This month in data breaches: November edition

The season of good cheer is upon us, but not for every company.

Even as many businesses start to wind down and Christmas parties get into full swing, careless errors can still cost your company thousands.

Throughout November, social media platforms and public services suffered significantly from these data breaches. Curious? Read on to see the big names breached, and to discover how these breaches could have been prevented.

Meta

Following a breach that resulted in the online publication of more than 500 million user identities, Facebook’s owner was fined £230 million by the Irish data authority.

The Data Protection Commission (DPC) found that, when information was scraped from global Facebook users’ public profiles in 2018 and 2019, Meta had violated two provisions of the EU’s data protection rules.

Since September of last year, Meta has been subject to roughly €1 billion in fines from the DPC: €225 million against Meta’s WhatsApp in September of last year for “severe” and “serious” GDPR violations, €17 million in March for additional GDPR violations, and €405 million in September for allowing teenagers to create Instagram accounts that publicly displayed their phone numbers and email addresses.

The General Data Protection Regulation (GDPR) is an EU law that makes organisations that hold the personal data of EU citizens accountable for its use. Every organisation needs to be aware of data protection laws in order to avoid fines, protect the privacy of their consumers, and maintain their reputation.

Twitter

It has been a wild couple of months for Twitter recently, with new rules, a new owner, and two data breaches arriving in short order!

Last year, a Twitter vulnerability allowed hackers to acquire Twitter IDs, names, login names, locations and verified status. The exposed data also included private information, such as phone numbers and email addresses, even where the user had hidden these fields in their privacy settings.

The bug was reportedly specific to Twitter’s Android client and involved Twitter’s API. Twitter had already patched the vulnerability in January 2022.

In November 2022, though, after this stolen data was made public online, last year’s breach returned to haunt Elon Musk’s platform.

According to BleepingComputer, security expert Chad Loder, who first broke the story on Twitter and was removed shortly after publishing it, was the source of information about this more serious data leak. Following Elon Musk’s takeover of Twitter, Loder shared a redacted excerpt of this broader data breach on Mastodon, a social media platform many former Twitter users migrated towards.

Hereford School

A Herefordshire School has been the victim of a recent data leak, but what can we learn from it?

It was revealed that hackers had stolen students’ personal information, including names, ages and addresses, and have since published this on the dark web.

Although the root cause of the data breach is unknown at present, the Executive Head has announced extra measures to counteract such attacks in the future by introducing “two-factor authentication, robust passwords and antivirus software, in place to try and avoid the attacks.”

It’s just another example of a data breach highlighting the need for a robust cybersecurity awareness training programme within organisations big and small.

Reading GP

An NHS review has been prompted by a Reading GP clinic’s “major data leak” that exposed nearly 300 private email accounts.

The South Reading & Shinfield Group Medical Practice sent out an email to clients inviting them to a patient involvement group meeting. In this email, 288 email addresses were carbon copied (CC’d) into the invitation rather than blind carbon copied (BCC’d) by the sender.

The inclusion of email addresses in the standard CC created the risk of disclosing personal information to individuals who did not know one another, which amounted to a personal data breach.

One of the recipients replied, “Probably not the best to have everyone’s email public here. I’m replying all just to let people know.”

In May 2020, at the start of the Coronavirus pandemic, the outsourcing business Serco made a similar mistake by mistakenly disclosing the email addresses of 300 people who were undergoing training to support the government’s “track and trace” service.

A staff member sent an email to recipients asking them not to contact the help desk for information about their training; however, all the personal email addresses were placed in the CC field rather than the BCC field, and that caused the breach. It meant that everyone who received the email could see the personal email addresses of all the other trainees.

This is a perfect example of a workplace mistake that may have been easily prevented. It’s easy to assume that all employees automatically understand email etiquette in the workplace when the reality is often the opposite.
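One technical control that catches exactly this mistake is a pre-send check on outbound mail. The script below is an added example, not code from Bob’s Business or from either organisation mentioned above: it parses a constructed invitation, counts how many addresses outside the sender’s own organisation are visible in To and Cc, and moves external Cc recipients into Bcc. The practice domain, the patient addresses (all on reserved .invalid domains) and the visible-recipient threshold are placeholders and assumed policy values.

```python
"""Pre-send check for bulk mail: flag exposed CC lists and move them to BCC.

Added example (not code from the page or the organisations it describes).
All addresses below are constructed placeholders on reserved .invalid domains,
and MAX_VISIBLE_RECIPIENTS is an assumed policy threshold.
"""
from email import policy
from email.parser import Parser
from email.utils import getaddresses

# Assumed policy: more than this many external addresses visible in To/Cc
# means the message should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 5
# Assumed: the sender's own organisation; colleagues may stay visible in Cc.
INTERNAL_DOMAINS = {"example-practice.invalid"}

# Constructed sample: an invitation where every patient was put in Cc.
SAMPLE_RAW = """\
From: admin@example-practice.invalid
To: reception@example-practice.invalid
Cc: patient1@mail.invalid, patient2@mail.invalid, patient3@mail.invalid,
 patient4@mail.invalid, patient5@mail.invalid, patient6@mail.invalid
Subject: Patient involvement group meeting

You are invited to our next patient involvement group meeting.
"""


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return Parser(policy=policy.default).parsestr(raw)


def addresses_in(msg, header):
    """Lower-cased addresses from every instance of a header (To, Cc, Bcc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr):
    """True when the address is outside the sender's organisation."""
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def check_message(raw):
    """Report how many recipients can see each other and whether that is bulk exposure."""
    msg = parse(raw)
    visible = addresses_in(msg, "To") + addresses_in(msg, "Cc")
    external = [a for a in visible if is_external(a)]
    return {
        "visible": len(visible),
        "external_visible": len(external),
        "bulk_exposure": len(external) > MAX_VISIBLE_RECIPIENTS,
    }


def rewrite_to_bcc(raw):
    """Return a copy of the message with external Cc recipients moved to Bcc.

    Internal colleagues stay in Cc. The mail server drops the Bcc header on
    delivery, so recipients no longer see one another's addresses.
    """
    msg = parse(raw)
    cc = addresses_in(msg, "Cc")
    keep = [a for a in cc if not is_external(a)]
    hide = [a for a in cc if is_external(a)]
    del msg["Cc"]
    if keep:
        msg["Cc"] = ", ".join(keep)
    if hide:
        msg["Bcc"] = ", ".join(hide)
    return msg


if __name__ == "__main__":
    report = check_message(SAMPLE_RAW)
    print(report)
    if report["bulk_exposure"]:
        fixed = rewrite_to_bcc(SAMPLE_RAW)
        print("Cc:", fixed["Cc"])
        print("Bcc:", fixed["Bcc"])
```

Run on the constructed sample, the check reports six external addresses visible in Cc and flags the message; after the rewrite the Cc header is gone and all six patients sit in Bcc. In a real deployment this logic would sit in a mail gateway or an add-in that warns the sender before the message leaves.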

It’s yet another reason why cybersecurity and compliance training is essential for every organisation – no matter their size. Ready to deploy training your team actually want to take? Check out our product range here.

5 cybersecurity trends every CISO must prepare for in 2023

Recent years have seen the conversation about cybersecurity move from the IT department to the board room. Cybersecurity is now a top priority at every organisational level, with the number of attacks and potential penalties, both regulatory and in terms of loss of customer trust, increasing.

The potential surface area for an attack has grown rapidly thanks to the complications and costs driven by the Covid-19 pandemic-related shift to a culture of home and remote working that has persisted in many organisations as well as the internet of things (IoT) spreading into every sector of business and society.

Cybersecurity never stands still, however, and with 2023 on the horizon, we thought it valuable to look ahead and predict some of the major trends we foresee playing a role in the next 12 months. Let’s get started:

The 5 trends every CISO needs to look out for in 2023

Artificial intelligence (AI) will play an increasingly prominent role in cybersecurity

We’re all only human, and as such, there’s a limit to what we can see, process and respond to.

As cyberattacks have multiplied rapidly, human cybersecurity experts are finding it increasingly difficult to respond to every attempt and to predict where the most dangerous attacks will occur next.

As such, artificial intelligence (AI) may prove to be an increasingly valuable tool. Machine learning algorithms can study the massive amounts of data flowing across networks in real-time more efficiently than humans can and learn to spot patterns that indicate a threat.

Unfortunately, hackers and criminals are growing more skilled at exploiting AI as it becomes more readily available. Just as security experts can utilise AI for good, so can criminals.

Bad actors use artificial intelligence algorithms to find vulnerable systems or networks among the millions of computers and networks linked to the internet. The ability to automate the mass production of personalised phishing emails has been another significant use, and such emails are getting better at dodging automatic email defence systems too.

The use of AI in cybersecurity has even been given its own name and is commonly referred to as an ‘arms race’ as hackers and cyber professionals race to ensure the newest and most sophisticated algorithms are working on their side as opposed to against them.

It’s been predicted that by 2030 the market for AI cybersecurity products will be worth close to $139 billion – a ten times increase on the value of the 2021 market.

Building a security-aware culture will be more vital than ever

Developing and fostering a culture of awareness around cybersecurity risks is the most crucial measure that any organisation can take. Employers and employees can no longer simply consider cybersecurity to be an issue that the IT department should handle.

In reality, everyone’s work description in 2023 should include developing an awareness of the threats and taking basic precautions to ensure safety!

Phishing attacks use social engineering techniques to trick victims into disclosing sensitive information or installing malware on their computers.

Even without technical expertise, anyone can learn to recognise these types of attacks and take simple safety precautions to protect themselves. That’s why implementing cybersecurity awareness training within every organisation, irrespective of size, will be fundamental for the success of any organisation in 2023.

Similarly, fundamental security skills such as secure password usage and understanding two-factor authentication (2FA) should be taught to everyone and regularly updated. Taking simple safeguards like these to promote a culture of cybersecurity awareness should be a major component of business strategy if an organisation wants to ensure that they create resilience and preparation over the next 12 months.

Increased accountability will be demanded of the supply chain

Customers’ inspection of the security supply chain will intensify in 2023. The Cyber Resilience Act is already in effect in Europe, and a modification to the NIST framework is being proposed in the UK to transfer some accountability to the providers.

Due to the growing risk of fines, rising costs and the complexity of cyber insurance, businesses will be under increased pressure from both customers and authorities to offer security solutions that have been accredited. Expect a 9% increase in 2023 in the number of UK companies being penalised for failing to protect sensitive information and personal data.

Curious to discover more about how to defend your organisation against supply chain attacks? Read our blog on supply chain attacks here.

Mobile will be the new target

In 2019, mobile banking malware and attacks were expected to expand significantly, by as much as 50%, making our handheld devices a seriously viable target for hackers.

With personal computing shifting away from the laptop and desktop PC, it’s no surprise to hear that our phones are the new frontier. Keep a close eye out for stories around smartphone security, with malware or viruses specifically designed to affect smartphones in 2023.

IoT on 5G networks will be under the magnifying glass

With the launch and expansion of 5G networks, the Internet of Things (IoT) will usher in a new era of interconnectivity. Additionally, because so many devices are connected to one another, they are vulnerable to outside interference, attacks, or unidentified software bugs.

Even Chrome, the most popular browser in the world, has been found to contain significant security faults over the years. Because 5G architecture is still relatively new in the market, extensive study is needed to identify vulnerabilities and strengthen the system’s defences against outside attacks. The 5G network may experience several network attacks at every stage that we are unaware of.

Why organisations need to prepare for the Metaverse’s security risks

You might have heard a little bit about the Metaverse. Whether that’s Facebook’s $15 billion spent on the project so far, the giddy sounds of advertisers or users’ apparent limited enthusiasm to date, it’s almost certain you’ve heard something about the project by now. But what is the metaverse, actually?

In essence, Facebook argues that the metaverse is a new and “improved” form of the internet that combines augmented reality (AR) and virtual reality (VR) to provide a completely immersive online experience.

In other words, it’s a version of the web in which “you”, represented by your online avatar, can work, play, study, shop, and interact with friends while feeling as if you’re truly present.

Although the word “Metaverse” has been floating around since the early 90s, the term didn’t truly catch on until Facebook changed its name to Meta in October 2021. At that time, the company disclosed plans to invest $10 billion in technology over the following year in order to realise its metaverse goal of a Facebook-controlled online ‘everything’ platform.

While the metaverse might bring benefits to users, like any other internet-connected innovation, there will be cyber criminals, fraudsters and scammers who will be looking to exploit it – and that’s going to create cybersecurity and privacy challenges from the beginning.

Why do I need to worry?

Cybercriminals are nothing if not opportunistic. The pandemic’s massive shift to remote working saw a significant increase in cybercrime as criminals took advantage of the uncertainty and change.

The metaverse’s big sales pitch is that it’s an entirely new way to interact, work and play online. Naturally, then, where people are still learning how to behave and what to do, criminals will be out in force. It’s not just speculation on our part either: a survey of 100 senior security experts found that 91.5% are concerned about the potential security risks of the Metaverse itself.

What are the concerns around Metaverse security?

It’s easier than ever to impersonate somebody

One of the key aspects of the metaverse is that users are represented in virtual environments by customised avatars – but how will you be able to tell the person you’re interacting with is really who they say they are?

“I can go into the metaverse, I can make an avatar that looks like you, and I can give it a name that says it’s the real you – and I will probably trick some people into thinking that it’s you,” says Caroline Wong, chief strategy officer at Cobalt, a cybersecurity and penetration-testing company.

Cybercriminals use social engineering to steal passwords, personal information, and money through phishing emails and messaging scams, which are already highly successful on the internet as it is today.

That might be even simpler in the metaverse, especially if individuals mistakenly believe they are communicating with the physical representation of an individual or company they know and trust when in fact, they are communicating with someone else entirely.

For organisations, the risk is that a fraudster could create an avatar that looks like you and use it to help conduct attacks against your friends or colleagues – or, as with any other online account, they could just hack into the real one.

If you are doing business with someone in a virtual world and someone else can take over their account, it could be very hard to spot.

Privacy remains an issue

For organisations, privacy is a major topic of concern. Metaverse businesses must protect critical and sensitive user and transactional data.

More user data than ever before will undoubtedly be gathered as a result of the development of a more customised and immersive experience, which makes for a more attractive target for cybercriminals.

Indeed, the emerging nature of the metaverse means that there are questions about whether existing governance and oversight are sufficient for what the metaverse is and may become.

What can your organisation do?

The metaverse is currently only a small part of how we use the internet, but the money that’s being invested into it suggests a high degree of confidence that it may eventually become a major part of our lives.

If Facebook and their partners get their way, the metaverse may potentially change the way we work, socialise, and play online in the future. The potential for good is huge, however, there will always be those attempting to take advantage of social environments on the internet. That’s why we recommend that organisations that wish to participate in the Metaverse take precautions to be secure. Here are our top recommendations.

Always use a VPN

VR technology can acquire a large amount of biometrically inferred data, even down to the movement of your eyes. Moreover, an app may reveal your physical location when you are using the Metaverse. You may feel more comfortable using a VPN to keep your whereabouts hidden.

A few ways that a VPN may be desirable include:

Keep your IP address hidden: When you’re in the Metaverse, you may want your IP address hidden. A VPN can help ensure your privacy and keep your identity protected.

Access blocked websites and content: Some websites and content are blocked in specific regions or countries. A VPN can help you access this content no matter where you are in the world.

Multi-factor authentication

Any account that is used to access the metaverse should be secured with multi-factor authentication to provide an additional barrier to accounts being taken over. It’s also recommended that applications are downloaded and installed from official sources to reduce the prospect of malicious software being installed on your device.

The last thing any organisation wants is a cybercriminal posing as a legitimate member of their team.

Train your team

The most practical step for any organisation is implementing robust cybersecurity awareness training for all staff. In a blog post, the co-founder of Microsoft, Bill Gates, predicted that within the next two to three years, most virtual meetings will move to the metaverse. For businesses to safely operate in the metaverse, he said, it’s important to train staff well, as “the weakest point in any organisation from a cybersecurity perspective is the user”.

Here at Bob’s Business, we train your employees to be the heart of your cybersecurity and to protect your organisation through positive behaviours. Curious to learn more? Discover Bob’s Culture, our flagship cultural change solution which uses a Phishing Baseline and Awareness Questionnaire to determine your organisation’s blind spots and create your tailored course rollout plan.

How to spot a phishing email

Have you ever received an email that didn’t feel right? Like a receipt for an online order you didn’t place or a poorly worded email saying you’ve got money back from an annual tax return?

Don’t be fooled by their quirkiness; these are phishing emails, and they are a genuine concern, particularly for those unaware of the threats they pose.

In a recent report, it was found that phishing and pretexting (a form of social engineering) represent 98% of social incidents and 93% of breaches, with organisations nearly three times more likely to be breached by social attacks than via technical vulnerabilities.

Recent reports have found that an astonishing 3.4 billion phishing emails are sent per day. Now that’s a lot of emails to avoid!

Spam filters are designed to do what their name suggests and block spam messages! However, according to research from Plymouth’s Centre for Security, Communications and Network (CSCAN), 75% of phishing emails without links and 64% of those with links made their way past spam filters and into the target inboxes. Even worse, only 6% of those emails were marked as malicious by email clients.

As we approach the end of 2022, 39% of UK businesses who have identified cyber attacks identified phishing attempts as their most common vector – a massive rise from 72% in 2017, to 83% to date.

Then it comes down to the person receiving the phishing email. They are the next, and in most cases the last, filter stopping unwanted intruders from breaking into your data.

So, what can you do to prevent you or anyone in your organisation from taking the bait? Here’s how to spot a phishing email, and how you can reduce organisational risk too.

How can you spot a phishing email?

As humans, we’re not always the best when it comes to judging risk. Some of us receive hundreds of emails a week, with many perfectly legitimate, which can lull each of us into a false sense of security, assuming that every email that we receive is to be trusted.

Making small changes to your habits so that you treat every incoming email with suspicion can make a significant difference when it comes to preventing a potential breach.

7 signs to look out for when spotting a phishing email

The sender’s address doesn’t seem right

When you open an email, always check the email address of the sender first. If an email claims to be from a company you know, but the sender’s email address doesn’t match up, then that’s a sign something isn’t right.

Emails from addresses such as ‘1253628uwhdnwd@hotmail.co.uk’ or ‘info@amazen.co.uk’ are early telltale signs that the email is not to be trusted.

The email has poor spelling and grammar

When you’re reading an email, look out for any spelling or grammar errors, and also consider how well-written the email is. Official emails will usually contain no spelling or grammatical errors, typically because professionals wrote them. Criminals, however, tend to cut corners.

So, for example, if you receive an email that tries to pass itself off as legitimate but reads like this:
“Dear {{.FirstName}}

Someone has sent your an email uing Mail Lock the UK’s most scure email platform.
To see your mail, please, click here

This email link will expier 24 hours after you have redd this notification emai.
After this time the link message will be held securely until you get a replacement link messgae sent securly from the sender

Regards,

The Maillock Team”

Then you need to start asking questions!

The email has an odd use of imagery

Some phishing emails use attractive imagery and graphics such as photographs or company logos to make them look more like emails you’d get from a marketing team.
Bear in mind that just because an email contains nice pictures and looks professionally laid out doesn’t mean it isn’t a phishing email.

Check the logos and images: if they’re blurry, of poor quality or look stretched, that’s a dead giveaway that somebody has grabbed them from a quick Google search.

The email is designed to make you panic or make a hasty decision

Many phishing emails are designed to create a sense of urgency or make you panic, such as time-sensitive offers and situations that prompt you to act immediately and make impulsive decisions without thinking.

You might receive an email claiming to be from one of the systems that you use telling you that your account will be deleted if you don’t confirm your email address within an hour. This is a tactic designed to make you panic and throw caution to the wind.

Our research has found that combining a sense of danger with the appearance of an internal email can result in 94% click effectiveness, highlighting just how potent these psychological principles can be.

The email sounds too good to be true

“Good news. Having looked at your tax payments for 2018, you overpaid by £157. Click here to start processing your claim.”

At a glance, you’d probably think it was a nice quick win for your bank account.

Unfortunately, phishing emails usually offer attractive incentives like this so that you rush into getting your hands on it without a second thought. Whenever there’s an incentive in an email, always think twice. Remember, if it reads too good to be true, it probably is!

The URL you’re being linked to isn’t legit

Hiding a link in an email is easy. Some phishing emails place links on bits of text or on buttons so that they don’t have to reveal the URL.

But you can check out where a link will take you by hovering your mouse over the text. Take note of the URL and ensure it matches the website you expect before clicking! If the URL doesn’t match, then it’s probably a phishing email.

For example:
Link Text: Click Here to Update Your Paypal Detail
URL: http://Paypals.com

Another good practice when checking the validity of a link is to look for https rather than plain http at the start of the URL, which shows the site has an SSL certificate. When installed on a web server, an SSL (Secure Sockets Layer) certificate allows the browser to make a secure, encrypted connection to that server.
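The three link checks above (hover to compare the shown address with the real destination, confirm the real destination belongs to the brand, and look for https) can be automated for an HTML email. The script below is an added example, not code from Bob’s Business: it extracts every anchor from a constructed sample email that claims to come from PayPal and reports, per link, what a careful reader would notice. The sample email, the `.invalid` hostnames and the list of expected domains are constructed; the Paypals.com address is the one the article uses.

```python
"""Inspect the links inside an HTML email the way a careful reader would.

Added example (not code from the page or from Bob's Business). For every
anchor it checks: is the link https, does the address shown in the link text
match where the link really goes, and does the real destination belong to the
brand the email claims to be from. The sample email and .invalid hosts are
constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a URL or bare domain written inside the link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it.

    A host such as 'paypal.com.evil.invalid' must NOT pass, which a plain
    substring check ('paypal.com' in host) would wrongly allow.
    """
    return host == domain or host.endswith("." + domain)


def inspect_link(href, text, expected_domains):
    """Return a list of human-readable warnings for one link (empty = looks fine)."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        warnings.append(f"link is not https ({parts.scheme or 'no scheme'})")
    shown = URL_IN_TEXT.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        if shown_host != host:
            warnings.append(f"text shows {shown_host} but link goes to {host}")
    if not any(belongs_to(host, d) for d in expected_domains):
        warnings.append(f"{host} is not part of {', '.join(sorted(expected_domains))}")
    return warnings


def inspect_email(html, expected_domains):
    """Run inspect_link over every anchor in the email body."""
    return [
        {"href": href, "text": text, "warnings": inspect_link(href, text, expected_domains)}
        for href, text in extract_links(html)
    ]


# Constructed sample email claiming to come from PayPal.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p><a href="http://paypals.com">Click Here to Update Your Paypal Detail</a></p>
<p>Or sign in at <a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a></p>
<p>Verify now: <a href="https://paypal.com.account-verify.invalid/login">https://www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for result in inspect_email(SAMPLE_HTML, {"paypal.com"}):
        status = "OK " if not result["warnings"] else "BAD"
        print(status, result["href"], "->", "; ".join(result["warnings"]) or "no issues")
```

The third sample link is the one people miss: it is https and the text shows the genuine www.paypal.com, yet the real host merely starts with paypal.com and ends somewhere else entirely. That is why `belongs_to` anchors the comparison to the end of the hostname rather than looking for the brand anywhere in the string.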

Check the company branding in the email

Phishing emails will try to mimic well-known brands to gain your trust and get you to let your guard down, whether you use those services or not.

If you receive an email from a company that you haven’t subscribed to, that’s probably because it’s a phishing email trying to impersonate that company.

You can easily catch these emails out by comparing them to ones you’ve received before from the company: do the logos match up? Are there glaring differences between the two?

What to do if you click on a phishing email

These are the steps that need to be taken after clicking a phishing link:

– Report the incident to your tech team as soon as possible

– Change login passwords

– Investigate the attack

– Inform the regulators and law authority

Take a look at some of our past blogs to learn more:

What to do if you click a phishing link

What are the different types of phishing?

How to spot and prevent malicious emails

How does our phishing training help secure your organisation?

In a recent study, GOV UK found that cyber attacks were better avoided with gradual change within organisations, including communications via email, mock phishing exercises, conversations with specialist staff and informal and formal training. This means that staff are continuously kept interested in and alert to cyber threats.

Our award-winning Bob’s Phishing simulated phishing training is an effective way of teaching your employees about the dangers of phishing emails and how to avoid becoming a victim.

The simulated phishing campaigns allow you to evaluate the threat level phishing could pose to your organisation through the use of tailored phishing exercises and our engaging training courses and awareness materials that reinforce all the key learning points.
You can find out more about our phishing training here.

National Tree Week at Bob’s Business

It’s National Tree Week from November 27 to December 5 in the UK, and at Bob’s Business, we wanted to do something special that helps reduce cyber risk and protect the environment 🌳. 

That’s why for the entirety of November we’re going to be planting trees across the 🌍, in association with our ecology partner Ecologi.

How can you get involved? Read on to find out.

Book a demo & we’ll plant 10 trees

In November, every single organisation that books in for a demo of our engaging and effective cybersecurity awareness training will see us plant 10 trees! That’s enough trees to mitigate over 5,300 hours of Bob’s Business training per year!

Ready to find out how Bob’s Business can help increase cyber policy adherence by up to 45%? Click here to book your web demo.

Sign up for Bob’s Compliance, get 25% off and plant 25 trees

Bob’s Compliance is the fastest and most affordable way to get access to our 60+ cybersecurity and compliance course catalogue for your organisation, and this month it’s even cheaper!

For National Tree Week, we’re knocking 25% off the cost of a Bob’s Compliance monthly or annual subscription and planting 25 trees too. That’s enough trees to cover over 13,200 hours of training each and every year.

Click here to take advantage of our incredible offer.

Become a Bob’s Culture customer & we’ll plant 100 trees

We’ve saved the best to last – each and every organisation that takes our comprehensive and innovative Bob’s Culture plan will see us plant 100 trees in their name.

That’s 2,500kg of carbon removed from the environment, equivalent to over 53,000 hours of training!

Ready to learn more about how the advanced features of Bob’s Culture make your business more secure? Speak to one of our experts today.

How to stay safe online this Black Friday and Cyber Monday

With Black Friday and Cyber Monday just around the corner and Christmas rapidly approaching, there’s no doubt it’s the season for lighter wallets.

But whilst riding the sales on Black Friday and Cyber Monday can land you a fantastic deal, they’re also a beacon that attracts scam artists, fraudsters, and crooks.

This is more prevalent than ever in the current cost-of-living crisis, with scammers preying on anxiety and fear of missing out – something we covered in our latest blog post.

That’s why we’re stepping up to help empower you to be vigilant online, here are our top tips.

Don’t get caught on dodgy domains.

Fake, quickly assembled websites are a classic tool of fraudsters and a common way of duping customers into handing over their details. However, they can be spotted. Here’s what to look out for.

  • Websites with familiar names, but unfamiliar domains, like .org, .biz or .co
  • Blurry or pixelated images
  • Unusual or incorrect site addresses, like amazong.com
  • Poor spelling & grammar
  • Unsecured connections

You can avoid shady websites by keeping an eye out for these elements.

If it looks too good to be true, then it probably is.

Cybercriminals like to play on our deal-hunting instincts, especially on Black Friday and Cyber Monday and in our current economic climate. Be aware that whilst crazy deals are tempting, they might not even be real!

You can use your common sense here; if an £8,000 TV has been reduced to £1,500, something may be afoot.

It’s important to do some research on the seller. If possible, check reviews from other buyers. Look up the company on the Better Business Bureau website, and check that site’s Scam Tracker for any reports.

However, if you didn’t find anything, that may be a red flag, too. Even the most trusted online stores have bad reviews.

Again, if it seems too good to be true, it probably isn’t true. Researching the offer carefully lets you redeem the sweet Black Friday deals without getting fooled by fakes.

Stick with what you know.

Stick with big, reputable online retailers for the safest shopping experience. Although purchasing from Amazon may aid in their efforts for world domination, at least you’re safe in the knowledge that you aren’t putting yourself at risk.

Merely relying on a proven name might not be enough, however.

Watch out for typos in URLs, because your ‘legitimate’ page might be built by a scammer to closely resemble the real thing. Think “ammazon.com” rather than “amazon.co.uk”. Although many big online stores try to buy up common typo domains, such as Amazno.com, Amazzon.com or Ammazon.com, and redirect them to the real site, they can’t catch them all.
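The domain tricks listed in this section (a familiar name on an unfamiliar ending, a typo of a familiar name, and a familiar name buried inside a longer address) can be checked mechanically against the handful of shops you actually trust. The script below is an added example, not code from Bob’s Business: it classifies a list of constructed hostnames, including the misspellings quoted above, against an assumed trusted list. The trusted list, the small set of two-label suffixes and the edit-distance cut-off are assumptions, not a full public suffix list or a production threshold.

```python
"""Classify a shop's domain against a list of brands you actually trust.

Added example (not code from the page or from Bob's Business). Verdicts:
  trusted         exact domain you know is genuine
  unfamiliar-tld  trusted brand name, but on an ending you do not know
  lookalike       within a couple of typing edits of a trusted brand name
  contains-brand  trusted brand name buried inside a longer domain
  no-match        nothing to do with the brands listed
The trusted list and sample hosts are constructed; MULTI_LABEL_SUFFIXES is a
deliberately small assumption rather than the real public suffix list.
"""

# Assumed: the brands and the exact domains you know to be genuine.
TRUSTED = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}
# Assumed small set of two-label public suffixes; a real tool would use the PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
MAX_TYPO_DISTANCE = 2   # assumed: edits beyond this are no longer a "typo"


def split_domain(host):
    """Return (name, suffix) for the registrable part of a host, e.g. ('amazon', 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return host.lower(), ""


def levenshtein(a, b):
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED):
    """Return (verdict, brand, detail) for a hostname."""
    name, suffix = split_domain(host)
    registrable = f"{name}.{suffix}" if suffix else name
    for brand, domains in trusted.items():
        if registrable in domains:
            return "trusted", brand, registrable
    for brand in trusted:
        if name == brand:
            return "unfamiliar-tld", brand, f"{brand} is trusted, but not on .{suffix}"
    for brand in trusted:
        d = levenshtein(name, brand)
        if 0 < d <= MAX_TYPO_DISTANCE:
            return "lookalike", brand, f"{name} is {d} edit(s) from {brand}"
    for brand in trusted:
        if brand in name:
            return "contains-brand", brand, f"{name} contains {brand}"
    return "no-match", None, registrable


# Constructed sample hosts, including the misspellings the article quotes.
SAMPLE_HOSTS = [
    "www.amazon.co.uk", "amazong.com", "ammazon.com", "amazno.com",
    "amazon.biz", "amazon-blackfriday-deals.invalid", "example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:40} {classify(h)}")
```

Only the first host comes back as trusted; the three misspellings are reported as lookalikes one or two edits away from amazon, amazon.biz is the familiar-name-on-an-unfamiliar-ending case, and the long hyphenated host is flagged because it merely contains the brand. Anything that is not an exact trusted domain deserves a second look before you type in card details.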

Unsecure website? Run

There has been a global push to standardise the usage of secure HTTPS connections on every website in recent years. Undoubtedly, HTTPS has been a positive for commercial websites, highlighting those with a secure connection by showing a small padlock icon in the address bar.

This lock doesn’t ensure the page isn’t a scam site, however; it simply means your connection is secured, and nobody can snoop on your transaction.

Some browsers, such as Chrome, even go so far as to label sites without the lock as “not secure”. There is no point in risking it if you can’t see the lock!

Perfect your passwords.

We’re sure you’ve heard us talk about passwords many times before (after all, we’ve got a whole blog about how to make the perfect one) but creating a robust and unique password is the easiest way to protect yourself from cybercriminals.

If you don’t have time to read our full blog, here are some tips on creating a perfect password:

  • Use a collection of random but memorable words.
  • Never use a password that’s easy to guess, or based on keyboard patterns.
  • Always use unique passwords for every service.
  • Enable two-factor authentication if supported.
  • Use a password manager to save your passwords automatically.

Be wary of social media scams.

As shopping through social media rises, so do social media scams. Cybercriminals leverage the popularity of social media to lull people into confidence regarding deals and offers which don’t stand up to scrutiny.

Be careful when clicking and following links on social media, as you may be directed to fake websites that will encourage you to enter personal details. From there, it’s easy for fraudsters to steal your money or commit identity fraud.

Another major social media threat to look out for is posts that ask users to like or share them to reach a wider audience. The engagement lends the profile an air of legitimacy, which fraudsters later use to push scams to the enlarged audience.

This month in data breaches: October edition

When you think of October, you might picture pumpkins, sweets and scary movies. However, for many organisations this month, October has been frightening for all the wrong reasons.

Last year, the number of attacks in Q4 rose by 7.2 per cent against the previous quarter, driven by a resurgence in ransomware after a decline in Q3. Will 2022 follow a similar pattern? Join us as we dig into October’s biggest breaches.

Microsoft

This month found Microsoft embroiled in a contested data breach: the tech giant acknowledged a breach while calling out the firm that reported it and claiming the numbers were inflated.

Here is what threat intelligence firm SOCRadar claims: it found several misconfigured cloud storage systems, including six large buckets holding information on 150,000 businesses in 123 countries.

SOCRadar named the collection BlueBleed. The Microsoft-owned part was a misconfigured Azure Blob Storage instance that allegedly held information on more than 65,000 entities in 111 countries, which SOCRadar called “one of the most significant B2B leaks.”

In a pointed statement on the MSRC blog, Microsoft criticised SOCRadar and said the threat intelligence company had “greatly overstated the severity of this issue.”

Although the extent of the exposure is disputed, the root cause, a misconfigured cloud storage endpoint, is the kind of mistake any organisation can make, and the episode highlights that even tech giants like Microsoft are susceptible to data breaches.

See Tickets

See Tickets, the world’s largest ticket seller, has informed customers of a serious breach of their financial and personal information that lasted for more than two and a half years.

The business said that, following the original notice, it took a coordinated investigation with a forensics company nine full months to completely stop the illicit activity.

It then took a further eight months for the company to confirm that customer credit card information had been compromised.

Although the details of the incident have not yet been confirmed, the evidence released so far points to card-stealing “skimmer” malware on See Tickets systems over the 2.5-year period. Several years ago a Magecart crew notably compromised the company’s rival Ticketmaster in the same way.

Verizon

After multiple T-Mobile USA breaches this year, it is now Verizon’s turn to draw public outrage and cause alarm among its customers over its failure to protect their personal information from “bad actors.”

One such “third-party actor,” whose identity has either been withheld or not yet established, managed to compromise “approximately” 250 prepaid wireless accounts.

Verizon alerted the affected customers that the attacker had gained access to their accounts and carried out SIM swaps, moving the victim’s phone number onto a SIM the attacker controls so that calls and one-time codes sent by text are delivered to the attacker. According to Verizon, the attacker also accessed the last four digits of the credit card used for automatic payments on those accounts.

In the weeks since, Verizon has moved to undo any SIM card changes that could have taken place, stopping the bleeding but not the reputational damage.

Medibank

This month, Medibank, the largest health insurer in Australia, disclosed that a hacker had stolen sensitive health information belonging to 100 of its roughly 4 million customers and demanded payment for its return. According to Medibank, the thief also held data on a further 1,000 customers.

According to Medibank, the hack will probably cost the company between $25 million and $35 million. Medibank has no cyber-attack insurance, and the estimate does not include customer compensation, regulatory fines, potential litigation or other costs.

Medibank is in contact with the hacker, who is said to have bought the compromised credentials from another criminal on a Russian cybercrime forum, but the company has not said whether it will comply with any ransom demand.

What can we learn this month?

The word on everyone’s lips this month seems to be ‘ransomware’. While ransomware is not a new cybersecurity risk, it has recently drawn attention from the highest levels of government. People’s access to medical treatment, fuel for their cars, and grocery shopping were all impacted by ransomware – far from ideal in a cost-of-living crisis.

Ransomware is a real threat to organisations of all sizes, but it’s not impossible to stop. Here are the steps you can take to resist ransomware attacks.

How to protect your organisation against ransomware attacks

Maintain a defence-in-depth security program

  • Having multiple layers of defence is a key best practice: no single failure, such as one clicked link or one unpatched server, should hand the attacker everything. Combine email filtering, endpoint protection, least-privilege accounts and network segmentation so that a foothold on one machine cannot spread, and note that many backup vendors now offer offline or immutable copies that ransomware on the network cannot encrypt.

Perform frequent backups of critical data

  • Ransomware’s biggest target is data. Reliable backups minimise the risk of losing it, but a backup is only reliable if you have restored from it: test restores regularly, and keep at least one copy offline or immutable so the ransomware cannot reach the backups as well as the live data.

Educate employees about the risks of social engineering

  • Employees are frequently the starting point of an incident when they click on phishing links or fall for other social engineering tactics, but the risk can be reduced considerably with the right cybersecurity awareness training.

90% of successful data breaches result from phishing attempts, which continue to be one of the most destructive attacks against any organisation. Our affordable simulated phishing training program equips your staff to recognise and thwart phishing attempts before they cause harm.

How to manage risk in your organisation

Risks exist everywhere, and we face them every day. Whether taking on a new client, moving into a new office building or just crossing the road, risk must be managed appropriately to minimise potential issues and maximise gain.

In an ideal world, we’d make decisions with all facts available. However, life doesn’t often hand us those opportunities and decisions must always be made. The severity and likelihood of risks can vary, and so should your responses. Therefore, you must familiarise yourself with your organisation’s policies and procedures concerning risk management.

The following blog will take you through everything you need to know about risk management, including identification, assessment and response.

Identifying and assessing risks

You can’t fix something you don’t know is broken, meaning that the first thing to do when it comes to risks is to identify them.

For example, you may identify the risk of ‘teething problems’ when switching to a new Customer Relationship Management (CRM) system.

Once you’ve identified the risk, you should assess it based on likelihood and impact. Put simply, these two elements determine how likely a consequence of the risk is and how much of an impact the consequence could have. A common way of measuring this is on a scale of one to four.

For example, the risk of ‘teething problems’ with a new CRM could have a likelihood score of ‘two’ but an impact score of ‘four’.

The goal of developing a risk management plan is simply to formalise that process so that you can use your resources more wisely. Identifying your risks is the first and most crucial stage.

You must compile a list of all the distinct risks that could affect your business. This can be a difficult task, especially for startup companies without a track record or years of expertise to draw from. Fortunately, there are methods you can use to help:

1. Break down the big picture

When beginning the risk management process, identifying risks can be overwhelming. Start with a broad analysis. What are the most obvious potential problems for your business or sector? These may be based on your daily routine and business strategy.

Risk comes in many forms. There are numerous categories, including financial, operational, technological, legal, political, safety and reputational. Consider your organisation’s vulnerabilities in each of these categories as you break it down by department.

Asking yourself searching questions can reveal weaknesses in your organisation that you may not have considered. Is your manufacturing process, for instance, completely secure? Are all of your staff members qualified? What would happen if your biggest client disappeared? Would you know what to do, and who is responsible for doing it, if a catastrophic incident happened? If you can’t answer a question like this, it indicates a risk that needs to be addressed.

2. Try and take a glass-half-empty approach (momentarily)

What is the worst possible scenario for your company? What would the course of events be if there was a day when everything went wrong? Being extremely pessimistic may not be the ideal strategy for managing a company, but it’s quite useful for recognising hazards.

At this stage it is crucial to avoid complacency: do not assume that anything ‘can’t’ or ‘won’t’ happen. Challenge every one of your beliefs about potential threats, and be ready for any or all of them to materialise.

3. Train your employees

Everyone will view the organisation and the hazards they face while doing their jobs differently, from the CEO to the front-line employees. Employees are, therefore, one of the most important resources for spotting dangers.

You can gather input through anonymous surveys, one-on-one interviews or group discussions. Group discussions tend to generate more brainstorming and therefore a longer list of hazards, while anonymous reporting makes it more likely that employees who fear repercussions for speaking up will still respond.

Third-party providers such as Bob’s Business can also offer compliance training solutions, so your employees know how to recognise and report risks in your organisation when needed. When deployed to your teams and appropriately reinforced, these courses can help increase policy adoption in your business by an average of 45%!

How to respond to risks

Your assessment will dictate the manner in which you respond to each risk. You can easily remember the different responses to risks by remembering the ‘four Ts’.

Tolerate

If a risk has a low likelihood and impact score, you may decide to tolerate the risk. This is not the same as ignoring it! Tolerating a risk is about acknowledging the potential consequences but deciding that they are not severe enough to warrant avoiding the risk entirely.

Transfer

There are a number of reasons why a risk might be transferred, and transferring it does not mean passing it on out of apathy. A colleague may simply be better placed to deal with the risk because of greater experience or knowledge, or a third party such as an insurer or a specialist supplier may be better able to carry it.

Treat

A medium-to-high score on the likelihood and impact scale may result in you treating the risk, or lowering its potential likelihood or impact. For example, if you identify a trip hazard that you cannot fix until a later date, then an acceptable response could be to treat the risk by cordoning off the area.

Terminate

If a risk has a high likelihood and impact, but cannot be treated, then the appropriate response would be to terminate it.

For example, if you research the new CRM you’re looking to implement only to find that they have several legal cases pending and scathing customer reviews in relation to information security, then you may decide to terminate the risk by not pursuing the new system.
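The 1-to-4 scoring and the four Ts can be written down as a small risk register. The following is an added example rather than a tool from this article; the thresholds (a score of 4 or less is tolerated, a 3 or 4 on both scales counts as high) are assumptions chosen to reproduce the CRM, trip-hazard and legal-case examples above, and a real register would tune them to the organisation’s risk appetite.

```python
"""Risk register with 1-4 likelihood/impact scoring and the four Ts: added example."""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    TOLERATE = "tolerate"
    TRANSFER = "transfer"
    TREAT = "treat"
    TERMINATE = "terminate"


@dataclass
class Risk:
    name: str
    likelihood: int             # 1 (rare) .. 4 (almost certain), assumed scale
    impact: int                 # 1 (negligible) .. 4 (severe), assumed scale
    treatable: bool = True      # can we reduce likelihood or impact ourselves?
    transferable: bool = False  # is someone better placed (insurer, specialist)?

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 4:
                raise ValueError("likelihood and impact must be 1..4")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact   # 1..16


TOLERATE_AT_OR_BELOW = 4   # assumption: e.g. 1x4 or 2x2 is lived with
HIGH = 3                   # assumption: 3 or 4 on either scale is 'high'


def suggest_response(risk: Risk) -> Response:
    """Map a scored risk onto one of the four Ts."""
    if risk.score <= TOLERATE_AT_OR_BELOW:
        return Response.TOLERATE           # acknowledged, not ignored
    if risk.likelihood >= HIGH and risk.impact >= HIGH and not risk.treatable:
        return Response.TERMINATE          # e.g. walk away from the supplier
    if risk.transferable:
        return Response.TRANSFER
    return Response.TREAT                  # e.g. cordon off the trip hazard


def prioritised(register: list) -> list:
    """Highest score first, so the register is worked from the top."""
    return sorted(register, key=lambda r: r.score, reverse=True)


REGISTER = [  # constructed entries mirroring the article's examples
    Risk("CRM migration teething problems", likelihood=2, impact=4),
    Risk("Trip hazard in the warehouse", likelihood=3, impact=3),
    Risk("CRM vendor with pending infosec lawsuits", likelihood=4, impact=4,
         treatable=False),
    Risk("Office printer runs out of toner", likelihood=4, impact=1),
    Risk("Flood damage to server room", likelihood=2, impact=4,
         transferable=True),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(f"{r.score:>2}  {suggest_response(r).value:<9} {r.name}")
```

Multiplying the two scores is the common shortcut; some organisations prefer a lookup matrix so that a 1×4 (rare but severe) is not treated the same as a 4×1 (certain but trivial), which is exactly the sort of tuning the constants at the top are there for.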

Top tips for risk management in your organisation

We’ve amassed a number of simple, top tips that should help you remember the essentials of risk management.

  • Identify risks as early as possible.
  • View everything with a glass-half-empty mindset.
  • Describe risks appropriately.
  • Estimate and prioritise risk.
  • Take responsibility and ownership.
  • Learn from past mistakes.
  • Use appropriate strategies to manage risk.
  • Keep monitoring & reviewing.
  • Make sure your employees are trained and kept up to date.
  • Remember the four Ts of risk response: tolerate, transfer, treat and terminate.

Ready to start taking compliance seriously? Check out Bob’s Culture, our fully-managed compliance and cybersecurity training programme to reduce your risk of breach and noncompliance in one fell swoop.

The cost of living crisis: scams to watch out for

Almost every aspect of daily life has been affected by the cost-of-living crisis, from fuel prices to the weekly food shop. As the crisis takes root, scammers have targeted millions more people, according to new data from Citizens Advice: an increase of 14% on last year, with more than 75% of UK adults saying they have been targeted by a scammer this year.

Over the last three months there has been a staggering 170% growth in loan scams, a 131% growth in job fraud, a 128% growth in investment scams and a considerable increase in scam messages relating to energy bills.

“We know that scammers prey on our worries and fears, and the cost of living crisis is no exception”, warns Dame Clare Moriarty, CEO of Citizens Advice.

At Bob’s Business, we aim to build a world where everyone feels safe online. As part of that mission, we have pulled together a list of some of the most prominent scams targeting individuals today, alongside advice on what to do if you fall victim. Let’s get started.

Scam type 1: Cost-of-living help

Here are the facts: the Government has announced its intention to provide a £400 non-repayable discount to households with a domestic electricity meter, to help with energy bills throughout the winter months.

The discount will be administered by energy suppliers and paid to consumers in instalments over six months, with payments starting from October 2022.

However, as householders wait for the cost of living payments to be applied to energy bill accounts, scammers are targeting individuals with texts claiming to be from Ofgem, asking people to apply for their £400 rebate. If the victim clicks on a link to enter their bank details, they could risk losing all of their bank balance.

Needless to say, these texts are fake. There are a few ways to spot this: the sender is an ordinary mobile number rather than a named sender or short code, and the link does not point at a gov.uk address.

To ease confusion, here’s what you need to know about the scheme, according to the DWP:

  • You do not need to apply for the payment.
  • You do not need to call them.
  • Payment is automatic.
  • They will never ask for personal details by SMS or email.
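Both tells described above, an ordinary mobile number as the sender and a link that is not on gov.uk, can be checked mechanically. The following is an added example, not anything from the article or from Ofgem or the DWP; the sample message and sender are constructed (the 07700 900xxx range is reserved for fiction), and the look-alike and ‘@’ cases show why the hostname must come from a real URL parser and be compared as a whole label suffix, never with a substring search for “gov.uk”.

```python
"""Check a cost-of-living text for fake 'gov.uk' links: added example."""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
# UK mobile number in national (07...) or international (+447...) form.
UK_MOBILE_RE = re.compile(r"^(?:\+447|07)\d{9}$")


def is_under_domain(hostname: str, parent: str) -> bool:
    """True only if hostname is parent or a subdomain of it.
    'gov.uk.evil.com' and 'evilgov.uk' both fail; 'www.gov.uk' passes."""
    h = hostname.lower().rstrip(".")
    return h == parent or h.endswith("." + parent)


def suspicious_links(message: str, expected_parent: str = "gov.uk") -> list:
    """Return (url, hostname) for every link not under expected_parent.
    urlsplit().hostname drops userinfo, so 'https://www.gov.uk@evil.example'
    is correctly reported as evil.example."""
    findings = []
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        if not is_under_domain(host, expected_parent):
            findings.append((url, host))
    return findings


def sender_is_ordinary_mobile(sender: str) -> bool:
    """Genuine government texts come from a named sender ID or short code,
    not a personal-looking 07 number."""
    return bool(UK_MOBILE_RE.match(sender.replace(" ", "")))


def triage_sms(sender: str, message: str) -> list:
    """Collect human-readable reasons to distrust the text."""
    reasons = []
    if sender_is_ordinary_mobile(sender):
        reasons.append(f"sent from an ordinary mobile number ({sender})")
    for url, host in suspicious_links(message):
        reasons.append(f"link {url} points at {host!r}, not a gov.uk address")
    return reasons


# Constructed sample, modelled on the scam described above (not a real text).
SAMPLE_SENDER = "07700 900123"
SAMPLE_MESSAGE = ("OFGEM: You are eligible for the GBP400 Energy Bills Support "
                  "discount. Apply by 31/10 at "
                  "https://gov.uk.energy-rebate-claim.com/apply")

if __name__ == "__main__":
    for reason in triage_sms(SAMPLE_SENDER, SAMPLE_MESSAGE):
        print("WARNING:", reason)
```

The same suffix test works for any organisation you expect a text from: swap “gov.uk” for your bank’s registered domain and the logic is unchanged.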

Scam type 2: Pension attacks

According to a recent study, a quarter of Brits would contemplate taking cash out of their pension account sooner than expected due to the cost-of-living crisis.

According to the UK’s financial regulator, the Financial Conduct Authority, the number of pension pots accessed for the first time rose by 18% to 705,666 in 2021/22 compared with the previous year. Sadly, scammers are exploiting this climate to drain people of their hard-earned money.

Be cautious if you get an unexpected text, call, email or letter offering you something free, such as a pension review; it could be a scam. Having distracted their victims with the offer, scammers exploit how little most people know about how pension savings work in order to get at their money.

Watch out for these commonly used tactics of pension scammers and make sure you keep your pension pots safe:

  • The offer of a free pension review – This can be tempting, but it could prove to be a scam and result in you losing your pension.
  • Higher returns – Where scammers will guarantee they can get you better returns on your pension savings.
  • Under 55 cash release – An offer to release funds before age 55 is highly likely to be a scam and has significant tax implications.
  • High-pressure sales tactics – Scammers may try to pressure you with “time-limited offers” or even send a courier to your door to wait while you sign documents.
  • Unusual investments – These tend to be unregulated and high-risk, they may be difficult to sell if you need access to your money.

Scam type 3: Fake bank refunds

Scammers are also taking to social media to offer fake bank refunds. This scam shares a fraudulent screenshot showing amounts from £1,289 to £1,855 being deposited into someone’s account.

This scam tempts you into handing over your bank details. The scammer uses them to register your account on their own device, giving them access to your online banking; they then use the banking app to dispute a genuine transaction and collect the refund.

What to do if you think you’ve been scammed

  • Talk to your bank or card company immediately if you’ve handed over any financial or sensitive information or made a payment.
  • Report the scam to Citizens Advice. Offline scams (telephone, post and doorstep) can be reported on the Citizens Advice website or by calling 0808 223 1133; online scams go to its dedicated Scams Action service, either online or on 0808 250 5050.
  • Text scams can be reported to your mobile phone provider by forwarding them to 7726.
  • Report the scam to Action Fraud on 0300 123 2040.

How to avoid getting caught by scammers.

  • Don’t send money to anyone you don’t know, and don’t buy anything you aren’t completely sure of.
  • Offers that seem too good to be true often are. The Financial Conduct Authority website has a list of genuine companies whose details you can check.
  • Watch out for spelling and grammatical mistakes, inappropriate or informal greetings, and sloppy layouts in texts and emails.
  • Don’t download files or attachments from suspicious sources, make sure your antivirus software is up to date and run a scan before opening anything you’re suspicious of.
  • Do not call unknown phone numbers from such emails, especially if they appear to be premium rate numbers. Remember, you can contact your service provider to check the cost of dialling particular numbers.
  • Fraud can also happen in person, so don’t allow doorstep callers or anyone you feel uncomfortable with into your home.

Finally – do not be ashamed. Anyone can be a victim of fraud. Be honest with yourself and ask for help, it’s the fastest way to get to a solution.

Keeping your organisation secure

Whilst these cost-of-living scams target individuals, businesses are just as likely to be attacked, especially with inflationary pressures bearing down on companies.

That’s why it’s more important than ever to ensure you’re giving your team amazing cybersecurity awareness training to help reduce their risk of falling victim to an attack – both at home and in the office. Start training your employees today.

Cybersecurity Awareness Month at Bob’s Business

Every October, governments and private organisations alike collaborate to raise awareness of digital security.

It’s called Cybersecurity Awareness Month and its goal is to empower everyone to protect their data from cybercrime.

Launched in 2004 by the National Cyber Security Alliance and the Department of Homeland Security (DHS), this month is dedicated to providing people with online safety resources while emphasising the significance of taking the necessary steps to improve cybersecurity on university campuses, workplaces, and homes.

In this blog, we’ll dig into this year’s theme, take a look at the last 12 months in breaches and share our four key behaviours everyone

See Yourself in Cyber

This year’s Cybersecurity Awareness Month campaign theme is “See Yourself in Cyber,” and it represents the simple truth that cybersecurity is ultimately about people, which means seeing yourself in cyber regardless of your role.

According to the Cybersecurity and Infrastructure Security Agency (CISA) website, “this year’s campaign theme demonstrates that while cybersecurity may appear to be a complex subject, it’s ultimately all about people.”

Through this campaign CISA highlights key actions everyone should take: enabling multi-factor authentication, using strong passwords, recognising and reporting phishing, and keeping software up to date.

What can we learn from the last twelve months of data breaches?

Since the last cybersecurity awareness month, we’ve witnessed an abundance of data breaches in all shapes and sizes. What’s notable, however, is how many of these breaches related to this year’s theme of the human element in cybersecurity.

Last month saw the well-documented data breach at ride-hailing giant Uber. The most significant elements of the breach were human ones: social engineering and the bypassing of multi-factor authentication. A year ago, two-factor authentication was the phrase on everyone’s lips, but attackers are becoming more adept at getting around MFA by exploiting a variety of channels and methods.

Ironically, popular password manager LastPass experienced a major data breach earlier in the year. Customers and the wider public were naturally worried, as the organisation takes pride in offering tools to protect passwords yet could not secure its own information. As every Cybersecurity Awareness Month reminds us, this breach emphasised that the most effective way to keep passwords secure is to use a different, randomly generated password for each service, so that one breach cannot be reused against your other accounts.

Probably the most prominent development since last October, Russia’s war with Ukraine has introduced another level of threat to organisations. The National Cyber Security Centre (NCSC) told UK organisations to buckle up and prepare for the long haul. This year’s updated guidance went back to fundamentals: organisations must focus on security basics, empower staff, and accelerate any planned action to harden networks and strengthen defences.

Four key behaviours to reduce your cyber risk.

Enable multi-factor authentication

Enabling multi-factor authentication adds a second layer of security to your online accounts by requiring an additional verification step after you provide your correct username and password.

Enabling MFA is an easy way to protect your accounts and personal information. In fact, according to the National Cybersecurity Alliance, 99.9% of account hacks could have been prevented by using MFA.

Use strong passwords and a password manager

Making sure your employees receive clear, actionable instructions on creating strong passwords is key whether you are in charge of IT within your company or a senior member.

Passwords should be simple to remember yet hard for others to guess. A good test is that someone who knows you well could not guess your password in 20 attempts. Our dedicated password training course is designed to help your staff do this and prevent the loss of critical data, and the NCSC also has useful advice on choosing a hard-to-guess password.
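Both the Black Friday password tips earlier on this page (“a collection of random but memorable words”) and the advice here come down to the same construction. The following is an added example, not a tool from this article or from the NCSC: it draws words with Python’s `secrets` module, the cryptographically secure source the standard library provides, and estimates how long a passphrase of a given length survives guessing. The word list is a small constructed stand-in for a real list of several thousand words, and the pattern blocklist is an assumption.

```python
"""Random-word passphrases and a rough strength estimate: added example."""
import math
import secrets

# Constructed stand-in for a real diceware-style list (EFF's has 7,776 words).
WORDS = (
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "marble", "needle",
    "orange", "pepper", "quiver", "rocket", "saddle", "timber", "umpire",
    "violin", "walnut", "yogurt", "zipper", "bishop", "cactus", "donkey",
    "eleven", "fossil", "goblet", "helmet",
)  # 32 words -> 5 bits each

# Assumed blocklist: keyboard walks and perennial favourites.
COMMON_PATTERNS = ("qwerty", "asdf", "zxcv", "12345", "password", "letmein")


def generate_passphrase(n_words: int = 3, words=WORDS, sep: str = "-") -> str:
    """Pick n words uniformly at random with the OS CSPRNG, never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """log2 of the number of equally likely passphrases."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average an attacker finds the passphrase after half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def is_weak(candidate: str) -> bool:
    """Catch passwords that are short or built from keyboard patterns
    and common words; a random-word passphrase passes both checks."""
    if len(candidate) < 12:
        return True
    lowered = candidate.lower()
    return any(p in lowered for p in COMMON_PATTERNS)


if __name__ == "__main__":
    phrase = generate_passphrase(3)
    print("passphrase:", phrase, "weak?", is_weak(phrase))
    for n in (3, 4):
        bits = entropy_bits(n, 7776)
        online = expected_crack_seconds(bits, 100) / (365 * 86400)
        offline = expected_crack_seconds(bits, 1e10) / (365 * 86400)
        print(f"{n} words from 7,776: {bits:.1f} bits; ~{online:.0f} years at "
              f"100 guesses/s online, ~{offline:.2g} years at 1e10/s offline")
```

The two guess rates in the printout are the point: against a rate-limited login page three random words hold for centuries, but against an offline attack on a leaked database of fast hashes the same phrase falls in seconds, which is why a password must also be unique per service and why a fourth word is cheap insurance.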

Update software

Your organisation’s operating systems and applications are tempting targets for hackers, because the operating system controls every function on the computer. Despite the limited protection built in, no operating system is without security gaps.

That is where regular patches and updates from the software makers come in: they close the gaps attackers exploit and make you safer. So, the next time you are prompted to update your software, do it.

Recognise and report phishing attempts

Social engineering sits at the core of most cyber attacks, in the last year as in those before, so teaching your employees to recognise and stop phishing attacks is vital. With phishing still involved in 90% of successful data breaches, the best way to stop cybercriminals is to beat them at their own game.

You can train your employees with our phishing simulations, which teach employees how to spot phishing attacks and correctly report and dispose of them without giving the cybercriminals the information and access they want.

How your organisation can get involved in Cybersecurity Awareness Month

Throughout this month, we will be hosting polls across our social media. Get your employees involved and create your own competition!

However, the best way you can get involved in cybersecurity awareness month is by starting your employees on their training journey. Let Bob’s Business do the leg work for you this October, and start training your team today.