Data breaches are an ever-present threat to organisations. Despite advances in cybersecurity measures, the number of reported data breaches continues to rise yearly.

So far, 2023 has continued the pattern. As the calendar flipped to February, several data breaches were reported, including those affecting the NHS, Reddit, Arnold Clark, and Pepsi.

Let’s take a closer look at these data breaches and highlight how human error may have contributed to each incident.

NHS

Last month, news broke that thousands of NHS patients had their personal data leaked in a data breach.

The breach was caused by a phishing attack where an attacker accessed an employee’s email account containing confidential patient information.

The data stolen included patient names, addresses, phone numbers, medical information, as well as diagnoses and treatment details. The attacker then used this information to launch a spear-phishing attack on other NHS employees.

NHS has confirmed that the breach affected thousands of patients, and they are taking steps to prevent any further attacks.

This breach highlights the need for strong cybersecurity measures, including training for contractors and employees working with sensitive data. It also highlights the importance of regularly reviewing security policies and procedures to minimise the risk of such errors.

Reddit

In another incident, social media giant Reddit suffered a data breach in February 2023 that exposed users’ personal data, including email addresses and passwords.

The breach was caused by a third-party vendor who had access to Reddit’s systems. The attacker could gain access to the vendor’s system by using a compromised login.

Reddit quickly detected the breach and immediately reset affected users’ passwords and notified them of the breach.

As with many breaches, the Reddit breach shows just how dangerous a compromised login can be. Alongside maintaining strong vendor management practices and conducting regular security audits, all employees should be trained to build strong, unique passwords for every account.

Arnold Clark

Last month, Arnold Clark, the UK’s largest car dealership, suffered a data breach that exposed customer data. The breach occurred due to a misconfigured server, allowing unauthorised customer data access.

The breach was caused by an unsecured database that was left exposed online and affected over 2 million customers; with data including names, addresses, and vehicle registration details being exposed.

It was discovered by a security researcher who notified Arnold Clark of the vulnerability. Arnold Clark immediately secured the database and notified affected customers.

No financial information was exposed, but the incident shows the importance of properly securing and monitoring databases. Curious to know more? Read our latest blog about cybersecurity risks in the automotive sector!

Pepsi

In another incident, Pepsi suffered a data breach in February 2023 that exposed customer data. It was reported that Pepsi Bottling Ventures (PBV), a subsidiary of PepsiCo, suffered a data breach that exposed employee information.

The breach was caused by a malware attack that targeted PBV’s payroll systems. The attacker gained access to employee data, including names, social security numbers, and payroll information.

PBV quickly detected the breach and took immediate action to prevent further damage. This highlights the importance of maintaining up-to-date malware protection and monitoring payroll systems for unusual activity.

What can you learn from these breaches?

The four data breaches that occurred in February 2023 highlight the ongoing importance of maintaining robust security practices in the face of persistent cyber threats.

Organisations must take steps to prevent data breaches by implementing effective security measures, regularly conducting security audits, and training employees to detect and avoid potential attacks.

As technology continues to evolve, the threat of data breaches will continue to grow, making it essential for organisations to remain vigilant and proactive in protecting their sensitive data.

How Bob’s Business can help protect your organisation

With the increasing frequency and sophistication of cyber threats, it’s essential to have proper training and awareness around cybersecurity for all employees in an organisation.

Bob’s Business is an award-winning training provider that offers engaging and interactive e-learning modules, helping organisations of all sizes educate and train their employees on cybersecurity best practices. Get in touch today to find out more about how we can help protect your organisation from the devastating impact of a data breach.

Are you ready to revolutionise your company’s onboarding process and instil a culture of cybersecurity from day one? Look no further than our free guide, “The Ultimate Guide to Cybersecurity Onboarding.”

Designed specifically for companies welcoming new staff, this comprehensive resource outlines the importance of cultivating positive cybersecurity behaviours early on and provides invaluable strategies for achieving that.

In today’s digital landscape, where threats lurk around every corner, instilling a security-conscious mindset is crucial. By incorporating cybersecurity principles into your onboarding program, you lay a solid foundation for your employees to navigate the intricate world of digital security confidently.

In this free guide, you’ll learn:

• Why cybersecurity is an onboarding essential
• How to embed cybersecurity in your onboarding
• Ten ‘quick cybersecurity wins’ for your new team member
• … and more!

Ready to get started? Interact with the bot below to gain instant access now! 👇

Think cybersecurity is dull? Think again!

Join us as we dive into some of the weird, wonderful and amazing facts from across the world of cybersecurity. We’ll share some of the barely unbelievable realities surrounding us and show you (and your team!) how it relates to your personal and organisational cybersecurity.

In this free guide, you’ll learn:

• How a fish tank hacked a casino
• Why millennials are the most likely to fall victim to an attack
• The history of the first-ever virus
• … and more!

Ready to get started? Interact with the bot below to gain instant access now! 👇

The automotive industry is, at once, both at the forefront of technological innovation and wedded to old ways of working.

There has been a tremendous transformation over recent years, with rapid advancements in technology bringing about connected cars, electric vehicles, and autonomous driving.

However, as an industry, many classic ways of working are still in place – leaving the sector particularly vulnerable to cyber-attacks.

As such, one of the biggest risks facing the automotive industry today is cybersecurity.

Cybercriminals are increasingly targeting the industry, taking advantage of the high staff turnover, large amounts of data collected, and high-value assets.

In this blog, we will explore the cyber risks in the automotive industry, why the sector needs a solid cybersecurity programme, and how your automotive organisation can protect itself.

Let’s dive in.

Why is the automotive industry so at risk?

Collection of sensitive data

As previously mentioned, the automotive industry collects significant sensitive data from its customers, including personal and financial information. This makes it an attractive target for cybercriminals who seek to steal and sell this information on the dark web or use it for identity theft.

For example, car manufacturers collect customer data such as name, address, phone number, credit card details, and personal health information. Dealerships, leasing companies, and rental firms collect driver’s licence information, insurance data, and credit card details – in many cases, these are maintained in databases with shared passwords.

Additionally, cars have become more connected, with many new vehicles equipped with advanced infotainment systems, GPS trackers, and other technology vulnerable to cyberattacks. Such valuable data is a highly attractive target if not properly protected at every level.

Rapidly evolving technology

The automotive industry is constantly evolving, with new technologies being introduced regularly. However, this can also make it difficult for organisations to keep up with the latest security measures and stay protected against new cyber threats.

Connected vehicles

The automotive industry deals with high-value assets such as cars, which can be targeted by cybercriminals seeking to steal or damage them. In addition, connected cars with advanced technology can be remotely hacked, potentially risking lives.

High staff turnover

The automotive industry – particularly customer-facing roles, such as those in dealerships – often experiences high staff turnover, leaving organisations vulnerable to cyber attacks due to lost knowledge and experience.

Additionally, employees leaving without properly securing their devices or changing their passwords creates opportunities for cybercriminals to gain unauthorised access to sensitive data or systems.

Why does the automotive sector need a cybersecurity programme in place?

As we’ve established, it’s clear that the automotive industry is a high-risk sector for cyber attacks, given the sensitive data it collects, the rapidly evolving technology it uses, the high-value assets it deals with, and the high staff turnover rates it experiences.

Therefore, every automotive sector organisation needs a robust cybersecurity programme in place to protect itself from these threats. Here are some reasons why:

• Protection of sensitive data: A cybersecurity programme can help protect sensitive data such as customer information and financial records. Organisations can prevent unauthorised access, theft, or misuse of sensitive data by implementing proper security measures such as firewalls, encryption, and access controls.
• Minimisation of cyber attacks: A cybersecurity programme can help detect and mitigate cyber attacks, minimising the impact of a potential breach. Organisations can identify and address vulnerabilities in their systems by conducting regular vulnerability assessments and penetration testing, before attackers can exploit them.
• Compliance with regulations: The automotive industry is subject to various data privacy and security regulations, such as the General Data Protection Regulation (GDPR); a cybersecurity programme can help organisations comply with these regulations, avoiding costly fines and legal penalties.
• Protection of reputation: A cyber attack can damage an organisation’s reputation, erode customer trust, and lead to a loss of business. By implementing a cybersecurity programme, organisations can demonstrate their commitment to protecting customer data and maintaining a secure online presence, enhancing their reputation in the market.
• Prevention of financial loss: Cyber attacks can lead to financial losses for organisations, including the cost of investigating and remediating the attack, legal fees, and compensation for affected customers. A cybersecurity programme can help prevent these losses by reducing the risk of a successful attack, minimising the damage in case of a breach, while also providing insurance coverage for cyber incidents.

The Arnold Clark data breach

UK car dealership Arnold Clark suffered a data breach in December 2022, which led to the company bringing its systems offline, including dealerships and third-party connections. The company has confirmed that specific customer details had been compromised in the breach, including names, contact details, dates of birth, vehicle details, ID documents, National Insurance numbers, and bank account details.

The incident highlighted the importance of protecting customer data in the automotive industry, which collects sensitive, personally identifiable information that threat actors target.

Companies in the automotive industry must implement suitable methods to guard sensitive data, such as data-centric security like format-preserving encryption.

Small or medium-sized organisations are just as vulnerable to large-scale attacks on their data. A smart, data-centric security strategy is critical to mitigating the devastating consequences of such attacks.

Arnold Clark has warned its customers of potential phishing attacks as it continues investigating the breach.

This attack against Arnold Clark is not the first one targeting the automotive industry. General Motors suffered a credential-stuffing attack in May 2022, and Holdcroft Motor Group was presented with a ransom demand after hackers stole two years’ worth of data.

How can your automotive organisation protect itself?

There are several steps your automotive organisation can take to protect itself from cyber risks:

• Prioritise cybersecurity training for all employees: From top-level executives to entry-level staff, ensure that they understand the importance of cybersecurity and their role in protecting the organisation. Cybersecurity awareness training should include awareness of common cyber threats, such as phishing attacks and malware, and best practices for password management, data protection, and incident response.
• Implement a strong password policy: A strong password policy can help prevent unauthorised access to sensitive information. Passwords should be complex, unique, and changed regularly. Read our blog on creating strong passwords here.
• Use multi-factor authentication (MFA): MFA provides an additional layer of security by requiring users to provide two or more forms of authentication, such as a password and a fingerprint or facial recognition scan.
• Limit access to sensitive information: Access to sensitive information should be limited to only those who require it to perform their job functions. This can help prevent accidental or intentional data breaches.
• Regularly update software: Regular updates can help ensure that software is up-to-date and free of known vulnerabilities.
• Implement data encryption: Data encryption can help protect sensitive information from unauthorised access.
• Have a cybersecurity incident response plan: A cybersecurity incident response plan should be in place in case of a cyber attack. This can help mitigate the damage and minimise downtime.

How can Bob’s Business help your automotive organisation reduce its cyber risk?

At Bob’s Business, we understand the importance of cybersecurity for all industries, including the automotive sector.

That’s why we offer unique and engaging online cybersecurity training designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Our training is bite-sized, interactive, and easily fits your busy schedule. Plus, it’s engaging, ensuring your team stays motivated and focused throughout the process.

With over 14 years of experience deploying cybersecurity training and policy compliance solutions across various automotive sector organisations, including Motability, FixAuto and SMH Fleets, Bob’s Business is uniquely positioned to help you stop cyber attacks.

Take action now to protect your business and your customers from cyber threats. Click here to discover our range of cybersecurity awareness training products and start reducing your risk today.

Passwords are the backbone of modern Internet security – but that doesn’t mean they’re protecting us. In fact, a shocking number of us exhibit password behaviours that put us (and our companies) at severe risk of a breach!

Unlock the secrets to strong password security! Download our free guide, “Everything You (And Your Team!) Need to Know About Passwords,” and safeguard your digital assets.

In it, you’ll discover:

• What the most common passwords in use are today
• What makes us use weak passwords
• How to create strong, secure passwords
• Whether you should trust password managers
• The four steps you can take to reduce your organisational risks from password misuse
• … and more!

Ready to get started? Interact with the bot below to gain instant access now! 👇

When you think of cyber attacks, you might imagine that it’s only tech firms and the banking industry that are targets. However, every organisation in every industry has valuable data to lose.

A 148% surge in global ransomware attacks from 2020 to 2021 is testament to that fact. It’s an increase which has led to many organisations realising the importance of cybersecurity.

Digitisation is leading to better products and a wider consumer reach, but at the same time, providing new opportunities for cybercriminals to exploit. In conjunction with the increased flexibility of our working habits, the avenues of
attack for cybercriminals are greater than ever before.

In our essential free guide, we’ll share the reality of cybercrime in 2023, help you understand the role of people in your organisation’s protection and more, including:

• The sectors most at risk of a breach
• The true cost of cybercrime
• Why every business should train employees to prevent cyber-attacks
• How to turn a mild-mannered employee into a cyber-superhero!
• … and much more!

Ready to get started? Interact with the bot below and gain instant access! 👇

Ever received an email that seemed a little fishy? You know, those ones that pretend to be from reputable companies but just don’t feel right?

Well, these are phishing emails; unfortunately, they’re a genuine concern, especially if you fall victim to one.

According to a recent report, phishing and pretexting make up 98% of cyber incidents and 93% of breaches. Shocking, right?

Our free guide “Everything You Need to Know About Phishing” gives you and your staff the knowledge needed to spot and stop phishing emails before they do harm to your organisation.

In this free guide, you’ll learn:

• What phishing is
• What the types of phishing attacks are
• How to spot a phishing email
• What to do if you click a phishing link
• How can you stop phishing attacks in your organisation
• … and more!

Ready to get started? Interact with the bot below to gain instant access now! 👇

An effective training programme can be the difference between a breached business and a secure business.

Whilst there’s no shortage of training solutions out there, ensuring that you’re getting the most from them is a persistent challenge that every business faces.

In this essential free guide, we share what we’ve learned over almost 15 years of creating award-winning training programmes for organisations of all sizes.

In it, you’ll learn:

• How cyber awareness contributes to your security culture
• How positivity garners buy-in
• The common mistakes organisations make
• How to overcome challenges in your training rollout
• Best practices to follow to maximise the value of your training output

Ready to get started? Interact with the bot below and gain instant access! 👇

It’s a digital world, and cybersecurity is now a critical concern for businesses of all sizes.

With an increasing number of cyber-attacks hitting organisations of all sizes, it’s imperative for companies to take every available measure to protect their confidential information and sensitive data.

While technical measures such as firewalls, antivirus software, and encryption are important, a company’s cybersecurity is also impacted by its employees’ personality types, as 90% of breaches are caused by human error.

It’s reductive to think of all employees as the same, though. Indeed, some personality types may be more vulnerable to cyber attacks, while others may be better suited to prevent them.

In this blog post, we will explore the role of different personality types in protecting a company’s cybersecurity, focusing on the Myers Briggs personality types.

The Myers Briggs Type Indicator (MBTI) is a widely used personality test that categorises individuals into 16 different personality types based on four dimensions:

• Extroversion/Introversion
• Sensing/Intuition
• Thinking/Feeling
• Judging/Perceiving

Each personality type has unique characteristics that make them more or less susceptible to cyber-attacks.

Before we begin, it’s worth finding out your own personality type .

It’s also worth considering the different forms of cyber-attack companies face. Cyber attacks can be broadly classified into three categories: social engineering attacks, malware attacks, and physical attacks.

Social engineering attacks are based on psychological manipulation, where attackers use deception to gain access to confidential information. Malware attacks, however, involve the installation of malicious software that can harm the company’s computer systems or steal data. Finally, physical attacks involve physically accessing a company’s computer systems to steal or damage data.

Now, let’s dive into different personality types’ role in protecting a company’s cybersecurity.

How do personality traits affect cybersecurity?

Extroversion/Introversion

Let’s start with extroverts. Extroverts are outgoing and social individuals who enjoy being in the company of others.

However, their openness and willingness to share information can make them vulnerable to social engineering attacks.

Social engineering attacks often involve the attacker posing as a trusted individual and manipulating the victim into sharing sensitive information. Extraverts’ tendency to trust others and disclose information may make them more susceptible to these types of attacks.

Therefore, it’s essential to provide cybersecurity awareness training to extroverts in the company to help them recognise and avoid social engineering attacks.

On the other hand, introverts are more reserved and cautious in their interactions with others.

They are less likely to trust others and are more guarded with their personal information, and this makes them less vulnerable to social engineering attacks.

However, introverts may be more susceptible to malware attacks as they may be less likely to communicate their concerns or report suspicious activity.

As such, it’s essential to encourage introverts to report any unusual activity or suspicious emails to the IT department.

Sensing/Intuition

Now, let’s move on to the sensing/intuition dimension of the MBTI.

Sensors are individuals who rely on their senses to gather information and make decisions. They prefer concrete information and are detail-oriented.

Intuitives, on the other hand, rely on their intuition and imagination to gather information and make decisions. They are big-picture thinkers and are more concerned with possibilities than with details.

Sensors may be more vulnerable to physical attacks as they may be more likely to leave their computer systems unlocked or to write down passwords in plain sight. They are detail-oriented and may focus more on the task at hand than on the security of their computer systems.

For this reason, cybersecurity awareness training can be incredibly valuable for sensors to help them understand the importance of securing their computer systems.

Intuitives, on the other hand, may be more vulnerable to malware attacks as they are more likely to be curious and explore new possibilities.

They may be more likely to click on suspicious links or download unknown software and benefit greatly from training intuitives to help them recognise and avoid malware attacks.

Thinking/Feeling

Moving on to the thinking/feeling dimension, thinkers are individuals who make decisions based on logic and objective analysis. They prioritise rationality and accuracy over emotions.

Feelers, on the other hand, make decisions based on their emotions and values. They prioritise empathy and harmony over logical analysis.

Thinkers may be more vulnerable to social engineering attacks as they may be less attuned to the emotions and motivations of others.

They may be more likely to trust information that appears logical and objective, without considering the possibility of deception. In this case, training thinkers to help them recognise the emotional and psychological tactics utilised in social engineering attacks can be very helpful.

Feelers, on the other hand, may be more vulnerable to social engineering attacks as they may be more susceptible to temptations based on empathy and emotion.

They may be more likely to trust information that appears to align with their values or emotions without considering the possibility of deception and require education to help them recognise when their nature is being used against them in social engineering attacks.

Judging/Perceiving

Finally, let’s turn our attention to the judging/perceiving dimension of the MBTI.

Judgers are individuals who prefer structure and organisation. They are decisive and prefer to plan and execute tasks in a structured manner.

Perceivers, meanwhile, prefer flexibility and spontaneity. They are adaptable and prefer to respond to situations as they arise.

Judgers may be more vulnerable to physical attacks as they may be more likely to adhere to established security protocols without considering the possibility of deviation or innovation.

They may be less likely to adapt to new security threats or situations that require improvisation and need cybersecurity awareness training to help them recognise the importance of adapting to new security threats and situations.

Perceivers may be more vulnerable to malware attacks as they may be more likely to experiment with new software or technology without considering the potential security risks.

They may be less likely to adhere to established security protocols or to recognise the potential risks associated with new software or technology. Therefore, it is helpful to regularly remind them that every piece of software contains risks, and train them to spot them.

How can Bob’s Business help reduce your risk of a breach?

With a deeper understanding of the types of personalities in your organisation, you’re better equipped to take measures to reduce risk, but you’ve only just started on your journey to a cyber-secure workplace.

At Bob’s Business, we build cybersecurity awareness training solutions informed by behavioural psychology to give everyone in your team the tools they need to spot and stop attacks.

We’d love to show you how affordable our proven training solutions can be for your organisation. Book a slot to talk to us now.