How to stay safe online this Black Friday and Cyber Monday

With Black Friday and Cyber Monday just around the corner and Christmas rapidly approaching, there’s no doubt it’s the season for lighter wallets.

But whilst riding the sales on Black Friday and Cyber Monday can land you a fantastic deal, they’re also a beacon that attracts scam artists, fraudsters, and crooks.

This is more prevalent than ever in the current cost-of-living crisis, with scammers preying on anxiety and fear of missing out – something we covered in our latest blog post.

That’s why we’re stepping up to help you stay vigilant online. Here are our top tips.

Don’t get caught on dodgy domains.

Fake, quickly assembled websites are a classic tool of fraudsters and a vital tool for duping customers into handing over their details. However, they can be spotted. Here’s what to look out for.

  • Websites with familiar names but unfamiliar top-level domains, like .org, .biz or .co
  • Blurry or pixelated images
  • Unusual or incorrect site addresses, like amazong.com
  • Poor spelling & grammar
  • Unsecured connections

You can avoid shady websites by keeping an eye out for these elements.

If it looks too good to be true, then it probably is.

Cybercriminals like to play on our deal-hunting instincts, especially on Black Friday and Cyber Monday and in our current economic climate. Be aware that whilst crazy deals are tempting, they might not even be real!

You can use your common sense here; if an £8,000 TV has been reduced to £1,500, something may be afoot.

It’s important to do some research on the seller. If possible, check reviews from other buyers. Look up the company on the Better Business Bureau website, and check that site’s Scam Tracker for any reports.

However, if you can’t find anything at all, that may be a red flag, too. Even the most trusted online stores have bad reviews.

Again, if it seems too good to be true, it probably is. Researching the offer carefully lets you redeem the sweet Black Friday deals without getting fooled by fakes.

Stick with what you know.

Stick with big, reputable online retailers for the safest shopping experience. Although purchasing from Amazon may aid in their efforts for world domination, at least you’re safe in the knowledge that you aren’t putting yourself at risk.

Relying on a proven name alone isn’t enough, however.

Watch out for typos in URLs, because your ‘legitimate’ page might be built by a scammer to closely resemble the real thing. Think “ammazon.com” rather than “amazon.co.uk”. Although many big online stores try to buy up as many common typo domains as they can, such as Amazno.com, Amazzon.com or Ammazon.com, and redirect them to the real site, they can’t catch them all.
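The typo and wrong-TLD tricks above can be checked mechanically. The following is an added example written for this post, not code from Bob’s Business: it splits a hostname into its registrable label and suffix, flags a brand name appearing in a subdomain (such as amazon.com.evil.biz), flags a brand under a TLD it does not normally use, and flags labels that are one typo (insertion, deletion, substitution or adjacent swap) away from a known brand. The KNOWN_BRANDS table and the suffix heuristic are constructed for illustration; a production tool would use the Public Suffix List and a real brand feed.

```python
"""Lookalike-domain check for the typo and wrong-TLD tricks described above.
Added example; KNOWN_BRANDS is a constructed table, not a real feed."""

# Constructed: brand label -> the public suffixes it legitimately uses.
KNOWN_BRANDS = {
    "amazon": {"com", "co.uk"},
    "paypal": {"com"},
}

# Labels that precede a two-letter country code (co.uk, com.au, ...).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution or adjacent swap each cost 1, so 'amazno' is 1 from 'amazon'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_host(host: str):
    """Return (subdomain labels, registrable label, suffix) for a hostname.
    Heuristic for two-level country suffixes; a real tool would consult the
    Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[:-3], parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[:-2], parts[-2], parts[-1]
    return [], parts[0], ""


def classify(host: str):
    """None if nothing suspicious, otherwise (reason, brand)."""
    subs, label, suffix = split_host(host)
    if label in KNOWN_BRANDS:
        return None if suffix in KNOWN_BRANDS[label] else ("unexpected_tld", label)
    for brand in KNOWN_BRANDS:
        if brand in subs:                      # e.g. amazon.com.evil.biz
            return ("brand_in_subdomain", brand)
        if osa_distance(label, brand) == 1:    # one typo away from the brand
            return ("lookalike", brand)
    return None


if __name__ == "__main__":
    for h in ["www.amazon.co.uk", "amazong.com", "amazno.com", "amazon.biz",
              "amazon.com.evil.biz", "example.com"]:
        print(f"{h:25} -> {classify(h)}")
```

A distance of exactly 1 keeps the false-positive rate low for short brand names; for longer brands a threshold of 2 is common. A result of None only means the name is not a lookalike of a brand you listed, so it complements rather than replaces the other checks in the list above.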

Unsecure website? Run.

There has been a global push to standardise the usage of secure HTTPS connections on every website in recent years. Undoubtedly, HTTPS has been a positive for commercial websites, highlighting those with a secure connection by showing a small padlock icon in the address bar.

This lock doesn’t guarantee the page isn’t a scam site, however; any site, scam sites included, can obtain a certificate. It simply means your connection is encrypted, so nobody can snoop on your transaction.

Some browsers, such as Chrome, even go so far as to label sites without the lock as “not secure”. There is no point in risking it if you can’t see the lock!

Perfect your passwords.

We’re sure you’ve heard us talk about passwords many times before (after all, we’ve got a whole blog about how to make the perfect one) but creating a robust and unique password is the easiest way to protect yourself from cybercriminals.

If you don’t have time to read our full blog, here are some tips on creating a perfect password:

  • Use a collection of random but memorable words.
  • Never use a password that’s easy to guess, or based on keyboard patterns.
  • Always use unique passwords for every service.
  • Enable two-factor authentication if supported.
  • Use a password manager to save your passwords automatically.
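To make the first two tips concrete, here is an added example (written for this post, not code from Bob’s Business) that generates a “random but memorable words” passphrase with a cryptographically secure random source, works out how many words a list of a given size needs to reach a target strength, and applies a simple guessability check for the keyboard patterns and common passwords the list warns against. The word list and the common-password set are constructed placeholders; a real list such as a diceware list has thousands of entries, and that size is where the strength comes from.

```python
import math
import secrets

# Constructed sample list; a real diceware-style list has thousands of words,
# and the list size is what gives each word its share of the entropy.
SAMPLE_WORDS = ["copper", "lantern", "meadow", "violet", "harbour", "pixel",
                "walnut", "canyon", "ember", "saddle", "quartz", "tundra"]

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "iloveyou", "football"}


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words using the secrets module (a CSPRNG), never random."""
    if count < 1 or len(words) < 2:
        raise ValueError("need a positive count and at least two words")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Bits of entropy for `count` words drawn uniformly from `list_size`."""
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words reaching `target_bits` for this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def looks_guessable(password):
    """Reject common passwords, keyboard runs, alphabetic/numeric sequences
    and repeated characters. Returning False is not proof of strength."""
    low = password.lower()
    core = low.rstrip("0123456789!?.")          # 'Password1' -> 'password'
    if core in COMMON_PASSWORDS:
        return True
    for row in KEYBOARD_ROWS:                    # qwer, rewq, 1234, ...
        for seq in (row, row[::-1]):
            if any(seq[i:i + 4] in low for i in range(len(seq) - 3)):
                return True
    for i in range(len(low) - 3):                # abcd, dcba
        steps = [ord(low[j + 1]) - ord(low[j]) for j in range(i, i + 3)]
        if steps in ([1, 1, 1], [-1, -1, -1]):
            return True
    if any(ch * 4 in low for ch in set(low)):    # aaaa
        return True
    return False


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print(phrase, "guessable:", looks_guessable(phrase))
    print("4 words from a 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("words for 80 bits from that list:", words_needed(7776, 80))
```

Four words from a 7776-word list give about 52 bits, and seven words reach 80; with the twelve-word sample above you would need far more, which is the point of using a large published list rather than words you thought of yourself.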

Be wary of social media scams.

As shopping through social media rises, so do social media scams. Cybercriminals leverage the popularity of social media to lull people into confidence regarding deals and offers which don’t stand up to scrutiny.

Be careful when clicking and following links on social media, as you may be directed to fake websites that will encourage you to enter personal details. From there, it’s easy for fraudsters to steal your money or commit identity fraud.

Another major social media threat to look out for is posts that encourage users to like or share them (gaining a wider audience); these lend legitimacy to fraudsters, who later use the profiles to propagate scams.

This month in data breaches: October edition

When you think of October, you might picture pumpkins, sweets and scary movies. However, for many organisations this month, October has been frightening for all the wrong reasons.

Last year, Q4 saw the number of attacks rise by 7.2 per cent against the previous quarter, driven by a rise in ransomware attacks after a decline in Q3. Will 2022 follow a similar pattern? Join us as we dig into October’s biggest breaches.

Microsoft

This month found Microsoft embroiled in a contested data breach, with the tech giant acknowledging a breach whilst calling out the firm that reported the event and claiming the numbers were inflated.

Here’s what threat intelligence firm SOCRadar claims: it found several misconfigured cloud storage systems, including six large buckets containing information on 150,000 businesses in 123 different countries.

The company referred to these buckets as BlueBleed, and they contained an improperly configured Azure Blob Storage instance that allegedly had information on more than 65,000 entities in 111 different countries. SOCRadar deemed it “one of the most significant B2B leaks.”

In a heated statement published on the MSRC blog, Microsoft attacked SOCRadar and claimed that the threat intelligence company had “greatly overstated the severity of this issue.”

Although the extent and cause of this breach are currently unknown, it highlights the fact that even tech giants like Microsoft are susceptible to data breaches.

See Tickets

See Tickets, the world’s largest ticket seller, has informed customers of a serious breach of their financial and personal information that lasted for more than two and a half years.

The business said that, following the original notice, it took a coordinated investigation with a forensics company nine full months to completely stop the illicit activity.

When the company finally realised that customer credit card information had been hacked, it took them another eight months.

The evidence revealed so far potentially suggests the presence of card data-stealing “skimmer” malware on See Tickets systems during a 2.5-year period, even if the details of the incident have not yet been confirmed. Several years ago, a Magecart crew notably infiltrated the company’s competitor Ticketmaster in this manner.

Verizon

After multiple T-Mobile USA breaches this year, it is now Verizon’s turn to draw public outrage and cause significant alarm among its customers over its failure to protect those customers’ personal information from the mayhem-causing activities of “bad actors.”

One such “third party actor,” whose identity is either concealed or has not yet been made public, managed to hack “approximately” 250 prepaid wireless accounts.

Verizon alerted a number of customers that hackers had gained access to their accounts and were using SIM swap attacks to take advantage of the exposed credit card information. According to Verizon, the final four digits of the credit card used to make automatic payments on consumer accounts were accessed by a third-party actor.

In the weeks since, Verizon has moved to undo any SIM card changes that could have taken place, stopping the bleeding but not the reputational damage.

Medibank

This month, Medibank, the largest health insurer in Australia, disclosed that the sensitive health information of 100 of its 4 million customers had been taken by a hacker, who then demanded payment to return it. The thief also possessed data on an additional 1,000 users, according to Medibank.

According to Medibank, the hack will probably cost the corporation between $25 million and $35 million. This is because Medibank lacks cyber-attack insurance, and the anticipated cost does not account for customer compensation, regulatory fees, or potential litigation or other costs incurred by the corporation.

Although Medibank is in contact with the hacker, who acquired the compromised credentials from another hacker on a Russian cybercrime site, the corporation has not said if it will comply with any ransom requests.

What can we learn this month?

The word on everyone’s lips this month seems to be ‘ransomware’. While ransomware is not a new cybersecurity risk, it has recently drawn attention from the highest levels of government. People’s access to medical treatment, fuel for their cars, and grocery shopping were all impacted by ransomware – far from ideal in a cost-of-living crisis.

Ransomware is a real threat to organisations of all sizes, but it’s not impossible to stop. Here are the steps you can take to resist ransomware attacks.

How to protect your organisation against ransomware attacks

Maintain a defence-in-depth security program

  • Having multiple layers of defence is a key best practice. Many data backup companies now have options for multi-layer backups which can protect your organisation.

Perform frequent backups of critical data

  • Ransomware’s biggest target is data. By having reliable backups, the risk of losing data can be minimised.

Educate employees about the risks of social engineering

  • Employees are frequently the root of incidents when they click on phishing links or fall for other social engineering tactics, but the risk can be considerably reduced with the right cybersecurity awareness training.

90% of successful data breaches result from phishing attempts, which continue to be one of the most destructive attacks against any organisation. Our affordable simulated phishing training program equips your staff to recognise and thwart phishing attempts before they cause harm.

How to manage risk in your organisation

Risks exist everywhere, and we face them every day. Whether taking on a new client, moving into a new office building or just crossing the road, risk must be managed appropriately to minimise potential issues and maximise gain.

In an ideal world, we’d make decisions with all the facts available. However, life rarely hands us that opportunity, and decisions must still be made. The severity and likelihood of risks can vary, and so should your responses. Therefore, you must familiarise yourself with your organisation’s policies and procedures concerning risk management.

The following blog will take you through everything you need to know about risk management, including identification, assessment and response.

Identifying and assessing risks

You can’t fix something you don’t know is broken, meaning that the first thing to do when it comes to risks is to identify them.

For example, you may identify the risk of ‘teething problems’ when switching to a new Customer Relationship Management (CRM) system.

Once you’ve identified the risk, you should assess it based on likelihood and impact. Put simply, these two elements determine how likely a consequence of the risk is and how much of an impact the consequence could have. A common way of measuring this is on a scale of one to four.

For example, the risk of ‘teething problems’ with a new CRM could have a likelihood score of ‘two’ but an impact score of ‘four’.

The goal of developing a risk management plan is simply to formalise that process so you can use your resources more wisely. Identifying your risks is the first and most crucial stage in this approach.

You must compile a list of all the unique dangers that can affect your business. This can be a difficult task, especially for startup companies without a track record or years of expertise to draw from. Fortunately, there are certain methods you can use to help:

1. Break down the big picture

When beginning the risk management process, identifying risks can be overwhelming. Start with a broad analysis. What are the most obvious potential problems for your business or sector? These may be based on your daily routine and business strategy.

Risk comes in many forms. There are numerous categories, including financial, operational, technological, legal, political, safety, and reputational. Consider your organisation’s vulnerabilities in each of these categories when you break it down by department.

Asking yourself insightful questions can reveal weaknesses in your organisation that you may not have considered. Is your manufacturing process, for instance, completely secure? Are all of your staff members qualified? What would happen if your greatest client disappeared? Would you know what to do and who to blame if a catastrophic incident happened? If you can’t provide an answer to a question like this, it indicates a risk that needs to be addressed.

2. Try and take a glass-half-empty approach (momentarily)

What is the worst possible scenario for your company? What would the course of events be if there was a day when everything went wrong? Being extremely pessimistic may not be the ideal strategy for managing a company, but it’s quite useful for recognising hazards.

At this point it is crucial to avoid arrogance and the belief that anything ‘can’t’ or ‘won’t’ happen. Challenge every one of your beliefs regarding potential threats, and be ready for any or all of them to materialise.

3. Train your employees

Everyone will view the organisation and the hazards they face while doing their jobs differently, from the CEO to the front-line employees. Employees are, therefore, one of the most important resources for spotting dangers.

You can ask for anonymous input from employees, hold one-on-one interviews, or run group discussions. While group talks may improve the amount of brainstorming and result in a higher number of identified hazards, allowing anonymous reporting may make it more likely that employees who are worried about the consequences of speaking up will respond.

Third-party providers such as Bob’s Business can also offer compliance training solutions, so your employees know how to recognise and report risks when needed in your organisation. When deployed into your teams and appropriately reinforced, these courses can help increase policy adoption in your business by an average of 45%!

How to respond to risks

Your assessment will dictate the manner in which you respond to each risk. You can easily remember the different responses to risks by remembering the ‘four Ts’.

Tolerate

If a risk has a low likelihood and impact score, you may decide to tolerate the risk. This is not the same as ignoring it! Tolerating a risk is about acknowledging the potential consequences but deciding that they are not severe enough to warrant avoiding the risk entirely.

Transfer

There are a number of reasons why a risk might be transferred. Transferring a risk does not necessarily mean passing it over to someone else because of apathy. A colleague may simply be better placed to deal with the risk due to a greater level of experience or knowledge.

Treat

A medium-to-high score on the likelihood and impact scale may result in you treating the risk, i.e. lowering its potential likelihood or impact. For example, if you identify a trip hazard that you cannot fix until a later date, then an acceptable response could be to treat the risk by cordoning off the area.

Terminate

If a risk has a high likelihood and impact, but cannot be treated, then the appropriate response would be to terminate it.

For example, if you research the new CRM you’re looking to implement only to find that the vendor has several legal cases pending and scathing customer reviews in relation to information security, then you may decide to terminate the risk by not pursuing the new system.

Top tips for risk management in your organisation

We’ve amassed a number of simple, top tips that should help you remember the essentials of risk management.

  • Identify risks as early as possible.
  • View everything with a glass-half-empty mindset.
  • Describe risks appropriately.
  • Estimate and prioritise risk.
  • Take responsibility and ownership.
  • Learn from past mistakes.
  • Use appropriate strategies to manage risk.
  • Keep monitoring & reviewing.
  • Make sure your employees are trained and kept up to date.
  • Remember the four Ts of risk response: tolerate, transfer, treat and terminate.

Ready to start taking compliance seriously? Check out Bob’s Culture, our fully-managed compliance and cybersecurity training programme to reduce your risk of breach and noncompliance in one fell swoop.

The cost of living crisis: scams to watch out for

Almost every aspect of daily life has been impacted by the recent cost-of-living crisis, from gas prices to our weekly food shops. However, as the cost-of-living issue takes root, millions more people have been targeted by scammers, according to new data from Citizens Advice. That’s an increase of 14% from last year, and more than 75% of people in the UK indicated they have been the target of a scammer this year.

We have seen a staggering 170% growth in loan scams, a 131% growth in job fraud, a 128% growth in investment scams and a considerable increase in scam messages relating to energy bills over the last three months.

“We know that scammers prey on our worries and fears, and the cost of living crisis is no exception”, warns Dame Clare Moriarty, CEO of Citizens Advice.

At Bob’s Business, we aim to build a world where everyone feels safe online. As part of that mission, we have pulled together a list of some of the most prominent scams targeting individuals today, alongside advice on what to do if you fall victim. Let’s get started.

Scam type 1: Cost-of-living help

Here are the facts: the Government has announced its intention to provide a £400 non-repayable discount to households with a domestic electricity meter, to help with energy bills throughout the winter months.

The discount will be administered by energy suppliers and paid to consumers in instalments over six months, with payments starting from October 2022.

However, as householders wait for the cost of living payments to be applied to energy bill accounts, scammers are targeting individuals with texts claiming to be from Ofgem, asking people to apply for their £400 rebate. If the victim clicks on a link and enters their bank details, they risk losing their entire bank balance.

Needless to say, these texts are fake. There are a few ways to spot this, such as the message coming from an ordinary mobile phone number and the link not pointing to a gov.uk address.

To ease confusion, here’s what you need to know about the scheme, according to the DWP:

  • You do not need to apply for the payment.
  • You do not need to call them.
  • Payment is automatic.
  • They will never ask for personal details by SMS or email.

Scam type 2: Pension attacks

According to a recent study, a quarter of Brits would contemplate taking cash out of their pension account sooner than expected due to the cost-of-living crisis.

In comparison to the previous year, the number of pension pots accessed for the first time increased by 18% to 705,666 in 2021/22, according to the UK’s finance watchdog. Sadly, scammers are utilising this climate to drain people of their hard-earned money.

Be cautious if you get an unexpected text, call, email, or letter in the mail offering you something free, such as a pension review; it could be a scam. Scammers exploit gaps in their victims’ knowledge of how pension savings work, distracting them in order to get at their hard-earned money.

Watch out for these commonly used tactics of pension scammers and make sure you keep your pension pots safe:

  • The offer of a free pension review – This can be tempting, but it could prove to be a scam and result in you losing your pension.
  • Higher returns – Where scammers will guarantee they can get you better returns on your pension savings.
  • Under 55 cash release – An offer to release funds before age 55 is highly likely to be a scam and has significant tax implications.
  • High-pressure sales tactics – Scammers may try to pressure you with “time-limited offers” or even send a courier to your door to wait while you sign documents.
  • Unusual investments – These tend to be unregulated and high-risk, and they may be difficult to sell if you need access to your money.

Scam type 3: Fake bank refunds

Scammers are also taking to social media to offer fake bank refunds. This scam shares a fraudulent screenshot showing amounts from £1,289 to £1,855 being deposited into someone’s account.

This scam tempts you into parting with your bank details. The scammer will use your details to set up your account on their device, giving them access to your bank account. They then use the banking app to dispute a transaction and get a refund.

What to do if you think you’ve been scammed

  • Talk to your bank or card company immediately if you’ve handed over any financial or sensitive information or made a payment.
  • Report the scam to Citizens Advice. Offline scams (telephone, post and doorstep) can be reported on the Citizens Advice website or by calling 0808 223 1133. Report online scams to the dedicated Scams Action service, either online or on 0808 250 5050.
  • Text scams can be reported to your mobile phone provider by forwarding them to 7726.
  • Report the scam to Action Fraud on 0300 123 2040.

How to avoid getting caught by scammers

  • Don’t send money to anyone you don’t know, and don’t buy anything you aren’t completely sure of.
  • Offers that seem too good to be true often are. The Financial Conduct Authority website has a list of genuine companies whose details you can check.
  • Watch out for spelling and grammatical mistakes, inappropriate or informal greetings, and sloppy layouts in texts and emails.
  • Don’t download files or attachments from suspicious sources; make sure your antivirus software is up to date, and run a scan before opening anything you’re suspicious of.
  • Do not call unknown phone numbers from such emails, especially if they appear to be premium rate numbers. Remember, you can contact your service provider to check the cost of dialling particular numbers.
  • Fraud can also happen in person, so don’t allow doorstep callers or anyone you feel uncomfortable with into your home.

Finally – do not be ashamed. Anyone can be a victim of fraud. Be honest with yourself and ask for help; it’s the fastest way to get to a solution.

Keeping your organisation secure

Whilst these cost-of-living scams target individuals, businesses are just as liable to be attacked – especially with inflationary pressures coming to bear on companies.

That’s why it’s more important than ever to ensure you’re giving your team amazing cybersecurity awareness training to help reduce their risk of falling victim to an attack – both at home and in the office. Start training your employees today.

Cybersecurity Awareness Month at Bob’s Business

Every October, governments and private organisations alike collaborate to raise awareness of digital security.

It’s called Cybersecurity Awareness Month and its goal is to empower everyone to protect their data from cybercrime.

Launched in 2004 by the National Cyber Security Alliance and the Department of Homeland Security (DHS), this month is dedicated to providing people with online safety resources while emphasising the significance of taking the necessary steps to improve cybersecurity on university campuses, workplaces, and homes.

In this blog, we’ll dig into this year’s theme, take a look at the last 12 months in breaches and share our four key behaviours everyone

See Yourself in Cyber

This year’s Cybersecurity Awareness Month campaign theme is “See Yourself in Cyber,” and it represents the simple truth that cybersecurity is ultimately about people, which means seeing yourself in cyber regardless of your role.

According to the Cybersecurity and Infrastructure Security Agency (CISA) website, “this year’s campaign theme demonstrates that while cybersecurity may appear to be a complex subject, it’s ultimately all about people.”

Through this campaign, CISA will highlight key actions people should take, such as enabling multi-factor authentication, using strong passwords, recognising and reporting phishing, and keeping your software up to date.

What can we learn from the last twelve months of data breaches?

Since the last cybersecurity awareness month, we’ve witnessed an abundance of data breaches in all shapes and sizes. What’s notable, however, is how many of these breaches related to this year’s theme of the human element in cybersecurity.

Last month saw the well-documented data breach from ride-hailing giant, Uber. The most significant elements from the breach focused on the human element, including social engineering and multi-factor authentication violations. A year ago, two-factor authentication was the phrase on everyone’s lips, but now hackers are becoming more adept at getting around what is known as multi-factor authentication by exploiting a variety of channels and methods.

Ironically, popular password manager LastPass experienced a major data breach earlier in the year. Customers and a wider audience were naturally worried, as the organisation takes pride in offering tools to protect passwords but couldn’t secure its own information. As is a theme of every Cybersecurity Awareness Month, this breach emphasised that the most effective way of keeping passwords secure is to use a different password for each service, generated with a random password generator.

Probably the most prominent development since last October, Russia’s war on Ukraine has introduced another level of threat to organisations. The National Cyber Security Centre (NCSC) told UK organisations to buckle up and prepare for the long haul. This year’s updated guidance drew inspiration from getting back to the fundamentals. It noted that organisations must focus on security basics, empower staff, and accelerate any planned action to harden networks and strengthen defences.

Four key behaviours to reduce your cyber risk

Enable multi-factor authentication

Enabling multi-factor authentication adds a second layer of security to your online accounts by requiring an additional verification step after you provide your correct username and password.

Enabling MFA is an easy way to protect your accounts and personal information. In fact, according to the National Cybersecurity Alliance, 99.9% of account hacks could have been prevented by using MFA.

Use strong passwords and a password manager

Making sure your employees receive clear, actionable instructions on creating strong passwords is key whether you are in charge of IT within your company or a senior member.

Passwords should be simple to remember yet challenging for others to guess. A smart rule of thumb is that your password shouldn’t be guessable within 20 attempts by someone who knows you well. Our dedicated password training course is designed to help your staff do this and prevent the loss of critical data, and the NCSC also has some useful advice on choosing a hard-to-guess password.

Update software

Your organisation’s operating system is a tempting target for hackers, as it controls every function on your computer. However, despite limited built-in virus protection, no operating system is without security gaps.

That’s where regular patches and updates from the software makers come into play. These updates resolve those issues and make you safer. So, the next time that you’re prompted to update your software – do it.

Recognise and report phishing attempts

Social engineering is at the core of most cyber attacks, in the last year and those prior, so teaching your employees to recognise and stop phishing attacks is vital. As phishing attacks remain behind 90% of successful data breaches, the best way to stop cybercriminals is to beat them at their own game.

You can train your employees with our phishing simulations, which teach employees how to spot phishing attacks and correctly report and dispose of them without giving the cybercriminals the information and access they want.

How your organisation can get involved in Cybersecurity Awareness Month

Throughout this month, we will be hosting polls across our social media. Get your employees involved and create your own competition!

However, the best way you can get involved in cybersecurity awareness month is by starting your employees on their training journey. Let Bob’s Business do the leg work for you this October, and start training your team today.

This month in data breaches: September edition

Another month, another litany of breaches to discuss. We join you at the end of September 2022, which, even by modern standards, has offered tough lessons for organisations large and small in being careful about to whom you provide sensitive information.

We’ve got a lot of ground to cover, so let’s get started examining September in data breaches.

Uber

When it comes to breaches, they don’t get any more high-profile than Uber.

According to reports, a 17-year-old hacker was able to access user data, vulnerabilities reported to Uber’s HackerOne account, and Uber’s IT infrastructure.

The attacker most likely obtained a corporate password of an Uber contractor and, from there, gained access to a host of internal systems.

There are some intriguing aspects of the attack itself that cybersecurity experts and organisations may learn from. The human element, including social engineering and multi-factor authentication fatigue, has received much attention. Lapsus$ was identified in Uber’s security update as a potential attacker group of interest, which has provided some answers.

Credential theft continues to pose the most significant risk in this case and many others. As we’ve lately noticed, hackers are getting better at bypassing MFA by using a variety of channels and techniques. In fact, there are numerous MFA compromises in the Uber story.

Since your employees are your gatekeepers, regularly train them on how to spot and report phishing to help prevent identity theft. Take a look at our identity theft course here.

Rockstar Games

The individuals behind the Uber hack struck again in September, claiming responsibility for hacking gaming giant Rockstar Games after targeting mega-brands like Microsoft, Cisco, Samsung, Nvidia, Okta and as previously mentioned, Uber.

Arguably the most anticipated video game in history, Grand Theft Auto 6, had been kept well under wraps by studio Rockstar Games. That was until roughly 90 videos showing in-development gameplay footage appeared on GTAForums from an account with the user name “teapotuberhacker”.

The videos, which had a total runtime of about 50 minutes, were shared on social media and reported widely.

Teapotuberhacker claimed they planned to “negotiate a deal” with the game publisher to return unpublished data, including the source code for Grand Theft Auto 5 and the in-development version of Grand Theft Auto 6, after publishing the allegedly in-development video on September 18, 2022.

As with Uber, an employee’s password was obtained and then used to access Slack, where information shared between staff members was likely used to gain further access to sensitive data.

TikTok

Early in September, security experts found a critical TikTok vulnerability that would have allowed users to be exploited for a one-click account takeover. On September 3rd, the Breach Forums message board posted the initial claims of an alleged hack.

Screenshots from a TikTok and WeChat breach were purportedly released by a user going by the username AgainstTheWest. In that post, the user claimed they had not yet decided whether to sell the allegedly stolen material or make it available to the public.

In addition to a video displaying one set of database tables, two links to samples of the data were also made public. The post goes on to say that they have taken 2 billion records from the database.

BlueHornet|AgainstTheWest, a Twitter user, also claims to have taken “internal backend source code” in a tweet.

According to a spokesman for TikTok, no proof of a security vulnerability has been discovered. Out of an abundance of caution, we advise all TikTok users, and organisations running everyday accounts on the platform, to make sure two-factor authentication (2FA) is turned on.

Revolut

Customers of Revolut first noticed something was amiss on September 11th, when reports of “inappropriate wording via chat” surfaced. A few days later, some users received an email notification stating that a cyberattack had affected their accounts.

Revolut reported that while the attackers were unable to access funds, credit card information, PINs, or passwords, they did have access to the personal information of the impacted users.

The State Data Protection Inspectorate of Lithuania disclosed that Revolut Bank had experienced a data breach, that social engineering techniques were used to gain access to the database, and that 50,150 customers’ data from all over the world may have been compromised. This data included names, addresses, email addresses, telephone numbers, part of the payment card data, and account details.

After this event, Revolut emphasised to users that “We will never ask you for your details or passwords.” Only a few days later, however, clients began receiving SMS phishing (smishing) messages, although these don’t seem to have been specifically targeted at the individuals whose data was compromised.

Recipients who followed the link were then taken through a set of well-crafted pages asking them to log into Revolut by entering their phone number, passcode, full name, email address, date of birth, and the details of the debit card attached to their account.

This data breach highlights the risks of smishing and the effect it can have on a whole organisation. Our brand-new course, Hook, Line and Sinker: The Game, gives employees smishing and phishing training on how to spot the early signs. View the course here.

So, what can we learn from this?

Looking closely at these breaches, you’ll note that a pattern emerges, namely, the use of social engineering techniques to trick users into giving out personal information.

Whilst human error is largely inevitable, the damage from those errors can be controlled and limited.

Indeed, the type of password-based attacks described in the Uber and Rockstar Games breaches could have been stopped entirely if multi-factor authentication had been in place across all organisation members – especially those with access to privileged information.

There is no shortage of threats which can seriously harm your business, but there is hope. Cybersecurity awareness training is a proven method to reduce your risk of breach and give your team the skills required to spot the telltale signs of potential threats. Start training your team today.

The Future of Cybersecurity 2022: The most remarkable statistics

It’s no secret that cybercrime has become a key issue for businesses, with nearly all criminal activities having some sort of online component. Post-pandemic, cyber threats have increased by 81%, showing no signs of slowing down.

At Bob’s Business, we’re at the forefront of cyber-risk reduction by putting people first and positive cybersecurity behaviours at the heart of everything.

Critical to our cutting-edge thinking is understanding the broader cyber landscape. That’s why, on September 15th, we attended the Future of Cybersecurity 2022 Conference.

In this blog, we’ll share some of the remarkable findings and what they might mean for your business. Let’s get started.

Threat Intelligence

  • Organisations have been attacked 777 times per week in the last six months.
  • 79% of malicious files came in via email in the last 30 days.
  • PDFs are the most common malicious file types sent via email.
  • Only 4 in 10 UK businesses have an external cyber security training provider.
  • Software supply chain attacks increased 650% in 2021.
  • Most attacks targeted software code.
  • 70% of companies allow access to corporate assets from personal laptops and mobiles.

Preparing for the new generation of security challenges

  • Gartner predicts we will have 12 billion IoT devices connected to our networks by 2025.
  • Transitioning to Zero Trust is a journey; there is no silver bullet solution, and we should implement it gradually as our attack surface increases.
  • Employee hiring budgets are low, but retention budgets are even lower.
  • Staff are missing severe security threats because analysts are so overworked.
  • 85% of attacks target humans.
  • By 2025, 70% of organisations will consolidate the number of vendors needed to secure the lifecycle of cloud-native applications, down to a maximum of 3 vendors.

Jobs in cybersecurity

  • There has been a 31% increase in job vacancies in cyber security compared to the average of 4% for other industries.
  • We should see neurodiverse people as a gift. Instead of ‘learning difficulties’, we should see ‘unique learning abilities’. We need to challenge the traditional perception of neurodiversity in the workforce.
  • Threats are so diverse our workforce should be too.

What does this mean for your business?

So, how does all of this apply to your business? The common thread running through the majority of these statistics is the importance of staffing and employee responsibility in cybersecurity.

No matter how the industry and threat landscape evolves, it remains your staff who are most important, as people are at the heart of the most damaging statistics.

With 85% of cyber attacks targeting humans, providing employees with a comprehensive understanding of cybersecurity will be critical to determining organisational success in the future.

That’s why, at Bob’s Business, we put your employees at the forefront of our cybersecurity awareness training, ensuring that your organisation is armed and ready for any threats that will inevitably emerge.

Are you ready to start training your team? Book a demo with one of our experts today.

Why cybersecurity is important for small businesses

Today it’s not uncommon to see in the news that organisations as large and varied as Adidas and the NHS have become victims of large-scale cyber attacks.

The reason is obvious: hackers go after the big fish because the potential returns can be gigantic. But what about small businesses; are they also targeted?

The answer is yes. An astonishing 43% of cyber-attacks target SMEs, and 60% of those SMEs that fall victim to cyber-attacks go out of business within six months. As such, you’d think that all SMEs would have a cybersecurity training programme in place.

However, 32% of managers stated that their company does not have a cybersecurity programme, and 50% of SMEs have no formal cybersecurity incident response plans in place.

Here are a few reasons why SMEs are such attractive targets for cybercriminals:

  • Shortage of expertise, training and budgets to provide a thorough security defence
  • Few or no dedicated cybersecurity specialists on the payroll
  • Limited security awareness in employees
  • Security defences may be implemented but are not always kept up to date
  • Lack of risk awareness and risk management policy and procedure
  • Failure to secure endpoints

Considering these points, let’s look at why your SME needs a robust cybersecurity programme in place.

The information your business has is invaluable

Even though they might not face the same threats as large organisations, small firms and start-ups do hold sensitive employee and customer data. Small businesses are prime targets for hackers who want personal or financial information, like social security numbers or banking details, or who know that holding that data to ransom could make them quick cash.

A cyber-attack can destroy your startup

Startups and recently founded companies can be extremely volatile. To succeed and develop into a reputable company that clients and customers can trust, they must equip themselves against potential data breaches. If your company suffers a data breach in its early stages, it could have a significant financial impact in addition to causing severe reputational damage, all of which could have been easily prevented.

Partners and customers can feel hesitant to work with you

Customers and other parties outside of your organisation can become wary of doing business with you if they discover that your employees are not undergoing cybersecurity awareness training.

A potential partner won’t want to collaborate with a company that may jeopardise its assets and harm its business due to bad cybersecurity practices. They will always see you as a risk.

How can I improve my business’s cybersecurity?

Many people think that the best way to improve security is simply downloading anti-virus and firewall programs, assuming that’s good enough to keep the business watertight.

While these steps may be the simplest to implement, they don’t cover the biggest weakness in your security strategy. People remain one of the biggest vulnerabilities to security, and one of the challenges that many small businesses will face is how to keep this vulnerability to a minimum.

Some ways you can improve your business’s security include:

  • Improving staff awareness with bite-sized learning courses that teach them the essentials of cybersecurity, like our industry-leading cybersecurity eLearning courses.
  • Creating policies and procedures for your staff to follow to reduce the chances of a security breach.
  • Creating backups of your system data to reduce the damage of cyber attacks.
  • Using your small business environment to your advantage; encourage your staff to talk about security and share stories about security breaches so it’s always in the back of their minds.

Cyber threats are a serious risk for small businesses that is too often overlooked.

Fortunately, there is a lot that small businesses can do to lower the risks of cyberattacks. Something as simple as training staff can help reduce your risk of being hacked. In many cases, cyber-attacks are preventable and often easy to spot if you know what you’re looking for.

Want to get started with your team’s training? Discover Bob’s Compliance, our ultra-affordable training solution for small businesses!

Webinar: Five simple steps to reduce your cybersecurity risk, with Melanie Oldham OBE

We’re delighted to announce our latest webinar ‘Five simple steps to reduce your cybersecurity risk, with Melanie Oldham OBE’ is coming to a screen near you soon.

Join Melanie on Friday, October 21st, 2022 at 11 am as she reveals the research showing the changing face of cybersecurity and shares the five simple steps you can take to reduce cyber risk and protect your organisation.

Aimed at any organisation, you will learn simple, actionable ways you can strengthen your cybersecurity and protect your data.

Even better, event attendees will get access to our exclusive gamified Hook, Line and Sinker: The Game course to share with your team and reduce your risk further. So why wait? Book your free slot today!

Get your free ticket here.

This month in data breaches: August edition

Data breaches are no longer the rarity that they once were. In fact, each day, 30,000 websites are hacked globally. It’s an epidemic that continues to affect organisations of all sizes, but the smaller breaches rarely make the news.

Indeed, attacks are now so frequent that it can be hard to keep up with them. That’s why we’ve launched a monthly blog series looking at the most significant breaches of the last 30 days and sharing what your team can learn from them.

So, join us below as we share the most significant breaches reported in the media in August 2022.

LastPass

In an ironic opening to our round-up, it appears that the widely used password manager, LastPass, was caught in a security breach.

LastPass reported that the attackers “took portions of source code and some proprietary LastPass technical information.” The company assured customers that this took place in its development environment, that no customer details were at risk, and that no passwords were taken.

Nevertheless, users are understandably concerned that a company that takes pride in providing tools to secure personal and corporate information cannot secure its intellectual property. It highlights that unique, secure passwords for each service are the only genuinely secure password protection method.

Check out our Perfect Passwords course to learn more about how you can protect your organisation’s passwords.

Plex

Streaming media platform Plex sent out an email to its customers notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords.

The email stated, “Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”

This breach serves as yet another reminder to enable two-factor authentication if you haven’t already. Furthermore, you should use a password manager, either free or paid, to easily manage unique, difficult-to-guess passwords and 2FA codes across all of your apps, services, and websites.

DESFA

DESFA, Greece’s largest natural gas distributor, confirmed a limited scope data breach and IT system outage due to a ransomware-based cyberattack. DESFA explained that hackers attempted to infiltrate its network but were foiled by the IT team’s quick response.

However, some files and data were accessed and possibly “leaked,” indicating a network intrusion, albeit a minor one.

If the victimised organisation does not meet their demands, the ransomware actors threaten to publish all files associated with the file tree. This attack comes at a difficult time for European gas suppliers, as most countries abruptly reduced their reliance on Russian natural gas, which inevitably caused problems.

Ransomware attacks have become a common theme for businesses, locking down their data and demanding cash for its release. With the vast majority of attacks occurring through malware-infected phishing emails, training your team on phishing awareness is of vital importance.

Cisco

Networking giant Cisco Talos confirmed a network breach after discovering that an employee’s credentials had been compromised: an attacker gained control of a personal Google account to which credentials saved in the victim’s browser were being synchronised, Cisco Talos wrote in a detailed description of the attack.

In response to the attack, Cisco Talos themselves wrote, “Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organisations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information.”

Equipping your employees with vital cybersecurity awareness knowledge is no longer a tick box solution but an imperative skill to keep your organisation alive. Explore our range of training solutions that will actually engage your employees, so you don’t need to worry about when your next data breach will be.