At Bob’s Business, we don’t believe in standing still, especially when the needs of our clients are ever-growing. That’s why we work tirelessly to create brand-new courses that help our clients reduce their risk and tackle compliance issues with ease.
Here’s what we’ve released in our latest batch of courses.
New Course: NIST
The NIST Cybersecurity Framework has become one of the most widely used cybersecurity guides in the world, adopted by organisations of all sizes and industries. It is designed to help you identify and manage risk, and to develop and strengthen your defences against potential attacks.
Our new exclusive NIST course gives your team the knowledge they need to correctly implement the NIST Cybersecurity Framework within your organisation and reduce your risk.
New Course: OWASP
The Open Web Application Security Project (OWASP) is a not-for-profit organisation on a mission to make software security open and visible for us all. They believe in security by design, and putting security first rather than patching it in at a later date.
Our exclusive OWASP course gives your team the tools they need to recognise the 10 design principles laid out by the Open Web Application Security Project, helping them create safe and secure applications for your organisation.
New Course: Corporate Sustainability
Climate change isn’t the latest trend, it’s one of the biggest issues facing our planet. In this course, we will show simple and effective ways to reduce not only your organisation’s carbon footprint but to help reduce your own emissions as well.
What is corporate sustainability, and how does it reduce emissions and costs while improving our organisation’s efficiency? In this exclusive course, we lay out everything that you – and your team – need to know.
In our ever-advancing technological age, we are constantly reminded of the importance of having strong passwords.
With an uppercase letter here and a special character there, you would think that, with the many requirements needed just to have a password approved nowadays, passwords wouldn’t be so simplistic or easy to guess.
And yet, they remain one of the most glaring weaknesses in our cybersecurity armour, giving even the laziest cybercriminals all they need to steal our data and, often, our money.
So what are the most common passwords in use in 2022, what’s the psychology behind them and what can you do to reduce your risk? Join us as we take a look.
If you compare these passwords to those in our blog post from 2021, you will find that many of these remain the same.
This suggests that human behaviour remains stubbornly resistant to change despite an increase and evolution in cyber threats and attacks (especially during the Covid-19 pandemic).
Awareness of the requirement for ‘strong passwords’ is high, however, with the top 5 passwords staying virtually identical, there’s work to be done to raise awareness of the risks that simple passwords bring.
Why do we create weak passwords?
If we really want to tackle the weak password epidemic, it’s worth thinking about why we create weak passwords in the first place.
As with most of our everyday behaviour, the answer is simple: it’s the path of least resistance. Put simply, many of us choose simple, weak passwords because they’re easy for us to remember.
Patterns of letters or numbers, football teams, superheroes and other fictional characters fill the top 100 list of passwords. What this tells us is that when it comes to passwords, most of us simply want something we won’t forget. But how much of a threat can a bad password really pose?
How much damage can weak or reused passwords pose?
The problem with simple passwords is that automated guessing tools try the most common passwords first, so a password like ‘123456’ falls in seconds. But that’s far from the only issue. The National Cyber Security Centre (NCSC) found that 23.3 million breached accounts used ‘123456’ as a password.
The average person has 100 passwords, so it is understandable why many choose simple passwords or slight variations of the same password. However, these are easy for hackers to guess, enabling them to access personal data and accounts with ease.
Worse still, reused passwords enable a single breach to cause a chain reaction of breaches on every account you use the same password for. A Google study found that an astonishing 65% of people reuse the same password across multiple – if not all – accounts.
Curious to see whether any of your accounts have been breached? Check if your password has been exposed or breached by using websites such as ‘Have I Been Pwned?’
How to create stronger passwords
Passwords are your first line of defence, which is why weak and simplistic passwords are frequently responsible for data breaches.
Pick three random words. A quick, unique and secure password starts with three random words. Pick words that aren’t related to your hobbies, family life or passions, so that your password can’t be guessed from what people know about you. Take ‘tree’, ‘grate’ and ‘cookie’, for example. Add numbers and characters, like ‘Tree8Grate!Cookie’, and you’ve got a password that is memorable yet far too long for guessing tools to brute-force in any useful time. Two caveats: the words should be genuinely random rather than the first three that come to mind, and never reuse a published example like the one above, since examples from articles end up on attackers’ wordlists.
Create different passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
Check to see if any of your accounts have been breached. By checking websites such as “Have I Been Pwned?” you can see whether any of your details have been breached and released. It should go without saying, but these passwords should be changed as soon as possible.
Make use of a password manager. A password manager means that no matter how long or unique your passwords get, you never have to remember them yourself, and it will only fill a saved password on the site it was saved for, which also helps against lookalike phishing sites. Most modern web browsers have a password manager built in, and there are free standalone ones that work across most devices.
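To show what the ‘Have I Been Pwned?’ check actually sends, here is an added example (not code from the original post or from the service itself). Its Pwned Passwords API uses k-anonymity: only the first five characters of the password’s SHA-1 hash go to the server, which returns every hash suffix it knows with that prefix, and the match is made locally, so the password and its full hash never leave your machine. The sample response below is constructed; only the suffix for ‘password’ is a real hash tail, and the counts are made up.

```python
import hashlib
import urllib.request

# Constructed stand-in for the text the Pwned Passwords "range" endpoint
# returns for prefix 5BAA6. Each line is <35-hex-char SHA-1 suffix>:<count>.
# The middle suffix is the genuine tail of SHA-1("password"); the other two
# suffixes and all three counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "FFF3E9F06DC4D2C2E4E8A1A2A4B7C1D9B5A:1\r\n"
)


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest 5/35.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is compared locally against the server's list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a lookup table."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, range_response: str) -> int:
    """Number of times the password appeared in breaches (0 = not found).

    range_response must be the server's reply for this password's prefix.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Query the real service for one prefix (needs network; not used in tests)."""
    # Add-Padding makes every response a similar size, so the response length
    # does not reveal which prefix was asked about.
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-kanon-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end online check. Returns the breach count."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("sent to server:", prefix)
    print("kept locally:  ", suffix)
    print("seen in breaches (sample data):",
          breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Run `check_password_online("...")` to query the live service; the offline functions are what the tests exercise. Because the server only ever sees a five-character prefix shared by hundreds of other hashes, it cannot tell which password you were checking.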
How can organisations educate their employees?
Like many things in cybersecurity, human error plays a pivotal role in breaches, with NordPass research finding that Fortune 500 companies were affected by 15,603,438 password breaches.
Employees are the front line of all businesses, so ensuring they are adequately trained and educated in the importance of password security is crucial.
Password security is no joke, especially when simplistic passwords can potentially cause massive data breaches for businesses.
At Bob’s Business, we can provide you and your employees with the awareness and training needed to take cybersecurity seriously.
With hundreds of engaging and interactive courses, it’s no wonder thousands of companies choose Bob’s Business to boost their knowledge and empower their teams.
These days it can seem like there are more ways for cybercriminals to attack your business than minutes in the day, and it’s true: there are a myriad of ways for cybercriminals to cause disruption and financial loss.
Beyond direct attacks, cybercriminals who want to reach a specific business may opt for indirect methods such as supply chain attacks. But what is a supply chain attack, who has fallen victim recently, and how do you protect your business from one? Join us as we share everything you need to know.
What is a supply chain attack?
A supply chain attack is when cybercriminals target a third party that a business relies on, such as a software vendor, service provider or contractor, rather than the business itself, and then use that trusted relationship (a software update, a shared network connection, a support login) to reach the real target.
Even if your business has the highest level of cybersecurity, you can still face major problems as a consequence if the third-party companies you rely on do not.
There have been some high-profile cases where cyberattacks have targeted supply chains, and SolarWinds is one of the most significant attacks on record.
How was SolarWinds targeted?
SolarWinds is a company that provides Orion, a network and application monitoring platform. The attackers compromised SolarWinds’ software build environment and inserted a backdoor into Orion, so that the company’s own legitimately signed updates distributed the ‘trojanised’ software to every customer who installed them.
It was reported that 425 of the US Fortune 500 were customers of SolarWinds, including the US military, the Pentagon and the State Department. The top ten telecommunications companies and the top five accounting firms were also listed as users.
The attack also gave the hackers access to the network of FireEye, a US cybersecurity firm, whose investigation of its own breach brought the wider campaign to light. Organisations around the world, including governments and telecoms, were affected.
One of the reasons supply chain attacks are becoming so prevalent is because they allow hackers to access many companies and organisations rather than just one, as demonstrated in the SolarWinds attack.
How to protect your business against supply chain attacks
Research has found that 55% of security professionals reported organisational breaches involving supply chain or third-party providers in the past 12 months.
With attacks on supply chains hotting up, it’s important to stay protected. There are a number of ways that businesses can boost their protection from attacks, including:
Implement a Zero Trust Architecture
A Zero Trust Architecture grants no trust on the basis of where a request comes from: being inside the corporate network, or arriving over a trusted supplier’s connection, is not enough. Every access to systems or data is authenticated, authorised and checked against strict policies, and each account is given only the access it needs, so a compromised third-party connection cannot roam freely.
Install anti-virus software
Installing anti-virus software and keeping it up to date will help to protect your systems from known malware. Bear in mind that it is only one layer: the trojanised SolarWinds updates were signed by the vendor and looked like legitimate software, so anti-virus alone cannot be relied on to catch a supply chain attack.
Use honeytokens
Honeytokens are traps laid for cybercriminals: fake resources, such as a dummy credential, a decoy document or a planted database record, that no legitimate user or process ever touches. Because nothing genuine should ever use them, any access triggers an alert, giving the business early warning that someone is inside and hunting for sensitive data, with very few false alarms.
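As an added example (not code from the original post or from any honeytoken product), here is the detection side of a planted credential. A registry records where each fake key was left; an audit-log scanner then raises an alert whenever one of those keys is used, with the source address and the planted location so responders know which system the intruder reached. The key IDs, log lines and file paths below are constructed and only mimic the shape of cloud access keys and cloud audit events.

```python
import json
import secrets
import string

# Registry of planted honeytokens: where each fake credential was left and
# what it pretends to be. The key IDs are made up for this example and only
# mimic the shape of a cloud access key; they are not real credentials.
HONEYTOKENS = {
    "AKIAEXAMPLEHONEY0001": {"planted_in": r"\\fileserver\finance\aws_backup_creds.txt"},
    "AKIAEXAMPLEHONEY0002": {"planted_in": "git repo infra-scripts, file .env.old"},
}

# Constructed audit-log lines in the style of cloud API audit events (one JSON
# object per line). Three are routine activity; one uses a planted key.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"eventTime": "2022-07-04T09:12:01Z", "eventName": "ListBuckets",
                "sourceIPAddress": "10.20.1.15",
                "userIdentity": {"accessKeyId": "AKIA0000000000REAL01"}}),
    json.dumps({"eventTime": "2022-07-04T09:13:40Z", "eventName": "GetObject",
                "sourceIPAddress": "10.20.1.15",
                "userIdentity": {"accessKeyId": "AKIA0000000000REAL01"}}),
    json.dumps({"eventTime": "2022-07-04T23:41:07Z", "eventName": "GetCallerIdentity",
                "sourceIPAddress": "203.0.113.77",
                "userIdentity": {"accessKeyId": "AKIAEXAMPLEHONEY0001"}}),
    json.dumps({"eventTime": "2022-07-05T08:00:12Z", "eventName": "DescribeInstances",
                "sourceIPAddress": "10.20.1.22",
                "userIdentity": {"accessKeyId": "AKIA0000000000REAL02"}}),
])


def new_honeytoken_id() -> str:
    """Generate a fresh key ID that only looks like a cloud access key.

    It is never issued by any provider, so it can never work; its only job is
    to be attractive to an intruder and unique enough to identify the bait.
    """
    alphabet = string.ascii_uppercase + string.digits
    return "AKIA" + "".join(secrets.choice(alphabet) for _ in range(16))


def scan_audit_log(log_text: str, registry: dict) -> list:
    """Return an alert for every event that used a planted key.

    A honeytoken has no legitimate user, so there is no allow-list to
    maintain and no threshold to tune: one use is one alert.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        key_id = event.get("userIdentity", {}).get("accessKeyId")
        if key_id in registry:
            alerts.append({
                "key_id": key_id,
                "planted_in": registry[key_id]["planted_in"],
                "source_ip": event.get("sourceIPAddress"),
                "action": event.get("eventName"),
                "time": event.get("eventTime"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT_LOG, HONEYTOKENS):
        print("HONEYTOKEN USED:", alert)
```

The same idea works for a decoy row in a customer database or a bookmarked ‘admin’ URL that nothing links to; the point in every case is that the bait is unique and unused, so the alert carries no noise.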
Restrict access to sensitive data
Good access management can make a big difference to protecting businesses. Ensure that only the employees who absolutely must have access to sensitive data to perform their role have access. The more accounts with privileged access, the more accounts hackers can target.
Training employees
Hackers will often try to exploit human errors, such as poor password management, or trick employees into clicking dangerous links. A high-quality cybersecurity training programme is key to creating a culture of cybersecurity awareness among employees.
Training solutions that are engaging and relate to the employee’s own role and tasks are more effective than standard off-the-shelf training courses.
Bob’s Business provides cybersecurity training that not only helps employees recognise threats, but also understand what to do in the event of an attack to minimise the consequences.
It’s summer holiday time and for many, it means sun, relaxation and time with the kids.
With plenty of recreational time, many of us will purchase items online, book holidays or scroll through social media – leaving us vulnerable to our personal information being stolen.
According to IBM data, over 90% of cyberattacks occur due to human error. The psychological, emotional, and financial impact cyberattacks can have on victims can be destructive, which is why you need to be so vigilant about your online safety.
Here are some top tips you can implement to improve your cybersecurity and cyber awareness to avoid becoming a victim of a cyberattack:
How to stay cyber-safe this summer
Use strong passwords
Whether you are using work systems or your social media accounts, make sure that you create strong and unique passwords to make them difficult for cybercriminals to decipher. Multi-factor authentication methods are one of the most effective ways to stay secure online, so activate it on every account that lets you use it.
Use secure networks and devices
When you use the internet away from home or the office, make sure you use a network you trust. Public WiFi networks are convenient, but anyone else on the same network, or running a rogue hotspot with the same name, may be able to see or tamper with traffic that isn’t encrypted. Installing antivirus software will also help to keep you safer online.
Use VPNs
Many businesses use VPNs, virtual private networks that create an encrypted tunnel between your device and the VPN server, so that other people on a public network cannot read or alter your traffic, and the websites you visit see the VPN’s IP address rather than your own. A VPN does not protect you from phishing, malware or a malicious website, so treat it as an addition to the other tips here, not a substitute.
Use trusted websites
Make sure the websites you use are trusted and secure. As a minimum, a legitimate website should have a valid TLS (SSL) certificate: the padlock beside the URL bar and an address starting with ‘https’ tell you that your connection to that site is encrypted. They do not tell you that the site itself is genuine, since scammers can obtain certificates for their own domains just as easily, so always check that the domain name is the one you expect.
Only use websites that you have used before and trust. Should you need to use a website you haven’t used before, try to find online reviews that will help confirm whether the website is genuine and not set up by a scammer.
Be careful what you post
Having more free time to spend online means more time to browse social media. It’s safe to say that social media is a massive part of people’s day-to-day lives and is unlikely to go away anytime soon.
Despite the massive strides social media has made and the benefits it has created for many of us, it has also opened up more avenues for cybercriminals to exploit.
Take, for example, your digital footprint: the sum total of all publicly available information about you online. It can give away your location, clues to your passwords and the answers to your security questions (pet names, birthdays, a first school) and much, much more.
Be wary of links in emails, texts, and social media messages
Before clicking on any links within emails, text messages, or social media messages, take some time to check whether you should trust the link.
Check the sender’s actual email address, not just the name displayed, to make sure it is not a scammer using an address that closely resembles that of a contact or organisation known to you. Cybercriminals often play on people’s curiosity, using statements like ‘look what I found’ or ‘is this you?’ to encourage the recipient to click on the link.
If you’re fortunate enough to have never encountered the term ‘ransomware’, you’re in a lucky minority.
Indeed, the reality of the cyber landscape is such that ransomware attacks have caused severe problems for businesses across nearly all industries, with 80% of organisations hit by a ransomware attack in 2021.
But what is ransomware, how can you prevent attacks, and what should you do in the event of a successful ransomware attack? Join us as we share everything you need to know.
What is ransomware?
Ransomware is malware that encrypts users’ files or locks them out of their systems. Once it has run, the cybercriminals demand a ransom in exchange for the key that restores access.
Cybercriminals frequently demand payment in cryptocurrencies, which are harder to trace and freeze than bank transfers. Indeed, 2019 research found that Bitcoin accounted for 98% of ransomware payments.
One of the most high-profile and severe ransomware attacks involved Colonial Pipeline, the operator of a major US fuel pipeline running from Texas to the East Coast. A ransomware attack in May 2021 caused six days of enormous disruption to fuel supplies. The attack was treated as a national security issue, and a federal emergency declaration was issued to ease fuel transport rules. The attackers got in using a compromised password for a VPN account that did not require multi-factor authentication, and Colonial Pipeline ended up paying around $4.4 million in Bitcoin.
While this example affected a large organisation, there are many cases where cybercriminals target smaller organisations, exploiting the fact that smaller businesses are unable to operate without access to their systems. Smaller businesses can often fall into the trap of neglecting their cybersecurity, believing an attack isn’t the sort of thing that would happen to them.
How to prevent ransomware attacks
For businesses, having an effective cybersecurity management strategy is critical to preventing and recovering from ransomware attacks. The strategy should include:
Delivering high-quality training and education for employees, including topics such as avoiding opening unverified emails or clicking links within suspicious emails.
Backing up important files to at least two different types of storage, e.g. cloud and an external drive, with at least one copy kept offline or otherwise out of reach of the network so that ransomware cannot encrypt the backups too, and testing that restores actually work.
Performing regular software updates.
Access management to limit who can access network drives.
Good password creation practice.
Installation of anti-virus and anti-malware software.
What to do in the event of a ransomware attack
There are several actions you should take to limit the damage caused by a ransomware attack, such as:
Isolate the infection by disconnecting infected computers from the network (don’t wipe them yet, as they hold the evidence you need).
Identify which strain of ransomware was used, for example from the ransom note and the extension it adds to files; free decryption tools exist for some strains.
Report the incident to the authorities and, where personal data is involved, to your regulator.
Restore from your backups once you are sure the infection is contained.
Update employees to warn of a follow-up attack.
Investigate the root cause and develop an action plan to prevent future cyberattacks.
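Ransomware announces itself by rewriting many files in a short burst with content that looks like random bytes. The following is an added example (not code from the original post or from any product) of that detection logic run over constructed file-write events: it measures the Shannon entropy of each write, ignores formats that are legitimately high-entropy such as compressed images and archives, and alerts when one host writes ten or more ciphertext-like files inside a sixty-second window. The hosts, paths and file contents are made up; the thresholds are illustrative, and real tooling usually pairs this with canary files and process lineage.

```python
import math
import os
import random
from collections import defaultdict, deque

# File types that are legitimately high-entropy (compressed or already
# encrypted), so their entropy alone says nothing. Illustrative, not complete.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str, data: bytes, min_entropy: float = 7.5) -> bool:
    """High-entropy write to a file type that should not be high-entropy."""
    ext = os.path.splitext(path)[1].lower()
    if ext in COMPRESSED_EXTENSIONS:
        return False
    return shannon_entropy(data) >= min_entropy


def detect_mass_encryption(events, window_s=60, min_files=10, min_entropy=7.5):
    """Alert once per host that writes >= min_files encrypted-looking files
    within any window_s seconds. events are dicts with ts, host, path, data."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious writes
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not looks_encrypted(ev["path"], ev["data"], min_entropy):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= min_files and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"], "files_in_window": len(q),
                           "first_ts": q[0], "last_ts": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed file-write events: one normal workstation, one victim."""
    rng = random.Random(1234)  # deterministic so the example is repeatable
    text = b"Quarterly report: revenue up 4% on last quarter. " * 80
    events = []
    for i in range(3):  # ws-02 saves a few documents over an hour
        events.append({"ts": 1000 + i * 900, "host": "ws-02",
                       "path": f"/home/alice/report{i}.txt", "data": text})
    # ws-02 also saves a photo: high entropy, but a known compressed format
    events.append({"ts": 3000, "host": "ws-02",
                   "path": "/home/alice/holiday.jpg", "data": rng.randbytes(4096)})
    for i in range(12):  # ws-17 rewrites 12 files as ciphertext in 22 seconds
        events.append({"ts": 5000 + i * 2, "host": "ws-17",
                       "path": f"/home/bob/docs/file{i}.xlsx.locked",
                       "data": rng.randbytes(4096)})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print("POSSIBLE RANSOMWARE:", alert)
```

An alert from this check is the trigger for the first response step above: isolate the host from the network while the evidence is still on it.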
If a ransomware attack has not targeted your organisation yet, there is every possibility that one will in the future.
Any organisation that relies on using connected systems can be a victim of ransomware, not just the big companies with large profits. Many businesses think they are not large enough to be worth attacking, making them prime targets for cybercriminals.
Many cyberattacks target human vulnerabilities, as security software can only do so much to prevent these types of attacks. If an employee receives an email with a dangerous link, their training should have prepared them to spot the suspicious email and know what actions should be taken to help protect the business.
Bob’s Business is an industry-leading cybersecurity training provider that is helping businesses reduce the chances of being hit with ransomware attacks through engaging, relatable training courses and simulations.
However, identifying a malicious email is not always as easy as you think. With cybercriminals using more sophisticated techniques to trick email recipients into believing the email is genuine, these attacks are getting harder to stop.
The most common reason for data breaches is human error. As such, educating your employees on how to recognise cyberattacks is crucial for protecting your business from the consequences, ranging from financial loss to reputational damage.
When your team is given the proper training, your team become an essential part of your security.
Check out these top suggestions for identifying and preventing pesky phishing emails.
How to detect a malicious email
Double-check the sender’s email address
Your first port of call is to check, and then double-check, the sender’s actual email address (not just the display name, which anyone can set to anything) to see whether it comes from the company’s own domain or from a public domain.
Malicious emails are more likely to be sent from a public domain email address, for example one that ends with @gmail.com or @yahoo.com. These addresses are free to set up and easy for criminals to use without being traced, as no payment details are needed.
You should also look closely at the domain itself. A genuine message from a business will usually come from an address like ‘customersupport@’ at the company’s own domain. An unknown person’s name, extra characters, a misspelling or a lookalike domain (the company’s name followed by an unrelated domain, for instance) could all be signs of a malicious email. At a glance, ‘l’ can look a lot like ‘1’, and ‘rn’ a lot like ‘m’, in an email address.
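The sender checks described here, and in the earlier tip on links in emails and messages, can be automated. The following is an added example (not code from the original post or from any mail product) that pulls the real address out of a From: header, ignores the display name, and classifies its domain: known and trusted, free webmail, a homoglyph lookalike such as ‘acrne.com’ for ‘acme.com’, a trusted name embedded in a longer unrelated domain, or a near-miss spelling within two edits. The trusted domains, the webmail list and the confusable-character table are all constructed assumptions; internationalised-domain homoglyphs (for example Cyrillic letters) would need the Unicode confusables table and are not handled.

```python
from email.utils import parseaddr

# Constructed list of domains this organisation actually deals with; in
# practice this would be your own domains and those of key suppliers.
TRUSTED_DOMAINS = {"acme.com", "bobsbusiness.co.uk"}

# Free webmail domains: anyone can register one, so a message claiming to be
# from a company but sent from one of these deserves a second look.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Characters and pairs that read as another letter at a glance. Applied after
# lowercasing, to both the candidate and the trusted domains, so a genuine
# domain that happens to contain 'cl' or 'rn' still matches itself.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(domain: str) -> str:
    """Collapse look-alike characters so 'acrne.c0m' becomes 'acme.com'."""
    d = domain.lower().translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Classify the real address in a From: header, ignoring the display name.

    Returns (verdict, domain) where verdict is one of: trusted, public_webmail,
    lookalike, embedded_brand, near_match, unknown, invalid.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", "")
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", domain)
    if domain in PUBLIC_WEBMAIL:
        return ("public_webmail", domain)
    if normalise(domain) in {normalise(t) for t in trusted}:
        return ("lookalike", domain)        # e.g. acrne.com posing as acme.com
    if any(t in domain for t in trusted):
        return ("embedded_brand", domain)   # e.g. acme.com.verify-account.net
    if min(levenshtein(domain, t) for t in trusted) <= 2:
        return ("near_match", domain)       # e.g. acmee.com or acme.co
    return ("unknown", domain)


if __name__ == "__main__":
    for header in ["Acme Support <support@acme.com>",
                   "Acme Support <support@acrne.com>",
                   "Acme Billing <billing@gmail.com>",
                   "Acme Security <no-reply@acme.com.verify-account.net>",
                   "IT Desk <helpdesk@acmee.com>"]:
        print(classify_sender(header), "<-", header)
```

Anything other than ‘trusted’ is a prompt to stop and verify through another channel, not proof of fraud; a supplier may genuinely write from a new domain, and an attacker may have compromised a genuinely trusted mailbox, which is why the other checks on this page still matter.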
Look for mistakes in the content of the email
Another clue to look out for is whether there are any mistakes in the email, such as spelling errors or bad grammar. Genuine business emails are typically professional and error-free.
Flag requests for high-risk data
All employees should be trained to question any request for data. In some phishing scams, criminals will pretend to be a person of authority or someone known to the recipient. By appearing to be a colleague or senior manager, for example, attackers have a better chance to pressurise the victim into sharing personal data or login credentials.
Be careful with urgent messages
A common technique used in email scams is to apply urgency. ‘We have contacted you several times and not received a response’ or ‘take action immediately’ are common tactics. Attackers may also use red font or colouring within the email as this psychologically makes people perceive the request as urgent.
Employees should be very wary of any emails that try to panic them into a fast response, as this is to prevent them from having time to question the authenticity and make the relevant checks.
How to prevent falling victim to malicious emails
Arm your employees with the cybersecurity knowledge they need to spot and stop phishing attacks in your organisation. With Bob’s Phishing and Bob’s Culture, we deploy targeted and tailored phishing emails to your team that simulate real phishing attacks. Staff that click are automatically assigned training which helps to create positive new behaviours around phishing attempts.
In recent years, due to lockdown restrictions, businesses have increased their reliance on technological and digital solutions faster than ever. They have allowed businesses to operate in new ways in order to not only survive but also to thrive. However, they have also created new avenues for attack.
Cybercriminals are adaptable and often ahead of the curve; in a rapidly changing world they are constantly developing new methods of deception. Just last year, fake NHS emails and texts were sent out by scammers taking advantage of the COVID-19 pandemic.
Because criminals are constantly developing new scams and more sophisticated attacks, businesses must invest more heavily in cybersecurity solutions and processes. But, what does the future hold for cybersecurity?
The International Data Corporation even estimated that worldwide cybersecurity spending will reach around $175 billion by 2024.
The future of ‘The Cloud’ and Artificial Intelligence
Cloud computing has provided numerous benefits, including cost savings, efficiency, and sustainability. However, because of the large amounts of data and personal information stored, it is another service that cybercriminals are targeting. As cybercrime evolves, it is a service that necessitates ongoing security training and awareness.
Artificial intelligence (AI) will greatly assist in cybersecurity; AI technology can identify threats and patterns much faster than traditional security processes. The downside of AI’s rise is that it is also being used by cybercriminals to help improve their strategies. As a result, as AI is used more in attacks, we can expect to face more severe and frequent cyber threats in the future.
As the world around us continues to advance technologically, we must also remain vigilant and aware of cybersecurity trends.
Human error is one of the top risks that criminals target, so businesses must continue to develop stronger cyber risk management frameworks; this means having highly effective cybersecurity training for all employees.
Regular updates should be included within training solutions to not only incorporate the most recent cyberattack trends but to also raise employees’ awareness of the most pressing cybersecurity concerns that are emerging.
Whilst the technology sector is more likely to have a board member with a specific cyber or data security remit, its reliance on technological solutions can hamper its ability to mitigate attacks.
But what are the top cyber threats faced by the technology industry? Join us as we take a look.
Ransomware
One of the biggest threats to any kind of business is disruption that prevents everyday operations. Taking systems offline is one way that a business can be disrupted and the longer the disruption, the more money it will cost.
Ransomware has grown to become one of the key threats facing companies. Put simply, ransomware attacks lock data and systems behind strong encryption and demand payment in return for restoring access. Often, these attacks begin with a simple phishing email and a malicious file download.
Early adoption vulnerabilities
It stands to reason that companies that provide communications and technology solutions will be at the forefront of the adoption of cutting edge technologies. Whilst this can often make for a productive office environment, it can also make them an easier target than companies who do not adopt the very latest in digital tools.
Zero-day vulnerabilities, unpatched software and even hardware vulnerabilities are not at all uncommon in new products, so being an early adopter gives hackers more opportunities to exploit flaws before fixes exist.
Distortion
Another emerging problem for the technology sector is the distortion of information, where social engineers alter documents or data for financial gain.
There are various techniques associated with distortion, such as altering the bank details on an invoice so that an accounts department pays it into the hacker’s account rather than the genuine supplier’s. Distortion can also mean altering information about the company itself, which could damage brand reputation and lose consumer trust.
The key to reducing the efficacy of distortion attacks is training your team on the techniques employed by social engineers.
Phishing attacks
Phishing attacks are by far the most common root cause behind cybersecurity breaches, including ransomware, malware and spyware attacks.
Indeed, it’s predicted that living with the COVID-19 pandemic will have further accelerated online banking adoption for many consumers.
The reasons for its widespread adoption are clear – digital banking has always offered convenience when it comes to checking balances, making transfers and managing accounts whilst on the go.
However, a large proportion of consumers have previously been reluctant to use digital banking, for reasons such as lacking the appropriate technology, skills, or simply preferring to stick with what they know and trust.
The pandemic not only increased the urgency to use digital banking on the consumer end, but also forced banks to look closely at their investment levels in those digital solutions in order to provide consumers with amazing experiences.
Where there are financial transactions, however, there are criminals looking to profit, and that’s certainly true when it comes to digital banking.
What are the cybersecurity risks in digital banking?
Although there are so many benefits to digital banking, for both the bank and the consumer, there is one major negative: the increased cybersecurity risks. The finance industry is a top target for cyberattacks due to the information they process, not to mention financial systems that can be illegitimately accessed to steal money.
As account holders use mobile devices, websites, apps and public internet connections to access their online bank accounts, each of these entry points is a potential weakness for hackers to exploit.
Which? recently analysed 15 banks and building societies’ online banking and mobile app banking platforms, and found “worrying security flaws”. These included insufficient password policies and the lack of two-factor authentication for critical actions. Some of the banks also lacked adequate software that was able to block dangerous emails.
The financial sector has been investing heavily in cybersecurity, with developments for enhanced cybersecurity tools being introduced on a regular basis to protect systems from hackers.
As well as making changes to improve their online security processes and tools, another important aspect of protecting the digital banking sector from cyberattacks is to implement a stronger cybersecurity training programme.
Many companies in the financial sector roll out “off-the-shelf” compliance training courses. Unfortunately, these courses fail to deliver the key outcomes required to develop a culture of cyber awareness among employees.
Traditional compliance training is typically dull and disengaging, with employees not developing the required behaviours that will help protect the bank from attacks such as phishing emails in the future.
Bob’s Business provides a unique approach to online training by providing engaging courses and interactive phishing simulations. Our training helps to change employee behaviour, rather than simply providing generic information and tick-box questions. Our courses can also be tailored to suit the specific organisation, in order to target any weaknesses that the organisation has.
To fail to plan is to plan to fail, and so every organisation is in a constant state of planning for both the best and worst-case scenarios.
Increasingly, cyberattacks are a significant risk to businesses across all industries but particularly the finance sector, including insurance providers. The COVID-19 pandemic has accelerated digital transformation projects for many companies, who have relied more on digital solutions during this time than ever before.
However, the insurance sector has seen heightened threat levels. So why is this the case, and what is the impact on the industry? Join us as we break down the facts and figures.
Why finance and insurance are high risk for cyber attacks
Finance companies are at a higher risk of being targeted with cyberattacks owing to the large amount of personal data, including financial data, that they process. Insurance companies will gather substantial information from policyholders to calculate the risks and premium prices.
In addition to collecting name, address, date of birth and bank details, insurance companies hold data such as car registration and value, property, and possession details.
This data is collected so that the insurance underwriters can assess the level of risk and set the premiums at the right price, to try to ensure that the company makes a profit. Where there’s sensitive data, however, there are criminals looking to steal it.
With most insurance companies now offering online services, and some operating completely online, the opportunities for hackers have increased significantly from the days when the majority of transactions happened in a branch or over the telephone.
The same connectivity that allows employees to access company systems from home, or from different locations around the world, has increased the potential for a data breach.
Ransomware attacks have become a growing concern for insurance companies. Last year, an incident in the US saw CNA Financial Corp. pay $40 million to regain control of its network after hackers had locked the company out of its systems for two weeks, causing massive disruption.
Another high-profile cyberattack took place in 2015 against the insurer Anthem, exposing the records of almost 80 million customers. The organisation spent around $260 million on security improvements and remediation and paid a further $115 million to settle lawsuits brought by customers.
What can insurance companies do to protect their business and policyholders?
When a cyberattack targets an insurance company, there are a number of negative consequences. Policyholders can become identity theft victims. In the case of ransomware disruption, the insurance services that policyholders have paid for are not available when they need them – as the company cannot access the necessary policy data to resolve claims.
When the systems are unavailable, the cost to the business is profound. They may end up paying a ransomware release amount in the millions, just to gain control of their systems again. Add this to the compensation that will have to be paid to customers, and you can see how the cost quickly mounts up.
In addition to these costs, data breaches are a significant threat to the reputation of your business. An astonishing 70% of people would stop doing business with a company that experienced a data breach.
As a result, it’s crucial that businesses in the insurance sector and beyond invest in their cybersecurity strategy to keep their systems as well protected as possible.
The key to a successful cybersecurity strategy is the understanding that the risk of cyberattacks must be owned across the business. Cybersecurity experts do not consider cyberattacks simply an issue for IT, but the responsibility of every employee. Developing a culture of cyber awareness among employees is by far the best protection for any organisation, and it should be built through regular, engaging training.