments. See here for more information about training completion certificates.


    User Experience

    If you've set up campaign notifications to send to your end users (for example, reminding them to acknowledge your organization's policies) they'll use the link in the notification email to access the console.

    As an account administrator, you have the ability to customize the notifications that you can automate when setting up a campaign. These notifications can be sent to users, users' managers, and account administrators at a frequency that you choose. See here for more general information on campaign notifications, and see here for more information on customizing training notifications.

    Once users have logged into their account, they'll see the active campaigns they're enrolled in and can click Start to open and view their policy assignment. The policy will open in a new window, so users must have their pop-up blocker turned off, or allow the window to open when prompted.

    If you've added multiple language versions of the policy, users can click the Flag drop-down button to choose their native language, before clicking Start Policy (see below).

    Users will review the policy in the Policy Viewer, shown below.

    Policy Viewer

    Users will navigate through the policy by clicking the forward navigation arrow. If you've required users to agree to each page of the policy, they'll have to click the acceptance checkbox before proceeding to the next page. Otherwise, users will navigate through the entire policy, then click the acceptance checkbox once they've read the final page of the policy. After clicking the acceptance checkbox, users must close the Policy Viewer window in order to receive a Completed status for their policy acknowledgment.

    If you've enabled the policy Allow Download feature, users can click the Download button at the top of the page to save a copy of the PDF file.

    If you've assigned Required Review Minutes to a policy, users must spend this amount of time reading the policy before they will be able to accept it. If users attempt to click the final acknowledgment checkbox prior to the time requirement, they will be prompted with a warning message, shown below.


    Frequently Asked Questions (FAQs)

    Question: After assigning a policy through a campaign, I added an additional language version to the policy. Will users in the campaign be able to view the policy in the additional language?

    Answer: Yes. Any edits made to the policy will be automatically reflected in the policy campaign.

    Question: Can you preview all language versions of the policy?

    Answer: Only the default version of the policy will be available for preview in the console. If you'd like to preview the remaining versions, temporarily change the default version of the policy. See the Editing Policies section of this article for more info.

    Question: Can I arrange the order of the content I assign through training campaigns?

    Answer: Yes. From the Create New Training Campaign page, drag and drop the content to the desired order, as shown below. When the users log in to complete their training and/or policies, they'll see the content in this order.

    Question: Why can't I see/select my policy when creating a training campaign?

    Answer: Ensure you've published the policy under the Training > Policies tab before creating a new campaign. To do so, click on the drop-down arrow to the far right of the policy name, then click Edit. Enable the Publish toggle and save the policy.

    Question: Why don't the "Users who did not acknowledge their course policies" and "Users who acknowledged their course policies" reports under the Training > Reports tab include my policy campaign users?

    Answer: These specific reports are related to the alternative method of mandating policy acknowledgments through your console. You can find more information on this type of Policy Acknowledgement here. If you would like reports for your training campaigns that include policy PDF files, see the Monitoring Policy Acknowledgments portion of this article.

    Question: Can I assign Security Roles to an individual that I want to handle policy management, distribution, and acknowledgment?

    Answer: Yes. You can add one or more users to a group in your console for the purpose of assigning the necessary Security Roles for policy management. See our Security Roles article for more information.

    Question: Is there a maximum file size for policy PDFs?

    Answer: No. However, the system may time out if files are excessively large. If this happens, try reducing the file size and uploading again.

    Question: I have links in my policy and I can't click them. Why aren't the links clickable in my policy viewer?

    Answer: Are you using a Mac? If so, you must use PDFs that have been created in Adobe Acrobat if you want to have clickable links for your users within your policy.

  • Adding/Importing Users

    Check out our Users and Groups article for more information.

  • Description of System Templates Categories

    The below glossary will provide a description of what types of emails are in each phishing template category.

    JUMP TO: A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - R - S - T - U - V

    A

    Arabic Phishing Templates

    Phishing templates in the Arabic language.

    Attachments with Macros

    This category contains templates including an attachment with a macro as the Phishing Security Test attack vector. A macro is a small, potentially dangerous bit of computer code which, once enabled, can trigger ransomware or other dangerous activities on a victim's computer. Files that may be attached to these templates include PowerPoint, Excel, or Word, or the Zipped versions of each.

    Australian Phishing Templates

    Phishing templates localized for Australian end-users.

    Austrian Phishing Templates

    Phishing templates localized for Austrian end-users.

    B

    Banking and Finance

    This category contains templates replicating popular banks and financial institutions. Also included are generic banking templates with subjects such as transaction and confirmation activity. The majority of the sender email domains for these templates are spoofing well-known organizations.

    Baseline Templates

    A category dedicated to revealing an accurate Phish-Prone Percentage of your organization when performing a baseline Phishing Security Test. These templates consist of both generic and organization-specific emails that could fool almost anyone. Subjects include anything from Internal IT emails spoofing your own domain, to social media activity notifications.

    Brand Knock-Offs

    This category consists of templates which do not actually spoof real companies but are similar to real companies (Example: Wheels Fargo).

    Business

    This category contains typical communication that employees might receive. The subjects of these emails include theoretical invoices, purchase orders, requests for information, shared files, and more. These templates typically do not spoof companies and will come from a large assortment of sender email domains.

    Burmese Phishing Templates

    Phishing templates localized for Burmese end-users.

    C

    Canadian Phishing Templates

    Phishing templates localized for Canadian end-users.

    Chinese - Security Hints and Tips

    This category contains general security tips in the Chinese language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain clickable links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    Chinese Phishing Templates

    Phishing templates in the Chinese language. The language used is Mandarin/Simplified.

    Controversial/NSFW *OFFENSIVE LANGUAGE*

    This category contains templates with controversial content that could be considered offensive or inappropriate to some organizations, but others may find these templates appropriate and helpful for use in an aggressive simulated phishing campaign.

    This potentially not suitable for work (NSFW) content is hidden by default within the System Templates area (for accounts created in June 2018 and later). It can be unhidden by following the steps in this article. Once unhidden, this category can be used for effective campaigns that provoke users to click or open attachments in reaction to shocking content.

    The unpleasant truth is the bad guys do not shy away from using controversial subject matter and language to socially engineer users, and neither should we when training and strengthening our human firewall.

    CPA/Business Advising Industry

    This category contains templates that are typically seen in the financial advising and public accounting industries, including common exchanges between clients and advisors, or among colleagues.

    Current Events

    This category contains a variety of templates appropriate for current events, news, matters, occasions, etc. Templates include anything from national headline alerts (real and fake) spoofing major news channels, to popular app downloads, to shopping discounts and coupons.

    Current Event of the Month

    This category will contain a single Current Events or Holiday template, hand-selected by the Content team each month, to ensure that you're getting a high-quality, timely, and relevant template. Review the Current Events and Holiday template category descriptions to understand the types of templates that may be selected for this category.

    For more detail about this category, see here.

    Current Event of the Week

    This category will contain a single Current Events or Holiday template, hand-selected by the Content team each week, to ensure that you're getting a high-quality, timely, and relevant template. Review the Current Events and Holiday template category descriptions to understand the types of templates that may be selected for this category.

    For more detail about this category, see here.

    Czech Phishing Templates

    Phishing templates in the Czech language.

    D

    Danish Phishing Templates

    Phishing templates in the Danish language.

    Data Breach

    This category of Phishing Templates allows you to spear-phish users that have been part of specific data breaches. Each template spoofs a unique organization that has had a large-scale data breach incident.

    Each template includes a corresponding data entry landing page, so you can test your users on not only their susceptibility to clicking a link, but also if they are prone to entering sensitive information.

    This category is intended to be used in conjunction with KnowBe4's Email Exposure Check Pro (EEC Pro), but can be used in any type of phishing campaign.

    See: How to Use the Data Breach Category

    Dutch Phishing Templates

    Phishing templates in the Dutch language.

    E

    Education Phishing Templates

    This category includes education-related templates involving college and graduate matters, high school news alerts, teacher incentives, pay raises, and student loan information. The majority of these templates could apply to anyone working or involved in the education industry.

    F

    Finnish Phishing Templates

    Phishing templates in the Finnish language.

    French - Security Hints and Tips

    This category contains general security tips in the French language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    French Canadian Phishing Templates

    Phishing templates localized for French Canadian end-users.

    French Phishing Templates

    Phishing templates in the French language.

    G

    German - Security Hints and Tips

    This category contains general security tips in the German language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    German Phishing Templates

    Phishing templates localized for German end-users.

    Greek Phishing Templates

    Phishing templates localized for Greek end-users.

    Government

    This category contains templates spoofing state, local, and federal governments, regarding issues such as speeding tickets, court summons, jury duty, and criminal activity notifications. The sender email addresses in these templates spoof government domains.

    H

    Healthcare

    This category includes healthcare-related templates involving insurance and coverage matters, medical files, medical bills, and appointment reminders. The majority of these templates could apply to anyone with health insurance.

    Hebrew Phishing Templates

    Phishing templates in the Hebrew language.

    Hindi (India) Phishing Templates

    Phishing templates in the Hindi language.

    HIPAA Security Hints and Tips (Not PST)

    This category contains general security tips for end-users in organizations who must be in compliance with HIPAA. These emails would be useful to review for any employee that deals with protected health information (PHI). This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest HIPAA security hints and tips.

    Holiday

    This category contains templates relevant to any upcoming holidays. Examples include coupons for Christmas shopping, sales for Presidents Day, and real or fake news stories in relation to specific holidays.

    Holiday (Off-Season)

    This is essentially a container for off-season Holiday templates. Current holiday templates will be located in the Holiday category. You could utilize templates in this category to create phishing campaigns set to start at a specified time in the future, preceding upcoming holidays.

    Human Resources

    This category consists of topics typically handled by Human Resources departments. The majority of the sender emails in this category spoof your own domain with an HR mailbox name.

    Hungarian Phishing Templates

    Phishing templates in the Hungarian language.

    I

    Indian (English) Phishing Templates

    Phishing templates localized for Indian end-users.

    Indonesian Phishing Templates

    Phishing templates in the Indonesian language.

    Irish Phishing Templates

    Phishing templates localized for Irish end-users.

    IT

    This category contains various Information Technology-themed subject matters. There are various types of templates including email account matters, anti-virus notifications, and security matters. The majority of the sender email addresses for these templates spoof well-known IT companies, and there are also some sender email addresses that spoof your own domain.

    Italian - Security Hints and Tips

    This category contains general security tips in the Italian language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    Italian Phishing Templates

    Phishing templates localized for Italian end-users.

    J

    Japanese Phishing Templates

    Phishing templates localized for Japanese end-users.

    K

    Korean Phishing Templates

    Phishing templates localized for Korean end-users.

    L

    Legal Industry

    This category was created for those in the law/legal industry and many of the available templates contain legal language.

    M

    Mail Notifications

    This category contains automated messages that users would normally receive from their mail client. The template content typically references mailbox storage, bounced or pending email alerts, and required system updates.

    Malay Phishing Templates

    Phishing templates in the Malay language.

    N

    New Zealand Phishing Templates

    Phishing templates localized for New Zealand end-users.

    Norwegian Phishing Templates

    Phishing templates localized for Norwegian end-users.

    O

    Online Services

    This is our largest category of templates. This category contains emails from various well-known online services including shopping, entertainment, applications, financial and security services. The majority of the sender email addresses in these templates include spoofed domains of very popular websites and applications that your users will recognize.

    Outdoor/Sporting Goods

    This category includes templates replicating emails from well-known outdoor/sporting goods distributors. The emails in this category contain announcements of store sales as well as coupons from popular manufacturers.

    P

    PCI Security Hints and Tips (Not PST)

    This category contains general security tips for end-users in organizations who must be in compliance with Payment Card Industry Data Security Standards (PCI DSS). These emails would be useful to review for any employee who handles credit cards. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest PCI security hints and tips.

    Phishing For Sensitive Information

    Templates in this category have Phishing for Sensitive Information landing pages assigned to them. If users click on any links in these Phishing Security Test emails, they will be redirected to a landing page which has a form on it asking the user to enter sensitive data. If the user does enter data, a failure for this action will be recorded in the system.

    For more details on Phishing for Sensitive Information email templates and landing pages, click here.

    Polish Phishing Templates

    Phishing templates in the Polish language.

    Portuguese (Brazil) Phishing Templates

    Phishing templates localized for Brazilian end-users.

    Portuguese (Portugal) Phishing Templates

    Phishing templates localized for Portuguese end-users.

    R

    Real Estate Industry

    This category contains templates specific to email exchanges found in the real estate industry, such as buyer closing documents and loan information.

    Reply-To Only *No Links or Attachments*

    The emails in this category of templates do not contain any links or attachments and will only test the user on whether or not they will reply to a phishing email. You can enable the console to track replies to Phishing Security Test emails when you set up your phishing campaign. If you enable this feature and your user replies to any of the PST emails, this will record as a failure in the console.

    For more on reply-to phishing, click here.

    Reported Phishes of the Week

    This category consists of the top ten phishing emails reported to us by users of the Phish Alert Button. This category contains ten new emails every week. The sender domains vary in this category and include, but are not limited to, those that spoof popular companies and those that spoof your own organization domain.

    For more information about the Reported Phishes of the Week, click here.

    Retired Current Events

    This category consists of templates that were once popular but are no longer relevant. These templates were originally added to our Current Events category. You can use them as a starting point to create your own "Breaking News" phishing templates.

    Russian Phishing Templates

    Phishing templates in the Russian language.

    S

    Scam of the Week (Not PST)

    This category consists of a new email template/newsletter every week which can inform your users of the newest phishing and social engineering scams. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest phishing and social engineering scams that they should look out for.

    For more details on the Scam of the Week newsletter, click here.

    Scam of the Week (Branded) (Not PST)

    This category consists of a new email template/newsletter every week which can inform your users of the newest phishing and social engineering scams. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest phishing and social engineering scams that they should look out for. What makes Branded Scam of the Week different is a built-in placeholder for your company logo, which replaces the KnowBe4 logo in the header. In order to use this properly, you must have imported your company logo into the "Company Logo Url" field in your Account Settings.

    For more details on the Scam of the Week newsletter, click here.

    Seasonal (Non-current)

    This template category contains non-current seasonal templates, such as Black Friday, Fantasy Football, and March Madness. This category holds templates that don't fit into the Holiday category and are not timely enough to be categorized in Current Events.

    Security Hints and Tips (Not PST)

    This category contains general security tips that would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain clickable links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    Security Hints and Tips (Branded) (Not PST)

    This category contains general security tips that would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain clickable links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips. What makes Branded Security Hints and Tips different is a built-in placeholder for your company logo, which replaces the KnowBe4 logo in the header. In order to use this properly, you must have imported your company logo into the "Company Logo Url" field in your Account Settings.

    For more details on Security Hints and Tips campaigns, click here.

    Singapore (English) Phishing Templates

    Phishing templates localized for Singaporean end-users.

    Social Networking

    This category consists of templates spoofing all types of social media sites and applications. The templates consist of subjects such as invites to join, confirmation of your account, resetting your password, and notifying you of new messages you've received.

    South African Phishing Templates

    Phishing templates localized for South African end-users.

    Spanish - Security Hints and Tips

    This category contains general security tips in the Spanish language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain any links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    Spanish (Colombian) Phishing Templates

    Phishing templates localized for Colombian end-users.

    Spanish Phishing Templates

    Phishing templates in the Spanish language.

    Swedish - Security Hints and Tips

    This category contains general security tips in the Swedish language. These emails would be useful for any employee to review. This category is not used for Phishing Security Tests; therefore these emails do not contain clickable links. You can send these emails by setting up a separate phishing campaign consisting only of this category to keep your users up to date on the latest security hints and tips.

    For more details on Security Hints and Tips campaigns, click here.

    Swedish Phishing Templates

    Phishing templates in the Swedish language.

    T

    Thai Phishing Templates

    Phishing templates in the Thai language.

    Turkish Phishing Templates

    Phishing templates in the Turkish language.

    U

    UK Banking

    This category of templates consists of banking and financial institution notifications, including security and transaction alerts, localized for users in the United Kingdom.

    UK Current Events

    This category contains a variety of templates appropriate for current events, news, matters, occasions, etc. Templates include anything from national headline alerts (real and fake) spoofing major news channels, to popular app downloads, to shopping discounts and coupons. All current events are localized for users in the United Kingdom.

    UK Phishing Templates

    This category of templates consists of organizations and topics localized for United Kingdom users.

    Ukrainian Phishing Templates

    Phishing templates in the Ukrainian language.

    V

    Vietnamese Phishing Templates

    Phishing templates in the Vietnamese language.

    View Article
  • Security Culture Survey (SCS)

    You can assign a Security Culture Survey to your users to assess your organization's current security culture. Security culture is defined as the ideas, customs, and social behaviors that impact the security of your organization.

    The results of your survey will provide you with a breakdown of the seven dimensions that make up your security culture, as well as an overall security culture score for your organization. Use this information to establish a baseline for your security culture, to make changes as necessary, and to track the way your culture evolves over time. It is important to have a strong security culture in order to improve your organization's risk management.

    The survey questions were developed using a scientific approach. The seven dimensions we use in this survey have been developed and researched. For more information on how these questions were created and why we are using these particular dimensions, please see our Security Culture Survey technical document.

    Below, you'll learn about the Security Culture Survey. For specific information about how to use assessments or what the Security Awareness Proficiency Assessment is, please see these articles on the Knowledge Base:

    How to Use Assessments

    What is the Security Awareness Proficiency Assessment (SAPA)?


    Best Practices

    We recommend that you have your users take this security culture survey after their first 90 days. This way, you can ensure they have adjusted to your organization's culture. After your initial test, you should continue to survey your users yearly to see how your organization's security culture changes over time.


    Learner Experience

    After they click Start, users have the option to click Start Survey or Come Back Later. Your users may opt to come back later or, if they start the survey, they are free to close the survey and pick up where they left off. If they click Start Survey, the user will be asked 28 questions.

    After they have completed the survey, they will be directed to a thank you page.

    At the end of the survey, your users will also have the opportunity to submit feedback. Feedback is anonymous and can be downloaded from the Results tab of the campaign.


    Security Culture Survey Results

    On the Results tab, you will see your organization's culture score, which is based on the average of all the survey results. To navigate to your results, follow these instructions from the How to Use Assessments article. Beneath the score, you will see the Security Culture Index. This index shows you what the score means. There is also a radar graph that breaks down the survey results by dimension. Beneath the Results by Dimensions radar graph, you have the option to Download Feedback. This option exports a CSV of any feedback your users provided regarding the survey.


    The seven dimensions are:

    Attitudes

    Behaviors

    Cognition

    Communication

    Compliance

    Norms

    Responsibilities

    Below the index and the radar graph, these dimensions are explained and presented in the order of highest score to least. Read through these descriptions for tips on how to improve the score in certain areas. For more information on these dimensions and what you can do to change your score in each area, please see this PDF about the 7 Dimensions of Security Culture.

    View Article
  • Social Engineering Indicators (SEI)

    Check out our Social Engineering Indicators (SEI) article for more information!

    View Article
  • Automation with Smart Groups: Dynamic Phishing and Remedial Training Plan

    If you're a Platinum or Diamond-level customer, you can use our Smart Groups feature to automate tiered phishing tests, as well as remedial training, for users who fail your phishing security tests.

    Using Smart Groups, we've designed two plans that work together to train your users in a highly efficient manner:

    Watch the Automation with Smart Groups (Part 1) video below to learn about our dynamic phishing security test plan. We discuss how to set up the Smart Groups and phishing campaigns needed to automate this process.

    Then, watch the Automation with Smart Groups (Part 2) video to learn about the remedial training plan we've created to accompany the dynamic phishing plan. We discuss how to set up the Smart Groups and training campaigns needed to automate this process.

    To view the full details of this two-part plan, see our knowledge base article: Automation with Smart Groups: Dynamic Phishing and Remedial Training Plan.

    Automation with Smart Groups (Part 1): Dynamic Phishing Plan

    Automation with Smart Groups (Part 2): Remedial Training Plan

    Note:

    The plan presented in the video above was specifically designed to work with the dynamic phishing plan covered in the Automation with Smart Groups (Part 1) video. To see a standalone, alternative plan for automating remedial training, see: How to Use Smart Groups: Automated Remedial Training.

    Additional Smart Group Resources

    See the following resources to learn more about what you can do with Smart Groups:

    How to Use Smart Groups

    How to Use Smart Groups: Use Cases

    How to Use Smart Groups: Automated Remedial Training (an alternative remedial training plan)

    Video: Introduction to Smart Groups

    Video: How to Rollout Periodic Training Using Smart Groups


    View Article
  • Below are the releases for Active Directory Integration. If your organization is using an older version, we recommend upgrading to the latest version. The latest version is at the top.

    To upgrade:

    Download and run the newest installer.

    Close the DOS config prompt that comes up (no new config needed).

    Start the sync service.

    2019 Changes

    | Release Date | Description |
    | --- | --- |
    | May 2019 | Active Directory Integration (ADI) Version 1.0.18.0 released. This version corrects an issue with the previous installer, where it allowed installation on Windows 32-bit machines. ADI is unsupported on Windows 32-bit and should only be used with Windows 64-bit. |
    | January 2019 | Active Directory Integration (ADI) Version 1.0.16.5 released. This version adds support for the sync fields added in 1.0.16.3. Added support for OUs that start with a # in the [sync.groups] includedOUs section. |
    | | Active Directory Integration (ADI) Version 1.0.16.3 released. This version adds additional sync fields for more user customization. Note: The <domain>.conf will be updated with the new user fields when the service first runs after installation. Improves ADI logging by now including <domain> in the log. |

    2018 Changes

    | Release Date | Description |
    | --- | --- |
    | October 2018 | Active Directory Integration (ADI) Version 1.0.15.1 released, which adds support for a large number of users. |
    | June 2018 | A new version of Active Directory Integration (ADI) has been released that corrects an uncommon error related to using LDAPS to connect to your Domain Controller. ADI tools that are functioning as normal do not need to be updated to the latest version. |
    | March 2018 | You now have the capability to use our Active Directory Integration (ADI) with Azure Active Directory Domain Services. See our ADI and Azure AD Domain Services article for more information. |

    2017 Changes

    | Release Date | Description |
    | --- | --- |
    | October 2017 | Active Directory Integration (ADI) Version 1.0.11.0 released. This version adds support for synchronizing group membership using a user's primary group. There is no need to upgrade functioning ADI deployments to this new version. |
    | September 2017 | Active Directory Integration (ADI) Version 1.0.10.0 released. Addresses an issue with group synchronization when using userPrincipalName as the email address. If you are not experiencing issues with your ADI services, there is no need to upgrade your ADI version. |
    | July 2017 | Active Directory Integration (ADI) Version 1.0.9.0 released. Addresses a crashing issue with the ADI service when an Active Directory has missing email address information. If you are not experiencing issues with your ADI services, there is no need to upgrade your ADI version. |
    | March 2017 | Active Directory Integration (ADI) Version 1.0.7.3 released. This version adds the emailAttribute field to the ADIsync.conf file, which allows admins to enter the AD field from where they'd like to pull user email addresses and sync to the KB4 console. More details here: How Do I Change Where to Pull the Email Addresses from Active Directory? |

    View Article
  • How to Sync Active Directory with your KnowBe4 Console

    The KnowBe4 Active Directory Integration (ADI) feature allows you to leverage Active Directory to populate and maintain your users and groups within your KnowBe4 Console. After you configure ADI, users and groups will be automatically added, changed, and archived based on information sent from your Active Directory. It is important to note that this is a one-way process of synchronization, and no information will be sent back to your Active Directory from the KnowBe4 console.

    We also have a video which shows how to set up Active Directory Integration--first, though, we recommend that you read through the below documentation.

    Jump to: Benefits of ADI How ADI Operates Prerequisites: Before You Get Started Installation & Configuration

    Service Configuration

    LDAP Filter Configuration

    Start Your Synchronization Advanced Configuration Options

    Multiple Source Domain Support

    How Do I Change Where to Pull the Email Addresses from Active Directory?

    How Do I Install the Newest Version of ADI?

    What Are the Benefits of Setting Up ADI?

    Using ADI makes it easy to keep your KnowBe4 user list up-to-date. If your users' information changes, new employees come on board, or anyone leaves your organization, once the relevant changes are made in Active Directory, those changes will automatically be carried over to your KnowBe4 console during the next sync.

    You can set up campaigns that work with your integration to automate security awareness training for new employees. Imagine that when a new employee comes on board in your organization, they will A) have an account created in your KnowBe4 console, B) begin to receive phishing emails, and C) be enrolled in a new employee training campaign, all in the single step of adding them to Active Directory.


    How ADI Operates

    New Customers vs. Existing Customers

    If you're a brand new KnowBe4 customer and have not yet imported users, by integrating your KnowBe4 console with Active Directory, you can import all the users you'd like to set up for phishing and training campaigns at the same time.

    For existing customers, it is important to configure ADI so that current user account information is maintained during syncs. The synchronization of data from Active Directory is considered authoritative; this means that by default, any users who are not found in your Active Directory will be archived in your KnowBe4 console. Also by default, any manual changes you've made to a user in the KnowBe4 console will be overwritten by the data contained in your Active Directory.

    Prior to Active Directory Integration (ADI), all user accounts in the KnowBe4 Console were considered console-managed. This means changes are made in the console by either editing the users directly or updating them via CSV imports. Once ADI has been enabled and the sync occurs, users are considered to be AD-managed, meaning changes are all done at the Active Directory level and then pushed out to the console.

    For existing customers with console-managed user accounts, an automatic process will match console-managed user accounts with user accounts in your Active Directory, making your account AD-managed. This process works as follows:

    You install and configure the ADISync component at your site.

    The ADI Sync service queries the Directory(s) for user and group information and sends the results to the KnowBe4 servers.

    The KnowBe4 servers review the information sent and update the users and groups on the server according to the following logic:

    For user email addresses, proxy addresses will be pulled by default. If you want to use something other than proxy addresses, you will need to change the ADIsync.conf file's emailAttrib setting to a different field name (such as "mail") after installation but prior to running the ADI sync service. For more information, see: How Do I Change Where to Pull the Email Addresses from Active Directory?

    If an AD user has an email address that matches an existing KnowBe4 console account, then that console user account becomes AD-managed.

    If an AD user is not found in the KnowBe4 console, then an AD-managed user account is created.

    After all AD users have been processed, any console accounts that have not become AD-managed will be archived.


    Prerequisites

    Before you begin setting up ADI, you should complete the below steps and gather the required information to streamline the process.

    Confirm your setup meets our basic requirements:

    You'll need an Active Directory.

    Microsoft Active Directory: Make sure it is running at a functional level 2003 or higher

    Azure Active Directory: Azure Active Directory Domain Services. See: Setting up ADI with Azure AD Domain Services

    Windows Desktop 7/Vista/8/10 or Windows Server 2008/2012/2016 (64 bit). Also, ensure your PC (where ADI is installed) can reach https://training.knowbe4.com (Allow outbound connections to remote servers on port 443 (SSL/HTTPS)--that is the server URL ADI is trying to contact via a POST request).

    If you're using a mail server other than Exchange or Office 365, click here for specific instructions to assist you with your sync.

    If you're configuring ADI through a proxy, you'll need to also follow the instructions on this article.

    Make sure you have the following domain information ready: NOTE: If you have multiple domains with user objects for synchronization, you'll want to have that information ready as well. See: Multiple Source Domain Support

    IP address or FQDN for an AD Directory Controller: By default, all Domain Controllers are set up to respond to LDAP requests.

    AD Domain Name: This is the root domain for your Active Directory, i.e., organization.com.

    Username/Password to query LDAP: An AD account which has access rights to perform LDAP queries. By default, any account in the "Domain Users" group has sufficient permissions. If the AD account you're using is not a domain admin, you will want to ensure that account has certain "read" permissions for your AD. See: How to create an ADI Service Account in Active Directory

    Access your Account Settings: Log in to your KnowBe4 console. Click your email address on the top right and then click on Account Settings to view your account options. Once there, complete the following three steps:

    IMPORTANT:

    In your Account Settings, you will see that the Test Mode option is checked by default. This MUST remain checked until you have completed setting up the synchronization and verified that it is operating correctly. While Test Mode is enabled, nothing is actually altered but rather, a report is generated showing what would have happened if the sync took place. This allows you to resolve any potential issues without affecting current users in the console.

    Obtain your Active Directory Synchronization Token: Your account's AD Sync token is located in your KnowBe4 console under your Account Settings. The 32 digit key is located under the Active Directory Integration set of options and will look similar to '9X140X4829E37XX545401X97912X604X'.

    Enable ADI on your Account: Check the Active Directory Integration Enabled option located in the same Account Settings area and click the Update Account Info button to save the settings.

    Download the Active Directory Sync Tool: This is the .msi file located in your Account Settings area.

    Know what users you want to synchronize: Part of the configuration requires knowing where in AD the user objects are. The configuration supports specifying a combination of organization units (OUs) and groups (security and distribution) to be queried for users. It's helpful to have Active Directory Users and Computers (ADUC) open when configuring the synchronization so that OU paths and groups are readily available.

    If the users you'd like to sync are located in the built-in User container instead of an OU, you'll want to create a security group, add those users to it, and sync that group instead. (You cannot sync containers.)

    If you find that your AD is not organized in an ideal way for syncing with the KnowBe4 console or are unsure, you can set up one or more groups in Active Directory for the purposes of containing all of the user objects and/or groups you'd like to sync, and then choose to sync ONLY those groups.

    Know that the ADI service will pull your users' proxy addresses as their KnowBe4 account email by default. If you want to use something other than proxy addresses, you will need to change the ADIsync.conf file's emailAttrib setting to a different field name (such as "mail") after installation but prior to running the ADI sync service. For more information, see: How Do I Change Where to Pull the Email Addresses from Active Directory?


    Installation and Configuration

    Service Configuration

    Once you've gathered all the information you need, you're ready to begin installing and configuring your ADI Sync.

    Run the Active Directory Sync Tool (the .msi file from your console's Account Settings). The AD sync tool may be installed anywhere in the environment as long as the system can communicate with a Domain Controller that accepts LDAP connections. The application does not need to be installed on a Domain Controller.

    Note:

    LDAPS is not enabled on most Domain Controllers. If you'd like to set up LDAPS, see our FAQ: I want to set up LDAPS.

    A command prompt will be opened and will navigate to the installation directory automatically:

    C:\Program Files (x86)\KnowBe4\ADISync (default location on 64 bit platforms)

    You'll be prompted to enter the below information:

    The first time this command is run, you will be prompted for the Active Directory Synchronization Token. This is the string from your Account Settings within your KnowBe4 console.

    When prompted, enter the Domain Name of your Active Directory (see example below).

    When prompted, enter the Domain Controller hostname (FQDN) or IP address.

    When prompted, select if you've got LDAPS available. This is set to FALSE by default. If you do have LDAPS enabled, you can change that setting to TRUE if you wish.

    When prompted, select the LDAP/LDAPS port--389/636 respectively is default.

    When prompted, enter the username for LDAP. Use the format of "user@domain".

    When prompted, enter the password for the supplied user.

    Press Enter to Exit once all information has been added.

    As long as the connection was successful, you will be returned to the command prompt with no errors. If there were issues reaching or authenticating, an error will be displayed and the above process will need to be done again with valid configuration data.


    LDAP Filter Configuration

    After the above steps have been completed successfully, there will be a <your domain here>.conf file located in the installation directory. Open this file in a text editor (such as Notepad) and specify the filter criteria for user and group synchronization. You need to ensure you have edit permissions on the ADISync folder.

    This configuration is required in order to sync users from AD, so you must include at least one OU, group, or user beneath the sync.users portion of the .conf file. Visit the sections below to learn more about syncing information to KnowBe4 through AD:

    Sync Users by Inclusion/Exclusion of OU, Group, or Specific User

    Sync Groups by Inclusion/Exclusion of OU or Group

    Syncing Other User Information to KnowBe4


    Start Your Synchronization

    If you've completed everything above, your ADI service is now configured and may be started in one of two ways:

    By using the Windows Service Control Manager (the service is called "Active Directory Integration Sync Service"), or

    By opening a command prompt in admin mode, navigating to the below directory as applicable, and typing "ADIsync.exe service start".

    C:\Program Files (x86)\KnowBe4\ADISync (default location on 64 bit platforms)

    The sync service will attempt to run immediately after start and every six hours after that.

    The details of the synchronization results are located in the KnowBe4 console under the Users > Active Directory tab. Here you can see what users are being added, what users are set to be managed by Active Directory, and what users will be archived.

    The Test mode icon indicates that the import was run while in Test mode. Test mode doesn't actually make any changes to console users and groups--the report is meant to indicate what would have happened. This gives you an opportunity to review the import results and make changes and corrections as needed. Once you are happy with what you see in your Users > Active Directory report, feel free to uncheck Test mode in your Account Settings and run your actual import.


    Advanced Configuration Options

    Multiple Source Domain Support

    If your users are split between multiple domain sources, you will need to set up a configuration for each domain to be queried. This is done by running ADIsync.exe config as an Administrator in the installation directory for each of the additional domains. This will create the additional <domain>.conf files, which you can then edit to contain the desired filter criteria as explained above.

    To run ADI Sync again:

    Open Command Prompt

    Browse to the \ADIsync system directory

    Enter ADIsync.exe config

    Enter the details for your additional domain/DC

    Check out our Service Configuration steps for more details.

    This will create the additional <domain>.conf files which may be edited with filter criteria, with what OUs, users, and groups you'd like to include/exclude as you normally would.

    NOTE: The system where ADI sync is installed must be able to connect to both DCs.


    How Do I Change Where to Pull the Email Addresses from Active Directory?

    By default, ADI sync will sync all proxy email addresses for your users. However, we allow you to alter where you'd like to pull email addresses from in Active Directory or choose to sync ONLY the primary proxy email address of the user.

    You can open your ADISync.conf file from within C:\Program Files\KnowBe4\ADISync and you will see the following available fields by default:

    emailAttribute = "proxyAddresses"

    primaryproxyonly = false

    Here is how to change what email addresses sync (the fields are case-sensitive):

    Primary Proxy Only: If you'd like to use only the primary proxy address for each user, change the primaryproxyonly field from false to true, save the .conf file, and start the ADI service again. This will make sure no alias email addresses are synced.

    Mail Attribute: If you'd like to change to use the Mail attribute instead of proxyAddresses, change the emailAttribute to "mail" instead of "proxyAddresses", save the .conf file, and start the ADI service again.

    User Principal Name: If you'd like to change to use the userPrincipalName (UPN) instead of proxyAddresses, change the emailAttribute from "proxyAddresses" to "userPrincipalName", save the .conf file, and start the ADI service again.

    If you don't see the emailAttribute field in your ADIsync.conf file, it is likely you are using an older version of ADI, and if you need to make one of the above changes, you should upgrade to the latest version of ADI.
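
    The matching rules under How ADI Operates and the emailAttribute / primaryproxyonly settings above decide which console accounts become AD-managed, which are created, and which are archived, so it helps to rehearse a settings change on an export of your own data while Test Mode is still checked. The following is an added example, not KnowBe4's code: the function names, record layout, and sample directory are assumptions, and it models only the rules stated in this article.

```python
"""Dry-run model of the ADI matching rules described in this article.

Added illustration, not KnowBe4 code: function names, record layout and the
sample directory below are hypothetical / constructed.
"""


def emails_for(ad_user, email_attribute="proxyAddresses", primary_proxy_only=False):
    """Return the addresses (lower-cased, primary first) used for one AD user."""
    if email_attribute != "proxyAddresses":
        value = ad_user.get(email_attribute)  # e.g. "mail" or "userPrincipalName"
        return [value.lower()] if value else []
    primary, aliases = [], []
    for entry in ad_user.get("proxyAddresses", []):
        prefix, _, addr = entry.partition(":")
        if prefix.lower() != "smtp" or not addr:
            continue  # X500, SIP and other non-SMTP proxy types are ignored
        # Active Directory marks the primary address with an upper-case "SMTP:".
        (primary if prefix == "SMTP" else aliases).append(addr.lower())
    return primary if primary_proxy_only else primary + aliases


def plan_sync(ad_users, console_emails, email_attribute="proxyAddresses",
              primary_proxy_only=False):
    """Predict the outcome of a sync without changing anything (like Test Mode)."""
    console = {e.lower() for e in console_emails}
    matched, created, no_email = set(), [], []
    for user in ad_users:
        addrs = emails_for(user, email_attribute, primary_proxy_only)
        if not addrs:
            no_email.append(user["sAMAccountName"])  # nothing to match on
            continue
        hits = console.intersection(addrs)
        if hits:
            matched |= hits               # existing account becomes AD-managed
        else:
            created.append(addrs[0])      # assumption: new account uses first address
    return {
        "ad_managed": sorted(matched),
        "created": sorted(created),
        "archived": sorted(console - matched),  # console accounts never matched
        "no_email": sorted(no_email),
    }


def newly_archived(before, after):
    """Console accounts archived under the new settings but not the old ones."""
    return sorted(set(after["archived"]) - set(before["archived"]))


# Constructed sample data (not from a real directory).
AD_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "userPrincipalName": "alice@corp.example.com",
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"sAMAccountName": "bob", "mail": "bob@example.com",
     "userPrincipalName": "bob@corp.example.com",
     "proxyAddresses": ["smtp:bobby@example.com", "SMTP:bob@example.com",
                        "X500:/o=Example/cn=bob"]},
    {"sAMAccountName": "carol", "mail": "carol@example.com",
     "userPrincipalName": "carol@corp.example.com",
     "proxyAddresses": ["SMTP:carol@example.com"]},
    {"sAMAccountName": "svc-scan",
     "userPrincipalName": "svc-scan@corp.example.com", "proxyAddresses": []},
]
CONSOLE_EMAILS = ["a.smith@example.com", "bob@example.com", "dave@example.com"]

if __name__ == "__main__":
    default = plan_sync(AD_USERS, CONSOLE_EMAILS)
    primary = plan_sync(AD_USERS, CONSOLE_EMAILS, primary_proxy_only=True)
    upn = plan_sync(AD_USERS, CONSOLE_EMAILS, email_attribute="userPrincipalName")
    for name, plan in (("default", default), ("primaryproxyonly", primary),
                       ("userPrincipalName", upn)):
        print(name, plan)
    print("newly archived with primaryproxyonly:", newly_archived(default, primary))
```

    In the constructed data, switching primaryproxyonly to true archives a console account that had been registered under an alias and creates a second account for the same person, which is the kind of result to look for in the Users > Active Directory report before unchecking Test Mode.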


    How Do I Install the Newest Version of ADI?

    You can install the newest version of ADI right over your previous version. To do this, follow the steps below:

    Download the new installer from your KnowBe4 Account Settings.

    Run the installation.

    Close the DOS prompt that appears at the close of installation.

    Start the sync service.

    As of version 1.0.16.5, we added additional sync fields for more customization. To use the updated sync fields, you must install this version of ADI and then manually start the service. After starting the service, your existing <domain>.conf file(s) will be updated with the new sync fields. If you decide to customize the new fields, the service must be run again for your changes to sync.

    View Article
  • Phish Alert Button (PAB) Updates

    Below are the release notes for the Phish Alert Button. The most recent version is at the top. If you're using an older version and are experiencing issues, we recommend upgrading to the latest version.

    Outlook PAB

    Exchange PAB

    Office 365 PAB

    Chrome PAB

    Outlook PAB Updates

    | Release Date | Version | Notes |
    | --- | --- | --- |
    | 05/07/2019 | 1.3.98 | Updated version to support future PAB feature. |
    | 11/09/2018 | 1.2.45 | Fixes Hash Error message on some versions of Outlook. |
    | 10/25/2018 | 1.2.36 | Fixes uncommon error with signature enforcement. |
    | 08/16/2018 | 1.2.30 | Fixes an issue when TLS 1.0/1.1 is disabled. |
    | 08/02/2018 | 1.2.29 | Fixes an issue with the PAB appearing twice in the drop-down in Outlook 2010. Fixes log files for users of the PAB. Log files will be located in: C:\Users\<username>\AppData\Roaming\KnowBe4\Phish Alert |
    | 03/13/2018 | 1.1.17 | Fixes an error - ADX Loader - Error code: 0x80131022. |
    | 01/17/2018 | 1.1.16 | Fixes a "Failed to parse response" error as well as an uncommon error where the PAB is unclickable. |
    | 09/29/2017 | 1.1.11 | Fixes issue of Outlook Ribbon disappearing. |
    | 02/03/2017 | 1.1.9 | Minor release to bring a few of the libraries we use up to the current versions. |
    | 11/07/2016 | 1.1.7 | Includes a bug fix to support scaled fonts. This is for high-resolution devices like the Microsoft Surface that do scaling of fonts. Adds support for a debug log. |
    | 10/20/2016 | 1.1.6 | A couple of the PAB DLLs have been signed, so there are no more security warnings in really tight security environments. |

    Updates to the Exchange PAB are delivered automatically. Your version number will not change (Version 1.0.0.0).

    Office 365 PAB Updates

    | Release Date | Version | Notes |
    | --- | --- | --- |
    | 11/09/2018 | N/A | Fixes issue with Centralized Deployment. |

    Updates to the Office 365 PAB are delivered automatically. Your version number will not change (Version 2.0.0.0).

    Chrome PAB Updates

    | Release Date | Notes |
    | --- | --- |
    | 12/10/2019 | We have added the ability to set the length of time the messages users see when they report an email using Google PAB. You can change the response duration from your Account Settings page under the Phish Alert section. For more information about the Phish Alert Button and its features, please see this article on our Knowledge Base. |

    Updates to the Chrome PAB are delivered automatically.

  • Whitelisting in Mimecast

    If you're using Mimecast's services, you can whitelist KnowBe4 to allow our simulated phishing test emails and training notifications through to your end users.

    Below you'll find instructions for several different policies you'll need to add to your Mimecast console to allow the use of KnowBe4's various services. The policies below are in a suggested order for the highest probability of success for your phishing security tests.

    Each Mimecast policy section has a description of the policy's purpose regarding KnowBe4's phishing security test features.

    If you run into issues whitelisting KnowBe4 in your Mimecast services, we recommend reaching out to Mimecast for specific instructions. You can also contact our Support team whenever you need assistance.

    Jump to: Anti-Spoofing Policy, Permitted Senders Policy, Attachment Protection Bypass Policy, URL Protection Bypass Policy, Impersonation Protection Bypass Policy, Attachment Management Bypass Policy, Preventing Mimecast from Re-Writing Phishing Links (Optional), DNS Authentication Bypass Policy (Optional)

    Anti-Spoofing Policy

    Follow the steps below to allow KnowBe4 to send emails appearing to come from an email address at your domain, on your behalf.

    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select Anti-Spoofing from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring an Anti-Spoofing Policy article (opens in a new window).
    7. In the Source IP Ranges field (shown below), enter our IP ranges. For the most up-to-date list of our IP addresses, please see this article.

    Be sure to save the policy. This should allow the simulated phishing templates that appear to come from your organization's domain to successfully reach your users' inboxes. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.


    Permitted Senders Policy

    To successfully whitelist our phishing and training-related emails when using Mimecast, you should create a new Permitted Sender policy to allow our phishing and training-related emails through to your users' inbox.

    Important:

    Do not edit your default Permitted Sender policy. A new one must be created.

    Follow the steps below to allow KnowBe4 emails to arrive successfully in your users' inboxes.

    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select Permitted Senders from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring a Permitted Senders Policy article (opens in a new window).
    7. In the Source IP Ranges field (shown below), enter the appropriate IP ranges for your KnowBe4 account's location. For the most up-to-date list of our IP addresses, please see this article.

    Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.


    Attachment Protection Bypass Policy

    If you'd like to use attachments in your simulated phishing tests, follow the steps below to increase the likelihood that emails with attachments from KnowBe4 will successfully arrive in your users' inboxes. Mimecast may still prevent the delivery of attachments. Set up a test after creating this policy to ensure your desired attachment goes through.

    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select Attachment Protection Bypass from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring Attachment Protection Bypass Policies article (opens in a new window).
    7. In the Source IP Ranges field (shown below), enter the appropriate IP ranges for your KnowBe4 account's location. See here for the IP ranges, listed above.

    Be sure to save this new policy. After allowing time for this new rule to propagate, we recommend setting up a phishing campaign to yourself, or a small group, to test out the various attachment types.


    URL Protection Bypass Policy

    Mimecast's URL Protection service scans and checks links in emails upon delivery. This can sometimes result in false positives for your phishing security tests. Follow the steps below to create a URL Protection Bypass policy for accurate phishing security test results.

    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select URL Protection Bypass from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring a URL Protection Bypass Policy article (opens in a new window).
    7. In the Source IP Ranges field (shown below), enter the appropriate IP ranges for your KnowBe4 account's location. See here for the IP ranges, listed above.

    Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.


    Impersonation Protection Bypass Policy

    If you're sending whaling/phishing emails purporting to come from users/domains that look like they are internal to your organization, you'll want to create an Impersonation Protection Policy in your Mimecast console.


    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select Impersonation Protection Bypass from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring an Impersonation Protection Bypass Policy article (opens in a new window). NOTE: In the Select Option field under Options, select the impersonation protection definition you want to be bypassed. If you have multiple definitions you would like to bypass, you will need to create a separate Impersonation Protection Bypass Policy for each one.
    7. In the Source IP Ranges field (shown below), enter the appropriate IP ranges for your KnowBe4 account's location. See here for the IP ranges, listed above.

    Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.


    Attachment Management Bypass Policy

    If you'd like to use attachments in your simulated phishing tests, follow the steps below to prevent attachments from being stripped from emails, potentially resulting in skewed test results.

    1. Log on to your Mimecast Administration Console.
    2. Click the Administration toolbar button.
    3. Select the Gateway | Policies menu item.
    4. Select Attachment Management Bypass from the list of policies displayed.
    5. Select the New Policy button.
    6. Select the appropriate policy settings under the Options, Emails From, Emails To, and Validity sections. For more information on these settings, see Mimecast's Configuring Attachment Management Bypass Policies article (opens in a new window).
    7. In the Source IP Ranges field (shown below), enter the appropriate IP ranges for your KnowBe4 account's location. See here for the IP ranges, listed above.

    Be sure to save the policy. We suggest setting up a test campaign to yourself or a small group of people to ensure the policy works as intended, before sending a campaign to all of your users.


    Preventing Mimecast from Re-Writing Phishing Links

    If you'd like to prevent Mimecast from re-writing the links in the Phishing tests you send, you can do so by adding KnowBe4's phish link domains as Permitted URLs in Mimecast. Our support team can provide a list of our phish link domains. Submit a support ticket to request this.

    Keep in mind, we don't recommend creating an exception for this unless you also have exceptions for other senders already in place. Otherwise, seeing anything other than a rewritten Mimecast URL will be a red flag for users and may skew your results.

    For more information on disabling link rewriting on permitted URLs, see Mimecast's Targeted Threat Protection: Managed URLs article (opens in a new window).


    DNS Authentication Bypass Policy (Optional)

    If you are having issues with our emails being sent to your spam folder or being quarantined, you may want to set up this additional policy. First, you'll need to set up the inbound definition and then you can create the policy. Below are instructions on how to add this policy.

    DNS Authentication - Inbound Definition Setup

    1. Log on to your Mimecast Administration Console.
    2. Select the Gateway | Policies menu item.
    3. Click the Definitions drop-down menu and select the DNS Authentication - Inbound option.
    4. Select New DNS Authentication - Inbound Checks.
    5. Create a name for the definition and leave all options unchecked.
    6. Click Save and Exit to save your changes.

    DNS Authentication - Inbound Policy Setup

    1. Log on to your Mimecast Administration Console.
    2. Select the Gateway | Policies menu item.
    3. Click the Definitions drop-down menu and select the DNS Authentication - Inbound option.
    4. Select New Policy.
    5. Specify the following settings listed in the image below:
       - Enter the KnowBe4 IP ranges into the Source IP ranges field.
       - Check the Policy Override option.
    6. Click Save and Exit to save the changes.


    Note:

    After following this article, we recommend setting up a test phishing campaign to 1-2 users to ensure your whitelisting was successful. As a last resort, we suggest reaching out to your service provider for assistance. Visit for an email template you can send to your service provider.

  • Unable to Open the Training Assignment Window

    If you've clicked on the Start button to launch a training assignment and do not see it appear in a new window, this may be due to your browser blocking pop-ups.

    Please allow pop-up windows from KnowBe4.com so you can view the assignment in its own window. See: How to Disable Your Pop-Up Blocker

    You can click the Start button to launch the assignment again after disabling your pop-up blocker.

    If you continue to experience issues, try a different browser. Make sure you are using a browser that meets our Browser Requirements.

  • Browser Compatibility

    We support the latest version of the following browsers: Chrome, Firefox, Safari, Edge, Internet Explorer (See note below)

    Browser requirements: JavaScript Enabled, CSS3 Compliant, HTML5 Compliant

    NOTE: If you're using Internet Explorer and have Flash installed and enabled, then ensure it is updated to the latest version. To check if you have the latest version, visit https://get.adobe.com/flashplayer/.

  • KnowBe4 Training Quickstart Guide

    Did you receive an email or notification from your organization letting you know you've been enrolled in training? If so, follow the steps below!

    Step 1:

    If you've received an email that has notified you that you've been enrolled in training, click the link in the email (or copy and paste the link into your browser's address bar).

    Example of Training Invitation


    Typically, the link provided in the notification will automatically confirm your account in KnowBe4's system and will send you an activation link to the email address that was assigned training. If this happens, move on to Step 2.

    Alternatively, the link may send you to a sign-up page, as shown below. It will prompt you to enter your email address to create your account.

    Click Next after you enter your email.

    Sign-Up Page

    Thank You Page

    Step 2:

    You will be sent a confirmation email with a link inside which will activate your account.

    Confirmation Email

    Click Activate my account to confirm your account.

    Step 3:

    You'll be prompted to enter your information. Add your name (or verify it is correct) and then set a password for your account.

    User Account Creation Page

    After saving your user information, you will be logged in and will be able to access the training content assigned to you. This may include training modules, games, videos, or policies. If you need to change the language of the interface, you can do so by selecting the language drop-down menu to the left of your name. Any courses that are available in that language and have not been previously started will default to the selected language.

    Changing Your Language


    Available Content

    Step 4:

    Click the Start button on any assignment to begin your training. Your assignment will open in a new window. Make sure you have disabled your pop-up blocker to ensure you can access your training.

    Allow Pop-Ups

    Training Screen

    To save your progress when completed, or whenever you need to take a break from your assignments, close the training or policy browser window. Your training page will refresh to show you your progress/status with your assignment.

    After you've completed a course, that course is moved to the bottom of your list of courses and will have a "Complete" banner over it. You'll be able to download your completion certificate, see when you completed the training, and review the course from here.

    Download Certificate - Use this button to download the PDF of your Certificate of Achievement for the course.

    View Details - Hover over this field to see details about the course. You'll be able to see information such as the course's due date, how long you spent on the course, and the date you completed it.

    Review - Click this button to take the course again or to review what you've learned.

    Language - Click the drop-down arrow to select which language you'd like to review the course in.

    Campaign - Displays the name of the campaign the course was assigned to.

    If you need any assistance, click here to contact our Support Team.

    Note:

    If you need to view an assignment in a different language, select the language drop-down next to the Start button. Clicking the drop-down will allow you to select a different language for your training assignment (if one is available).

    Note:

    If you're an admin in your account and you need to complete training, you can log in using the same steps as above and then click on your email in the top-right corner of the console and select My Training to access your assigned training. Alternatively, you can access your training by clicking on the Training tab and then clicking on the My Training subtab.

  • I Forgot To Print My Training Certificate

    If you have completed your assigned training and forgot to print or download your certificate, you can log in to your Training page and click the Download Certificate link next to your completed training assignment.


    If you are required to read and acknowledge a URL policy with your training, you will need to do that first before your Download Certificate link will appear.

    If you have any difficulty printing your certificate, or if you do not see your training or completion certificate link available, please contact your administrator for assistance.

    Note:

    If you have an assignment to review and acknowledge an internal policy, you will not receive a completion certificate. Certificates are only granted for training courses. Please contact your administrator if you have any questions.

    Policy Assignment


  • Resolving Issues with Training Content

    See the two sections below if you're experiencing issues with your assigned training content.

    My Training Course is Not Showing Completion/Status Not Appearing Correctly

    Because the issue you're experiencing could be caused by your browser, please try the steps below before accessing training again:

    1. Try a different browser. If this isn't possible, please move on to step 2.
    2. Go into your browser settings and clear your browser cache.
    3. Restart your computer.
    4. Try to access training again.

    Note:

    If you're using Internet Explorer, the latest version of Flash must be installed and enabled. To check if you have the latest version, visit https://get.adobe.com/flashplayer.

    Clearing Your Cache

    Below are the steps you can use to clear your cache based on your browser:

    Internet Explorer

    1. Click the Setting icon in the top right corner and select Safety.
    2. Click Delete Browser History and check Temporary Internet Files and Website Files.
    3. Click Delete.

    Edge

    1. Click the menu button by clicking the 3 dots in the top right corner.
    2. Click History and select Clear History.
    3. Check the Cached Data and Files box.
    4. Click Clear.

    Chrome

    1. Click the menu button in the top right corner and select More Tools.
    2. Select Clear Browsing Data and check Cached Images and Files.
    3. Click Clear Data.

    Safari

    1. Click on the Safari drop-down menu and select Preferences.
    2. Click on Advanced and select Show Develop menu in menu bar.
    3. Close the Preferences window.
    4. Select the Develop drop-down menu and click Empty Cache.

    My Training Course Is Not Playing with Sound

    Sound not working?

    Ensure your browser tab is not muted and that your computer's sound is not low or muted.

    Still not working?

    Try pausing your training module, then playing that section again.

    If you are still having issues, please contact our support team.

  • Can I Review the Training Content in a Different Language?

    We offer many assignments that have been translated into multiple languages. In addition to multi-language training content, policies required by your organization can be offered in multiple languages.

    If you've been assigned training content that is available in multiple languages, you will see a language selection drop-down menu next to the Start button on your training page.


    Click the drop-down to see additional available languages. Once you select the language you'd like, the title, description, and course will be updated to the selected language. Click Start to begin the assignment or policy and it will pop up in a new window.

    Need additional assistance? Contact our Support Team.

  • If you have Compatibility View turned on when accessing the KnowBe4 site, it can cause issues that will prevent you from properly viewing training modules. Compatibility View essentially makes your browser interpret a website as if you are using a much older version of Internet Explorer.

    To properly view the training, you should always use the latest version of the browser you're using. So you'll need to make sure you are not viewing the KnowBe4 site with Compatibility View enabled.

    To turn off Compatibility View, click the gear icon on the top right of your browser, then click Compatibility View settings.

    Selecting Compatibility View Settings


    If KnowBe4 is listed under the Websites you've added to Compatibility View list, click Remove to remove it, then click Close.

    Compatibility View Settings

    If this does not fix the issue immediately, there is another setting you should turn off called Display intranet sites in Compatibility View. Open Compatibility View settings again, uncheck this box, and click Close.

    Uncheck Display Intranet Sites in Compatibility View

    Disabling Display intranet sites in Compatibility View generally applies when you are using a proxy for internet connection and have bypassed the proxy for connections to training.knowbe4.com or eu.knowbe4.com (usually done for Phish Alert Button compatibility). The reason for disabling this setting is that by default, Internet Explorer thinks any site on the proxy bypass list is an intranet site and will display that site in Compatibility View unless Display intranet sites in Compatibility View is disabled.

    If you're still experiencing issues, you can contact support for additional assistance.

  • How Do I Turn Off My Pop-Up Blocker?

    When you log in to complete your assigned training or policy acknowledgments, you must disable your pop-up blocker in order for the training window or policy viewer to open.

    If you need assistance with turning off the pop-up blocker in any of the browsers listed below, these articles may help:

    Google Chrome

    Mozilla Firefox

    Apple Safari (See the section: Check Safari settings and security preferences)

    Microsoft Internet Explorer

    Microsoft Edge

    Opera

    If the instructions provided on the browser's site are different from what you are seeing in your browser, we recommend that you update to the latest version of your browser.

    If you continue to experience issues with starting your training, please contact your supervisor, IT team, or the KnowBe4 support team.

  • Earning Cyber Hero Badges

    Ready to earn some badges to add to your Cyber Hero collection? Earning badges is easy while taking training in the KnowBe4 console. You'll earn them automatically based on various achievements. The badges you are allowed to earn will vary based on your organization.

    Read more below to learn about our badges and how to achieve them.

    How to Earn Badges

    Badge | How to Earn it
    Cyber Hero | Complete your first assignment.
    Night Owl | Work on an assignment in the evening, between 8 p.m. and 2 a.m.
    Early Bird | Work on an assignment early in the morning, between 2 a.m. and 8 a.m.
    Pioneer | Be one of the first ten users to start an assignment.
    Lightning Fast | Be the first user to complete an assignment.
    New Recruit | Start your first assignment.
    Graduate | Download your first completion certificate.
    Hat Trick | Complete three assignments within a 24-hour period.

  • What Multi-Factor or Two-Factor Authentication App Should I Use?

    Setting up multi-factor authentication (MFA) for your KnowBe4 account requires an authentication application on your smartphone device. The links below will take you directly to where you can download the authentication application.

    Note:

    Before downloading an authentication application to a company-owned smartphone, you should contact your IT administrator to ask which MFA application is recommended for your organization.

    After downloading an authentication application, follow the steps in this article to set up MFA in your KnowBe4 account.

    Name of Application | Android/Google Devices | iOS/Apple Devices
    Authy (Guide: How to enable 2FA for KnowBe4 accounts) | Download in Google Play Store | Download in App Store
    Google Authenticator | Download in Google Play Store | Download in App Store
    LastPass | Download in Google Play Store | Download in App Store

  • Guide to Leaderboard Rankings

    The Leaderboard allows you to compete with your fellow employees while taking your assigned training. You can rise to the top of the rankings by completing all of your assigned training before the deadline.

    Example of Leaderboard

    Each group's ranking is determined by the percentage of assigned training completed by the group members. All groups that have a 100% completion rate will be ranked depending on how fast all users within that group completed the training.

    If you're a member of multiple groups shown on the leaderboard, you'll show as part of the highest-ranking group.

    Be sure to take your training on time and fast to defeat the competition!

  • Working with Passwords

    Below are instructions on resetting passwords as well as tips for troubleshooting some common password issues.

    Jump to: Resetting Your Password

    Didn't receive your reset password instructions?

    Common Password Issues

    I never received the confirmation instructions.

    When I tried to reset my password, I got the following warning: Reset password token is invalid.

    I was assigned training and I can't log in to my account.

    Resetting Your Password

    You can reset your own password by entering your company email address on our Reset Password page. Visit the link below that applies to you to go directly to this page or click the Forgot your password? link on the login page.

    US Users

    EU Users

    Reset password dialog


    Enter the email address associated with your organization then click Send me reset password instructions. The password reset confirmation and instructions will be emailed to that address.

    If you receive an error that says: "This account is not yet confirmed", you will need to click the activation link in the activation email in order to confirm your account and set your password. If you didn't receive this email, click the Didn't receive confirmation instructions? button.

    Otherwise, you will receive an email to the email address you entered which will provide you a link to click on to set your new password. New password links will be active for approximately six hours.

    Didn't receive your reset password instructions?

    If you're an existing user who has previously logged in, please ensure you are entering the correct email address. The email you are using should be the one that you use with your organization (with your organization's domain) rather than a personal email account. If you are certain you entered the correct email address, check your Junk or Spam folder. If you still do not see the email, contact your supervisor or IT team for assistance.

    If you are a new user and you've never logged in before, click Didn't receive confirmation instructions? instead of Forgot Password.


    Common Password Issues

    Select the password issue that you are experiencing:

    I never received the confirmation instructions.

    When I tried to reset my password, I got the following warning: Reset password token is invalid.

    I was assigned training and I can't log in to my account.

    If the password issue you are experiencing is not on this list, please reach out to our support team here.


    I never received the confirmation instructions.

    If you are a new user and you've never logged in before, click Didn't receive confirmation instructions? instead of Forgot Password.

    Entering your organization email there will send you a new confirmation email with an activation link to confirm your account and set up your password.

    If problems persist, please reach out to your supervisor, your organization's IT administrator, or the KnowBe4 support team for assistance.


    When I tried to reset my password, I got the following warning: Reset password token is invalid.

    There are a few reasons that could make this error occur. Select the scenario that best applies to you:

    I Requested a Reset Password Email More Than Once

    If you request a reset password email and you do not receive this email within a few minutes, it may be in your junk or spam folder.

    If you've requested a reset password email more than once before, you must be sure to use the link from the most recent "Reset password instructions" email.

    I Requested a Reset Password Email More Than 6 Hours Ago

    When you request an email to reset your password, the link found within this "Reset password instructions" email is only valid for six hours from the request.

    If you're receiving the "Reset password token is invalid" error and it's been more than six hours since you requested your password reset, please request a new password reset email. For instructions, see here.

    I am Using the Safari Browser to Access My Account/Reset My Password

    If you're attempting to reset your password in Safari using the reset password email you've received from KnowBe4, you may receive a "Reset password token is invalid" error.

    This error can be caused by Safari's password-storing feature. If you've used this feature to store your KnowBe4 password, follow the steps below to delete this password entry.

    1. From your Safari browser's menu bar (at the top of your monitor's screen on Mac operating systems), select Safari then Preferences... from the drop-down menu.
    2. Select the Passwords tab from the Preferences menu (you may need to enter your user account's login password to access your password entries).
    3. Select the password entry for training.knowbe4.com, then click the Remove button at the bottom right, as shown below.
    4. Now, use the link in the Change my password email you've received in your inbox to reset your account's password.

    I am Experiencing a Different Issue

    Can't find a helpful solution? Contact our support team and we will assist you.


    I was assigned training and I can't log in to my account.

    There are a few reasons this error may occur. Select the scenario that best applies to you:

    I was notified via email about my assigned training and clicked a link in that email to log in.

    If so, the first time you click the link in your training notification, you will be emailed an activation link to confirm your account and set your password for training.

    Occasionally, users will be set up with a password by their IT administrator or supervisor. You should still be able to reset your password if you forget your assigned password, though. For instructions on how to reset your password, see this section of this article.

    I have already confirmed my account but I need to reset my password.

    For instructions on resetting your password, please see this section.

    I am able to log in, but I can't see any of my training assignments.

    Contact your supervisor or IT team. It is possible the campaign you were enrolled in has ended, or that you were signed up for training using a different email address for your login.

    View Article
  • Additional Resource

    Enrolled in Training? A 4-Step Guide to Getting Started

    View Article
  • Additional Resources

    Enrolled in Training? A 4-Step Guide to Getting Started

    How to Earn Badges

    How Leaderboards Work

    View Article
  • Phish Alert Button (PAB) Guide for Outlook, Exchange, Office 365, and GSuite

    The Phish Alert Button (PAB) add-in for Microsoft Outlook, Exchange, Office 365, and Google Apps/GSuite gives end-users the ability to report suspicious emails. PAB allows your employees to take an active role in managing the problem of phishing and other types of malicious emails. This will provide IT with early warning of possible phishing attacks or malicious emails so they can take effective action to prevent security or network compromise.

    If you want to know how a PAB installation can benefit your organization or best practices for implementation, visit our Best Practices for PAB Implementation article.

    Paid Integration: If you are using our full-featured Phishing console, the PAB will also track if your users report our simulated phishing emails, so you can see which users are successfully identifying potentially malicious emails.

    Jump to: PAB installation guides Enable and configure PAB Multiple PAB instances PAB reporting Data the add-in sends to our servers PAB compatibility matrix

    PAB installation guides

    Installation of the PAB depends on the mail environment in your organization. Below are our main installation guides:

    Exchange (Server-based) install

    Office 365 (Server-based) install

    Outlook (Client-based) install

    GSuite extension install (Chrome)

    In addition to our installation guides, you can review our PAB installation video tutorial:

    PAB Installation and User Experience

    Note:

    We recommend enabling and configuring your PAB before starting the installation process. Learn how to do this by visiting our Enable and configure Phish Alert section.

    Enable and Configure PAB

    Step 1: Log in to your KnowBe4 account and navigate to your Account Settings screen. This screen will look different depending on your account version.

    Free Version: Log in to your console and click the "Get Started" button. This will take you to the Phish Alert Enabled screen. Skip to Step 3 for further instruction.

    Paid Version: Log in to your console and click on your email address in the top-right corner of the screen. Choose Account Settings to enter the Account Settings area.

    Step 2: Scroll down to the Phish Alert section and check the Phish Alert Enabled checkbox.

    Step 3: Configure your PAB by filling out the corresponding fields. Each field is described below.

    1) Enabled - check this box if you want to enable Phish Alert for your account. If the checkbox is not checked but you have deployed Phish Alert in your organization, no reporting will be recorded.

    2) Icon - use this option to upload your own custom icon for the Phish Alert Button. The image must be PNG format, should be less than 1 MB in size, and should be a square image between 32 x 32 and 256 x 256 pixels. If left blank, the default PAB icon will be used. For more information, see our article on how to change the PAB icon.

    Please note if you have previously installed the Phish Alert Button and this is your first time adding a custom icon, you will need to reinstall the PAB for the change to take effect.

    3) License Key - this is the license key you will use to install Phish Alert on your workstations. For Google Apps/GSuite Chrome Extension installations, you will not need this, as it is built into your .json Config file automatically.

    4) Forward non-simulated phishing emails to - when the user reports a non-simulated phishing email, a copy of the email including the original headers as an attachment will be forwarded to these email addresses. Emails must be separated by commas.

    5) Send us a copy - when the user reports a non-simulated phishing email, a copy of the message including original email headers will be forwarded to us. We can then analyze and even create phishing templates to use in simulated phishing attacks.

    6) Forwarded email prefix - when a non-simulated phishing email is forwarded to the recipients you set above, this prefix will be added before the original subject line.

    7) Confirmation Message - this message will be displayed to the user after they click the phish alert button, asking them to confirm whether or not they want to report the email. When creating your custom message, be mindful that the maximum character count is 255.

    8) Show a response when the user reports a non-simulated phishing email - when enabled, the message will be displayed to the user when they report a non-simulated phishing email. When creating your custom message, be mindful of the maximum character count - Client PAB (469 characters) and Server PAB (500 characters).

    9) Paid Only: Show a response when the user reports a phishing security test email - when enabled, the message will be displayed to the user when they report a phishing email that was a simulated phishing email. When creating your custom message, be mindful of the maximum character count - Client PAB (469 characters) and Server PAB (500 characters).

    10) Response Duration __ seconds - (Office 365/Google PAB Only) Use this field to set the length of time the simulated and non-simulated phishing email response messages display after a user reports an email using the PAB. The maximum duration length is 60 seconds.

    11) Button text - the text that will appear on the Phish Alert button in the user email client.

    12) Button group text - the label that will appear under the Phish Alert button in the user email client.

    13) Save Phish Alert settings - click this button to save any changes made to your phish alert button.

    14) Download Outlook add-in installer - the link you use to download the latest version of Phish Alert for Outlook.

    15) Download manifest for Exchange 2013, 2016 - this is the manifest file for installation of the add-in for Exchange 2013, 2016.

    16) Download manifest for Office 365 (supports mobile) - this is the manifest file for installation of the add-in for Office 365 and the Outlook mobile app (Android and iOS).

    17) Download Config file for Chrome Extension - download this file if you're installing the Phish Alert on your organization's Google Apps/GSuite.

    Note:

    All settings, except Enabled and Forward non-simulated phishing emails to, will be applied to the mail client once it is restarted. For the email address(es) being forwarded the reported phishing emails, the settings will be applied once a user clicks the PAB to report an email.

    Multiple PAB instances

    You can set up multiple instances of the PAB for your organization to define unique settings (prompt messages, languages, or other) for specific end-users. Adding another PAB instance provides you with an additional license key for your new instance and a new set of editable settings.

    Instructions for setting up multiple PAB instances will vary depending on your mail client. To help get you started, review the articles below:

    Setting Up Multiple Phish Alert Button Instances for Your Organization

    Multi-PAB: How to Set Up Multiple PAB Instances in Exchange or Office 365

    Multi-PAB: How to Set Up Multiple PAB Instances in Google Suite

    PAB reporting

    Free Version: The console Dashboard will display a graph tracking how many phishing emails are being reported by your users. You can download a CSV of this data, which will include the date and number of times the PAB was used by your users.

    Paid Version: The console Dashboard will display a graph tracking how many phishing emails are being reported by your users, and whether these emails are simulated or non-simulated (potential real phishing attacks). You can download a CSV of this data, which will include the date and number of times the PAB was used by your users, and if the reported emails are simulated or non-simulated.

    All individual phishing campaign reports will include a check mark under the Reported column (see below) if a user reports a simulated phishing email from that campaign. This allows Admins to see which users are correctly identifying potential threats and paying attention to their inbox.

    You can see which phishing emails a user reported in their user profile area, as well as in the "Users" tab of any phishing campaign in the console.

    Example of a user profile showing reported phishing emails:

    Data the add-in sends to our servers

    The add-in communicates with our API over TLS 1.2, which is always securely encrypted. The external IP address, user agent, and other standard browser information are sent to us as part of the standard HTTPS communication.

    Information sent from the user's machine to our servers:

    License Key

    Add-in Version

    Operating System

    Operating System Architecture (32 or 64 bit)

    Outlook Version

    Windows configured language (EN, DE, etc.)

    OSID - random GUID generated for each individual workstation

    User's email address (we don't store it unless it is already in our system)

    When the email is not a phishing security test and the user clicks the PAB, the reported email is never sent to us (unless you explicitly allow that in your account settings). Rather, the add-in communicates with our servers to retrieve the email address(es) the reported email needs to be forwarded to. The email is then forwarded to the email address(es) straight from the email client. The process is similar to when a user presses the Forward button.

    PAB compatibility matrix

    Office 365 (Server-based)

    Exchange (Server-based)

    Outlook (Client-based)

    GSuite Extension

    Office 365

    MICROSOFT WINDOWS

    Outlook 2019: Compatible

    Outlook 2016 (Click-to-Run): Compatible

    OWA/Outlook Online: Compatible

    APPLE OSX

    Outlook 2016: Compatible

    OWA/Outlook Online: Compatible

    ANDROID

    Outlook mobile app: Compatible

    IOS

    Outlook mobile app: Compatible

    Note: Office 365 PAB is also available for Exchange Server 2016 (Hybrid only) - version 15.1.544.27 (CU3) or newer.

    Installation guide: Phish Alert Button Guide for the Outlook Mobile App (iOS and Android) and Office 365

    Exchange Version: 2013 | 2016 | Office 365

    MICROSOFT WINDOWS*

    Outlook 2013: Compatible | Compatible | Compatible

    Outlook 2016: Compatible | Compatible | Compatible

    Outlook 2019: Compatible

    APPLE OSX

    Outlook 2016: Compatible | Compatible | Compatible

    *Exchange (Server-based) PAB is not compatible with Outlook Online. Note: Server PAB is also supported for Mac Outlook 2016 (up until version 16.23) on OSX High Sierra (version 10.13 or newer).

    Installation guide: Phish Alert Button Guide for Exchange 2013/2016 (Server-based)

    MICROSOFT WINDOWS

    Outlook 2010: Compatible

    Outlook 2013: Compatible

    Outlook 2016: Compatible

    Outlook 2019: Compatible

    *Internet Explorer 11 and some other OWA servers require third-party cookies to be enabled.

    Installation guide: Phish Alert Button Guide for Outlook (Client-based)

    The G Suite PAB (GPAB) Chrome extension is compatible with Chrome browsers used in G Suite-managed environments. The GPAB is not compatible with mobile devices or applications.

    Installation guide: Phish Alert Button Guide for Google Suite

    View Article
  • Below is a list of our new feature releases and updates on the KnowBe4 Security Awareness Training Platform. Check back frequently to learn of new updates.

    The latest list of updates will be displayed at the top of the page.

    2019 Changes

    2018 Changes

    2017 Changes

    2016 Changes

    Release Date

    Description

    December 2019

    We've added a new phishing template category: Education.

    We've added the ability to export a CSV of user feedback for the Security Culture Survey (SCS). This option can be found under the Results tab for an SCS campaign. To learn more about the Security Culture Survey (SCS), click here.

    We have added the ability to set the length of time that the messages users see when they report an email using Google PAB are displayed. You can change the response duration from your Account Settings page under the Phish Alert section. For more information about the Phish Alert Button and its features, please see this article on our Knowledge Base.

    We've made updates to the Phishing tab in your KnowBe4 account. You may notice faster speeds, improved functionality, and minor user interface enhancements.

    New items were added to the ModStore:

    El Pescador:

    3 posters available in 3 languages

    Popcorn

    1 newsletter

    The Security Awareness Company

    1 poster available in 8 languages

    1 poster

    1 training module

    1 newsletter available in 16 languages

    November 2019

    We've made updates to the Phishing tab in your KnowBe4 account. You may notice faster speeds, improved functionality, and minor user interface enhancements. This change will only affect customers on eu.knowbe4.com.

    We've improved the encoding of phishing links used in our phishing emails to increase the security of these links.

    We've added the ability to use a custom header for training notifications. To learn more, please check out this article.

    We've updated the archive/delete functionality for Groups

    After archiving a group, that group can now be permanently deleted. Deleted groups cannot be restored.

    Deleted group names can be reused.

    We've added the ability to bulk delete groups via CSV

    We've updated our login URLs to no longer include email addresses in an effort to make our URLs more secure. We've updated the Login Link placeholder in our training notifications to reflect this change.

    We've added two new getting started videos for SSO users. Check them out here:

    Getting Started with KnowBe4 Security Awareness Training for SSO Users

    Getting Started with Cyber Hero Training for SSO Users

    We've updated the Users tab for the Security Awareness Proficiency Assessment (SAPA). You will now be able to see your users' scores from the table. For more information on SAPA, check out this article.

    The industry benchmarking data has been updated on your Dashboard. Our benchmarking data was gathered from over 16 million users across nearly 28,000 customers. For more information on our industry benchmarking, please see this article.

    New items were added to the ModStore:

    Twist and Shout

    21 video modules

    3 posters

    Inside Man Season 1 available in German

    Popcorn

    2 newsletters

    El Pescador

    1 video module

    2 training modules

    The Security Awareness Company

    1 training module

    4 posters

    8 newsletters

    1 newsletter available in 17 languages

    October 2019

    We have added the ability to set the length of time that the messages users see when they report an email using the PAB stay on the screen. You can change the response duration from your Account Settings page under the Phish Alert section. For more information about the Phish Alert Button and its features, please see this article on our Knowledge Base.

    You can now assign assessments to your users. We offer two types of assessments: the Security Awareness Proficiency Assessment (SAPA) and the Security Culture Survey (SCS). Use the SAPA to test your users' security knowledge. Use the SCS to survey your users to determine your organization's security culture. For more information, check out these articles on our Knowledge Base.

    How to Use Assessments

    What is the Security Awareness Proficiency Assessment (SAPA)?

    What is the Security Culture Survey (SCS)

    New items were added to the ModStore:

    Twist and Shout

    22 video modules

    3 posters

    El Pescador

    3 posters

    2 video modules

    KnowBe4

    2 assessments

    Syntrio

    6 training modules

    Popcorn

    1 game

    1 poster

    2 newsletters

    The Security Awareness Company

    2 training modules

    1 newsletter available in 17 languages

    September 2019

    You can now disable the return-path header for training emails from your Account Settings area. You'll want to enable this setting if you are using SPF alignment checks and want to spoof your domain. See more information here.

    We've added a new phishing template category: Indian (English) Phishing Templates.

    We have added the ability to customize the confirmation users see when they click the Phish Alert Button. You can change this message from your Account Settings page under the Phish Alert section. For more information about the Phish Alert Button and its features, please see this article on our Knowledge Base.

    We've added a security role for the Uploaded Content tab. Previously, access to the Uploaded Content tab was included in the Training Store Purchases role. We have added this new security role to give you more control over who has access to upload and manage custom content. For more information about this new security role and other security roles, check out this article on our Knowledge Base.

    New items were added to the ModStore:

    Twist and Shout

    7 video modules available in 17 languages

    7 posters

    KnowBe4

    5 video modules

    El Pescador

    3 posters

    The Security Awareness Company

    2 training modules

    1 poster available in 17 languages

    1 newsletter

    KnowBe4

    10 training modules

    Popcorn

    3 newsletters

    9 posters

    8 modules

    8 security docs

    We've added a new landing page category: Role-Based. This category focuses on five different roles in an organization (Executive/CEO, Finance, Sales, Human Resources, and IT). Each landing page explains why a specific role is a target, potential attacks, and helpful tips to stay safe online.

    We now have two whitelisting wizards that can help guide you through the whitelisting process. Visit here to learn more about each wizard.

    We've added a new "safelinks" phish domain. If you whitelist our phish domains in your environment, make sure you whitelist the newest domain. If you're unsure which domain is new, contact Support.

    We've added seven new landing pages to our Point of Failure Video Training category. These landing pages are a part of the Cybersecurity Starter Kit video series.

    We recently updated our mail server infrastructure. This improvement may require you to update your current whitelisting setup. Visit our whitelisting guide for more information.

    August 2019

    You can no longer share landing page previews. In order to preview a landing page, you must be logged in to the console.

    We've updated the drop-down menus throughout the admin console and the learner experience to include new options and icons. You can now click your email in the top-right corner of the console and navigate to your training and PhishER from anywhere within the console.

    We've refined the AI algorithm behind our Virtual Risk Officer (VRO) to lessen a user's Exposure Risk over time. The Exposure Risk factor is increased when user information is found in a data breach. With this update, the Exposure Risk factor will decrease over time for older breaches, while more recent breaches will have a stronger impact on the user's Exposure Risk.

    We've added a new phishing template category: Retired Current Events.

    New items were added to the ModStore:

    Popcorn

    2 security docs

    1 training module

    Teach Privacy

    1 training module

    El Pescador

    2 training modules

    2 posters

    Syntrio

    1 training module

    KnowBe4

    2 training modules

    The Security Awareness Company

    1 newsletter available in 15 languages

    2 security docs

    3 posters

    We've added two new landing pages to the Phishing > Landing Pages > Generic category:

    Warning Signs of Phishing (Translatable)

    20 Ways to Block Mobile Attacks (Translatable)

    We've added new Google Apps Login landing pages that include multi-factor authentication. Check them out under the Phishing > Landing Pages > Phishing For Sensitive Information category:

    Google Apps Login (Updated)

    Google MFA (Do Not Edit)

    Google Apps Login with MFA (Do Not Edit)

    We've renamed our phishing template category "Banking" to "Banking and Finance" to better represent the templates within that category.

    July 2019

    We've added new policy statuses. When creating a policy, there will be a new drop-down field with the following status options: draft, published, or archived.

    We've updated the Quarterly Product Update video in our Knowledge Base.

    We've refined the AI algorithm behind our Virtual Risk Officer (VRO). You'll see a slight increase to your users' Risk Scores. The end goal is to increase the stratification between High and Low Risk users to more accurately reflect their risk to your organization.

    New items were added to the ModStore:

    El Pescador

    4 video modules

    Exploqii

    2 video modules

    The Security Awareness Company

    3 security docs

    5 training modules

    2 posters

    Syntrio

    2 training modules

    Our Reporting APIs have been updated to include user and group risk score information.

    See more here: KnowBe4 API Documentation

    Two changes have been added to user training sessions:

    If users open duplicate training windows, only the most recent window will remain active. This will be indicated by a message that says "Your training has been launched in another browser window. This training window will be closed."

    If users leave their training window unattended for four or more hours, their session will be closed and they will need to re-open their training. This will be indicated by a message that says "Your training session has expired. Please relaunch your training from the KnowBe4 learner experience."

    We added training notification templates with a new design that you can customize for your organization. These templates will have a (Banner) or (Border) tag in the template name.

    A new training notification template category was created: Blank Templates. This category includes blank versions of our training notification templates with styling. To understand how to best use this category, review this article.

    A new "Summer: Don't get burned by the bad guys!" landing page was added. Check it out under the Phishing > Landing Pages > Holiday/Seasonal Landing Pages.

    EZXploit was deprecated from new phishing campaigns.

    We've localized our Learner Experience (LX). You can now set the language for the LX interface using the language drop-down menu. To learn more about this feature, see this article.

    June 2019

    Sign-ups are now open for our Knowledge Assessment beta! Our Knowledge Assessment allows you to measure your users' understanding of security-related topics so that you can make data-driven decisions about your security awareness plan.

    Sign up for our beta here

    You can now enable surveys for new or existing training campaigns. Surveys will help you gather feedback from your users about the training content you are assigning them. To learn more about surveys, please read this article on our Knowledge Base.

    You can now use a date range in Smart Groups criteria. For more information, see this section of our How to Use Smart Groups article.

    We changed the word "Cancel" to "Close" on training campaigns.

    We've added three new local vishing numbers for Brazil, Australia, and South Africa. See more here.

    You can now create branded training certificates using the certificate templates we've provided as a starting point (click here to view). This setting is located in your Account Settings. Learn more by reading this article on the knowledge base.

    Replaced the flag icon next to the Start button for a course with a language drop-down menu. Click the arrow next to the selected language to change the language for a course.

    New items were added to the ModStore:

    KnowBe4

    1 video module

    2 security docs

    The Executive Series training modules are now also offered as video modules.

    The Security Awareness Company

    1 newsletter

    2 training modules

    6 security docs

    8 posters

    3 Security One Sheets

    4 games

    3 video modules

    Twist & Shout

    1 video module

    El Pescador

    1 video module

    1 training module

    1 security doc

    Popcorn

    5 security docs

    The User Event API was released and it allows you to import your users' security-related events or training activities from external sources and push them into the console.

    See more here: KnowBe4 API Documentation

    May 2019

    New items were added to the ModStore:

    KnowBe4

    1 poster

    1 security doc

    The Security Awareness Company

    1 newsletter

    2 video modules

    4 posters

    3 security docs

    A new publisher, El Pescador, was added to the ModStore.

    El Pescador

    4 video modules

    3 posters

    The ability to use a custom icon for the Phish Alert Button was added. For more information, please see this article on our Knowledge Base.

    We've added two new template categories: Current Event of the Week and Current Event of the Month. To understand how to best use these categories, review this article.

    We've added a new Point of Failure Course landing page about phishing and spearphishing. Check it out under your Point of Failure Courses landing page category.

    Three tabs have been added to the Campaigns tab that categorizes Training Campaigns. These tabs are Active, Closed, and All. Use these tabs to choose which campaigns you'd like to view.

    The User Timeline has been changed to the Events Timeline and a new filter has been added that allows you to filter your results. Use the Event Type and Date Range drop-downs to find specific events in your user's history.

    The Learner Experience (LX) now has a View Details option where you can see the course's due date, the time spent on the course, and the date you completed the course for completed courses.

    You now have full control over which AD fields sync to your KnowBe4 console. This feature is optimal for admins wanting to have a mix of AD-managed and non-AD-managed fields, but without the worry of blank fields overwriting existing data during a sync. Learn more about how you can make the most of your AD sync by visiting here.

    April 2019

    In phishing reports, the first names of users with longer names will be truncated. Longer email addresses will also be truncated.

    You now have the ability to set a default landing page and default landing domain under your Account Settings. Your default landing page and domain will be used across all phishing campaigns, unless otherwise specified when creating a campaign or phishing template.

    You can now upload videos as custom courses to your KnowBe4 console. You'll enroll your users and track their progress on your custom courses, just as you would with any content from the ModStore. See here to learn more about uploading custom content.

    New items were added to the ModStore:

    Syntrio

    1 training module

    KnowBe4

    1 security doc available in 32 languages

    1 training module

    Security Doc: 20 Ways to Block Mobile Attacks is now available in 32 languages

    The 15 minute 2019 Kevin Mitnick Security Awareness Training is now available

    The 30 minute 2019 Kevin Mitnick Security Awareness Training is now available

    1 game

    Popcorn

    8 training modules

    The Security Awareness Company

    1 newsletter

    The 2019 version of the Danger Zone game is now available.

    1 training module

    The Privacy Basics training module has been translated into 13 additional languages

    All 12 Cyber Hero Series modules are now available in French and Portuguese.

    8 video modules

    Landing Pages:

    A new landing page category called Hack Attacks (Use With Caution) was added. This category mimics classic and newer ransomware attacks.

    March 2019

    You can now upload your own SCORM-compliant content in any language you choose, directly into your account! You'll enroll your users and track their progress on your custom courses, just as you would with any content from the ModStore. See here to learn more about uploading custom content.

    We've added feature enhancements to your training campaigns! When your users miss their training deadlines, you can now extend the training due date for individual users or allow training assignments to be completed after the due date. Learn more about modifying your training campaign deadlines here.

    New items were added to the ModStore:

    Popcorn

    9 posters

    18 security docs

    8 video modules

    1 game

    Security Awareness Company

    1 newsletter

    7 Security One Sheets

    KnowBe4

    1 training module

    This is our 2019 version of the Kevin Mitnick Security Awareness training module which features increased functionality and accessibility.

    5 security docs

    9 video modules

    Twist & Shout

    13 video modules

    13 posters

    February 2019

    New items were added to the ModStore:

    KnowBe4

    1 video module

    1 training module

    1 poster

    1 security doc

    Exploqii

    48 video modules were translated into 11 languages

    Security Awareness Company

    1 newsletter available in three languages

    8 Security One Sheets

    Syntrio

    17 training modules

    Popcorn

    4 training modules

    The new learner experience (LX) was enabled.

    Learn more about our new LX on our Learner Experience Guide, or watch our LX-related videos.

    A new search filter was added to the ModStore: Targeted Training.

    You can now easily browse the industry and role-based training content available at your subscription level.

    Phishing Templates:

    Finnish and Danish templates were added

    Burmese and South African templates were added

    January 2019

    New items were added to the ModStore:

    Syntrio **new publisher!**

    8 training modules

    KnowBe4

    4 training modules

    5 posters

    7 video modules

    Security Awareness Company

    3 training modules

    1 game

    3 Security One Sheets

    1 poster

    1 newsletter

    1 security doc (Activity Book for kids)

    Popcorn

    1 security doc (Activity Book for kids)

    You now have the ability to clone Security Roles in your KnowBe4 console. See here for more information.

    You can now enable a sneak preview of our new training experience for your users. KnowBe4 is updating its user training interface, or learner experience, for all accounts in early February. This updated interface includes gamification, branding, a tour, and more.

    See our Learner Experience guide to review all of the changes, and then enable the new learner experience in your Account Settings to try it out!

    Our industry benchmarking numbers on your Dashboard and Reports were updated to include the latest data, as well as new available industries to select from. Learn more on our industry benchmarking article.

    Active Directory Integration (ADI) Version 1.0.16.5 released.

    This version adds additional sync fields for more user customization. Note: The <domain>.conf will be updated with the new user fields when the service first runs after installation.

    Improves ADI logging by now including <domain> in the log.

    The Accounts tab of the Account Management Console was improved. See here for more information.

    A Reports tab was added to the Account Management Console. You can now run reports that provide metrics for your managed accounts from one central location. For more information on the specific reports offered, read our How to Use Account Management Reporting article.

    Release Date

    Description

    December 2018

    New items were added to the ModStore:

    KnowBe4

    4 training modules

    Popcorn

    2 Security Docs

    exploqii

    1 video module

    Security Awareness Company

    1 newsletter

    3 Security One sheets

    1 poster

    4 video modules

    The Reseller Dashboard was renamed to Account Management Dashboard.

    You now have the ability to add your own allowed domains to your KnowBe4 console. See here for more information.

    Under Account Settings, the Business hours, Business days, and Time Zone information was moved from the Phishing section to the Company Information section.

    November 2018

    Updated videos for Customizing Phishing Templates and Landing Pages and Customizing Training Notifications were added.

    New items were added to the ModStore:

    Teach Privacy **new publisher!**

    10 training modules

    1 game

    Popcorn

    7 posters

    5 Security Docs

    1 training module

    KnowBe4

    1 poster

    1 training module

    6 video modules

    Security Awareness Company

    1 newsletter

    2 Security Docs

    New placeholders were added to your Placeholder dropdown on phishing templates, landing pages, and training notifications. You can now add dynamic numbers and dates to your custom content.

    A new tag was added to specific email templates: SPF. See more about what this tag means here.

    A new video for Domain Doppelganger was added.

    Training-related certificates have been updated with a new design.

    Teach Privacy was added as a publisher to the ModStore.

    A new version of the Office 365 PAB was released which fixes an issue with centralized deployment. Server-based PABs update automatically. See more on our Phish Alert Release Notes.

    You can now set a required password length for your users from your Account Settings.

    A free KnowBe4 training module and PDF printable has been released, only available for the holiday season (November and December).

    See more here: Safe Travels for Road Warriors: Holiday Edition

    Added navigation buttons to email template previews for both phishing email templates and training email notifications.

    October 2018

    New items were added to the ModStore:

    KnowBe4

    2 training modules

    4 posters

    exploqii

    1 video module

    Security Awareness Company

    5 posters

    3 newsletters

    Popcorn

    10 newsletters

    3 training modules

    Twist & Shout

    30 pieces of artwork

    ThinkHR

    2 training modules

    A new version of the PAB was released for Office 365 and the Outlook Mobile app.

    View our Phish Alert Button (PAB) Product Manual to see which PAB installation method is compatible with your organization.

    An option to modify the session timeout for admins and users was added to your Account Settings. If inactive for the specified period of time, the admin or user will be logged out of their account automatically. MSPs/Resellers also have an admin session timeout available.

    Advanced Reporting and Virtual Risk Officer (VRO) were released for US and EU accounts.

    Advanced Reporting simplifies and expands your ability to create reports about your security awareness training plan progress, while our Virtual Risk Officer (VRO) feature calculates a risk score for users, groups, and your organization as a whole, helping you detect and strengthen the weakest points in your human firewall.

    A new version of Second Chance was released which addresses several bugs.

    View our Second Chance Release Notes for more information.

    Tutorial videos have been added/revised:

    User Profile Guide

    Account Settings Guide

    Adding/Importing Users

    Creating Phishing Campaigns

    RanSim

    One Minute Baseline (Clicks)

    One Minute Baseline (Clicks and Data Entry)

    PAB Office 365 Install

    PAB Exchange Install

    One Minute Baseline: Check Your Password (Clicks + Data entry)

    One Minute Baseline: Change Your Password (Clicks)

    You can now update user time zones in bulk via CSV import.

    See more here:

    CSV Import

    Time Zones

    A new version of ADI was released which adds support for a large number of users. See our ADI release notes for more details.

    You can now filter users into Smart Groups based on specific policies they have or have not been assigned, started, or completed.

    MSP/Resellers: Added the ability to sort columns under the Accounts tab from the Account Management portal.

    September 2018

    Videos are now called "video modules" and can be used as content for training campaigns.

    New tutorial videos are available on our Tutorial Videos page:

    Automated Security Awareness Program (ASAP)

    Social Engineering Indicators (SEI)

    Policy feature overview

    Advanced Reporting

    Virtual Risk Officer (VRO)

    The ability to hide a phishing campaign from reports during campaign creation was added.

    The ability to selectively notify admins upon user import via CSV was added.

    Two new attachment types for your simulated phishing tests were added, .docm and .xlsm.

    New landing pages are available:

    Automatically branded versions of our basic "Oops" and SEI landing pages were added. Look for the tag (Branded).

    These landing pages use your "Company Logo URL" as indicated in your Account Settings.

    New items were added to the ModStore:

    Popcorn

    1 training module

    The Security Awareness Company

    5 posters

    KnowBe4

    1 training module

    A new version of RanSim is available which adds a crypto-mining simulation scenario. See more in our RanSim product manual.

    New user fields were added that you can add to user profiles, download in CSV reports, and use in Smart Groups, including:

    Organization

    Department

    Risk Booster

    Language

    Employee Start Date

    Archived Date

    Comment

    Custom Fields (up to 4)

    Custom Date (up to 2)

    We've released Domain Doppelgänger, a web-based tool that performs searches specific to your organization's domain and collects data on any potentially harmful or "evil twin" domains that the bad guys have registered with malicious intent.

    See more here: Domain Doppelgänger Product Manual

    Added a drop-down that allows you to select which columns to hide or show in a phishing report.

    You can now filter ModStore content by Duration.

    The name of the delete user button has been changed from Delete to Archive to more accurately reflect its functionality.

    You can now clone Groups.

    Added the ability to bulk delete users.

    August 2018

    New API endpoints were released to coincide with our new Policy feature.

    See: KnowBe4 API Reference Guide

    Twist & Shout and Canada Privacy Training were added as publishers to the ModStore.

    New items were added to the ModStore:

    Canada Privacy Training **new publisher!**

    1 training module

    Twist & Shout **new publisher!**

    6 video modules

    KnowBe4

    1 training module

    Popcorn

    2 training modules

    exploqii

    1 video

    1 video module

    Our training-related placeholders were revised and built-in training notifications were updated to reflect this. The previous versions of the placeholders will still be supported.

    Training reports were revised slightly to coincide with our new Policy feature.

    The ability to include or exclude archived users from phishing reports was added to the Account Settings area.

    The ability to clone a group was added.

    A new version of PAB was released (1.2.30). See our Phish Alert Release Notes for details.

    A content "Duration" search filter was added to the ModStore.

    Advanced Reporting and Virtual Risk Officer (VRO) were released to beta.

    Advanced Reporting simplifies and expands your ability to create reports about your security awareness training plan progress, while our Virtual Risk Officer (VRO) feature calculates a risk score for users, groups, and your organization as a whole, helping you detect and strengthen the weakest points in your human firewall.

    You can enable this in your KnowBe4 Account Settings to participate in the beta. Send your feedback, comments, and questions regarding the beta to KnowBe4's support team.

    The ability to bulk delete users via CSV was added. Additionally, the "Delete" button was changed to "Archive" throughout the Users tab to represent its actual functionality.

    Landing Pages:

    A new multi-provider login landing page was added. Check it out under the Phishing > Landing Pages > Phishing for Sensitive Information.

    Phishing Templates:

    A new Security Hint and Tip was added.

    Several new Current Events templates were added.

    German, Malay, Thai, Vietnamese, and South African phishing templates were added.

    July 2018

    New items were added to the ModStore:

    KnowBe4

    2 training modules

    30 posters in five different sizes

    Security Awareness Company (SAC)

    5 training modules

    6 Security One sheets

    Popcorn

    11 training modules (micro-modules)

    ThinkHR

    9 training modules

    We've added a new Policies tab beneath the Training area of your platform.

    Our Policy feature allows you to store, distribute, and track various policy acknowledgments and agreements required of your employees as part of your security awareness training program.

    We've added Release Notes to your console.

    These release notes will inform you of any major updates, new features, or changes that have happened since your last login. Dismiss the messages by clicking the "X" icon in the top-right corner of the message.

    Upgrades were made to the design of our phishing test attachments.

    All attachments now include a link, so users can have a "click" failure in addition to an "attachment opened" failure and will be taken to a landing page upon clicking the link. The design was also changed to improve the overall user experience.

    Landing Pages:

    A new "Robot CAPTCHA" landing page was added. Check it out under the Phishing > Landing Pages > Generic.

    A new Instagram login landing page was added. Check it out under the Phishing > Landing Pages > Phishing for Sensitive Information.

    June 2018

    New items were added to the ModStore:

    24 new Security Docs from Popcorn

    These are one-page infographics that relate to their corresponding Popcorn training modules.

    The Privacy Series of training modules (published by Popcorn) now has matching Posters (in 11x17, 18x24, and Digital Signage formats) and Security Docs available.

    New Posters and Security One Sheets from the Security Awareness Company

    2018 Creating Strong Passwords module (in each language) was enhanced to make each version more localized.

    Our landing page interface was redesigned and now includes a Copy URL feature.

    Second Chance is now available on our EU server.

    KnowBe4's default landing domain for both servers has changed.

    New API endpoints for Training-related data were released.

    See: KnowBe4 API Reference Guide

    The ability to change the default Date/Time Format in your console was added. This setting can be edited in your Account Settings area.

    Short demo videos for all of KnowBe4's free tools are now available.

    A new version of Active Directory Integration (ADI) has been released that corrects an uncommon error related to using LDAPS to connect to your Domain Controller. ADI tools that are functioning as normal do not need to be updated to the latest version.

    May 2018

    New modules for Gold, Platinum, and Diamond-level subscriptions were added to the ModStore:

    PCI Simplified

    2018 Common Threats, Part 2 - Kyle's Story

    Enhancements were made to our Security Roles feature, allowing you to further limit permissions to only include specific, "targeted groups". See our How to Use Security Roles manual for more information.

    Banners will be added to new, updated, and soon-to-be-retired content in the ModStore. See here for more information on the "Retiring Soon" banner.

    Employee number option was added to Smart Groups.

    Benchmarking data settings on the Dashboard will be saved whenever changed. The setting is at the account-level, meaning all admins on the account will see the same saved settings.

    If you're using our server-based Phish Alert Button (PAB) with Mac OSX, we recommend upgrading to the latest version of High Sierra (10.13 or newer) if you experience issues. See our PAB compatibility matrix.

    You can now remove failures from your phishing tests. All failure types can be removed from a user's timeline (on their individual profile page) or from within an individual Phishing Campaign's report.

    Changes to the Training Campaign Creation Screen were added:

    The "Courses" dropdown has been modified to allow sorting by Published date, Duration, and Title.

    Retired courses will also be hidden by default on this dropdown, but can be displayed if desired.

    The order of courses can now be changed by dragging and dropping the selected courses in the order they should be prioritized.

    17 new modules have been added to the ModStore from publisher ThinkHR for Diamond-level subscriptions. These courses cover a variety of topics, including (but not limited to) sexual harassment, bullying, campus security, and diversity.

    To browse all ThinkHR courses, access the MODSTORE tab from within your console and beneath the Publisher filter, click "ThinkHR".

    24 new posters by Popcorn have been added to the ModStore for Diamond-level subscriptions. These posters correspond to 24 of the Popcorn Cyber Heroes Series, Security Moments Series, and Something Phishy training modules. The posters are available in 11x17 tabloid, 18x24 large poster, and 16:9 digital signage formats.

    44 exploqii video modules are now live in the ModStore for Diamond-level subscriptions. These video modules are currently available in English and German. As well, our exploqii video modules have downloadable versions available in MP4 format and can be added to training campaigns.

    A new Phish Alert Button (PAB) training module is available. This module can be assigned to users within training campaigns as part of the process of implementing the PAB in your organization.

    The module is titled "Using the Phish Alert Button: Report Suspicious Emails" and is available for all subscription levels.

    April 2018

    Mailserver Security Assessment (MSA) was released. This tool allows you to test your email security controls and mail server with over 30 different types of email messages. Using this tool will provide you with the knowledge you need to understand the types of emails and email attachments that can reach your end users.

    See our product manual here: MSA Product Manual

    Modules for Diamond-level subscriptions were added to the ModStore:

    OWASP Top 10

    Executive Awareness and Leadership

    Computer Security & Data Protection

    Mobile Security Basics

    End of the Day Security Challenge

    PCI DSS Retail Store Experience

    A new version of Second Chance was released which adds support for Gmail and Office 365. This new version also includes:

    A new URL report in the console which lets you see what URLs are triggering Second Chance prompts for your users.

    The addition of URL unwinding, which decodes shortened or rewritten URLs to display the actual destination of the link that was clicked.

    The option to specify a Web Proxy during installation.

    Vishing 2.0 was released with support for US and international numbers. There are over 200 built-in templates and 21 different language categories.

    We have modules now available in 20 additional languages in the ModStore for Gold/Platinum/Diamond subscriptions:

    2018 CEO Fraud

    2018 Ransomware

    2018 Safe Web Browsing

    As part of the Popcorn Series "Security Moments", the module Hacking Emotions is now available in the ModStore for Diamond subscriptions.

    March 2018

    Industry benchmarking data was added to KnowBe4's Free Phishing Security Test.

    Popcorn Training was added as a publisher in the ModStore and is available with Diamond-level subscriptions.

    A new version of PAB was released (1.1.17). See our Phish Alert Release Notes for details.

    The EEC Pro has been updated. Customers receiving the previous version of the EEC will now receive the new EEC Pro moving forward. See more here: EEC Pro Product Manual

    The "2018 Mobile Device Security" module is now available in 20 languages (Gold/Platinum/Diamond subscriptions).

    You now have the capability to use our Active Directory Integration (ADI) with Azure Active Directory Domain Services. See our ADI and Azure AD Domain Services article for more information.

    An external (non-KnowBe4) SAML vulnerability was announced and KnowBe4 promptly patched to prevent any issues with this vulnerability.

    See more information here: Vulnerability Note VU#475445

    February 2018

    An API has been released to allow you to pull user and group data from your console.

    See more here: API Reference Guide

    Industry benchmarking data was added to the Dashboard of your console. This allows you to compare your security awareness program's results with those in your industry or others.

    Industry Benchmarking Data

    There has been an update to the whitelisting process for Office 365 mail environments.

    If you have whitelisted our mail servers by IP Address, see here.

    If you have whitelisted our mail servers by email header, see here.

    January 2018

    A video for your end users was released--it explains how to get started with their KnowBe4 training. You can include a link to this video with your training notifications if you'd like to, to help explain the training process.

    End User Training Video

    Phish Alert Button CSV download is now available on the KnowBe4 console Dashboard and shows the number of simulated vs. non-simulated emails reported.

    New Facebook, Office 365, and Netflix Landing Pages were added to System Landing Pages.

    Enhancements were made to all tabs that display email templates. This includes:

    The My Templates, System Templates, and Community Templates tabs under the Phishing portion of the console

    The My Templates and System Templates tabs under the Training portion of the console

    Check out this quick video explaining the changes.

    AwareGO was added as a publisher in the ModStore and is available with Diamond-level subscriptions.

    The "2018 Creating Strong Passwords" module is now available in 20 additional languages (Gold/Platinum/Diamond subscriptions).

    A new version of PAB was released (1.1.16). See Phish Alert Release Notes for details.

    A reporting API for Phishing data was released and allows customers to pull Phishing data from their consoles. For more information, see the links below:

    KnowBe4 API Manual

    A new category of "Security Hints & Tips" templates was added to System Phishing Templates which automatically include your organization logo. Look for the (Branded) tag on the category.

    The MSP/Reseller Console's Dashboard page was updated to include more information, including subscription level and end date, number of active accounts, number of purchased seats, and number of active seats (paid/free/trial).

    Release Date

    Description

    December 2017

    Security Roles feature release

    New customers with Diamond-level subscriptions will not have any training content automatically added to their accounts.

    You can select the content suitable for your organization, from the ModStore. Learn more here.

    Second Chance feature release

    You can enable Second Chance in your existing KnowBe4 account by updating your Account Settings.

    Additions to Training Campaign "Users" page, including the date the user was enrolled, how much time is left for each user, and if the user acknowledged any policy assigned to a training module in a particular campaign.

    Check out this quick video explaining the changes.

    You can now see the length of available videos in the ModStore.

    November 2017

    Securable.io was added to our list of publishers within the ModStore.

    October 2017

    Smart Groups feature release

    Active Directory Integration (ADI) Version 1.0.11.0 released

    This version adds support for synchronizing group membership using a user's primary group. There is no need to upgrade functioning ADI deployments to this new version.

    Update to Free Phishing Test version 2.0 (additional template and landing page options offered) on EU server

    September 2017

    Active Directory Integration (ADI) Version 1.0.10.0 released

    Addresses an issue with group synchronization when using userPrincipalName as the email address. If you are not experiencing issues with your ADI services, there is no need to upgrade your ADI version.

    Phish Alert Button (PAB) Version 1.1.11 released

    Addresses rare scenario where the Outlook Ribbon was disappearing. If you are experiencing this issue please see our Phish Alert Button (PAB) Release Notes. If you are not experiencing issues there's no need to update.

    August 2017

    MSP/Resellers: Ability to import and export Phishing Templates, Landing Pages, and Training Notifications is now available when logging into accounts via your Reseller console.

    We've updated our training notification placeholders to be functional in manager and admin templates. The following placeholders: [[email]], [[first_name]], [[last_name]], and [[display_name]] were updated and can be used in notifications directed towards managers and admins.

    Improvements were made to the User List and Group Member List interfaces. You can now sort all columns, show/hide specific columns, and increase/decrease the number of entries per page.

    Enhancements made to the Phish Alert Button. You can now set up multiple Phish Alert Button instances for your organization, allowing greater PAB customization.

    July 2017

    Automated Security Awareness Program (ASAP) feature release

    Active Directory Integration (ADI) Version 1.0.9.0 released

    Addresses a crashing issue with the ADI service when an Active Directory has missing email address information. If you are not experiencing issues with your ADI services, there is no need to upgrade your ADI version.

    June 2017

    Password-less logins feature released

  • Below is a list of our new feature releases and updates for the KnowBe4 Compliance Manager GRC (KCM GRC) platform.

    The latest list of updates will be displayed at the top of the page.

    2019 Changes

    2018 Changes

    2017 Changes

    Release Date

    Description

    December 2019

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Singapore Personal Data Protection Act

    VDA - Trusted Information Security Assessment Exchange (TISAX)

    November 2019

    From the Vendor Risk Management module, you can now export a CSV file containing the details of a questionnaire that your vendor has completed. For more information, see Exporting Finalized Questionnaires.

    From the Vendor Risk Management module, you can now export a CSV file containing the details of your blank questionnaires. See here for more information.

    The questionnaire builder under the Vendor Risk Management (VRM) module has been completely overhauled to provide a better user experience and additional functionality.

    You can now preview, clone, and export the questionnaires you've created in your questionnaire builder. See this article to learn more.

    We've made the following changes to the Vendor Risk Management module:

    Resolved an issue where Vendor Users were unable to update vendor Issues from their Vendor Portal.

    Resolved an issue where updating/editing a questionnaire name from the Questionnaire - [Questionnaire Name] page did not carry over to previously and currently-scheduled questionnaires.

    Changing the questionnaire name will now change the name of all versions of the questionnaire.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Bank Secrecy Act Examination Manual

    Colorado Data Protection Act

    Internet of Things Assessment Questionnaire

    US Government Auditing Standards

    October 2019

    Resolved an issue with some email clients incorrectly displaying company logo images in email notifications sent from the console.

    We've made the following changes to the Vendor Risk Management module:

    Resolved an issue where the incorrect answer was considered the 'correct answer' for vendor responses when using the 2019 SIG Lite and/or 2019 SIG Full questionnaire templates. These changes affected 46 questions in total. This will also update the Vendor Score for all affected vendors. If you'd like details about the answer changes, please reach out to our Support team.

    Resolved an issue where deleted questionnaires were not being removed from the Questionnaire List.

    Made minor visual changes to the way you view questionnaire schedules. For more information, see the Schedules tab under the Working with Vendor Profiles (Vendor Details) section of this article.

    We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to KCM GRC, and the remaining KnowBe4 product line over the previous quarter.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    American Land Title Association Assessment Procedures

    Association of Corporate Counsel (ACC) Model Information Protection and Security Controls for Outside Counsel

    Canada's Anti-Spam Legislation

    Cayman Islands Data Protection Law

    Cloud Computing Compliance Controls Catalogue

    Illinois Personal Information Protection Act

    North Carolina Identity Theft Protection Act

    UK Data Security and Protection Toolkit

    The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Secure Controls Framework v2019.6

    September 2019

    Regarding the Questionnaire Templates offered under the Vendor Risk Management (VRM) module, we've resolved an issue where the incorrect answer was considered the 'correct answer' for vendor responses. This change affects any questionnaire that includes the question(s) below. Therefore, this will also update the Vendor Score for all applicable vendors. For more information, please reach out to our Support team.

    Affected Questionnaire Templates: 2019 SIG Lite, 2019 SIG Full

    Affected Questions: D.7 Are Constituents able to view client's unencrypted Data?

    The 'correct answer' has been changed from "Yes" to "No"

    Regarding the Vendor Risk Management (VRM) module, we've fixed an issue in the questionnaire builder where the question text wasn't fully visible if it were longer than a single line.

    This issue also impacted "free-form" responses from vendors. The issue has now been resolved.

    Regarding the Vendor Risk Management (VRM) module, we've fixed an issue where questionnaire questions were displayed in an incorrect order for vendor users and for KCM administrators when they were completing or reviewing questionnaires, respectively.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Connecticut Insurance Data Security Law

    Lexcel England and Wales for In-house Legal Departments

    Lexcel England and Wales for Legal Practices

    Lexcel International

    Portugal Data Protection Law

    Sarbanes Oxley Act

    UK Data Protection Act

    August 2019

    If you're using OneLogin or Okta as your SSO/SAML provider, you can configure your single sign-on by adding the "KCM GRC Platform" application to your provider's portal. See this article for more information.

    The following enhancements have been made to the Vendor Risk Management (VRM) Module:

    Regarding evidence due dates when using EDR, you can now override the default Effective Date Range Settings (found under Account Settings ) on a per-control basis. See this article for more information.

    You can now manually offset the Vendor Score found under each vendor profile. From the Vendor Details page, click the Update button to change the existing Vendor Score.

    You can now include informational questions in your vendor assessments. These questions are not counted against the questionnaire score.

    Vendor Users can now edit their questionnaire answers after they have been saved, before the questionnaire has been finalized.

    You can now permanently delete vendor profiles from the Vendor List area of your VRM module.

    You can now permanently delete questionnaires from the Questionnaire List area of your VRM module.

    Fixed an issue in the questionnaire builder where you could save questions without adding answer options and were unable to configure the questionnaire as a result.

    Fixed an issue where auditor users were able to view tasks that had not been approved by an approving manager. Auditor users can only see tasks and task evidence that has been approved. See this article for more information about KCM user role permissions.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Australian Privacy Act

    Australian Prudential Standard CPS 234

    BDSG - German Federal Data Protection Act

    MDSAP - Australia: Therapeutic Goods (Medical Devices) Regulations

    MDSAP - Brazil: RDC (16, 23, 67)

    MDSAP - Canada: Medical Devices Regulations

    MDSAP - Japan: MHLW MO 169

    MDSAP - USA: Title 21 Food and Drug Regulation

    New Hampshire Senate Bill 193 v8.2019

    Privacy Shield Framework - EU-US

    Privacy Shield Framework - Swiss-US

    Texas House Bill 4390 - Privacy Protection Act

    July 2019

    The KCM GRC platform now supports single sign-on and SAML 2.0 to allow your users to quickly and easily log in to KCM using your organization's single sign-on, without having to set up or use a password. See this article for more information.

    Under the Policy Management module, we've fixed an issue where "Invalid Date" was incorrectly showing under Policy Management > Campaigns > Campaign Name > Users tab (in Safari browsers).

    We've updated the Quarterly Product Update video in our Knowledge Base. This video covers new features that have been added to the KnowBe4 product line over the previous quarter.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Brazilian Internet Law

    Commonwealth of Virginia Hosted Environment Information Security Standard SEC 525

    FERPA

    Financial Conduct Authority Handbook (UK)

    Interagency Guidelines - Information Security Standards

    ISO 27002

    Texas Administrative Code 202 - State Agencies

    Texas Administrative Code 202 - Institutions of Higher Education

    UK Public Sector Network Code of Connection

    The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    CJIS Security Policy v5.8

    HIPAA Privacy and Breach Rule

    HIPAA Security Rule

    The following enhancements have been made to the Vendor Risk Management (VRM) Module:

    When reviewing vendor questionnaires, you can now filter questions by the following: incorrect answers, answers with attachments, answers with issues, and informational questions.

    When reviewing vendor questionnaires, incorrect answers are now visually notated by a red line on the left-hand side of the question.

    In response to the significant growth of KCM GRC, the architecture of your platform was upgraded on July 17, 2019. This upgrade improves performance and allows us to better serve you by streamlining platform administration and maintenance.

    June 2019

    The following enhancements have been made to the Vendor Risk Management (VRM) Module:

    When creating questionnaires, you can now upload a CSV file of custom questions. See here for details.

    When reviewing questionnaires, you can now change the score of vendor responses from the Questionnaire Review and Issue Details pages.

    When sending (scheduling) a questionnaire, you can set a suggested due date. The questionnaire assessee will see the due date in their email notification, and in their vendor portal.

    A Scheduled Questionnaires Calendar has been added to the Vendor Management Dashboard. All questionnaires are listed on the day they were sent or will be sent.

    You can now cancel active questionnaires from the Assigned Questionnaires tab, under the Vendor Details page.

    You can now cancel questionnaire schedules (questionnaires to be sent) from the Schedules tab, under the Vendor Details page.

    If your vendor did not receive the email notification for their assigned questionnaire, you can now generate and send their login link from the Assigned Questionnaires tab, under the Vendor Details page.

    You can now archive questionnaires that have not been sent or scheduled.

    Vendor Administrator users can now view vendor profiles and questionnaires that have been archived. See this article to learn more about KCM user role privileges.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Gramm-Leach-Bliley Act Privacy Rule

    Gramm-Leach-Bliley Act Safeguard Rule

    IRS Publication 1075

    May 2019

    You can now follow this article to stay informed of the new and updated Managed Templates available for your account. Our team ensures we have the up-to-date versions of these frameworks available for your use. Contact your Customer Success Manager to have additional templates added to your account.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    ASD Information Security Manual v3.2019

    Commonwealth of Virginia ITRM Standard SEC501 v10.1

    UK Ministry of Defence - Defence Standard Low Profile

    UK Ministry of Defence - Defence Standard Moderate Profile

    UK Ministry of Defence - Defence Standard High Profile

    The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    CIS Critical Security Controls Group 1 7.1

    CIS Critical Security Controls Group 2 7.1

    CIS Critical Security Controls Group 3 7.1

    April 2019

    The Vendor Risk Management (VRM) module was released.

    The VRM module lets you centralize your third-party risk management processes by prequalifying risk, assessing your vendors, and conducting remediation efforts in your KCM GRC platform. See our Introduction Guide to learn more.

    Updates were made to the User Roles available in your account. This includes updates to the User Management and User Profile pages in your account. See more information in our Working with Users article.

    You can now manage evidence submission settings (DocuLinks and documents) at the scope level in addition to the account-wide settings. See more information in our Managing Account Settings article, here.

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    NCUA ACET v1.0

    DFARS NIST 800-171 SA v11.2017

    HMG Security Policy v1.0

    Massachusetts Data Privacy Regulation v2009

    The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    CIS Critical Security Controls 7.1

    CIS Critical Security Controls 7 to 7.1_Changes

    March 2019

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    PCI DSS SAQ A

    PCI DSS SAQ B

    PCI DSS SAQ B-IB

    PCI DSS SAQ C

    PCI DSS SAQ C-VT

    PCI DSS SAQ D Merchants

    PCI DSS SAQ P2PE

    PCI DSS - SAQ D Service Providers v3.2.1

    Secure Controls Framework

    OWASP Level 1 v4.0

    OWASP Level 2 v4.0

    OWASP Level 3 v4.0

    February 2019

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    Financial Services Sector Coordinating Council (FSSCC) v1.0

    NIST SP 800-171 Appendix E v2016

    FedRAMP High Baseline Controls v8.2018

    FedRAMP Moderate Baseline Controls v8.2018

    FedRAMP Low Baseline Controls v8.2018

    FedRAMP LI-SaaS Baseline v8.2018

    NIST 800-53 High-Impact Baseline rev4

    NIST 800-53 Moderate-Impact Baseline rev4

    NIST 800-53 Low-Impact Baseline rev4

    International Traffic in Arms Regulations (ITAR) v12.2018

    The following are updated Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    NIST 800-53 rev4

    January 2019

    The following are new Managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    PCI DSS - Self-Assessment Questionnaire A-EP v3.2.1

    AB-375 Consumer Privacy Act of California v1.0

    NAIC MDL - Insurance Data Security Law v4th Quarter 2017

    PIPEDA v12.2018

    HITECH v2.2009

    The following are updated managed Templates now available for your account (contact your Customer Success Manager to have additional Templates added to your account):

    HIPAA Privacy and Breach v1.0

    HIPAA Security Rule v1.0

    PCI DSS Appendix A v3.2.1

    CJIS Security Policy v5.7

    SWIFT CSP v2019

    Release Date

    Description

    December 2018

    New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):

    SSAE18 SOC2 TSC (AT-C 105/205)

    The ability to create Risk tags was added.

    Added a new tab called Risk Settings to the Account Settings page where you can manage custom categories and risk tags.

    You can now create, edit, delete, and CSV upload custom Risk templates.

    November 2018

    New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):

    NIST SP 800-171 A

    Added the user role Risk Administrator.

    Added the ability to map controls to a risk.

    Added the Risk Management report. See here for more information.

    Added the ability to export the Evidence Repository to a CSV file.

    October 2018

    The Risk Management Module has been added to KCM GRC.

    Risk Management simplifies the processes of identifying, assessing, and managing the risks faced by your organization. See here for more information.

    The threat Quick Add screen was added. For more information, see here.

    The View Risk screen was added. See here for more information.

    Added the ability to upload risk templates with a CSV file from the Risk Templates screen.

    Added the ability to import risks to the risk registry with a CSV file.

    Added sample CSV files to download and use as a template when using a CSV file for imports.

    Added colors for the different Risk categories.

    September 2018

    The ability to Clone Scopes was added.

    A new Managed Template is now available as a result of revisions to NIST SP 800-171 Rev. 1 (contact your Customer Success Manager to have additional Templates added to your account):

    NIST SP 800-171 Rev. 1 (updated 06/07/2018)

    June 2018

    Executive Reporting features have been added to KCM GRC.

    Executive Reports give you the ability to send status reports for one or more Scopes at a frequency you choose. See here for more information.

    Two new Managed Templates are now available as a result of revisions to PCI DSS (contact your Customer Success Manager to have additional Templates added to your account):

    PCI DSS v3.2.1:

    The most current Template for this publication (supersedes PCI DSS v3.2)

    PCI DSS Changes v3.2.1:

    Consists only of the changes made to this publication since the previous KCM GRC Template (PCI DSS v3.2)

    May 2018

    Multi-Factor Authentication is now available for your KCM GRC platform.

    New versions of Managed Templates are now available (contact your Customer Success Manager to have additional Templates added to your account):

    CIS Critical Security Controls 7

    NIST Cybersecurity Framework v1.1

    NIST SP 800-171 Rev. 1 (Updated 2/20/2018)

    April 2018

    New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):

    General Data Protection Regulation (GDPR)

    The Policy Management module was added to KCM GRC.

    Policy Management allows you to easily track and manage your organization's policy distribution and user acknowledgments. See here for more information.

    February 2018

    New Managed Template now available (contact your Customer Success Manager to have additional Templates added to your account):

    UK Cyber Security Essentials

    January 2018

    Two new Managed Templates are now available as a result of revisions to NIST SP 800-171 (contact your Customer Success Manager to have additional Templates added to your account):

    NIST SP800-171 2017:

    The most current Template for this publication (supersedes NIST SP800-171 2015)

    NIST SP 800-171 Changes 2015-2017:

    Consists only of the changes made to this publication since the previous KCM GRC Template (NIST SP800-171 2015)

    Release Date

    Description

    December 2017

    Improved reporting features, such as Gantt charts and additions to the Evidence Repository table

    November 2017

    New and improved account settings features:

    Ability to add a display name and company logo

    Ability to restrict access to allow only certain IPs

    Limit control and task documents to DocuLinks and/or uploads

    Hide your console from KCM GRC support

    Configure the time needed to prepare evidence for ongoing tasks, when using the Effective Date Range (EDR) feature.

    Effective Date Range (EDR) feature release:

    Allows admins to set start, end, and due date for tasks.

    End date/Due dates are dependent on Frequency of task. Frequency settings can be manually adjusted in Account Settings.

    Start, end, and due date can be modified within each Task.

    Set up an advanced, one-time task:

    Allows admins to set up a one-time task with a start, end, and due date.

  • What Templates Are Available for My KCM GRC Platform?

    We offer a wide variety of managed templates for your use in the KCM GRC platform. Our team ensures that we have the up-to-date versions of the published framework available for your use. Here is an inventory of our active templates. Please contact your KCM Customer Success Manager if you'd like to add one of these templates to your console.

    ACCSC Self Evaluation v2015

    American Land Title Association Assessment Procedures v2.5

    Association of Corporate Counsel (ACC) Model Information Protection and Security Controls for Outside Counsel v2017

    Australian Signals Directives Information Security Manual v3.2019

    Australian Privacy Act v12.2018

    Australian Prudential Standard CPS 234 v7.2019

    Bank Secrecy Act Examination Manual v2014

    BDSG - German Federal Data Protection Act v6.2017

    Brazilian Internet Law v2018

    California Consumer Privacy Act AB-375_v1.0

    Canada's Anti-Spam Legislation (CASL) v2019

    Cayman Islands Data Protection Laws v6.2017

    CIS Critical Security Controls Implementation Group 1 7.1

    CIS Critical Security Controls Implementation Group 2 7.1

    CIS Critical Security Controls Implementation Group 3 7.1

    CJIS Security Policy v5.8

    Cloud Computing Compliance Controls Catalogue v9.2017

    Cloud Security Alliance - CCM v3.0

    Colorado Data Protection Law v9.2018

    Commonwealth of Virginia Hosted Environment Information Security Standard SEC 525 v03.1

    Commonwealth of Virginia ITRM Standard SEC501 v10.1

    Connecticut Insurance Data Security Law v10.2019

    DFARS NIST 800-171 SA v11.2017

    Electricity Subsector Cybersecurity Capability Maturity Model v1.2014

    FDA 21CFR11 v4.2016

    FedRAMP High Baseline Controls v8.2018

    FedRAMP LI-SaaS Baseline v8.2018

    FedRAMP Low Baseline Controls v8.2018

    FedRAMP Moderate Baseline Controls v8.2018

    FERPA v12.2011

    FFIEC Cybersecurity Tool 2015

    Financial Services Sector Coordinating Council (FSSCC) v1.0

    General Data Protection Regulation (GDPR) v1.0

    Gramm-Leach-Bliley Act Privacy Rule v5.2000

    Gramm-Leach-Bliley Act Safeguard Rule v6.2016

    HIPAA Privacy and Breach v1.0

    HIPAA Security Rule v1.0

    HITECH v1.0

    Illinois Personal Information Protection Act v2019

    Interagency Guidelines - Information Security Standards v8.2013

    Internet of Things Assessment Questionnaire v3.0

    IRS Publication 1075 v9.2016

    ISO 27001 2013

    ISO 27001 2013 Annex

    ISO 27002 2013

    ITAR 12.2018

    Lexcel England and Wales for In-house Legal Departments v6.1

    Lexcel England and Wales for Legal Practices v6.1

    Lexcel International v5.1

    Massachusetts Data Privacy Regulation

    MDSAP - Australia: Therapeutic Goods (Medical Devices) Regulations 2002 v7.2019

    MDSAP - Brazil: RDC (16, 23 and 67) v1.0

    MDSAP - Canada: Medical Devices Regulations v6.2019

    MDSAP - Japan: MHLW MO 169 v2014

    MDSAP - USA: Title 21 Food and Drug Regulation v1.0

    NAIC MDL - Insurance Data Security Law 4th Quarter 2017

    NCUA ACET v1.0

    New Hampshire Senate Bill 194 v8.2019

    NIST Cybersecurity Framework v1.1

    NIST SP 800-171 A

    NIST SP 800-171 Appendix E_v2016

    NIST SP 800-171 Rev 1

    NIST SP 800-53 rev4

    NIST SP 800-53 rev4 High-Impact Baseline rev4

    NIST SP 800-53 rev4 Moderate-Impact Baseline rev4

    NIST SP 800-53 rev4 Low-Impact Baseline rev4

    NIST SP 800-53 Privacy rev4

    North Carolina Identity Theft Protection Act v2005

    NY DFS Cybersecurity Requirements 2017

    OCIE Cybersecurity Initiative 2014

    OWASP Level 1 v4.0

    OWASP Level 2 v4.0

    OWASP Level 3 v4.0

    PCI DSS v3.2.1

    PCI DSS Self Assessment Questionnaire A v3.2.1

    PCI DSS Self Assessment Questionnaire A-EP v3.2.1

    PCI DSS Self Assessment Questionnaire B v3.2.1

    PCI DSS Self Assessment Questionnaire B-IB v3.2.1

    PCI DSS Self Assessment Questionnaire C v3.2.1

    PCI DSS Self Assessment Questionnaire C-VT v3.2.1

    PCI DSS Self Assessment Questionnaire D Merchants v3.2.1

    PCI DSS Self Assessment Questionnaire D Service Providers v3.2.1

    PCI DSS Self Assessment Questionnaire P2PE v3.2.1

    PCI DSS Appendix A v3.2.1

    Personal Information Protection and Electronic Documents Act (PIPEDA) v. SC 2000, c. 5

    Portugal Data Protection Law v1.2019

    Privacy Shield Framework - EU-US v1.0

    Privacy Shield Framework - Swiss-US v2017

    Sarbanes Oxley Act v7.2002

    SEC OCIE Cybersecurity Examination Initiative 2015

    Secure Controls Framework v2019.6

    Singapore Personal Data Protection Act v11.2012

    SSAE16 SOC2 TSP and Privacy 2017

    SSAE18 SOC2 TSC (AT-C 105/205)

    SWIFT CSP v2019

    Texas Administrative Code 202 - Institutions of Higher Education v2016

    Texas Administrative Code 202 - State Agencies v2016

    Texas House Bill 4390 - Privacy Protection Act v6.2019

    UK Cyber Security Essentials 2

    UK Data Protection Act v2018

    UK Data Security and Data Protection Toolkit v1.9.6

    UK Financial Conduct Authority Handbook v4.2019

    UK HMG Security Policy v1.0

    UK Ministry of Defence - Defence Standard 05-138 Issue 2 Low Profile

    UK Ministry of Defence - Defence Standard 05-138 Issue 2 Moderate Profile

    UK Ministry of Defence - Defence Standard 05-138 Issue 2 High Profile

    UK Public Sector Network Code of Connection v1.31

    US Government Auditing Standards v7.2018

    VDA - Trusted Information Security Assessment Exchange (TISAX) v4.1.1

  • How to Install and Use the Phish Alert Button for the Outlook Mobile App (iOS and Android) and Office 365

    The Phish Alert Button (PAB) add-in for the Microsoft Outlook mobile app (iOS and Android) and Office 365 gives your end-users the ability to report suspicious emails from not only their computer but from their mobile inbox as well. This empowers your employees to take an active role in managing the problem of phishing and other types of malicious emails. The tool can also provide your IT or Risk Management team with early warning of possible phishing attacks or malicious emails so they may take timely and effective actions to prevent security breaches or network compromise.

    We encourage you to inform all of your users of this tool before making it accessible. Below are helpful resources that you can use to assist with your implementation of the PAB:

    Best Practices for PAB Implementation (For admins)

    How Do I Use the Phish Alert Button for Office 365? (For end-users)

    Paid Integration: If you are using our full-featured Phishing and Training console, the PAB will also track if your users report our simulated phishing emails, so you can see which users are successfully identifying potentially malicious emails.

    Note:

    For more information on PAB's compatibility with different mail clients and servers, click here.

    Jump to: Installation prerequisites How to install How to uninstall User experience

    Outlook app (for Android)

    Outlook app (for iOS)

    Additional resources Frequently Asked Questions (FAQs)

    Installation prerequisites

    This installation requires one of the following servers:

    Office 365

    Exchange Server 2016 (Hybrid only) - version 15.1.544.27 (CU3) or newer

    This version can be used on the following mail clients:

    Office 365 OWA

    Outlook 2016 for Windows (Click-to-Run install only)

    Outlook 2019 for Windows

    Outlook 2016 for Mac

    Outlook for iOS

    Outlook for Android

    You must enable and configure your PAB in the KnowBe4 admin portal. You'll also need to download the following file to begin installation:

    O365Manifest.xml

    For instructions on how to enable and configure your PAB in the admin portal, visit our main PAB article.

    If you are using Internet Explorer, the following steps need to be performed in order for the PAB to run on your PCs:

    Go to the Internet Options section of Internet Explorer and click the Security tab.

    Inside the Internet Sites Zone box, check the Enabled Protected Mode box.

    Click OK.

    Note:

    Microsoft disables the use of add-ins in shared mailboxes and folders. Users will only be able to access the PAB add-in from their primary mailbox.

    How to install

    Step 1: Log in to your mail server Admin portal. Under the Settings menu, click Services & add-ins.

    Step 2: From the Exchange Services & add-ins screen, click Deploy Add-In. This will take you to the Centralized Deployment add-in management screen.

    Step 3: From the Centralized Deployment area, click the I have the manifest file (.xml) on this device radio button and then select the Browse option.

    Step 4: A file browser pop-up window opens. Locate and add the O365Manifest.xml file from your Account Settings and click the Next button to install.

    Step 5: Select which users will have access to the add-in and which deployment method to use. We recommend that you make the add-in accessible to Everyone and use the Fixed deployment method. You will need to click (View options) to edit the deployment method.

    Note:

    If you'd only like to enable this version of the PAB to specific distribution groups in O365, see step 6 in our Multiple PAB Instances in Exchange or Office 365 article for details on this process.

    This is how the add-in should look once configured in the Services & add-ins area:

    Note:

    It can take up to an hour for the PAB add-in to be visible on Office 365.

    How to uninstall

    Step 1: Log in to your mail server Admin portal. Then, navigate to Settings > Services & add-ins.

    Step 2: Highlight the Phish Alert add-in. Then, click the Delete Add-In icon.

    User Experience

    Once installed, the PAB add-in will be available from any open email in the compatible mail clients, including the Outlook app for iOS and Android.

    In O365, the Phish Alert Button will appear in the drop-down menu on an open email, as shown below.

    A user can report any email as a phishing email. The reported email will be in the user's Sent Items as a forwarded message and will be deleted from the user's inbox. If the user incorrectly reported the email, they can retrieve it from their Deleted items/Trash.

    Outlook Mobile App (for Android)

    If users want to report an email using the PAB from the Outlook App on an Android device, they'll first tap the three dots at the top right of the screen, as shown below.

    Then, they'll see Phish Alert listed in their add-ins.

    Once they've selected the Phish Alert add-in, they'll be brought to the screen shown below to confirm that they want to report the email. From this screen, they'll tap the Mobile Phish Alert button to confirm submission.

    After the email has been reported, the message you've set in your Account Settings will display, as shown below. Click OK to dismiss the message.

    Outlook mobile app (for iOS)

    If users want to report an email using the PAB from the Outlook App on an Apple device, they'll first click the three dots at the top right of the screen, as shown below.

    Then, they'll see Phish Alert listed in their add-ins.

    Once they've selected the Phish Alert add-in, they'll be brought to the screen shown below to confirm that they want to report the email. From this screen, they'll tap the Mobile Phish Alert button to confirm submission.

    After the email has been reported, the message you've set in your Account Settings will display, as shown below. Click the OK button to dismiss it.

    Additional Resources

    Phish Alert Button Guide for Exchange 2013/2016 (Server-based)

    Video: PAB Installation and User Experience

    How Do I Change the Phish Alert Text for Server-Based PAB (Exchange & Office 365)

    Multiple Phish Alert Button Instances (Multi-PAB): Office 365/Exchange

    PAB Compatibility Matrix

    Frequently asked questions (FAQs)

    Below are questions you may have regarding the Office 365 PAB. If you don't see your question answered below, contact support.

    Q: My users aren't seeing the PAB in their Outlook app on their phones. Why? A: When installing the PAB, did you make the add-in mandatory? This is step 5 of the installation process. The PAB will not appear in Outlook for mobile if the add-in was not deployed using the Fixed method. Your users must enable the PAB themselves in their Outlook app settings.

    Q: Can I publish the PAB add-in using any other method? A: Yes, the add-in can also be sideloaded. Please contact support for assistance.

  • Introduction to the KCM GRC Vendor Risk Management Module

    The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. You can even set a frequency for how often your vendors are assessed to continually monitor the associated risk. The VRM module is available to Platinum subscriptions.

    This article provides an overview of the workflows and areas of the console you'll become familiar with when working in the VRM module. The jump links below are listed in the recommended order of steps you will take to implement your Vendor Risk Management module. See each section to learn more.

    Jump to:

    Before You Begin

    Creating Questionnaires

    Configuring and Finalizing Questionnaires

    Adding Vendor Profiles to your Vendor List

    Adding Vendor User Accounts

    Sending Questionnaires

    Vendor Experience

    Reviewing Questionnaires and Creating Issues (KCM User)

    Responding to Issues (Vendor)

    Closing Issues (KCM Administrator)

    Frequently Asked Questions

    Before You Begin

    Before you begin using your VRM module, here are a few things you might consider to better implement this platform into your third-party risk management program.

    What types of KCM GRC user roles will I create for users working in the VRM module?

    As an account administrator, you can assign the following user role so they can work in all areas of the Vendor Risk Management module:

    Vendor Administrator

    As a vendor (or account) administrator, you'll create user accounts for your questionnaire assessees or the individuals completing questionnaires on behalf of the third-party organization (see: Add Vendor User Accounts). These user accounts will have the following role:

    Vendor User

    What kinds of questionnaires will I need for the different types of third-party affiliates working with my organization?

    KCM GRC offers industry-standard templates to build questionnaires, and you can also create custom questions for your vendor assessments. Learn more in our Creating and Configuring Questionnaires article.

    What is the best workflow, or order of tasks for onboarding with my VRM module?

    The jump links at the top of this article are listed in order of our best practice workflow recommendation for implementing the VRM module into your risk management program.

    Creating Questionnaires

    You'll create your vendor questionnaires from the Questionnaire List section of your console. You'll use the questionnaire builder to create fully-custom questionnaires, use questions from the industry-standard templates provided, or create questionnaires composed of both free-form questions and questions from the templates.

    For details, see the Creating Questionnaires section of our Vendor Risk Management Module: Creating and Configuring Questionnaires article.

    Configuring and Finalizing Questionnaires

    Once you've added questions to your questionnaire, you will configure points for each answer in order to "score" your vendor on their assessment responses. After you assign points to each question, you will mark the questionnaire as "configured", then it must be reviewed once more before it can be sent.

    For details, see the Configure Questionnaire Points section of our Vendor Risk Management Module: Creating and Configuring Questionnaires article.

    Adding Vendor Profiles to your Vendor List

    Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendor List area of the VRM module. Creating vendor profiles helps you prequalify the level of risk associated with the third-party. You'll then use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses.

    For details, see the Adding New Vendor Profiles section of our Vendor Risk Management Module: Working with the Vendor List article.

    Adding Vendor User Accounts

    Once you're ready to send your questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal associated with your account, a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses.

    For details, see the Adding User Accounts for Vendor Contacts section of our Vendor Risk Management Module: Working with the Vendor List article.

    Sending Questionnaires

    Once you've finalized your questionnaire and added a user account for the questionnaire assessee, you can send the questionnaire directly from the vendor's profile in your VRM module.

    For details, see the Sending Questionnaires to Vendors section of our Creating and Configuring Questionnaires article.

    Vendor Experience

    This section provides an overview of the vendor's experience when completing your questionnaire. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.

    Once you've sent the questionnaire, the questionnaire assessee will receive an email requesting them to complete the questionnaire. Once they've activated their account (see: Adding Vendor User Accounts, above), they'll log in and see the Vendor Portal Dashboard, as shown below.

    From the Questionnaires portion of the screen, the assessee will click the link under the Name or Template columns (shown above) to begin the questionnaire(s) you've assigned.

    The assessee will answer the questions by selecting one or more checkboxes, a multiple choice answer, or by typing a response in the Answer field, depending on which answer type(s), or template(s) you used for your questionnaire. Then, they must use the Save button to finalize each answer.

    Questionnaire assessees are also able to add comments or upload supporting files for each of the questions, by using the Add Comment or Attach File buttons, shown above.

    The file attachment limitations for individual questions are as follows:

    File Size: Maximum of 5 MB (for each question)

    File Name: Maximum of 250 characters (including the file extension)

    File Types: Please see this question in our Frequently Asked Questions article for details

    Once the user has finished the questionnaire, they'll click the Finalize Questionnaire button at the bottom of the page. You'll receive an email notification and the questionnaire will be available for review in KCM.

    Reviewing Questionnaires and Creating Issues (KCM Administrator)

    Once your vendor contact has completed your questionnaire assessment, the KCM GRC Vendor Owner will receive an email notification. You will review questionnaires from the applicable vendor profile, under the Vendor List area of your console.

    If the vendor provided an undesirable answer to one or more questions, you'll create an "issue" to request additional information or to further discuss your concern with the vendor.

    For more information about reviewing questionnaires and creating or responding to issues, please see this article.

    Responding to Issues (Vendor)

    This section provides an overview of the vendor's experience when responding to the issues you've created as a result of their questionnaire responses. If you'd like to share an instructional guide with your vendors, see our Guide for Vendor Users article.

    When you create an issue in response to the vendor's answer to a question, the vendor receives an email informing them of the issue. See the steps below for an explanation of how the vendor will address the issues you've created.

    They'll log in to their vendor portal to respond to the questionnaire issues. The vendor can see the open issues either from their Vendor Dashboard or by clicking Issues from the navigation panel on the left-hand side of their account, as shown below.

    The vendor will click on an Issue Description to open the issue, as shown below.

    The vendor can then type a response to your issue in the Response field, and click the Save Response button to send the response to your account.

    Closing Issues (KCM Administrator)

    Once you're satisfied with the vendor's response, you will close the questionnaire issue. Please see this article for instructions.

    Frequently Asked Questions

    Question: How do I know when my vendor has completed their Questionnaire?

    Answer: The owner of the vendor profile will receive an email when the questionnaire is complete. The KCM user who created the vendor profile is the vendor owner. You can view and modify the Vendor Owner from the Vendor Details page.

    You can also see the status of the questionnaire at any time by looking under the vendor's profile in your KCM GRC account. Navigate to the vendor profile by selecting Vendor Management, then Vendor List from the navigation panel. Click on the vendor's name from the vendor list, then click the Assigned Questionnaires tab in the center of the page. The Status and Progress columns will show the questionnaire's current status.

    If you're waiting on the vendor to complete the questionnaire, you can use the Nudge User button from this tab to automatically send them another email.

    Question: When adding a new vendor to my Vendor List, will my vendor receive an email when I add the Contact Email from the Create New Vendor Page?

    Answer: No. After you've saved the vendor profile to your Vendor List, you'll go back into the vendor profile and create a KCM GRC user account for your vendor from the Contacts tab. See the Add Vendor User Accounts section above for more information.

    Question: Where do I instruct my vendor to log in to complete the questionnaire?

    Answer: Your vendor can use the link in the email they receive when you send a questionnaire. Alternatively, you can provide your vendor with the same URL that you use to log into your KCM GRC account. The vendor's login credentials will direct them to the vendor portal to complete the questionnaire. If you'd like to share an instructional guide with your vendors, please see our Guide for Vendor Users article.

    Question: Will the vendor receive an email once I've created issues in a questionnaire?

    Answer: Yes. Once you've reviewed the questionnaire and created one or more issues, the vendor user will receive one email notification with a link to log in to the console.

    Question: Why can't I send questionnaires from my vendor's profile?

    Answer: If the Send Questionnaire button is disabled under the Available Questionnaires tab, you will need to change the Vendor Status to Active before they're able to receive questionnaires. See step 3, here for more information.

  • Creating and Managing Vendor Profiles in KCM GRC

    The Vendor Risk Management (VRM) module in KnowBe4's KCM Governance, Risk, and Compliance (GRC) platform lets you centralize your third-party risk management processes. You can prequalify risk, assess your vendors, and conduct remediation efforts all in one platform. The VRM module is available to Platinum subscriptions.

    As part of working in the VRM module, you will create a "vendor profile" for each of the internal or external third-parties that you will be working with. The vendor profile helps you prequalify the level of risk associated with the third-party. You'll then use vendor profiles to send questionnaire assessments and to work through any issues that may arise from assessment responses.

    Note:

    As a best practice for onboarding with the VRM module, we suggest creating questionnaire assessments before creating vendor profiles. See our Vendor Risk Management Module: Introduction Guide for the full suggested order of workflow for onboarding with your VRM module.

    See the sections below to learn about creating new vendor profiles, adding vendor contacts (vendor users), and working in vendor profiles in your KCM GRC account.

    The Vendor List

    Vendor profiles are found in the Vendor List area of your VRM module, which serves as a central repository of internal and external vendor profiles.

    Much of your VRM workflow will be carried out through vendor profiles, for example:

    Adding user accounts for vendor contacts

    Sending questionnaires

    Reviewing questionnaires

    Creating issues for questionnaire responses

    Communicating with vendors about questionnaire issues

    Closing questionnaire issues

    Once you've added vendor profiles to your account, your Vendor List will look similar to the image below.

    The Name column displays the third-party organization's name. Click on the name of the organization to open their vendor profile.

    The Contact Name will be the name of your primary contact at the third-party company.

    The Status of the vendor profile can be any of the following: Active, Inactive, Pending Approval, Rejected, Incomplete. Vendor profiles must be in Active status before you can send questionnaire assessments to this vendor.

    You'll select the vendor Type when creating the vendor profile. The vendor type will be Internal or External.

    The vendor Score is calculated after the vendor has completed one or more questionnaire assessments. For more information about vendor score, see the Working With Vendor Profiles section, below.

    The Data Categories represent the types of data that the third-party will store, process, or transmit in order to carry out operations for your organization. You'll add the data types when creating the vendor profile. For details, see the Organization Contact Details section, below.

    See the next section to learn more about adding new vendors to your vendor list.

    Adding New Vendor Profiles

    Before you begin sending questionnaires to your vendors, you'll create vendor profiles under the Vendor List area of the VRM module. By adding contact information and other details relevant to business operations, the vendor profile helps you prequalify the level of risk associated with each third-party.

    To create a vendor profile, you'll start by adding the Organization Contact Details, then you'll answer Qualifying Questions to prequalify the level of risk associated with each third-party or vendor. Before you can send questionnaires to your vendors, you'll create user accounts for the individuals who are responsible for completing your questionnaire assessments. Follow the next three sections to complete the vendor onboarding process in your VRM module:

    Organization Contact Details

    Qualifying Questions

    Adding User Accounts for Vendor Contacts

    Organization Contact Details

    Navigate to the Vendor List area by selecting Vendor Management from the navigation panel, then click Vendor List.

    You have two options for adding the organization's contact details. You can either import a CSV file or add the information directly to your console:

    To upload the contact details, click the Import Vendor CSV button from the Vendor List page. The CSV file should have the following header line: name,primary_contact_name,primary_contact_email,mail_address,city,state,postal_code,country,phone

    All fields except postal_code are mandatory. The separator should be a comma (,) and the file should be a valid CSV.

    To add the contact details manually, click the Create New Vendor button from the Vendor List page, then add information to the fields outlined below.

    Name: The name of the internal or third-party organization that you are working with and/or sending assessments to.

    Contact Name: The name of the primary person/contact you will be working with for questionnaire assessments.

    Contact Email: The email address of the person you've listed for the Contact Name, above.

    Important:

    The email address you enter for the Contact Email is where automatic email notifications are sent when requesting your vendor to complete a questionnaire. However, for them to complete the questionnaire, you'll need to create a user account for your vendor contact. See the Adding User Accounts for Vendor Contacts section below for details.

    Telephone: The telephone number for either the organization or for the primary vendor contact at the organization.

    Website: (Optional) The web address for the third-party organization.

    Vendor Type: Select Internal or External. For example, an internal vendor may be a contracted business unit that provides services to your organization, while an external vendor is one outside of your organization.

    Street Address: Use this and the remaining fields to add the third-party organization's address. If the United States is selected for the Country field, the Region field name will change to State.

    After you've added the contact details, continue adding the Organization Overview details, as outlined below.

    Organization Industry: Select the vendor's industry from the drop-down menu.

    Data Types: Select all applicable categories of data that your vendor will store, process, or transmit in order to carry out operations for your organization. If the listed data types are not applicable, select Other. Click the drop-down below for details about the data types.

    Vendor Details: Data Types (Acronym - Data Type: Description)

    CPI - Client Privileged Information: Any information that is considered confidential communication between an attorney and their client.

    CUI - Controlled Unclassified Information: Federal, non-classified information that must be safeguarded by adhering to security requirements and controls designed to secure sensitive information.

    ECR - Export Controlled Research: Includes any information that is regulated for reasons of national security, foreign policy, anti-terrorism, or non-proliferation. This includes ITAR and EAR data types.

    FERPA - Family Educational Rights and Privacy Act: This act governs access to and the release of student education records.

    FISMA - Federal Information Security Management Act: This act requires federal agencies and any contracted parties to develop, document, and implement an information security and protection program for federal data.

    GLBA - Gramm Leach Bliley Act: This act requires financial institutions to explain how they share and protect their customers' sensitive data.

    PHI - Protected Health Information: Under HIPAA, protected health information is considered to be individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.

    IT - Information Technology (Security Information): Information pertaining to safeguarding organizational IT resources.

    PCI - Payment Card Industry: Information pertaining to storing, processing, or transmitting credit card, debit card, or any other type of payment card data.

    PII - Personally Identifiable Information: Sensitive data that could potentially identify a specific individual.

    Details of Services/Goods: You can optionally add details about the vendor in this field.

    Once you've added all vendor details, answer the Qualifying Questions at the bottom of the page.

    Click the Save Vendor button to add the vendor details to the vendor profile.
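
    For the Import Vendor CSV option described above, a pre-import check of the file against the rules this article states (the exact header line, a comma separator, valid CSV, and every field except postal_code filled in). This is an added example, not KnowBe4 code; the function name, messages, and sample rows are constructed here, and it assumes the importer expects the header exactly as written.

```python
import csv
import io

# Header line required by the Import Vendor CSV feature, as quoted in this article.
EXPECTED_HEADER = [
    "name", "primary_contact_name", "primary_contact_email", "mail_address",
    "city", "state", "postal_code", "country", "phone",
]
OPTIONAL_FIELDS = {"postal_code"}  # per the article, every other field is mandatory

# Constructed sample input (not real vendor data): line 2 is valid, line 3 has an
# empty mandatory field, line 4 is missing columns.
SAMPLE = (
    "name,primary_contact_name,primary_contact_email,mail_address,"
    "city,state,postal_code,country,phone\n"
    'Example Hosting Ltd,Pat Doe,pat@vendor.example,"1 Main St, Suite 2",'
    "Springfield,IL,,US,555-0100\n"
    "Example Payroll Inc,,ap@payroll.example,9 Side Rd,Dover,DE,19901,US,555-0101\n"
    "Example Print Co,Sam Roe,sam@print.example,4 Mill Ln,Leeds\n"
)


def validate_vendor_csv(text):
    """Return a list of (line_number, message) problems; an empty list means OK."""
    problems = []
    text = text.lstrip("\ufeff")  # drop a byte-order mark if the exporter added one
    # strict=True makes the csv module raise on malformed quoting instead of guessing.
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=",", strict=True)
    try:
        header = next(reader, None)
        if header is None:
            return [(1, "file is empty")]
        if header != EXPECTED_HEADER:
            # A single column containing another separator usually means the file
            # was exported with ';', tab or '|' instead of a comma.
            if len(header) == 1 and any(sep in header[0] for sep in ";\t|"):
                return [(1, "separator must be a comma (,)")]
            return [(1, "header line must be exactly: " + ",".join(EXPECTED_HEADER))]
        for row in reader:
            line = reader.line_num
            if not row:  # skip blank lines
                continue
            if len(row) != len(EXPECTED_HEADER):
                problems.append(
                    (line, f"expected {len(EXPECTED_HEADER)} fields, found {len(row)}")
                )
                continue
            for field, value in zip(EXPECTED_HEADER, row):
                if field not in OPTIONAL_FIELDS and not value.strip():
                    problems.append((line, f"mandatory field '{field}' is empty"))
    except csv.Error as exc:
        problems.append((reader.line_num, f"not valid CSV: {exc}"))
    return problems


if __name__ == "__main__":
    for line_number, message in validate_vendor_csv(SAMPLE):
        print(f"line {line_number}: {message}")
```
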

    Qualifying Questions

    The qualifying questions found under each vendor's profile in your Vendor List will help you assess the level of risk associated with using the third-party.

    Answer the qualifying questions as you're creating your new vendor in KCM GRC, or answer the questions at a later time by navigating to the Vendor List (Vendor Management > Vendor List) and clicking the vendor's name under the Name column.

    Adding User Accounts for Vendor Contacts

    Once you're ready to send a questionnaire to a vendor, you'll add a user account in KCM for the appropriate person so they can complete the questionnaire. This user will log in to a separate vendor portal associated with your account, a portal specifically for answering questionnaires and addressing issues resulting from the questionnaire responses. The Vendor User user role does not count against your licensed seat count for KCM, nor will this user have access to any of the information in your organization's account.

    Important:

    Once created, the vendor user will immediately receive an email to activate their new KCM GRC account. You may want to inform your existing vendor contacts that you will be implementing this process before adding these users to KCM GRC.

    Follow the steps below to add a vendor user account to your console:

    Navigate to the vendor profile by clicking Vendor Management > Vendor List from the navigation panel, then click the third-party organization's name from the Name column.

    From the Vendor Details page, click the Contacts tab (shown below), then click the Create Vendor Contact button on the right-hand side.

    Fill out the user information, then click the Create button.

    See our Working with Users article for more information about creating users. For more information on sending questionnaire assessments, see this article: Creating, Configuring, and Sending Questionnaires.

    Working With Vendor Profiles (Vendor Details)

    This section provides an overview of the vendor risk management workflows you will carry out from the vendor profiles (Vendor Details pages) found in your Vendor List.

    Vendor Details: Organization Details

    Use the Update button to edit any of the information shown on the Vendor Details page.

    Use the ARCHIVE button to archive the vendor profile. Archiving the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This may be helpful if you will be working with the vendor at a later time. Note, if a vendor profile is archived you will not be able to create a new vendor profile with the same name.

    Account Administrators can use the DELETE button to fully delete the vendor profile and all associated data. All iterations of questionnaires that were sent to, or completed by this vendor will be deleted. Deleting the vendor will automatically disable any Vendor Users listed under the Contacts tab in the vendor profile. This action cannot be undone.

    The Vendor Score is calculated once the Vendor User (vendor contact) has completed and finalized one or more questionnaire assessments. Vendor scores range from 0 to 100%. This number is the average of the scores for all questionnaires completed by this vendor. Therefore, typically, the higher the vendor score, the lower the level of risk involved in working with this entity. If you'd like, you can manually offset the Vendor Score in the vendor profile; see more information below.

    The Vendor Score Offset represents the percentage by which you are offsetting the Original Vendor Score, which was calculated by the KCM platform. See the instructions below for more information.

    Modifying Vendor Scores

    Follow the steps below to offset the vendor score for a vendor profile.

    Click the Update button at the top of the Vendor Details page.

    Then, use the Vendor Score Offset field (shown above) to enter any integer between -100 and 100. For example, if the original vendor score is 89.4% and you enter "-3" in the Vendor Score Offset field, the adjusted vendor score will be 86.4%.

    You can optionally leave a note explaining why you are offsetting the vendor score in the Vendor Score Adjustment Note field.

    Click the Save button to save the offset percentage.

    The adjusted vendor score will be automatically shown in the vendor profile along with the original vendor score that was calculated by KCM.

    Click on the tabs below to learn about the workflows you'll carry out from the tabs found on Vendor Details pages (vendor profiles), under your VRM module.

    Available Questionnaires

    Schedules

    Assigned Questionnaires

    Issues

    Attachments

    Contacts

    Use the Available Questionnaires tab to send questionnaire assessments to your vendors, or other third-party organizations. All finalized questionnaires are listed under this tab. In order for a questionnaire to be finalized, it must be marked as "Configured" and "Reviewed". Click the appropriate Send Questionnaire button to send the questionnaire to your vendor user's (vendor contact's) KCM account.

    To learn more about creating, finalizing, and sending questionnaires, please see our Creating, Configuring, and Sending Questionnaires article.

    The Schedules tab allows you to see all of the questionnaires you've scheduled to send to this vendor on a recurring frequency. You'll find the questionnaires that were sent only one time under the Assigned Questionnaires tab.

    The table will show the Start Date and the End Date that were set when scheduling the questionnaire.

    The Frequency column represents how often the questionnaire is scheduled to be sent.

    If applicable, the Due After column represents the number of days you've requested the assessment to be completed in.

    Click the cancel icon to cancel all future iterations of this questionnaire schedule.

    Click the eyeball icon (or the expand/collapse arrow on the left-hand side) to expand the table and view all iterations of this questionnaire schedule.

    For more information about questionnaire schedules, please see our Creating, Configuring, and Sending Questionnaires article.

    The Assigned Questionnaires tab shows you the questionnaires that have already been sent to the vendor user's account.

    When the questionnaire is complete, click the questionnaire name link listed under the Name column to open and review the questionnaire.

    The questionnaire Status can be one of the following:

    Sent: The questionnaire has been sent to the vendor. If the vendor has begun working on the questionnaire, their progress will be represented by blue in the progress bar, under the Progress column.

    Pending Review: The questionnaire has been finalized by the vendor user, but the KCM administrator has not begun the review process.

    In Review: The KCM administrator has begun, but not finished the review process for this questionnaire.

    Reviewed: The KCM administrator has completed reviewing this questionnaire.

    Use the Nudge Vendor button to send a reminder email from KCM GRC.

    Use the Send Link button to open your native mail client program and draft an email to send to your vendor user.

    Click the Cancel button to cancel the questionnaire and remove it from the vendor user's account. Note, if the questionnaire is canceled all progress will be lost.

    Use the Export button to download a CSV file containing the questionnaire details.

    For more information about reviewing questionnaires in your VRM module, please see our Reviewing Questionnaires and Creating Issues article.

    If your vendor provided an undesirable answer to one or more questions in your assessment, an "issue" can be created to request additional information or to discuss the concern with your vendor.

    All of the issues you've created with this vendor will show under the Issues tab. To open an existing issue, click the description from the Issue Description column.

    For more information about working with issues in your VRM module, see this article: Reviewing Questionnaires and Creating Issues.

    If you have files to share with your vendor, use the Attachments tab to add the files to the vendor user's (vendor contact's) vendor portal.

    Use the Upload New Attachment interface to drag and drop or click browse to navigate to the desired file on your computer. Once the file has been uploaded, it will be immediately available in the vendor user's KCM account.

    Click the trash can button under the Actions column to remove the file from the vendor portal and your KCM account.

    Before you can send a questionnaire to your vendor you'll add a user account for the individual who will be taking the assessment. Use the Create Vendor Contact button to add a new "Vendor User" account. For more information and further instruction, see the above section: Adding User Accounts for Vendor Contacts.

  • How Do I Confirm My Account, Complete Questionnaires, and Respond to Issues?

    If your client is using the KCM Governance, Risk, and Compliance (GRC) platform to manage their third-party or vendor assessments, they will create a user account for you to use when completing their questionnaire assessments.

    Use this guide for help with activating your new account, completing questionnaires, and addressing any "issues" created by your client.

    Activating Your User Account

    When your client adds your user account to their platform, you'll receive an email inviting you to activate your account. The email will look similar to the image shown below.

    Email: Please Confirm Your New KCM Account

    Follow the steps below to activate your KCM user account.

    Click the Activate Your Account link in the body of the email. As a safety precaution, always hover over email links before clicking them to ensure the link is taking you to a safe website. If you don't feel comfortable using the email link, you can reach out to your client for the URL.

    From the Activate User page, enter the unique Activation Code provided in your email.

    Create a password, then re-type the password in the second field to confirm.

    You'll be redirected to the KCM login page where you'll enter your email address and password. However, if your client has not assigned a questionnaire at this time, there's no need to sign in to your account. You'll receive another email once a questionnaire has been assigned to you.

    See the next section for details about completing questionnaires in the KCM GRC Vendor Portal.

    Completing Questionnaires

    Once your client has sent a questionnaire to your KCM GRC portal, you'll receive an email notification. Use the link in this email to log in to your portal and complete the questionnaire.

    Tip:

    If you haven't received a questionnaire email notification from KCM GRC, ask your client to send you a link to log in to your vendor portal.

    If your organization typically uses answer templates from an industry-standard questionnaire tool such as CAIQ (Consensus Assessments Initiative Questionnaire) or SIG (Standardized Information Gathering Questionnaire), you'll have the ability to upload this spreadsheet file to automate your assessment responses.

    Follow the steps below to access your questionnaire in the Vendor Portal.

    Use the link in your notification email to log in to your account. Alternatively, your client can provide the link to log in to your account.

    Once logged in, you're brought to the Vendor Portal Dashboard. Here you can find the questionnaires your client has assigned, see any issues created as a result of your assessment responses, and view any documents that you've supplied with your assessment responses. To begin the assessment, click the Questionnaire name from the Questionnaires portion of the Vendor Portal Dashboard, as shown below.

    Depending on whether your client has used a questionnaire template (such as CAIQ or SIG), you may have two options for answering the questions. See the applicable section below to learn more:

    Tips for Answering Questions Individually

    Importing Answer Files (for SIG or CAIQ template answers)

    Tips for Answering Questions Individually

    See below for helpful tips for responding to your questionnaire assessments.

    Tip #1: IMPORTANT: As you respond to questions, you must use the Save Answer button to save each of your answers. You will not be able to finalize or submit your questionnaire until you've saved each response. Also, if you need to finish the assessment at a later time, only the answers you've saved will be kept as your progress.

    Tip #2: Use the Add Comment and Attach File buttons to add additional notes or supporting files to your responses.

    Please note that comments are limited to 1000 characters. The limitations for files attached to individual questions are as follows:

    File Size: Maximum of 5 MB (not applicable for imported responses)

    File Name: Maximum of 250 characters (including the file extension)

    Accepted File Types: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .pdf, .txt, .rtf, .eml, .msg, .csv, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .zip, .gzip, .7z, .gz, .tar, .tgz, .nrl

    Tip #3: To replace or remove an attachment, or to edit a comment you've added, click the Edit button, then click Yes when prompted.

    Tip #4: To ensure you've addressed all of the assessment questions, toggle between the question sets using the Sections menu on the right-hand side, as shown below.

    The fraction to the left of each section represents the questions you've answered/total questions in the section.

    Tip #5: Questions with answers presented in a checkbox format allow you to choose more than one answer.

    Example: Checkbox Answer Format

    Tip #6: The free-form answer fields hold a maximum of 1000 characters. If you need additional room for your answer, click the Add Comment button to add a comment with more information.

    Example: Free-form Answer Format

    Tip #7: Once you're finished, you must click the Finalize Questionnaire button to submit your questionnaire. Once you've clicked this button, your client will receive an email letting them know you've completed the assessment.

    Example: Finalize Questionnaire Button

    Importing Answer Files

    If your organization typically uses an assessment management tool to respond to industry questionnaires such as CAIQ (Consensus Assessments Initiative Questionnaire) or SIG (Standardized Information Gathering Questionnaire), you'll have the ability to upload this file to automate your assessment responses.

    Follow the steps below to complete your questionnaire using an answer template:

    From the Questionnaire Submission page, click the Import Answers button toward the top-right.

    From the Import Answers window, select the appropriate questionnaire from the Questionnaire Type drop-down menu.

    Then, use the Click to Upload button to locate the answer template in your local files.

    Note:

    When importing answers the file must be an official assessment management tool spreadsheet produced by one of the following sources:

    Standardized Information Gathering (SIG) questionnaire

    Consensus Assessments Initiative Questionnaire (CAIQ)

    All of the questions you've addressed in your answer template spreadsheet will populate in the Import Answers window (shown below). You can use the Click to Upload buttons if you need to upload a file to support your response to a question. Click the trash can icon button to delete any answers you don't want to import. If you've added comments to your answer template, they will transfer to the KCM portal.

    Once you're satisfied with the answers you're uploading, click the Save button at the bottom of the window.

    Tip:

    After you've uploaded responses, if you need to edit an answer, add comments, or attach a file to a response: Make the necessary changes in your answer template, then re-import the file. From the Import Answers window, use the Click to Upload buttons to attach files to your answers.

    Once all of your answers have been imported, or manually addressed, click the Finalize Questionnaire button at the bottom of the page to submit your assessment. Your client will receive an email at this time, letting them know the questionnaire is ready for review.

    Responding to Issues

    Your client can create "issues" for your assessment responses if they are unsatisfied with your answer or if they need more information. The purpose of an issue is for further communication with your client.

    You'll receive an email notification if issues are created for one or more of your questionnaire responses.

    See the instructions below for responding to issues:

    Log in to your KCM account using the link in the email notification you received when your client created an issue.

    You can see the open issues from the Vendor Dashboard or by clicking Issues from the navigation panel on the left-hand side of your account, as shown below.

    All open issues will be listed. Click on the issue description to open the issue.

    Note:

    Each issue will have one of the following priorities: Minor, Moderate, High, or Critical.

    From the Issue Details page, read the client's Issue Description. Below this description, you'll see the original assessment question that is being referenced in the issue.

    Use the Response field to type your response to the Issue Description. Responses have a 255-character maximum.

    Then, click the Save Response button to submit your response.

    If you need to provide a file to satisfy the issue, use the Click to Upload button on the left-hand side of the Issue Details page. Please note, any files you've previously supplied for this assessment question will be replaced.

    Once you submit your issue response, your client will receive an email notification letting them know you've responded. You will also receive an email each time your client sends a subsequent response for the issue.

    Continue to communicate with your client until they close the issue. You can see closed issues from the Issues section of your console, under the Closed Issues (#) tab, as shown below.
