Introduction
Welcome to TraceEducation!
TraceEducation is a powerful, easy-to-use education platform for all your security awareness training needs.
This user guide introduces TraceEducation and shows how to use the application, building a distribution from start to finish.
Insight User Management
In TraceEducation, user and group management is handled at the TraceInsight level.
On the Users page, you can create individual users, import users from CSV, set up the Active Directory User Sync Tool, and/or enable/disable Multi-Factor Authentication.
Managing Individual Users
Creating Individual Users
To create an individual user, click the Create User button, fill out the required fields, and click Save.
The Email field will serve as the unique identifier for each user. Please double-check the spelling on this field as it cannot be edited after saving the user.
User Roles are optional at this stage, but will come in handy later when you are creating a distribution. TraceSecurity recommends adding the TraceEducationModuleAccess role at this time to ensure proper permissions for the new user you are creating.
Editing Individual Users
To edit an individual user, click the Edit button next to the user. You can make changes to the user's editable fields as well as add or remove Insight User Roles. Click Save when you are finished making your edits.
User Actions
Deactivate
- This action will remove a user from the front-end view of all application modules in TraceInsight.
- You can apply this designation on an individual basis to account for users going on leave or otherwise becoming inapplicable to your TraceEducation distribution needs.
You can view inactive users using the Filters button at the top of the Users page.
You can re-activate users as needed to make them active participants in your education distributions. See View Results for more information on how inactive users will appear in the context of reporting.
Delete
- This action will permanently delete a user from your application.
- You can use this designation to remove a user from history and reporting if you no longer need to retain those records.
Importing Users and Groups from CSV
To Import Users from CSV, download the example CSV file and fill out the necessary fields.
Please note that the following fields are required for each user: firstName, lastName, and email.
The userGroups field is optional at the import stage but will come in handy at the distribution level. See Organizing Users into Groups for notes on User Group setup.
The user import by CSV is subject to a file size limit due to the implementation of Multi-Factor Authentication in TraceInsight. As a result, the CSV is limited to 500 users per import. To import a list of more than 500 users, you must break it up into multiple CSV files. You can still list an identical group name in the "UserGroups" column across different CSV files to import all 500+ users into the same group.
Browse to find your CSV and click Upload File to update your user list.
You should receive a message showing your import was successful; click OK to continue.
If you receive an error message that your import was not successful, try the following troubleshooting tips:
- Check your user information to remove special characters or typos.
- Check your user information to remove duplicate email addresses.
- Check that your column headers match the Required Format.
- Wait a few minutes and check your Users page in TraceInsight to see if the import went through despite the error message you saw earlier.
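The checks above can be run on a user list before upload. The following is an added example, not TraceSecurity tooling: it validates the required fields, flags duplicate emails, and splits the list into files of at most 500 users while leaving the group name unchanged. The header names are assumed to match the field names quoted in this guide (the downloadable example CSV is authoritative), "special characters" is assumed to mean anything outside printable ASCII, and the sample data is constructed.

```python
import csv
import io

REQUIRED = ("firstName", "lastName", "email")   # required per this guide
OPTIONAL = ("userGroups",)                      # optional per this guide
MAX_USERS_PER_FILE = 500                        # import limit per this guide


def validate_rows(csv_text):
    """Parse CSV text and return (clean_rows, problems)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    missing = [h for h in REQUIRED if h not in headers]
    if missing:
        return [], ["line 1: missing required column(s): " + ", ".join(missing)]

    clean, problems, first_seen = [], [], {}
    for raw in reader:
        line_no = reader.line_num
        row = {k: (raw.get(k) or "").strip() for k in REQUIRED + OPTIONAL}
        errors = [f"{k} is empty" for k in REQUIRED if not row[k]]
        # Assumption: "special characters" = anything outside printable ASCII.
        errors += [f"{k} has a non-ASCII or control character"
                   for k, v in row.items()
                   if not (v.isascii() and v.isprintable())]
        email_key = row["email"].lower()   # compare emails case-insensitively
        if email_key:
            local, at, domain = email_key.partition("@")
            well_formed = (local and at and "." in domain
                           and "@" not in domain and " " not in email_key)
            if not well_formed:
                errors.append("email is not in name@domain.tld form")
            elif email_key in first_seen:
                errors.append(
                    f"duplicate email (first on line {first_seen[email_key]})")
            else:
                first_seen[email_key] = line_no
        if errors:
            problems.append(f"line {line_no}: " + "; ".join(errors))
        else:
            clean.append(row)
    return clean, problems


def split_batches(rows, size=MAX_USERS_PER_FILE):
    """Split validated rows into lists of at most `size` users each."""
    return [rows[i:i + size] for i in range(0, len(rows), size)]


def to_csv(rows):
    """Serialize one batch back to CSV text with the same header row."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=REQUIRED + OPTIONAL,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def build_sample():
    """Constructed sample: 1,201 valid users plus two deliberately bad rows."""
    lines = ["firstName,lastName,email,userGroups"]
    lines += [f"User{i},Example,user{i}@example.com,Branch Staff"
              for i in range(1, 1202)]
    lines.append("Dana,Example,USER7@example.com,Branch Staff")  # duplicate
    lines.append("Lee,,lee@example.com,Branch Staff")            # no lastName
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows, problems = validate_rows(build_sample())
    for problem in problems:
        print(problem)
    for n, batch in enumerate(split_batches(rows), start=1):
        # File names are hypothetical; upload each part separately.
        print(f"users_part{n}.csv: {len(batch)} users")
```

Every part keeps the same userGroups value, so uploading the parts one after another places all users in the same group.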
Managing User Roles
User Roles represent the permissions that should be granted to users by the Company Admin.
Users with the CompanyAdmin User Role may assign the following levels of TraceEducation module access to other users within the organization:
- TraceEducationModuleAccess - this role will grant the assigned user(s) the ability to access the TraceEducation Module. TraceSecurity recommends adding this role to all user accounts who will be included in groups that will be targeted by training distributions.
- TraceEducationModuleAdmin - this role will grant the assigned user(s) administrative access to create distributions, courses, and videos.
Assigning & Removing User Roles
You can assign and remove User Roles on an individual basis in the Edit User dialog box (see Managing Individual Users for more information). You can also proceed to the User Roles page in TraceInsight to assign User Roles in bulk.
Next to the User Role that you are interested in assigning, click the Select Users button.
Under the Selected column, choose the users you wish to assign the User Roles to, and click Save Changes.
You should receive a message indicating successful assignment of the chosen User Role.
Organizing Your Users Into Groups
User Groups are required for scheduled education distributions, and are administered at the Insight level in TraceInsight.
You can create a User Group (and add users to that group) at the CSV import stage, or you can go to User Groups in TraceInsight.
On the User Groups page, you can create a user group, edit an existing group, and add and remove users from a group.
The Everyone group is the Master Group which exists by default when your account is created. You cannot edit or delete the Everyone group.
To create your own group, give it a Name (required) and Description (optional) and click Save.
For any group that you create, you can Edit its settings, Select Users to include in the group, and Delete the group when you are done using it.
To include users in a group, click on the user entry to mark it as Selected. Click Save Changes and then confirm changes. You should receive a message showing your changes were successful; click OK to continue.
Managing Multi-Factor Authentication
TraceInsight now offers the option of enabling multi-factor authentication (MFA) for logins. MFA will work through any one-time password (OTP) application such as Google Authenticator, Microsoft Authenticator, Symantec VIP Access, and more. Email and SMS-based MFA will not be supported.
Any user(s) assigned the CompanyAdmin user role will be able to enable/disable MFA on a company-wide basis by navigating to the Users page in TraceInsight and clicking the Enable/Disable Multi-factor Authentication button as shown here:
When the button is clicked, a confirmation prompt will appear. MFA can be disabled and re-enabled at any time from the Users page.
As previously mentioned, MFA may only be enabled/disabled on a company-wide basis, so it will either be required by all users (including any newly created users regardless of creation method) or by none.
Once MFA is enabled, users will be prompted to set it up upon their next login by scanning a QR code as shown here:
Videos
The Videos page gives you an overview of the training videos available to educate your users.
Basic TraceEducation Videos
All TracePhishing customers are provided with a small selection of curated TraceEducation training videos developed with our industry experience and research in mind. These short videos created in-house represent the distillation of the latest information security topics into concise, easy-to-digest content to disseminate to your end users. These videos can be automatically assigned to users who fail phishing campaigns and/or manually assigned to users on an as-needed basis.
Full TraceEducation Videos
Customers with a full subscription to TraceEducation will have access to a wider variety of educational videos. These three- to six-minute animated videos with voiceover serve as a great topical overview on their own; they are also designed to be stackable so you can group videos together by theme and provide your users with more in-depth exploration of the topic at hand. TraceSecurity will upload new videos on a quarterly basis to cover new and emerging themes in cybersecurity awareness.
If you would like to learn more about the full TraceEducation library, please contact your Account Executive for more information!
Video Upload Option
You may also choose to upload your own videos to further customize your organization's training approach. Click the New Video button to get started.
Give your video a Name (required) and a Description (optional). Click Browse to choose the video file on your computer, then click Save Video to complete the process.
TraceSecurity recommends uploading .mp4 or .webm file types to TraceEducation as these formats are most likely to work across browser and OS versions.
Courses
The Courses page gives you an overview of the training courses available to assign to your users.
Basic TraceEducation Courses
TraceEducation provides you with a selection of curated training content developed with our industry experience and research in mind. TraceSecurity has packaged the content you are familiar with from the Videos page into easily distributed courses to be assigned to your end users. By packaging the videos into Courses, TraceEducation is providing you with a three-question quiz at the end of each video. The end user will get real-time feedback as they get answers right or wrong on the quiz. The user must correct any wrong answers to Submit their training assignment and show up as "Completed" on the admin-level reports.
Full TraceEducation Courses
Customers with a full subscription to TraceEducation will see an extended library of additional content. TraceSecurity has packaged the extended video library into Courses for your benefit. Each course has a three-question quiz which requires the end user to prove competence in the material covered by the video.
To preview the extended library course names and descriptions, please proceed to the Full Course Listing page. If you would like to learn more, please contact your Account Executive for more information!
Custom Course Option
If you uploaded your own videos on the Videos page, you must also package those videos into Courses to make them distributable to end users. Click the New Course button to get started.
Give your course a Name (required) and a Description (optional). Choose your previously uploaded Video from the dropdown menu and click Save Course to create your course.
To upload a customized training video, check the Videos section for more information.
Please note that custom courses created by the client are not eligible for quizzes. Any courses that are based on a client-uploaded video will be on an "acceptance-based" model where the user hits the Accept button after they finish watching their custom training assignment.
Distributions
Distributions are the method by which you disseminate training courses to your end users.
You can choose between Scheduled Distributions and Campaign-Based Distributions.
Scheduled Distributions
Create a Scheduled Distribution to send an education course at the time of your choosing to the group(s) of your choosing. Click the button to get started.
In the resulting New Scheduled Distribution window, please note that all fields are required.
Give your distribution a Name, and choose a Start Date and Start Time. Select an End Date and End Time to set a due date for your end users to complete the course.
Reminder emails are configured to send every 7 days based on the End Date of the distribution. To avoid "doubling up" on notification emails, you can select your End Date based on multiples of 7. This will help ensure your users do not receive more than one reminder email per week.
Next, choose one or more Courses from the dropdown menu.
Then, choose one or more Groups from the corresponding dropdown menu.
Once all the fields are completed to your specifications, click Save Distribution to schedule your distribution.
Campaign-Based Distributions
Create a Campaign-Based Distribution to send an education course based on the results of a specific phishing campaign.
The Campaign-Based Distribution will not kick off until the associated phishing campaign is completed.
Click the button to get started.
In the resulting New Campaign-Based Distribution window, please note that all fields are required.
Give your distribution a Name. Select the Campaign that you want the distribution to be based on. Choose from the dropdown menu the User Status you wish to target with training.
- Clicked Link - choosing this status will send the course distribution to any user who clicked the link by the time you completed the campaign.
- Submitted Data - choosing this status will send the course distribution to any user who submitted data into the landing page by the time you completed the campaign. Remember, your phishing campaign must include a landing page tracking data submission fields in order to utilize this status.
- Everyone - choosing this status will send the course distribution to all the users who were targeted in the phishing campaign.
Type in the Days to Complete field to set the due date for your end users to complete the course.
Please note, the Days to Complete number that you type in will start at the time you mark your phishing campaign as completed, not at the current date. If you had marked a previous campaign completed multiple days or weeks ago, you will need to factor that delay into your Days to Complete calculation in order to give your users enough time to access their training.
Next, choose one or more Courses from the dropdown menu.
A completed Campaign-Based Distribution setup will look something like this:
Finally, click Save Distribution to schedule your distribution.
Remember, the course will only distribute once the associated phishing campaign is marked as Complete.
Once you have saved your distribution, proceed to View Results.
View Results
Once you have launched a distribution, as an admin you can view the results to track your end users' progress.
On the Results page for the particular distribution, you can see the details for each course included in the distribution.
You can track users' assignments as they are completed, with the Date and Time Completed tracked accordingly.
Send Reminders
For your users who have not yet completed the assignment, you may want to send them a reminder to jog their memory.
TraceEducation offers a convenient Send Reminders button which you as the distribution admin can use on-demand.
Clicking this button will generate an automatic reminder email from TracePhishing to all pending users in your Distribution. The email will provide the user with instructions to log into TraceInsight. Here is an example of an automatically generated email from TraceEducation:
Alternatively, TraceEducation is programmed to email your pending users every seven days with automatic reminders and fresh hotlinks to access their training. These automatic reminder emails will cease when the user completes their training or when your distribution expires, whichever comes first.
The Is Active? Column, Explained
The Is Active? column refers to the user's status on the Users page in TraceInsight (See Managing Individual Users for more information). If any users who were included in the distribution are marked Inactive by a Company Administrator, you will see the following notification in the Distribution Details:
You can click "Show Inactive Users" to view these users in the Distribution Details.
The Distribution Details will update to show an entry for the inactive user; however, the distribution completion numbers will not reflect the inactive user.
The inactive user will show a No in the Is Active column, and will not count against the completion numbers.
When you are ready to export the results for a distribution, you can choose to export as a CSV or as a PDF.
Assignments
When a Company or Education Administrator assigns a course to an end user, the user will receive a notification email like this:
Please note that TraceSecurity enabled support for Multi-Factor Authentication (MFA) in TraceInsight in August 2023. This conversion has unfortunately removed the capability to offer direct logins (aka hotlinks).
Reminder: Users must have the TraceEducationModuleAccess user role assigned in order to access any assigned training. If this role is not assigned to their Insight user account, they will not be able to access any assigned training upon logging into TraceInsight. For more information on Insight User Roles, please see Managing User Roles.
A reminder email will be sent every 7 days by TraceEducation to all pending users until they complete their assignments. The reminder emails will stop either when the user completes the assignment OR when the expiration date of the distribution arrives (whichever comes first).
Alternatively, the user can log in to TraceInsight, access the TraceEducation module, and proceed to the Assignments page.
The Assignments page shows the end user which distributions and courses are assigned to their account.
The user can click the View Assignment button to access the particular course.
After watching the training video in its entirety, the user must then complete a short quiz to assess their understanding of the training content. For each question, the user must select the most appropriate answer to the question. Once they select their best guesses, they can click Submit to receive instant feedback.
Incorrect answers will change color to red with a small note that "The selected answer is incorrect". The user must then make another guess and Submit their new answer(s) until all the questions are green.
Once the user successfully completes the quiz, they will see a success message at the top of the page:
The user can then click Back to Assignments to see any other courses they need to complete.
For the completed course, the Completed? column will show a Yes and the Date Completed column will show the date and time that the user completed the assignment.
TraceEducation Full Course Listing
This page offers a listing of TraceEducation's extended video library. If you would like to learn more about making these videos available in your account, please contact your Account Executive for more information!
No. | Video Name | Description | Length |
---|---|---|---|
1. | Business Email Compromise | Business email compromise (BEC) is the act of a hacker getting into your company email account. BEC scams are typically carried out through phishing attacks, such as spear phishing. This course will cover best practices to identify and avoid phishing scams that can lead to Business Email Compromise. | 04:22 |
2. | How to Identify a Phishing Email | Phishing emails continue to be one of the easiest ways for hackers to compromise businesses and steal information. This course will cover the most common red flags in phishing emails and how to identify them. | 04:36 |
3. | Password Management Best Practices | Password management involves the various ways you authenticate yourself to login to different technology resources. This course will cover the benefits of password management and some general password best practices. | 03:16 |
4. | Secure Destruction of Physical & Digital Media | Physical and digital media come in many forms. There are some special ways that media need to be disposed of to truly remove or destroy the data, keeping it away from bad actors. This course will cover the various types of media and the ways in which they are best destroyed. | 04:39 |
5. | So You Clicked on a Phishing Link | With how sophisticated phishing attacks have become, it's important to know what to do if you think you've been phished. This course will cover the steps you should take if you think you clicked on a malicious link or attachment. | 04:00 |
6. | Social Engineering: The Importance of Being Rude | Social engineering is a great way for hackers to take advantage of your routine and tendency to be polite. When it comes to cybersecurity protections, being too nice can be the very thing that gets you in trouble. This course will cover some common onsite social engineering tactics and how to avoid falling victim to them. | 03:28 |
7. | What is Malware? | Malware, short for "malicious software", is any software designed to compromise the security of your computer or device. This course will cover how malware works, how it can affect you, and how to avoid a malware infection. | 03:13 |
8. | What is Smishing? | Smishing is a form of social engineering that targets cell phones using malicious SMS text messages. This course will cover best practices for identifying smishing attacks and generally handling unsolicited text messages. | 05:27 |
9. | What is Vishing? | Vishing is a form of social engineering that targets individuals over the phone, also called "voice" phishing. This course will cover best practices for identifying vishing attacks in real time and how to handle unsolicited phone calls. | 03:47 |
10. | What is Ransomware? | Ransomware is a rapidly growing cybersecurity threat that all employees need to be aware of. This course will cover how ransomware could affect your organization and best practices to avoid falling victim to a ransomware attack. | 03:22 |
11. | Social Media Cybersecurity Threats | Social media has become a part of our everyday lives, and hackers are using it for phishing attacks. This course will cover the types of social media phishing to be on the lookout for and tips to avoid exposing your personal information through these sites. | 04:48 |
12. | The Importance of Backups | Backing up your files is the best way to make sure you don't lose your personal or company information through a device failure or cybersecurity attack. This course will cover the benefits of keeping backups and best practices for doing so. | 03:54 |
13. | Video Call Best Practices | Video calls have become an important form of communication for clients, vendors, coworkers, and even personal use. This course will cover best practices when hosting or joining video calls. | 05:47 |
14. | Vishing: How to Verify Users Over the Phone | Vishing, or voice phishing, is a common way that attackers will attempt to get confidential information out of an employee. This course will cover common tactics that they use, how to recognize them, and best practices for what information is not safe to share over the phone. | 03:32 |
15. | What to do with a Smishing Text Message | Smishing, or SMS phishing, is a newer attack method targeting both company and personal cell phones. This course will cover how to identify smishing text messages and best practices for what to do when you receive one. | 04:29 |
16. | How to Create a Secure Password | Passwords are an important level of security for your accounts, both at work and at home. This course will cover best practices for creating and maintaining passwords, as well as additional security measures you can add to further secure your accounts. | 05:14 |
17. | Keeping a Clean Workspace | Keeping a clean workspace is an easy way to keep personal and company information secure, whether you're in office, working from home, or working from a public place. This course will cover what an attacker would look for and best practices for keeping a clean and secure workspace. | 04:30 |
18. | WiFi Security & Best Practices | These days, public WiFi is freely available almost anywhere you go. Bad actors can spoof internet connections to steal information from your devices. This course will cover things to look out for and best practices when it comes to using public WiFi. | 05:21 |
19. | Less Common Social Engineering Tactics | Social engineers are always trying to fool people into giving them sensitive company information, and they have some creative ways to get past your defenses. This course will cover some less common social engineering attacks to look out for and how to handle them. | 04:15 |
20. | IoT Device Security | Internet-connected devices are all around us, from smart TVs to smart speakers to streaming devices, forming what's called the Internet of Things. How can you make sure these IoT devices are secure and safe from unauthorized access? This course will give you some practical tips for at home and in the workplace to make IoT machines as protected as possible from potential attacks. | 05:22 |
21. | Lifecycle of an Update | You're constantly getting notifications to update your various devices and applications, whether it's for security patches, bug fixes, or better usability. This course will cover the importance of updates and why they should be treated as time sensitive. | 05:43 |
22. | Secure Browsing | The World Wide Web is a wealth of valuable information but also a playground for bad actors looking to compromise your devices and data. One wrong click on a spoofed website or malicious advertisement could open you up to exposure of sensitive data. This course will provide tips and tricks on secure browsing and how to avoid security pitfalls on the public internet. | 05:34 |
23. | Social Engineering: Faster Isn't Always Better | In this digital age, speed and efficiency are key factors expected of the modern worker. However, what if hurrying through your daily tasks is opening yourself up to potential cyber threats? This course will inform the user on how to slow down and pay attention to the warning signs of social engineering in a variety of use cases. | 05:53 |
24. | Public Info Gathering: What is Out There and Why Is It Important | The average user may not think twice about sharing information on social media and other publicly facing websites. But what happens when malicious actors can locate this information and turn it against you and your organization? This course will instruct the user on the threat of public information gathering and how to guard oneself against data disclosure. | 06:45 |
25. | Practical Guide to Device Decommissioning | Our devices are constantly being replaced and upgraded. But what should you do with your old devices? This course will cover some easy (and sometimes profitable) ways you can properly and securely dispose of your decommissioned devices. | 05:10 |
26. | RFID Crash Course | Radio Frequency Identification (RFID) technology is all around us but many users may not understand how it works, let alone how bad actors can leverage it against your organization. This course will cover the basics of RFID functionality as well as practical guidance for the user to prevent unauthorized access to RFID badge systems. | 07:06 |
27. | QR Code Quirks and Quagmires | QR codes have become a part of our everyday life, at home and at work. While QR codes can be very convenient, there are some security risks associated with them. This course will cover the ways a malicious attacker could use QR codes to trick you and how to verify their legitimacy out in the wild. | 05:14 |
28. | The Temptations and Dangers of Shadow IT | Shadow IT is any hardware, software, or device you use with company resources that has not been approved or vetted by your IT department. There's a good chance you're doing this without even realizing. This course will cover the risks of Shadow IT and how to avoid it whenever possible. | 05:03 |