Free Guide: How Organisations Can Create Cyber Superheroes to Take on Cyber-Attacks

When you think of cyber attacks, you might imagine that it’s only tech firms and the banking industry that are targets. However, every organisation in every industry has valuable data to lose.

A 148% surge in global ransomware attacks from 2020 to 2021 is testament to that fact. It’s an increase which has led to many organisations realising the importance of cybersecurity.

Digitisation is leading to better products and a wider consumer reach, but at the same time it is providing new opportunities for cybercriminals to exploit. Combined with the increased flexibility of our working habits, the avenues of attack for cybercriminals are greater than ever before.

In our essential free guide, we’ll share the reality of cybercrime in 2023, help you understand the role of people in your organisation’s protection and more, including:

  • The sectors most at risk of a breach
  • The true cost of cybercrime
  • Why every business should train employees to prevent cyber-attacks
  • How to turn a mild-mannered employee into a cyber-superhero!
  • … and much more!


Free Guide: Everything You Need to Know About Phishing

Ever received an email that seemed a little fishy? You know, those ones that pretend to be from reputable companies but just don’t feel right?

Well, these are phishing emails; unfortunately, they’re a genuine concern, especially if you fall victim to one.

According to a recent report, phishing and pretexting make up 98% of cyber incidents and 93% of breaches. Shocking, right?

Our free guide “Everything You Need to Know About Phishing” gives you and your staff the knowledge needed to spot and stop phishing emails before they do harm to your organisation.

In this free guide, you’ll learn:

  • What phishing is
  • What the types of phishing attacks are
  • How to spot a phishing email
  • What to do if you click a phishing link
  • How you can stop phishing attacks in your organisation
  • … and more!


Free Guide: Developing Your Perfect Training Programme

An effective training programme can be the difference between a breached business and a secure business.

Whilst there’s no shortage of training solutions out there, ensuring that you’re getting the most from them is a persistent challenge that every business faces.

In this essential free guide, we share what we’ve learned over almost 15 years of creating award-winning training programmes for organisations of all sizes.

In it, you’ll learn:

  • How cyber awareness contributes to your security culture
  • How positivity garners buy-in
  • The common mistakes organisations make
  • How to overcome challenges in your training rollout
  • Best practices to follow to maximise the value of your training output


What your personality type says about your cybersecurity

It’s a digital world, and cybersecurity is now a critical concern for businesses of all sizes.

With an increasing number of cyber-attacks hitting organisations of all sizes, it’s imperative for companies to take every available measure to protect their confidential information and sensitive data.

While technical measures such as firewalls, antivirus software, and encryption are important, a company’s cybersecurity is also impacted by its employees’ personality types, as 90% of breaches are caused by human error.

It’s reductive to think of all employees as the same, though. Indeed, some personality types may be more vulnerable to cyber attacks, while others may be better suited to prevent them.

In this blog post, we will explore the role of different personality types in protecting a company’s cybersecurity, focusing on the Myers Briggs personality types.

The Myers Briggs Type Indicator (MBTI) is a widely used personality test that categorises individuals into 16 different personality types based on four dimensions:

  • Extroversion/Introversion
  • Sensing/Intuition
  • Thinking/Feeling
  • Judging/Perceiving

Each personality type has unique characteristics that make them more or less susceptible to cyber-attacks.

Before we begin, it’s worth finding out your own personality type.

It’s also worth considering the different forms of cyber-attack companies face. Cyber attacks can be broadly classified into three categories: social engineering attacks, malware attacks, and physical attacks.

Social engineering attacks are based on psychological manipulation, where attackers use deception to gain access to confidential information. Malware attacks, by contrast, involve the installation of malicious software that can harm the company’s computer systems or steal data. Finally, physical attacks involve physically accessing a company’s computer systems to steal or damage data.

Now, let’s dive into different personality types’ role in protecting a company’s cybersecurity.

How do personality traits affect cybersecurity?

Extroversion/Introversion

Let’s start with extroverts. Extroverts are outgoing and social individuals who enjoy being in the company of others.

However, their openness and willingness to share information can make them vulnerable to social engineering attacks.

Social engineering attacks often involve the attacker posing as a trusted individual and manipulating the victim into sharing sensitive information. Extroverts’ tendency to trust others and disclose information may make them more susceptible to these types of attacks.

Therefore, it’s essential to provide cybersecurity awareness training to extroverts in the company to help them recognise and avoid social engineering attacks.

On the other hand, introverts are more reserved and cautious in their interactions with others.

They are less likely to trust others and are more guarded with their personal information, and this makes them less vulnerable to social engineering attacks.

However, introverts may be more susceptible to malware attacks as they may be less likely to communicate their concerns or report suspicious activity.

As such, it’s essential to encourage introverts to report any unusual activity or suspicious emails to the IT department.

Sensing/Intuition

Now, let’s move on to the sensing/intuition dimension of the MBTI.

Sensors are individuals who rely on their senses to gather information and make decisions. They prefer concrete information and are detail-oriented.

Intuitives, on the other hand, rely on their intuition and imagination to gather information and make decisions. They are big-picture thinkers and are more concerned with possibilities than with details.

Sensors may be more vulnerable to physical attacks as they may be more likely to leave their computer systems unlocked or to write down passwords in plain sight. They are detail-oriented and may focus more on the task at hand than on the security of their computer systems.

For this reason, cybersecurity awareness training can be incredibly valuable for sensors to help them understand the importance of securing their computer systems.

Intuitives, on the other hand, may be more vulnerable to malware attacks as they are more likely to be curious and explore new possibilities.

They may be more likely to click on suspicious links or download unknown software, so training that helps intuitives recognise and avoid malware attacks is especially valuable.

Thinking/Feeling

Moving on to the thinking/feeling dimension, thinkers are individuals who make decisions based on logic and objective analysis. They prioritise rationality and accuracy over emotions.

Feelers, on the other hand, make decisions based on their emotions and values. They prioritise empathy and harmony over logical analysis.

Thinkers may be more vulnerable to social engineering attacks as they may be less attuned to the emotions and motivations of others.

They may be more likely to trust information that appears logical and objective, without considering the possibility of deception. In this case, training thinkers to help them recognise the emotional and psychological tactics utilised in social engineering attacks can be very helpful.

Feelers, on the other hand, may be more vulnerable to social engineering attacks as they may be more susceptible to temptations based on empathy and emotion.

They may be more likely to trust information that appears to align with their values or emotions without considering the possibility of deception. They therefore require education to help them recognise when their nature is being used against them in social engineering attacks.

Judging/Perceiving

Finally, let’s turn our attention to the judging/perceiving dimension of the MBTI.

Judgers are individuals who prefer structure and organisation. They are decisive and prefer to plan and execute tasks in a structured manner.

Perceivers, meanwhile, prefer flexibility and spontaneity. They are adaptable and prefer to respond to situations as they arise.

Judgers may be more vulnerable to physical attacks as they may be more likely to adhere to established security protocols without considering the possibility of deviation or innovation.

They may be less likely to adapt to new security threats or situations that require improvisation. Cybersecurity awareness training can help them recognise the importance of adapting to new security threats and situations.

Perceivers may be more vulnerable to malware attacks as they may be more likely to experiment with new software or technology without considering the potential security risks.

They may be less likely to adhere to established security protocols or to recognise the potential risks associated with new software or technology. Therefore, it is helpful to regularly remind them that every piece of software contains risks, and train them to spot them.

How can Bob’s Business help reduce your risk of a breach?

With a deeper understanding of the types of personalities in your organisation, you’re better equipped to take measures to reduce risk, but you’ve only just started on your journey to a cyber-secure workplace.

At Bob’s Business, we build cybersecurity awareness training solutions informed by behavioural psychology to give everyone in your team the tools they need to spot and stop attacks.

We’d love to show you how affordable our proven training solutions can be for your organisation. Book a slot to talk to us now.

Why social media education is more important than ever

Social media has fundamentally altered the way we interact with one another on the internet. From cat pictures to business listings, there’s virtually no aspect of our public and private lives that social media hasn’t touched.

Today, social media platforms like Twitter, Facebook, TikTok and Instagram have become omnipresent in our daily lives. From sharing photos of our pets to promoting our businesses, they have changed how we interact and communicate online.

However, while social media has opened up a world of opportunities for organisations, it has also introduced new risks and pitfalls.

Is social media training actually necessary?

Building an online brand creates a level of trust and intimacy that can draw in potential clients, and as you are probably aware, social media platforms can greatly improve the success of your company.

However, without education about the power of these tools, social media can and will lead to security problems if not used properly.

As the use of social media continues to grow, so do the potential risks. In fact, according to a survey by Hootsuite and WeAreSocial, nearly 90% of businesses use social media for marketing purposes, and 81% of those businesses believe that social media is important for their overall business strategy. However, few companies are actually training their team on the subject, instead relying on ‘common sense’ to see them through.

This lack of education can lead to major problems such as hacking, phishing, and identity theft.

In turn, this can lead to huge problems when employees click on malicious links posted by people trying to communicate with your company. Through this, hackers can steal your company’s identity and post unwanted content on your account.

Here are just a few of the reasons why social media education is necessary for your organisation:

  • Cybersecurity threats: Social media use can expose organisations to cybersecurity threats such as hacking, phishing, and identity theft. Educating employees on the dangers of social media makes them more aware of the risks and helps them take steps to mitigate them.

  • Brand reputation: Social media can greatly impact an organisation’s reputation, as it’s often one of the first places people go to learn about a company. Employees need to be trained on how to communicate properly with clients and customers and maintain a positive image for the organisation.
  • Effective communication: The fast-paced and informal nature of social media communication can lead to misunderstandings and miscommunications. Education can help employees understand the nuances of social media communication and use it more effectively to build and maintain business relationships.
  • Personal privacy: Employees also need to be aware of the dangers of oversharing personal information on social media, as this can lead to identity theft and other privacy issues.
  • Compliance with company policies: Organisations often have social media policies in place to ensure the responsible use of social media. Education can help employees understand these policies and follow them, which can reduce the risk of legal and ethical issues.

What are the individual risks your team face?

If the wider organisational implications aren’t enough for your employees to understand the risks of social media, they should also understand the risks that they can individually face.

It’s essential for employees to be aware of their responsibilities when using social media and to use it responsibly. This includes being mindful of the information they share, being respectful and professional in their online interactions, and taking steps to protect their personal information and privacy.

As an employee, the use of social media can come with a range of risks that need to be addressed. These include:

  • Loss of privacy: Oversharing personal information on social media can put an employee’s privacy at risk. This can lead to identity theft, cyberstalking, or other privacy violations that can have serious consequences.

    A recent example is that of the social media app BeReal. A quick scroll through the BeReal app is enough to see that during the work week, it’s not unusual to see images of people’s computer screens with their email inbox on display, or with an assignment that person is currently working on in the background. These sorts of pictures can put an individual’s identity at risk of being stolen.
  • Career damage: Improper use of social media can also harm an employee’s reputation and career prospects. This can include posting inappropriate content, making negative comments about the company or colleagues, or engaging in online arguments with clients or customers.
  • Legal consequences: The use of social media can also lead to legal consequences if an employee posts defamatory or false information, or violates laws related to intellectual property, discrimination, or workplace privacy.
  • Decreased productivity: The time and attention employees spend on social media can take away from their work, leading to decreased productivity and potentially affecting their performance and job satisfaction.

What Are Bob’s Top Social Media Tips?

Our Social Media course is specifically designed to educate your workforce on the correct procedures and tone to adopt when using social media. But what are some tips you can action today to help improve your social media use? Join us as we share our top tips below.

  • Create strong and unique passwords for each of your online accounts, and avoid using easily guessable information like your name, date of birth, or address.
  • Be cautious of emails from unknown senders or those that contain attachments or links. Phishing scams can often look like legitimate emails from banks, social media platforms, or other organisations, so always be wary of these.
  • Regularly update your software, antivirus, and anti-malware protection to ensure you have the latest security measures in place.
  • Be mindful of the information you share on social media and other online platforms. Avoid sharing sensitive information like your Social Security number, financial details, or personal addresses.
  • Utilise the privacy settings on your social media and other online accounts to control who has access to your personal information and activity.
  • Before clicking on any links in emails, messages, or online posts, hover over the link to see where it leads. This can help you avoid falling prey to malicious websites or phishing scams.
  • Be mindful of your online content and be respectful of others in your online interactions. Avoid posting inflammatory or offensive comments or content, and be aware that your online actions can affect your personal and professional life.

Share this blog post with your employees so your organisation can stay protected from the potential risks of social media.

Ready to start training your team on social media alongside over sixty other cybersecurity and compliance topics? We have courses designed and tailored towards your organisation. Check out our award-winning cybersecurity training courses here.

Bob’s upcoming events

At Bob’s Business, we’re always popping up at events to share our knowledge, get the next generation involved and speak to potential clients. It’s a busy schedule that means, no matter where you are, you’re never too far away from a member of our team. 

We regularly share where we’ll be on our social media channels (Twitter, Facebook, LinkedIn), but this page is our new permanent home for those looking for our complete schedule. 

Here’s where Bob’s Business will be this month and beyond:

April 2024

UK Cyber Week, April 17-18, Olympia London

The Bob’s Business team will be exhibiting at UK Cyber Week in Olympia London, introducing our award-winning products and services to companies both large and small. Come visit us at stand H13!

This month in data breaches: January edition

Whether your New Year has started with a bang or a whimper, there’s one constant for every organisation: cyber threats never take a break and data breaches can occur anytime.

In January 2023, that’s a lesson several well-known companies and organisations learned as they fell victim to devastating data breaches. These incidents have cost companies and schools hundreds of millions of pounds and damaged customer trust.

But it’s not all bad news! By learning from these incidents, we can prevent similar breaches from happening in the future.

In this blog, we’ll take a closer look at the biggest data breaches of January and explore how they could have been avoided. So, grab a seat and join us as we dive into the world of data breaches and learn how to protect your organisation better.

T-Mobile

It was revealed on January 5th that the US wireless carrier T-Mobile suffered a data breach in which a malicious actor gained access to the company’s systems and stole personal information from over 37 million customers. It’s their second cyber attack in less than two years, coming just two months after they promised to upgrade and strengthen their data security.

A spokesperson said, “Carriers have a unique responsibility to protect customer information. When they fail to do so we will hold them accountable.” T-Mobile was able to contain the breach within a day, but the incident has already cost the company hundreds of millions of dollars and damaged customer trust.

This is not the first time T-Mobile has dealt with a data breach; they also had to pay a $350 million settlement related to an August 2021 incident.

This type of breach could have been prevented with proper employee training and awareness of cybersecurity. By implementing measures such as regularly educating their employees on how to identify and prevent phishing attacks alongside how to handle sensitive information, they could create a culture of security within the organisation.

MailChimp

MailChimp also fell victim to a data breach in the new year due to a social engineering attack that gave unauthorised access to over 133 users on an internal customer support tool.

Hackers gained access to employee information and credentials, but MailChimp has since identified and suspended those accounts.

Again, this is not the first time MailChimp has been hacked, as they also suffered data breaches in April and August of 2022. Such attacks highlight the importance of deploying comprehensive cybersecurity processes and protocols to stop hacking attempts before information is compromised again and again.

NortonLifeLock

NortonLifeLock also suffered a data breach in January 2023, this time due to a credential “stuffing” attack. Credential stuffing attacks reuse previously compromised passwords to break into other accounts where the same password has been reused, highlighting the importance of multi-factor authentication.

“Systems have not been compromised, and they are safe and operational, but as is all too commonplace in today’s world for bad actors to take credentials found elsewhere, like the dark web, and create automated attacks to gain access to other unrelated accounts.”

Norton’s parent company, Gen Digital, sent notices to the accounts they believed could have been compromised and recommended changing passwords as well as enabling two-factor authentication. It’s a breach that once again highlights the importance of building a cybersecurity culture that extends across your entire organisation, both in the office and at home.

Hull and Yorkshire Schools

Last month saw schools in Hull suffer a major data breach that compromised the sensitive information of students and staff. The breach was caused by a phishing attack in which hackers sent emails to school employees posing as a trusted source, tricking them into revealing their login credentials.

Once the hackers gained access to the employees’ accounts, they were able to steal sensitive information such as names, addresses, and more. This information was then used for malicious purposes, causing harm to both the individuals and the schools.

The breach highlights the importance of proper cybersecurity training and awareness, as well as the need for robust security measures to protect sensitive information. It also highlights the dangers of phishing attacks, which are becoming increasingly sophisticated and challenging to detect.

How to protect your organisation

While different types of cyber attacks caused these data breaches, they all highlight the importance of proper security protocols and the role that human error can play in these incidents.

  • Keep your systems updated: Regularly patching your systems helps prevent breaches from happening.
  • Implement multi-factor authentication: Regularly monitoring and testing your security systems are also essential steps organisations like yours can take to prevent data breaches.
  • Invest in cybersecurity training for employees: Cybersecurity is not just the responsibility of IT departments; it is a responsibility that falls on every employee within the organisation.
  • Cover a wide range of topics: Cybersecurity training should range from how to identify and prevent phishing attacks, to using strong passwords, to how to handle sensitive information, and more.

At Bob’s Business, we’re building towards a world where everybody is safe online. If you’re ready to start taking cybersecurity seriously, we’re here to help. Give your team the knowledge they need to spot and stop attacks before they damage your business. Book a slot to chat with a member of our team now.

10 essential cybersecurity practices for new employees

Welcome to the wonderful world of cybersecurity! As an employee starting at a new company, it’s vital to understand the importance of good cybersecurity practices. After all, human error is responsible for around 90% of data breaches in organisations.

By following your company’s cybersecurity practices, you’re helping to protect your company’s valuable information and assets from cyber threats, alongside keeping the company’s operations running smoothly and maintaining the trust of customers and partners.

And let’s be honest, following your company’s cybersecurity practices isn’t just a responsibility; it’s an ethical obligation to protect your company’s and colleagues’ data. If you don’t, it could lead to serious consequences like a data breach, financial losses, and damage to the company’s reputation.

Knowing where to start can feel bewildering, but don’t panic, because in this blog post we’ll be sharing ten cybersecurity practices to adopt to help protect your company.

But first…

Why are positive cybersecurity behaviours important?

Cybersecurity isn’t something that should only concern CEOs and tech team members, it’s something we should all be concerned about and, crucially, something we can all impact in a positive manner.

Human error is responsible for around 90% of data breaches in organisations, and anyone can make a mistake leading to a breach.

This is why it’s crucial for everyone in your business to understand the importance of following the company’s cybersecurity practices and the value of adopting new, secure behaviours.

It isn’t just about keeping cybercriminals out; it’s also about keeping us all accountable and ensuring we all do our part in protecting your company’s information.

Here are our top 10 behavioural practices for new hires:

Use strong and unique passwords

Using strong and unique passwords is one of the most basic, yet essential, cybersecurity practices you can adopt. You would be surprised at how many employees’ passwords are ‘password’. Is this you? If it is, then here are some tips on creating strong passwords.

A strong password should:

  • Be at least 12 characters long
  • Include a combination of letters, numbers, and special characters
  • Avoid easily guessable information, such as your name, birthdate, or common words
  • Not be reused across multiple accounts, as a data breach on one site could lead to a domino effect across all your accounts

Keep your software and devices up to date

Software and device updates often include security patches to fix known vulnerabilities. If a security vulnerability is discovered, hackers will often try to exploit it before a patch is released. By keeping your software and devices up to date, you can ensure that these vulnerabilities are fixed and your devices are protected.

Be cautious when opening attachments or clicking on links in emails

Phishing scams often use emails to trick people into providing sensitive information or downloading malware. Always be cautious when opening attachments or clicking on links in emails, especially if they are from unknown senders. Take a look at our blog on how to spot a phishing email.

Use a VPN when working remotely or accessing company resources from a public network

A VPN encrypts your internet connection and helps protect your data from hackers. Public Wi-Fi networks are often not secure and can be easily hacked, so it’s essential to use a VPN when working remotely or accessing company resources from a public network.

Avoid using public Wi-Fi networks

Public Wi-Fi networks are often not secure and can be easily hacked. If you need to access company resources or sensitive information while on a public network, use a VPN to encrypt your connection and protect your data.

Use two-factor authentication whenever possible

Two-factor authentication adds an extra layer of security to your accounts by requiring a second form of identification, such as a fingerprint or a code sent to your phone. This makes it much more difficult for hackers to gain access to your account, even if they have your password.

Be mindful of your online presence

Be careful about what you post on social media, and be aware of your privacy settings. Hackers can gather information about you from what you share publicly. Be mindful of the information you share online and use privacy settings to control who can see your posts. Take a look at our blog post on how to reduce your digital footprint.

Use anti-virus and anti-malware software

These programs help protect your computer from malware and other malicious software. They work by scanning your computer for known malware and alerting you if it finds anything suspicious. Keep your anti-virus and anti-malware software up to date to ensure that it can protect you from the latest threats.

Be aware of social engineering tactics

Cybercriminals often use tactics such as phishing and pretexting to trick people into providing sensitive information. Be aware of these tactics and be cautious when providing personal information, especially over the phone or online. To learn more about social engineering, look at this blog post.

Report any suspicious activity or breaches immediately

If you suspect your computer or network has been compromised, report it to your IT department immediately. Time is of the essence when it comes to cybersecurity breaches: the faster they are detected and dealt with, the less damage they can cause.

Download your free quick wins checklist

Ready to start reducing cyber risk in your new starters? Click the text below to download your free quick wins checklist, no details required. Alternatively, why not book a quick demo with one of our cyber risk reduction specialists?

Click here to download your quick wins checklist.

What are the cyber risks in the education sector?

The cyber health of educational sector establishments is a growing concern in the UK, and for good reason. In a recent survey conducted by the UK’s National Cyber Security Centre, 61% of educational institutions reported a cyber-attack in the last 12 months, a figure that rises to 78% when looking at schools alone. That’s an astonishing figure, one which highlights the state of play as we move into 2023.

Furthermore, UK government statistics reveal that the education sector is the second most targeted sector for cybercrime in the UK, with incidents of fraud and data breaches reported to be on the rise.

Cases such as the cyber-attack on the University of Greenwich in 2019, which resulted in the personal data of students and staff being compromised, highlight the severity of these risks.

These statistics and cases make it clear that educational institutions must stay informed and take proactive measures to protect organisations and people against cybersecurity risks.

At Bob’s Business, we’re all about cybersecurity education, so join us as we highlight why the education sector is so at risk, and what you can do in your organisation to prevent any cyber-attacks in the future.

Why is the education sector at risk of cyber attacks?

The question of why the educational sector is particularly at risk is an important one. After all, why would a cybercriminal attack a university, foundation or academy?

The education sector is at risk for several reasons. One of the most significant factors is the large amount of personal and sensitive information collected and stored by educational institutions.

This information includes student and staff data, financial information and, often, valuable research data.

Additionally, the increased use of technology in the classroom, such as laptops and tablets, alongside the growing reliance on online platforms and applications, has created more opportunities for cybercriminals to gain access to this information.

Another reason why the education sector is at risk is that many educational institutions dedicate little to no resources to cybersecurity. In turn, this creates a fertile environment for cybercriminals to operate within, making attacks desirable and, frankly, inevitable.

Why every education sector organisation needs a robust cybersecurity programme in place

A data breach in the education sector can have serious consequences, including financial losses, reputational damage, and even legal action.

From students to staff members, the loss of personal and sensitive information can profoundly impact the individuals affected. Here’s what a cybersecurity programme does for your organisation:

  • Protects sensitive student and staff information: A cybersecurity programme ensures that personal information such as names, addresses, and financial data of students and staff is secure and protected from potential cyber threats.
  • Prevents financial losses: A data breach can cause financial losses for an institution through fines and legal costs, along with significant reputational damage.
  • Avoids reputational damage: A data breach can harm an institution’s reputation and lead to a loss of trust from students, staff and even the wider community.
  • Mitigates legal action: A data breach can lead to legal action against an institution if regulations are not complied with; a cybersecurity programme helps prevent breaches and ensures compliance with relevant regulations.
  • Ensures the continuity of education: Cyber-attacks on institutions can result in the shutdown of critical systems and resources that support teaching and research.
  • Maintains the privacy and trust of students, staff and their families: A data breach can compromise the privacy and personal information of students, staff and their families.
  • Enables institutions to comply with data protection regulations: Institutions handle large amounts of personal data and are subject to data protection regulations; a robust cybersecurity programme helps institutions to comply with these regulations and avoid potential penalties.
  • Secures the intellectual property and research data of institutions: Educational institutions conduct research and develop intellectual property that needs to be protected.

Don’t believe us? Let’s take a look at a real-life case of an education sector data breach.

The University of Cambridge data breach

The University of Cambridge suffered a data breach in 2019, in which the personal information of staff and students, including names, addresses, and email addresses, was accessed by attackers.

Additionally, sensitive financial information was compromised. The attack caused the university to shut down its entire IT network, leading to significant disruptions to the day-to-day operations of the institution.

This data breach could have been avoided if the University of Cambridge had provided sufficient cybersecurity training for its staff and students. By educating staff and students on best practices for online security, such as identifying phishing scams and creating strong passwords, the University could have reduced the likelihood of a successful cyber-attack.

Regular cybersecurity training could have ensured that all staff and students were aware of the latest threats and how to protect against them, potentially identifying and stopping the attack before it could do any damage.

How can your educational institution improve its cybersecurity?

Reducing cyber risk and building a security culture within an educational establishment won’t happen overnight, but there are a number of steps you can take today to put you on a cyber-secure footing.

One of the most effective ways is to invest in cybersecurity training for staff and students.

It won’t be breaking news for educators that education is invaluable, but it can’t be overstated how crucial it is in preventing cyber-attacks. Case in point: over 90% of breaches occur as a result of simple human error.

Training staff members and students is the most effective way to reduce the likelihood of a successful breach. However, genuinely successful training only happens when everyone receives equal training on best practices for online security, including how to identify and avoid phishing scams, how to create strong passwords, and how to use security software.

Beyond training, institutions should:

  • Invest in technologies and software to detect and prevent cyber-attacks.
  • Regularly review and update their policies and procedures. This includes creating a comprehensive incident response plan that outlines the steps that should be taken in the event of a cyber-attack.
  • Conduct regular security assessments to identify potential vulnerabilities and take steps to mitigate them.

How can Bob’s Business help your educational institution reduce its cyber risk?

At Bob’s Business, we offer unique and engaging online cybersecurity training that makes reducing risk simple and affordable for every kind of educational sector organisation. Our training is designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Our training is also bite-sized, interactive, and easy to fit into your busy schedule. Plus, it’s engaging, ensuring your team stays motivated and focused throughout the process.

We’ve been helping to deploy cybersecurity training and policy compliance solutions across education sector institutions, such as the University of Northampton and DMAT Schools, for over 14 years.

With features such as in-depth quarterly and annual reporting, built-in policy management, truly engaging short-form training and support for devices of all shapes and sizes, Bob’s Business is uniquely positioned to help you stop cyber-attacks.

Ready to learn more? Click here to discover our range of cybersecurity awareness training products.

Social engineering: everything you need to know

No matter how much you spend on complex hardware and software cybersecurity solutions, they can’t account for the source of 90% of successful breaches: your staff.

Cybercriminals utilise dozens of proven psychological techniques to encourage your staff to give them access to your and your organisation’s data and (in many cases) physical premises. We in the cybersecurity profession refer to these techniques as ‘social engineering’.

But what is social engineering, how do social engineering attacks work, and what are the types of social engineering? Join us as we present our essential guide, updated for 2023.

What is social engineering?

Social engineering is a term that covers a wide variety of attacks that leverage human vulnerability to gain access to sensitive information.

With the risk of being targeted by social engineers growing greater by the day, we must fully understand the different types of social engineering attacks and how best to avoid them.

How do social engineering attacks work?

Whether we like to admit it or not, we’re all creatures of habit.

Modern life is an almost constant blur of mundane tasks and activities. Naturally, we all want to find the easiest and fastest way to accomplish those tasks.

Unfortunately, that often means that we’re lax about security.

Simple things like using the same password across multiple accounts can make your life easier, but it leaves the door wide open to social engineers.

Social engineers find the gaps in our security habits and utilise emotional manipulation techniques to access sensitive information.

How is shoulder surfing used?

Shoulder surfing enables social engineers to see what services you use, your contacts, and most importantly, your passwords. After making a note of these, the shoulder surfer can then try to access your systems remotely or even impersonate you to gain access to confidential information.

Examples of social engineering

Social engineering attacks come in all sorts of shapes and sizes, but the five most common ones to watch out for are:

Phishing

Phishing attacks are a common form of social engineering that involves sending fake emails or texts, often claiming to be from a legitimate company or individual, to trick the recipient into revealing sensitive information such as login credentials or financial information.

To avoid falling victim to a phishing attack, it is important to be cautious of unsolicited communication and verify the sender’s identity before clicking on any links or providing personal information. You can also protect yourself by using spam filters and keeping your security software up to date.

A more advanced form of phishing is called spear phishing. This is when a social engineer goes the extra mile to tailor the email to their target after conducting extensive research on, or data-mining, their target. This results in more effective phishing attempts, which are harder to spot.
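The advice above, to verify the sender’s identity before clicking on anything, can be turned into a simple automated check. The following is an added example written for this guide, not code from Bob’s Business or from any product described here. It assumes a small constructed allowlist of organisation names and their legitimate sending domains (`KNOWN_ORGS`), and both sample messages are constructed for the example. It flags the classic warning signs a phishing email shows: a display name that invokes a trusted organisation while the address comes from elsewhere, a lookalike sender domain, a Reply-To that goes somewhere else, urgency language in the subject, and link text that shows one address while the link points to another.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Hypothetical allowlist: organisation name (as it might appear in a display
# name) -> domains it genuinely sends from. Constructed for this example.
KNOWN_ORGS = {
    "university": {"university.example", "mail.university.example"},
    "payroll": {"payroll.example"},
}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|verify your account|suspended)\b", re.I
)
HOSTNAME = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def normalise_lookalike(domain: str) -> str:
    """Map common character substitutions back to the letters they imitate."""
    return (domain.lower().replace("0", "o").replace("1", "l")
            .replace("rn", "m").replace("vv", "w"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_email(raw: str) -> List[str]:
    """Return human-readable warning flags for a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name invokes a known organisation, but the address is not theirs.
    for org, domains in KNOWN_ORGS.items():
        if org in display.lower() and from_dom not in domains:
            flags.append(f"display name mentions '{org}' but sender domain is {from_dom}")
            # 2. Sender domain is one character away from a legitimate one.
            if any(edit_distance(normalise_lookalike(from_dom),
                                 normalise_lookalike(d)) <= 1 for d in domains):
                flags.append(f"sender domain {from_dom} is a lookalike of a legitimate domain")

    # 3. Replies would go to a different domain than the one the mail claims to be from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 4. Pressure language in the subject line.
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("subject uses urgency language")

    # 5. Link text shows one host while the href leads to another.
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if HOSTNAME.fullmatch(shown) and shown != href_host:
            flags.append(f"link text shows {shown} but points to {href_host}")
    return flags


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "University IT Helpdesk" <helpdesk@un1versity.example>
Reply-To: recover@mailbox-recovery.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be suspended. <a href="http://login.un1versity.example/reset">https://portal.university.example/reset</a></p>
"""

SAMPLE_LEGIT = """\
From: "University IT Helpdesk" <helpdesk@university.example>
Subject: Planned maintenance this weekend
Content-Type: text/html; charset=utf-8

<p>See <a href="https://portal.university.example/status">https://portal.university.example/status</a> for details.</p>
"""

if __name__ == "__main__":
    for flag in assess_email(SAMPLE_PHISH):
        print("WARNING:", flag)
    print("legitimate sample flags:", assess_email(SAMPLE_LEGIT))
```

None of these checks is proof on its own; the value is in combining them, and in the fact that each flag maps directly onto something a trained member of staff can also check by eye: who the mail is really from, where a reply would go, how much pressure it applies, and where a link actually leads.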

Baiting

Baiting is another form of social engineering that involves offering something desirable, such as a free gift or access to ‘exclusive’ content, in order to lure the victim into revealing sensitive information or performing a specific action.

To avoid falling for a baiting scam, it is important to be sceptical of anything that seems too good to be true and to be cautious of offers that require you to provide personal information or take specific actions.

Scareware

Scareware is a type of social engineering that involves tricking the victim into believing that their computer has a serious problem, such as a virus, and offering a solution for a fee. The “solution” is often unnecessary or ineffective, and the victim is scammed out of their money.

To avoid falling victim to scareware, it is vital to be aware of the signs of this type of scam, such as unexpected pop-up windows or warning messages, and to be cautious of any offer to fix a problem for a fee.

Pretexting

Pretexting is a form of social engineering that involves creating a fake identity or scenario to obtain sensitive information from the victim.

This can involve pretending to be a representative of a legitimate company or government agency to obtain personal information such as a social security number or bank account information.

To avoid falling victim to pretexting, stay cautious of anyone who asks for personal information and verify the identity of the person before providing any sensitive information.

Impersonation

Impersonation is a type of social engineering that involves pretending to be someone else to gain access to restricted areas or information.

This can involve pretending to be a co-worker, a maintenance worker, or someone else with legitimate access to gain entry to a secure area or obtain sensitive information.

Avoiding falling victim to impersonation isn’t easy, but by maintaining an awareness of your surroundings and being cautious of anyone who does not have proper identification or seems out of place, you can increase your chances.

It is also a good idea to verify the identity of anyone who claims to be a co-worker or representative of a company before providing any sensitive information or allowing them access to restricted areas.

Is tailgating a form of social engineering?

Yes! The purpose of tailgating (also known as piggybacking) is to gain entry to an area the attacker is not authorised to enter.

Typically, this is achieved by an unauthorised person following closely behind an authorised individual and getting the authorised individual to give them access.

This might include following someone into a lift requiring a security key, often with some excuse like holding a large delivery or simply forgetting their key.

Social engineers rely on people’s instinct to be helpful, so the next time you open the door to someone you don’t recognise, don’t be afraid to question them.

What is Shoulder Surfing?

Shoulder surfing is another physical form of social engineering that criminals use to gather information. When people work on the go, they lull themselves into a false sense of security and don’t realise they could be being watched.

Criminals will look to identify people who work on the go either on their laptop or phone, follow them to a place that they might like to work, like a coffee shop, and get into a position where they can see what’s on the screen.

Is social engineering a cybersecurity threat?

While social engineering may seem simple, it represents a significant cybersecurity threat to organisations. While companies continue to invest in technological solutions to stay secure, they don’t fix the vulnerabilities social engineers look to exploit – people’s behaviour, habits and emotions.

Suppose a user is tricked into revealing details that can help an attacker through your defences, or tricked into allowing someone unauthorised access. In that case, all the technology in the world would be unable to help you!

Real-life examples of social engineering attacks

Marriott International

In 2018, the hotel company Marriott International reported that its subsidiary Starwood Hotels & Resorts’ reservation system had been breached, exposing the personal information of up to 500 million visitors. The hackers had gained access to the system by using social engineering tactics to obtain login credentials from an employee at a third-party vendor.

The attack began in 2014 and went undetected for four years. During that time, the hackers used the access they had gained to the system to collect guests’ personal information, including names, mailing addresses, phone numbers, passport numbers, and payment card information. The breach was only discovered in 2018 when Marriott received an alert from an internal security tool.

The attack was a sophisticated example of social engineering, as the hackers had been able to gain the trust of an employee at a vendor and obtain sensitive login credentials through seemingly legitimate means.

Hackers often use social engineering tactics to target employees at companies or organisations that have access to sensitive information, as these employees may have weaker security protocols in place and may be more likely to fall for scams or phishing attacks.

DHL

Another example of a social engineering attack in the UK occurred in 2018, when hackers targeted the courier company DHL Supply Chain. The hackers used ‘pretexting’ to obtain login credentials from an employee at the company and used those credentials to access the company’s systems. Once inside the system, the hackers were able to steal sensitive customer information, including names, addresses, and payment card details.

The attack was discovered when DHL received reports from customers that they had received spam emails claiming to be from the company. Upon investigation, DHL discovered that the hackers had gained access to its systems and had been able to collect customer information. The company promptly notified affected customers and implemented additional security measures to prevent further breaches.

This attack was a reminder of the importance of strong security protocols and the need to be vigilant against social engineering attacks. It is essential for companies and organisations to educate their employees about the risks of social engineering and to implement strong security measures to protect against these types of attacks.

LinkedIn

In 2016, the social media giant LinkedIn announced that it had discovered that a hacker had gained access to the passwords of 117 million of its users.

The hacker had used social engineering tactics to obtain an employee’s login credentials at LinkedIn and then used those credentials to access the user data. The data was later sold on the dark web, and many LinkedIn users reported that they had received spam emails or had their accounts compromised as a result of the breach.

The attack was a sophisticated example of social engineering, as the hacker had been able to gain an employee’s trust at LinkedIn and obtain sensitive login credentials through seemingly legitimate means.

In this case, the hacker had used a phishing attack to obtain an employee’s login credentials and then used those credentials to access the user data.

The attack was discovered when LinkedIn received reports from a number of users that they were receiving spam emails that appeared to be coming from their LinkedIn accounts. Upon investigation, LinkedIn discovered that the hacker had gained access to the passwords of a large number of its users.

The attack was a reminder of the importance of strong security protocols and the need to be vigilant against social engineering attacks. With sufficient cybersecurity awareness training, attacks like this can be prevented.

How to defend against social engineering attacks

Defence against social engineers largely depends on awareness and ensuring that you and your workforce know what to be wary of.

Even the very best security technology can be overcome by a clever social engineer, which is why security awareness training is so essential.

Teaching your staff about the dangers of social engineering with engaging, jargon-free training is the most effective way of protecting your organisation.

To help you safeguard against some of these attacks, your staff should:

  • Adopt a suspicion-first mindset
  • Complete training to learn to spot the signs of phishing emails
  • Maintain a clear desk
  • Understand your organisation’s privacy policies
  • Protect themselves from malware through awareness
  • Treat any offers or requests from unknown people with suspicion