Educause Security Discussion mailing list archives

Re: KnowBe4 Security & Awareness Training Feedback


From: "Radhakrishnan, Rashmi" <rradhakrishnan () ALBRIGHT EDU>
Date: Fri, 29 Mar 2019 14:36:57 +0000

Good morning.
We began our KnowBe4 rollout last year.  Below is the response from the lead on this project -

We began our KnowBe4 campaign last year, targeting our faculty and staff.  We mainly used the video modules offered. 
The feedback we received from faculty and staff is that the content was generally enjoyable and they learned a lot.  
Some members of the community even expressed the desire to have their friends, spouse and family members go through the 
training.  Of course, the licensing does not allow for it. Since its rollout on our campus, more and more of our 
community members are reporting potentially malicious emails and helping us mitigate potential issues.



From an administrative standpoint: It was easy to use and customize. Depending on which level subscription you go 
with, there's a good variety of training resources that you can use for your campaigns. They also appear to add 
content regularly. But, again, availability of the content depends on your subscription level.



We have not yet started our white hat phishing campaign, but we have started to play around with the customization 
options and tailoring different email templates.



When we did have an issue, support was fantastic and took the time to connect and troubleshoot the issue, helping with 
some configuration suggestions.



With regards to the truth in the content: I must admit it has been a bit since my last viewing of the training modules 
that we used, and at the time, I was viewing it under a different lens than I would be now. I do plan to investigate 
the 2019 training modules that appear to have replaced the modules that we used last year.



Thank you,



Ebony Richardson

Infrastructure Architect

Albright College Division of Digital Strategy and Infrastructure (DSI)

Center for Computing & Mathematics

1355 Union St.

Reading, PA 19604

Phone: 610.921.7223




Rashmi Radhakrishnan
Vice President for Digital Strategy and Infrastructure/CIO
Division of Digital Strategy and Infrastructure (DSI)
Albright College
RRadhakrishnan () albright edu
www.albright.edu

610-921-7225

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Austin Bollinger 
<austinbollinger () GRCC EDU>
Sent: Friday, March 29, 2019 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] KnowBe4 Security & Awareness Training Feedback


I hear great things about KnowBe4, which may be a great hands-off option. If you want a more affordable and flexible 
option, as in a free puppy that takes a little extra work, read on.

It all comes down to what resources/tools you have and whether there is enough allocated time to make this work - the DIY 
phishing simulator and training. We can thank open source contributions for making this more realistic; otherwise we 
would have to program a phishing simulator from scratch - one already exists courtesy of Jordan 
Wright (https://jordan-wright.com/) from Duo Labs!

If you/coworkers are not afraid of or willing to learn certbot and maybe basic Postfix then consider 
https://getgophish.com/ followed by https://github.com/ILiedAboutCake/DirectoryPhish or use PowerShell yourself to pull 
your own AD users out. Import into Gophish via csv which is documented well over here 
https://docs.getgophish.com/user-guide/building-your-first-campaign/importing-groups

Now you have the phishing simulator part done after ideally firewalling off the admin panel (default port for admin is 
3333).

Next step, get your phishing training in working order. Working with a postsecondary facility, there is bound to be an LMS 
(Learning Management System)! Good news is there is FREE SCORM-compliant training for phishing so you can even track 
grades on-prem. Head over to https://cofense.com/cbfree-download-all/ and at the top left "CBT - English (All Modules)" 
within you will find:
CBT_Advanced_Spear_Phishing_V4_HTML5.zip
CBT_General_Phishing_English_V4_HTML5.zip
CBT_Spear_Phishing_English_V4_HTML5.zip

Good luck and have fun whatever your choice is! If anyone has a question, feel free.



Regards,
Austin Bollinger
IT Security Analyst
IT at Grand Rapids Community College
austinbollinger () grcc edu | 
https://grcc.edu/informationtechnology/informationsecurity
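
For the step in the message above about firewalling off the Gophish admin panel, a small check of where the admin listener is bound. This is an added example, not part of the original message or of the Gophish project; it assumes the `admin_server.listen_url` and `use_tls` keys of Gophish's `config.json`, and the sample configs are constructed.

```python
import ipaddress
import json

# Constructed samples shaped like Gophish's config.json (only the keys used here).
EXPOSED = '{"admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": false}}'
LOCAL_ONLY = '{"admin_server": {"listen_url": "127.0.0.1:3333", "use_tls": true}}'


def split_listen_url(listen_url):
    """Split 'host:port' into (host, port); an empty host means all interfaces."""
    host, _, port = listen_url.rpartition(":")
    return host.strip("[]"), int(port)


def audit_admin_listener(config_text):
    """Return findings about how the admin panel is exposed; empty list if none."""
    admin = json.loads(config_text).get("admin_server", {})
    listen_url = admin.get("listen_url")
    if not listen_url:
        return ["no admin_server.listen_url in config"]
    host, port = split_listen_url(listen_url)
    findings = []
    try:
        addr = ipaddress.ip_address(host) if host else None
    except ValueError:
        addr = None  # a hostname: the bound interface depends on name resolution
        findings.append(f"admin listener uses hostname {host!r}; verify what it resolves to")
    if host == "" or (addr is not None and addr.is_unspecified):
        findings.append(f"admin panel listens on all interfaces (port {port}); "
                        "bind it to loopback or restrict it with a host firewall rule")
    elif addr is not None and not addr.is_loopback:
        findings.append(f"admin panel bound to {addr}; confirm port {port} is "
                        "reachable only from the admin network")
    if not admin.get("use_tls", False):
        findings.append("admin panel served without TLS")
    return findings


if __name__ == "__main__":
    for name, text in (("EXPOSED", EXPOSED), ("LOCAL_ONLY", LOCAL_ONLY)):
        print(name, audit_admin_listener(text) or "ok")
```

A loopback-only listener is then reached through an SSH tunnel or a reverse proxy that enforces its own access control.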

Neal O'Farrell <neal () SCHOOLEDINSECURITY ORG> 3/29/2019 9:30 AM >>>
I'm not in higher education but have known KnowBe4 for years and while their products are highly regarded, they are also 
highly generic. Which usually ends up diluting their effectiveness.

I think there's a good opportunity for an immersive awareness program specifically tailored for the needs, challenges, 
and audiences of higher ed.

A good start might be for people to chime in with what they feel they need or are missing, and that current solutions 
don't provide. You can't fill the gaps until you identify them.

Neal.

Neal O'Farrell
Schooled In Security
www.schooledinsecurity.org
neal () schooledinsecurity org
(925) 914 0248 (EST)

When we say "next generation security," we really mean it!



On Fri, Mar 29, 2019 at 9:15 AM Frank Barton <bartonf () husson edu> wrote:
Jason, I would say that KnowBe4 suffers from the same industry problem - they do try to make the content 
industry-agnostic (and to be honest, while I'm not on the content side, I would like to see the ability for some 
customization to make things more "us")

As to the "bending the truth", I'm not sure I would go that far. There are some nuances that I think are missed, or 
things that might be a bit 'over-generalized' (which leads to the industry-agnostification). Getting the balance right 
between "good - engaging content" and "technical precision" in a field that is very rapidly changing can be very 
difficult. On the whole, I think KnowBe4 gets the balance just about right, and tries to make their content accessible 
to everyone, no matter the technical skill level.

We just pushed out our annual Security Awareness Training, and I would say that the content was just about "high 
average" with a focus on social engineering.

Education is somewhat of an 'odd duck' when it comes to some of the ITSEC problems that the industry sees. I wonder if 
maybe EDUCause should work on creating either training content, or (as in a Logical OR) a training platform to provide 
and track training that can be focused to the challenges that we face in Higher Ed (Let's face it... how many other 
businesses need to worry about SmartTVs, XBoxen, and the whole alphabet soup of compliance every day in addition to 
having their customers living on site?)



On Fri, Mar 29, 2019 at 8:57 AM Jason Fried <friedj () sunysuffolk edu> wrote:
Good morning,
Common feedback - especially from faculty - for our current product is that this is obviously not built for higher ed, 
but is more industry-agnostic. Would those who have responded or will respond about KnowBe4 provide their thoughts on that, 
along with that 'bending of the truth'? Many thanks...
Regards,
Jay
--
Jason Fried
Information Security Officer
Information Technology Services
Suffolk County Community College
O: 631.451.4291 / M: 631.897.6064
@SuffolkITS
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Friday, March 29, 2019 8:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] KnowBe4 Security & Awareness Training Feedback
Joshua,
Another "Hello from up in Maine." We are using KnowBe4 for both their Phishing and user education. We have been happy 
with it, both from an overall content perspective as well as from a management perspective.
I will echo what Chad said. Sometimes there are some "degrees" of truth that might be lost, but overall I have been 
happy with the content.
Frank
On Fri, Mar 29, 2019 at 6:30 AM Chad Tracy <ctracy () bates edu> wrote:
Joshua,
Hello from up in Maine. Nice to see the weather finally getting better up here. I PoC'd KnowBe4 a couple years back... 
in short, it came down to price. I had used KnowBe4 for our Phishing platform, which I loved... very easy to use and 
their support was very easy to work with and they were always immediately available. The ISAT was very well presented 
but I had issues with the content - meaning that I took a few of the training modules and completed the quizzes for 
each module and I actually got many of them wrong... What I know to be true with regard to security and what they know 
to be true... well, we have varying truths...lol. I felt that if I had heartburn over the content then I was sure to 
have a ton of feedback from the community.
For what it's worth, I know of one other institution that is moving away from KnowBe4 and back to SANS STH.
**You heading to the Educause Security Conference this year?
Best,
Chad
On Thu, Mar 28, 2019 at 4:19 PM Gomez, Joshua <J.Gomez () snhu edu> wrote:
Hey There,
Are any other Universities currently a customer of KnowBe4? We are currently considering them for our ISAT content 
provider but wanted to get feedback from an actual customer in Higher Ed. If you feel more comfortable messaging me 
directly, I can be reached at j.gomez () snhu edu.
Thanks in advance!
Joshua Gomez | Consultant, Information Security
Information Technology Solutions

--
Chad Tracy
Director of Information Security, Policy and Compliance
Bates College
207 786-6491

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University

