Another month, another litany of breaches to discuss. We join you at the end of September 2022, which, even by modern standards, has offered tough lessons for organisations large and small in being careful with whom you provide sensitive information.

We’ve got a lot of ground to cover, so let’s get started examining September in data breaches.

Uber

When it comes to breaches, they don’t get any more high-profile than Uber.

According to reports, a 17-year-old hacker was able to access user data, vulnerabilities reported to Uber’s HackerOne account, and Uber’s IT infrastructure.

The attacker most likely obtained a corporate password of an Uber contractor and, from there, gained access to a host of internal systems.

There are some intriguing aspects of the attack itself that cybersecurity experts and organisations may learn from. The human element, including social engineering and multi-factor authentication fatigue, has received much attention. Lapsus$ was identified in Uber’s security update as a potential attacker group of interest, which has provided some answers.

Credential theft continues to pose the most significant risk in this case and many others. As we’ve lately noticed, hackers are getting better at bypassing MFA by using a variety of channels and techniques. In fact, there are numerous MFA compromises in the Uber story.

Since your employees are your gatekeepers, regularly train them on how to spot and report phishing to help prevent identity theft. Take a look at our identity theft course here.

Rockstar Games

The individuals behind the Uber hack struck again in September, claiming responsibility for hacking gaming giant Rockstar Games after targeting mega-brands like Microsoft, Cisco, Samsung, Nvidia, Okta and as previously mentioned, Uber.

Arguably the most anticipated video game in history, Grand Theft Auto 6, had been kept well under wraps by studio Rockstar Games. That was until roughly 90 videos showing in-development gameplay footage appeared on GTAForums from an account with the user name “teapotuberhacker”.

The videos, which had a total runtime of about 50 minutes, were shared on social media and reported widely.

Teapotuberhacker claimed they planned to “negotiate a deal” with the game publisher to return unpublished data, including the source code for Grand Theft Auto 5 and the in-development version of Grand Theft Auto 6, after publishing the allegedly in-development video on September 18, 2022.

Similar to Uber, an employee password was obtained and then Slack was used, where it’s likely that information shared between staff members was used to gain further access to sensitive data.

TikTok

Early in September, security experts found a critical TikTok vulnerability that would have allowed users to be exploited for a one-click account takeover. On September 3rd, the Breach Forums message board posted the initial claims of an alleged hack.

Screenshots from a TikTok and WeChat breach were purportedly released by a user going by the username AgainstTheWest. The user claimed to have yet to decide whether they wanted to sell or make the allegedly stolen material available to the public in that posting.

In addition to a video displaying one set of database tables, two links to samples of the data were also made public. The ad goes on to say that they have taken 2 billion records from the database.

BlueHornet|AgainstTheWest, a Twitter user, also claims to have taken “internal backend source code” in a tweet.

According to a spokesman for TikTok, no proof of a security vulnerability has been discovered. Out of an excess of caution, we advise all TikTok users and organisations in their everyday accounts to always make sure two-factor authentication (2FA) is turned on.

Revolut

Customers of Revolut first noticed something was amiss on September 11th, when reports of “inappropriate wording via chat” surfaced. A few days later, some users received an email notification stating that a cyberattack had affected their accounts.

Revolut reported that while the attackers were unable to access funds, credit card information, PINs, or passwords, they did have access to the personal information of the impacted users.

The State Data Protection Inspectorate of Lithuania disclosed that Revolut Bank had experienced a data breach, that social engineering techniques were used to gain access to the database, and that 50,150 customers’ data from all over the world may have been compromised. This data included names, addresses, email addresses, telephone numbers, part of the payment card data, and account details.

Revolut emphasised to users after this event that “We will never ask you for your details or passwords,” however only a few days later, clients began receiving SMS phishing (smishing) messages, but they don’t seem to be specifically targeted at individuals who were compromised.

They were then taken through a set of well-crafted pages asking them to log into Revolut by entering their phone number, passcode, full name, email address, date of birth, and the info related to the debit card attached to their account.

This data breach highlights the risks of smishing and the effect it can have on a whole organisation. Our brand-new course, Hook, Line and Sinker: The Game, gives employees smishing and phishing training on how to can spot the early signs, view the course here.

So, what can we learn from this?

Looking closely at these breaches, you’ll note that a pattern emerges, namely, the use of social engineering techniques to trick users into giving out personal information.

Whilst human error is unavoidable and largely inevitable, the damage from those errors can be controlled and limited.

Indeed, the type of password-based attacks described in the Uber and Rockstar Games breaches could have been stopped entirely if multi-factor authentication was in place across all organisation members – especially those with access to privileged information.

There are no shortage of threats which can seriously harm your business, but there is hope. Cybersecurity awareness training is a proven method to reduce your risk of breach and give your team the skills required to spot the telltale signs of potential threats. Start training your team today.

It’s no secret that cybercrime has become a key issue for businesses, with nearly all criminal activities having some sort of online component. Post-pandemic, cyber threats have increased by 81%, showing no signs of slowing down.

At Bob’s Business, we’re at the forefront of cyber-risk reduction by putting people first and positive cybersecurity behaviours at the heart of everything.

Critical to our cutting-edge thinking is understanding the broader cyber landscape. That’s why, on September 15th, we attended the Future of Cybersecurity 2022 Conference.

In this blog, we’ll share some of the remarkable findings and what they might mean for your business. Let’s get started.

Threat Intelligence

• Organisations have been attacked 777 times per week in the last six months.
• 79% of malicious files came in via email in the last 30 days.
• PDFs are the most common malicious file types sent via email.
• Only 4/10 UK businesses have an external cyber security training provider.
• Software supply chain attacks increased 650% in 2021.
• Most attacks targeted software code.
• 70% of companies allow access to corporate assets from personal laptops and mobiles.

Preparing for the new generation of security challenges

• Gartner predicts we will have 12 billion IoT devices connected to our networks by 2025. Transitioning to Zero trust is a journey; there is no silver bullet solution, and we should implement it gradually as our attack surface increases.
• Employee hiring budgets are low, but retention budgets are even lower.
• Staff are missing severe security threats because analysts are so overworked.
• 85% of attacks target humans.
• By 2025, 70% of organisations will consolidate the number of vendors needed to secure the lifecycle of cloud-native applications, down to a maximum of 3 vendors.

Jobs in cybersecurity

• There has been a 31% increase in job vacancies in cyber security compared to the average of 4% for other industries.
• We should see neurodiverse people as a gift. Instead of ‘learning difficulties’, we should see ‘unique learning abilities’. We need to challenge the traditional perception of neurodiversity in the workforce.
• Threats are so diverse our workforce should be too.

What does this mean for your business?

So, how does all of this apply to your business? The throughline through the majority of these statistics is the importance of staffing and employee responsibility in cybersecurity.

No matter how the industry and threat landscape evolves, it remains your staff who are most important, as people are at the heart of the most damaging statistics.

With 85% of cyber attacks targeting humans, providing employees with a comprehensive understanding of cybersecurity will be critical to determining organisational success in the future.

That’s why, at Bob’s Business, we put your employees at the forefront of our cybersecurity awareness training, ensuring that your organisation is armed and ready for any threats that will inevitably emerge.

Are you ready to start training your team? Book a demo with one of our experts today.

We’re delighted to announce our latest webinar ‘Five simple steps to reduce your cybersecurity risk, with Melanie Oldham OBE’ is coming to a screen near you soon.

Join Melanie on Friday, October 21st, 2022 at 11 am as she reveals the research showing the changing face of cybersecurity and shares the five simple steps you can take to reduce cyber risk and protect your organisation.

Aimed at any organisation, you will learn simple, actionable ways you can strengthen your cybersecurity and protect your data.

Even better, event attendees will get access to our exclusive gamified Hook, Line and Sinker: The Game course to share with your team and reduce your risk further. So why wait? Book your free slot today!

Get your free ticket here.

Data breaches are no longer the rarity that they once were. In fact, each day, 30,000 websites are hacked globally. It’s an epidemic that continues to affect organisations of all sizes, but the smaller breaches rarely make the news.

Indeed, attacks are now so frequent that it can be hard to keep up with them. That’s why we’ve launched a monthly blog series looking at the most significant breaches of the last 30 days and sharing what your team can learn from them.

So, join us below as we share the most significant breaches reported in the media in August 2022.

LastPass

In an ironic opening to our round-up, it appears that the widely used password manager, LastPass, was caught in a security breach.

LastPass reported the attacks “took portions of source code and some proprietary LastPass technical information.” The company assured customers that this took place in its development environment, that no customer details were at risk, and that no passwords were taken.

Nevertheless, users are understandably concerned that a company that takes pride in providing tools to secure personal and corporate information cannot secure its intellectual property. It highlights that unique, secure passwords for each service are the only genuinely secure password protection method.

Check out our Perfect Passwords course to learn more about how you can protect your organisation’s passwords.

Plex

Streaming media platform Plex sent out an email to its customers notifying them of a security breach that may have compromised account information, including usernames, email addresses, and passwords.

The email stated, “Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords.”

This breach serves as yet another reminder to enable two-factor authentication if you haven’t already. Furthermore, you should use a password manager, either free or paid, to easily manage unique, difficult-to-guess passwords and 2FA codes across all of your apps, services, and websites.

DESFA

DESFA, Greece’s largest natural gas distributor, confirmed a limited scope data breach and IT system outage due to a ransomware-based cyberattack. DESFA explained that hackers attempted to infiltrate its network but were foiled by the IT team’s quick response.

However, some files and data were accessed and possibly “leaked,” indicating a network intrusion, albeit a minor one.

If the victimised organisation does not meet their demands, the ransomware actors threaten to publish all files associated with the file tree. This attack comes at a difficult time for European gas suppliers, as most countries abruptly reduced their reliance on Russian natural gas, which inevitably caused problems.

Ransomware attacks have become a common theme for businesses, locking down their data and demanding cash for their release. With the vast majority of attacks occurring through malware-infected phishing emails, training your team on phishing awareness is of vital importance.

Cisco

Networking giant, Cisco Talos confirmed a network breach after it was discovered that an employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser was being synchronised, wrote Cisco Talos in a detailed description of the attack.

In response to the attack, Cisco Talos themselves wrote, “Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organisations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information.”

Equipping your employees with vital cybersecurity awareness knowledge is no longer a tick box solution but an imperative skill to keep your organisation alive. Explore our range of training solutions that will actually engage your employees, so you don’t need to worry about when your next data breach will be.

It’s 2022 and ‘cybersecurity awareness training’ has entered the lexicon for businesses of all sizes. That growing awareness is a result, largely, of highly publicised attacks involving human error.

Whilst many might have heard of the term ‘cybersecurity awareness training’, understanding the fundamentals of cybersecurity awareness remains low for many.

That’s why we’ve put together this guide, wherein we answer the most frequently asked questions about cybersecurity awareness training procedures. Let’s get started!

Your biggest cybersecurity questions… Answered!

What is cybersecurity awareness training?

Put simply, cybersecurity awareness training aims to educate employees about a wide range of online threats that they will encounter, as well as how they can prevent such attacks that jeopardise their organisation’s security.

90% of breaches occur as a result of human error, and through cybersecurity awareness training programmes you effectively reduce this risk – protecting your organisation and putting your workforce at the heart of your security.

Who is responsible for cybersecurity in your company?

Most organisations have a widespread misconception that CIOs and CISOs are the only people held accountable for cybersecurity; however, the fact that 90% of data breaches are caused by human error suggests otherwise.

Because it can happen to anyone, cybersecurity is the responsibility of the entire organisation and every employee. Indeed, the only way to build a truly secure organisation is to empower your employees to take ownership of their data security!

Why are employees targeted in cyber attacks?

Employees at all levels are frequently the main target of cyber attacks. Why? In this case, the simple answer is the most obvious one: without training, few employees see themselves as a target.

As such, most employees think quickly and carelessly about their data security. From there, it only takes one successful phishing attempt to get into your systems and wreak havoc on your data.

How can employees help to prevent cyber attacks?

Employees in your organisation can prevent cyber attacks in a variety of ways, from ensuring they use strong and secure passwords to being able to spot and stop phishing attacks.

Does working from home increase the risk of cyber-attacks?

Working from home is the new normal, but it’s not without its risks. A recent Tenable study found that 74% of organisations link recent business-impacting cyber attacks to remote work tech vulnerabilities. Other studies and reports on the practices of organisations adopting remote or hybrid work continue to shed light on cybersecurity concerns.

Whilst the pandemic is now largely behind us, almost half of the country were encouraged to work from home as a result of COVID-19, and many have never returned to the office.

Want to train your team on the risks of working from home? Our home working course gives your team everything they need to stay secure and thrive.

How can we protect remote employees from cyber-attacks?

Worryingly, the number of organisations using third-party cybersecurity tools has decreased by 10%, and the number of organisations using any form of cybersecurity monitoring has decreased by 6%. The real threat, however, stems from a lack of team training.

Cybersecurity awareness training is frequently overlooked as a critical component of any successful cyber attack mitigation strategy. In 2022, the importance of cybersecurity awareness cannot be overstated.

How can you encourage employees to complete their training?

For many years, the word “training” alone has made workers fearful, bringing to mind endless days in conference rooms, slide shows and dull speakers.

However, it’s not the only way. It isn’t that your employees are allergic to training, it’s that traditional training puts teams to sleep.

Instead, invest in training that foregrounds short-form content, entertaining courses and reinforcement. Only with that can you build a culture where teams actually look forward to training.

How can you promote cybersecurity awareness in the workplace?

Investing in cybersecurity awareness training is one thing, but these messages need to be reinforced within the workplace in the correct way.

Fear of repercussion is the leading reason why teams don’t report breaches or suspicious activity. When breaches don’t get reported they don’t get spotted until it’s too late, and the opportunity to correct mistakes passes by.

A positive reinforcement culture within a business means that when a mistake inevitably occurs, that person feels empowered to come forward and discuss it. The case can be shared with the team and even turned into a positive learning experience for everyone. After all, the best lessons are the ones we learn from real life.

What should cybersecurity training include?

Cybersecurity training in the workplace should take a holistic approach that addresses people, technology and skills. As human error is the leading cause of breaches, employees can be equipped with the knowledge to tackle a number of topics that should be included in a security awareness programme.

Security awareness training should include, but not be limited to:

• Email scams
• Malware
• Password security
• Social networking dangers
• Social engineering
• Data protection
• Working from home

How often should employees be trained in cybersecurity?

It’s a widespread misconception that security training is complete as soon as staff have undergone it.

Training should be a continuous, low-level process. We recommend deploying at least one course to your teams per month, then reinforcing the lessons of that course with materials like wallpapers, blogs and emails.

That is why each one of our courses comes with a Reinforcement Pack, which contains everything you need to lock in knowledge and change cultures for good.

How long does cyber awareness training take?

Cybersecurity training needs to be a continuous process in order to change behaviours. Individual courses from some providers can take up to an hour to complete. However, short-form training has been proven to be the most effective type of training, which is why our courses are designed to be completed within 15 minutes.

Our training is continuously updated to keep employees up-to-date on the latest cyber attack techniques as risks develop, enabling them to quickly recognise dangers and take the necessary precautions to protect your company.

Ready to learn more about our training? Click here to learn about our cyber awareness training solutions.

At Bob’s Business, we’re always working to improve our products for our clients. But what features for Bob’s Culture and Bob’s Compliance have we included in our latest drop? Join us as we share everything you and your team can look forward to.

Ready to get your team started with Bob’s Business? Book a demo with one of our experts today! Want to stay up to date with every release? Check out our What’s New page.

Here’s what we’ve released in our latest batch of features

Weekly Email Reports, Promotional Emails & Email Editing

We know that communication is key. That’s why we’ve overhauled our emails to help you make the most of your Bob’s Culture or Bob’s Compliance package.

First up are automatic weekly reports for Reporter and Owner-level individuals. These reports offer an at-a-glance view of progress on all open assignments.

Additionally, managers now have the functionality to create customisable “promotional” emails for assignments and specify send dates.

Finally, organisations can now edit all email templates to customise them for their organisation.

Multi Module Courses

Want to bundle together several of Bob’s Modules and assign them as a single course to your team? Your time is now!

Those with Owner or Manager-tier privileges can now build and assign multi-module courses to their team, perfect for speeding up training and ensuring quick compliance.

Embedded Content Courses

Introducing a brand-new way to create courses within Bob’s Culture and Bob’s Courses: embedded content courses. Now you can create courses from embedded content; anything with an iframe will do!

Imagine creating a course with an instructional YouTube Video or out of a SurveyMonkey survey. The possibilities are endless, and we can’t wait to hear what you create.

At Bob’s Business, we don’t believe in standing still; especially when the needs of our clients are ever-growing. That’s why we work tirelessly to create brand-new courses that help our clients reduce their risk and tackle compliance issues with ease.

Ready to get your team started with Bob’s Business? Book a demo with one of our experts today! Want to stay up to date with every release? Check out our What’s New page.

Here’s what we’ve released in our latest batch of courses.

New Course: NIST

The NIST Cybersecurity Framework has become one of the most widely used cybersecurity guides in the world, used by organisations of all sizes and industries. Designed to help you not only identify and manage risks, it also helps you develop and strengthen your defences against potential attacks.

Our new exclusive NIST course gives your team the knowledge they need to correctly implement the NIST Cybersecurity Framework within your organisation and reduce your risk.

New Course: OWASP

The Open Web Application Security Project (OWASP) is a not-for-profit organisation on a mission to make software security open and visible for us all. They believe in security by design, and putting security first rather than patching it in at a later date.

Our exclusive OWASP course gives your team the tools they need to recognise the 10 design principles laid out by the Open Web Application Security Project, helping them create safe and secure applications for your organisation.

New Course: Corporate Sustainability

Climate change isn’t the latest trend, it’s one of the biggest issues facing our planet. In this course, we will show simple and effective ways to reduce not only your organisation’s carbon footprint but to help reduce your own emissions as well.

What is corporate sustainability, and how does it reduce emissions and costs while improving our organisation’s efficiency? In this exclusive course, we lay out everything that you – and your team – need to know.

In our ever-advancing technological age, we are constantly reminded of the importance of having strong passwords.

With an uppercase letter here and a unique character there, you would think that with the many requirements needed just to have a password approved, nowadays, passwords wouldn’t be so simplistic or easy to guess.

And yet, they remain one of the most glaring weaknesses in our cybersecurity armour, giving even the laziest cybercriminals all they need to steal our data and, often, our money.

So what are the most common passwords in use in 2022, what’s the psychology behind them and what can you do to reduce your risk? Join us as we take a look.

What are the most common passwords of 2022?

2021 research from Nordpass found that in the United Kingdom, the top 5 passwords were as follows:

• 123456
• password
• liverpool
• password1
• 123456789

If you compare these passwords to those in our blog post from 2021, you will find that many of these remain the same.

This suggests that human behaviour remains stubbornly resistant to change despite an increase and evolution in cyber threats and attacks (especially during the Covid-19 pandemic).

Awareness of the requirement for ‘strong passwords’ is high, however, with the top 5 passwords staying virtually identical, there’s work to be done to raise awareness of the risks that simple passwords bring.

Why do we create weak passwords?

If we really want to tackle the weak password epidemic, it’s worth thinking about why we create weak passwords in the first place.

As with most of our everyday behaviour, the answer is simple: it’s the path of least resistance. Put simply, many of us choose simple, weak passwords because they’re easy for us to remember.

Patterns of letters or numbers, football teams, superheroes and other fictional characters proliferate the top 100 list of passwords. What this tells us is that when it comes to passwords, most of us simply want something that doesn’t leave our heads at the first chance. But how much threat can a bad password pose?

How much damage can weak or reused passwords pose?

The problem with simple passwords is that they are too weak and can be easily cracked by automated tools. But that’s far from the only issue.
The National Cyber Security Centre (NCSC) found that 23.3 million breached accounts used ‘123456’ as a password.

The average person has 100 passwords, so it is understandable why many choose simple passwords or make slight variations of the same passwords. However, these can be easy for hackers to guess, enabling them to access personal data and accounts with ease.

Worse still, reused passwords enable a single breach to cause a chain reaction of breaches on every account you use the same password for. A Google study found that an astonishing 65% of people reuse the same password across multiple – if not all – accounts.

Curious to see whether any of your accounts have been breached? Check if your password has been exposed or breached by using websites such as ‘Have I Been Pwned?’

How to create stronger passwords

Passwords are your first line of defence, which is why weak and simplistic passwords are frequently responsible for data breaches.

• Pick three memorable words. A quick, unique and secure password starts with three random words. Pick words that aren’t related to your hobbies, family life or passions, so that your passwords are truly impossible to guess. Take ‘tree’, ‘grate’ and ‘cookie’, for example. Combine those with numbers and characters like ‘Tree8Grate!Cookie’ and you’ve got a truly memorable and virtually impossible to crack password.
• Create different passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
• Check to see if any of your accounts have been breached. By checking websites such as “Have I Been Pwned?” you can see whether any of your details have been breached and released. It should go without saying, but these passwords should be changed as soon as possible.
• Make use of a password manager. Password managers ensure that no matter how unique your passwords get, you never forget about them. Most modern web browsers have password managers built-in, but there are free solutions available also, which are compatible with most devices.

How can organisations educate their employees?

Like many things, human error plays a pivotal role in cybersecurity breaches with Nordpass research finding Fortune 500 companies were affected by 15,603,438 password breaches.

Employees are the front line of all businesses, so ensuring they are adequately trained and educated in the importance of password security is crucial.

Password security is no joke, especially when simplistic passwords can potentially cause massive data breaches for businesses.

At Bob’s Business, we can provide you and your employees with the awareness and training needed to take cybersecurity seriously.

Don’t believe us? After just one year of Bob’s Culture, our clients have seen password sharing fall by 39% and password reuse fall by 13%, highlighting just how effective the right kind of training can be.

With hundreds of engaging and interactive courses, it is why thousands of companies choose Bob’s Business to boost their knowledge and empower their teams.

Learn more about our cybersecurity awareness courses, which cover everything from making the perfect password to GDPR compliance, and view our full course catalogue here.