Service description

Updated: 1 February 2021

1    Introduction

This appendix to the service terms describes features and functionality which is made available for subscription through various pricing plans.

The description of a service component in this document does however not grant any rights for the customer to access or use this service component, unless such inclusion has been made by reference in the service agreement.

New functionality may be introduced and accordingly described in this document at any time without further notice to the customer, unless the new functionality is already included in the service agreement.

2    MailRisk add-in for Outlook

A button which any licensed email user can use directly insider their email client (see supported clients below) to invoke a security analysis of the currently opened email, and communicate this to the end-user in an educational fashion.

Through the add-in interface, users may also report their suspicion so that IT administrators may be notified according to individual preferences for such notifications, or request a manual risk assessment of the email if the automated analysis does not satisfy the user's needs.

The analysis is performed as a combination of heuristics and signatures available through the service, machine learning (see description below), plus several other data sources (including external ones) which are checked for matches against known threats. No data will however be automatically shared or transferred to third parties during automated analysis unless otherwise requested by the customer, except to an authorized partner in the case where the service agreement is owned by the partner who is already acting as a processor for the customer, and the provider is accordingly defined as a sub-processor in relation to the customer.

3    Machine learning threat detection

When the MailRisk add-in invokes an analysis of an email, the service will at the same time perform correlation with other emails and attempt to classify the analyzed email through use of machine learning.

The use of such automated analysis will reduce the need for manually assessing the risk of similar emails, and to a larger extent be able to notify both the end-user as well as IT administrators who subscribe for such alerts whenever a particular risk threshold has been exceeded.

4    Portal for analysis and response

IT administrators can access the data collected by the MailRisk add-in through a web based customer portal. This includes both email metadata and full contents, including attachments, as well as results from automated lookups and analyses performed for threat detection.

The customer portal is where feedback can be sent to end-users who have requested manual analysis, and where administrators can set their notification preferences to be made aware of pending requests and detected threats. Administrators are also provided an opportunity to remove analyzed data from the service, in order to exercise control over personal data processed under the service agreement.

In addition, the customer portal facilitates creation and review of signatures which form the basis for further automation in the feedback to end-users, as well as further use of qualified data in response to the detection of threats which happens outside of scope for the provided services.

5    Managed analysis of suspicious emails

For customers who prefer not to perform any manual analysis of suspicious emails on its own, this service add-on ensures qualified investigation of any emails which end-users request feedback on through MailRisk, with a timely response even if manual analysis is necessary.

This service add-on can be purchased from Secure Practice with a guaranteed response time of less than 4 hours within office hours (Monday through Friday, 08:00-16:00 CET).

This service add-on may also be purchased through another managed (security) services partner authorized by Secure Practice, under the partner's own specification, pricing and agreement directly with the customer.

6    Statistics for suspicious emails

Through the customer portal, IT administrators can access advanced metrics for both operational analysis and retrospective review, based on data from collected emails and analyses performed on these.

The metrics are also available through querying the API (see below), and can be filtered on date range along with several dimensions of metrics including risk and usage.

7    API / Azure AD sync

IT administrators can choose to access customer data and perform a range of actions programmatically through documented Application Programming Interfaces (APIs), including automatic synchronization of users and groups from Azure AD through a few simple configuration steps.

Authenticated API access is also an enabler for custom integrations with other software, and customers can manage their authentication keys on a self-service basis in the customer portal.

8    Posters for awareness (PDF)

In order to facilitate security awareness and service adoption among end-users, the customer is licensed to access and use a number of relevant resources in high-quality PDF documents.

By uploading the customer's company logo via the customer portal, posters can automatically include this logo in the print-ready PDF.

9    Simulated phishing (templates)

The phishing simulator can be used to create awareness and train desired habits for safe handling of suspicious emails, by having an IT administrator or authorized partner facilitate sending simulated phishing content, to a specified list of end-user recipients inside the customer's organization.

Phishing simulations based on a selection of pre-defined templates will typically contain a given email which contains a link or other content which leads the recipient to a simulated phishing website, called the landing page. The landing page may for instance try to collect information or mislead the user to download content which under other circumstances would be considered a breach, optionally revealing what is called the debriefing page which contains information to the user that this was a rehearsal, and possibly (link to) some further training content.

IT administrators can access statistics for how many users visited the landing and debriefing pages, and also how many recipients used the MailRisk add-in in conjunction with the simulated phishing email.

10    Simulated phishing (customized)

The phishing simulator is extended with functionality for manually editing the content of emails and messages, landing pages and debriefing pages.

This also includes the possibility to simply composing brand new simulated phishing campaigns from the bottom up, if the pre-defined phishing templates do not suffice.

11    Simulated phishing (automated)

Instead of sending simulated phishing campaigns manually on a case-by-case basis, the automated simulation functionality allows a number of templates to be scheduled for sending over a longer period i time, either based on complete automation, or with some manually configured parameters.

Each participant will follow their own individual progress, based on their ability to perform desired actions in relation to each simulation they receive, and new participants can be added to start their own progress at any time.

12    Multi-platform support

The MailRisk plugin (add-in) for Outlook requires the customer's email to be hosted in either Office 365, or an on-premise installation of Exchange Server 2013 or newer. Supported clients include Outlook 2013 or newer on PC, Outlook 2016 or newer on Mac, and Outlook Web Access (OWA) via any OWA-supported web browser. On mobile devices, the add-in is available through the Outlook app on iOS and Android, but only for customers using Office 365.

Any other service components require only a modern web browser for access.

13    Single sign-on with Azure AD

Microsoft Azure AD can be used to replace the authentication front-end for both the customer portal and the employee security portal. This allows the customer to independently configure and enforce their own access policies, and relieve users from maintaining a separate user profile and password when using Secure Practice services.

When the customer has enabled single sign-on through the customer portal, the use of an additional data processor for exclusively sending single-use login codes via SMS is also avoided.

14    Employee security portal

To support ongoing awareness and training efforts, we provide a portal where employee end-users may access their personal profile, available training content, security bulletins, surveys and other end-user facing functionality, as it may be included in the service agreement.

End-users can access the portal via email invites to specific content, but the portal can also be used anywhere on any device using a modern web browser.

15    Essential e-learning courses

Access our pre-made e-learning content to ensure an essential minimum of security awareness and risk understanding in your workforce.

The introductory learning courses cover topics like how to discover attempts of social engineering, and what everyone can do to be an active part in your organization's cyber defense.

16    Gamified e-learning platform

Extend the use our e-learning platform beyond introductory courses, to customize any pre-made learning content or create your own content from scratch.

Organize content in gamified courses with points and progress for end-users, and monitor progress with rich statistics. Our editor also supports several layouts and content types, including images, videos and interactive quizzes.

17    Multi-lingual content support

Pre-made content is available in multiple languages, both for simulated phishing, e-learning and surveys. If you create custom content yourself, or the provided translations do not suffice to your needs, you can create your own translation with ease.

18    Course certificates (PDF)

Allow your colleagues to build social capital and show their security interest and learning progress to their world. Course certificates can automatically include your company logo in the print-ready PDF.

19    Security blog and guides tool

Share relevant security bulletins through the employee security portal with ease, using our versatile blog and guides tool, including several other content types such as policies, frequently asked questions, threat advisories and cyber dictionary articles.

While you can always create and publish your own internal content here, we also offer an ongoing stream of ready-made content in several languages, to keep things fresh.

20    Employee security surveys

Collect detailed data about the security culture, skills and behavior among your colleagues with our integrated survey tool. Our pre-defined surveys are developed to specifically measure KPIs that are useful in describing and reducing human risk.

The survey tool supports various types of questions, including multiple choice and free text, where every response can be associated with a particular risk and severity.

Results from the surveys can be reviewed on an individual per-question basis, but also serve to populate our data-model on human cyber risk in the organization.

21    Metrics for human cyber risk

Measure your organization's journey towards secure behavior, based on the data we collect from employee security surveys along with e-learning progress, quiz results, MailRisk usage and reporting of all incident types.

Our metrics dashboard provides opportunity of detailed drill-down analysis, which serves to make the right priorities in your security program and track changes over time.

22    Reporting for all incident types

Incident reporting is an important part of continuous improvement, and includes many different types of cases worth reporting like scam phone calls, SMS-es, strangers in restricted areas, policy violations, etc.

Through a user friendly form in the employee security portal, employees are enabled to report on any such incidents in a streamlined fashion which facilitates effective follow-up from administrators.

23    Advanced content targeting

Target your training with additional controls for personalization towards end-users. Allow each employee to be assigned appropriate groups and roles, and tailor your security training and communications for higher impact and learning retention.

Select target groups from either synchronized AD groups, or a number of dynamic groups we generate, such as users who have not yet used the MailRisk button, users who failed or succeeded phishing simulations, or users who have not responded to your security survey.

24    Security bulletin newsletter

Reach employees with security communications directly to their inbox. Our unique newsletter composer allows you to simply pick and choose from already made bulletins, and add your personal touch if needed.

Especially powerful in combination with the advanced content targeting tool, the newsletter allows you to reach very specific yet dynamic groups of people with your communications.

25    SMS phishing

Take phishing simulations to the next level with SMS based phishing. Add an SMS message to the simulation, either on its own, or in combination with a phishing email, to your recipients.

Note that any use of this service component is subject to transaction based pricing (per SMS), a separate agreement may be required for activation, and other limitations such as number of recipients per simulation may occur.