You’re probably already aware that hacking is becoming a bigger and bigger problem for organisations of all sizes, despite the sophisticated cybersecurity software that is often pushed forward as a ‘cure’.

2020 was a record-breaking year for hacking attempts against UK firms, owing largely to the fact that with many of us working from home, our personal security levels have slipped.

The fallout from a successful hack can be extensive, including reputational damage, fines and loss of customer trust. But what do hackers get out of the deal?

Here are some of the things that hackers use stolen personal information for:

Identity theft

Criminals often illegally access data so that they can steal someone’s identity for financial gain. For example, they can use personal information to apply for loans and credit cards in the victim’s name. In some cases, identity thieves can purchase goods using financial details.

When hacking organisations, a criminal may steal the identity of a trusted senior team leader to encourage more junior staff to give over crucial data.

Selling onto other criminals

It is quite common for cybercriminals to sell data to other criminals on the dark web. The buyer will then use the data for identity theft and other crimes. Hackers sell certain pieces of personal data, sometimes using a shopping list of prices, where there will be a set price for information such as credit and debit card information.

Account takeover

Hackers can use data to take over accounts such as shopping accounts. They will usually change your password so that you will not be able to log into your account, so you might not notice that they have taken over your account immediately.

In targeted phishing attacks

By using personal information, cybercriminals can make phishing attacks seem more authentic, by using the information in the email and tricking victims into thinking that the email is genuine. In these cases, a breach is often just the start of a longer-term series of attacks.

To cause reputational damage

Another way that hackers can use stolen data is to cause embarrassment and reputational damage to companies. Hackers may try to blackmail people, threatening to leak data that would cause harm to the company.

How do you protect your company from hackers?

If your company stores personal information about customers or employees, then it is important that appropriate security measures are in place as per the data protection regulations. 

Having the most up to date software installed on your company’s computers is one of the most effective ways to protect data, as well as deploying a number of other security solutions such as firewalls and making sure your website incorporates the highest level of security protection.

However, even with the most expensive security systems in place, your company may still be vulnerable to hackers when they target employees through phishing emails and other scams. This is because 90% of breaches start with simple human error.

Therefore, the best method of boosting data security in your organisation is to regularly educate and train employees, so that they know what a scam looks like and what to do if they receive one.

Bob’s Business designs effective online training solutions to empower employees to protect their company by increasing their cyber security awareness, using award-winning techniques like our innovative courses and phishing simulations. 

To ensure that your company is as well protected as possible, see how our training courses and simulations will boost your online security.

When it comes to strengthening security within your business, there are plenty of options available.

Be it installing security software as a way of protecting your systems or installing a team or individual to monitor and manage security, there are many important practices you can put in place to help protect your business.

However, these solutions alone are not enough to provide a comprehensive level of security. Why? Because studies have found that 90% of breaches occur due to human error, with employees accidentally leaving their employers vulnerable to cyber attacks.

That’s why, alongside investing in powerful security technology, you should also invest in building a positive security culture, where employees are an integral part of your security strategy.

But what is a security culture, we hear you ask. The simple answer is that when we talk about a culture, we are talking about the attitudes and behaviours of employees.

A positive culture is one where all employees work together and take responsibility for protecting the business by displaying cyber security awareness and taking the right actions.

So, how can you build one within your organisation? Read on.

How to develop a positive security culture

These are some effective ways to start building a security culture in your workplace:

Make security awareness an ongoing priority

Some businesses make the mistake of pushing security awareness at certain points, but leave it off the agenda for the rest of the year. Needless to say, that’s a shortcut to failure.
Security awareness needs to be a constant priority within the business and employees need to know it is important all year round, not just when they complete an annual security awareness course.

Quite simply, secure thoughts and behaviours can only build if regular communications and training are in place, rather than just annual activities.

Outline the desired behaviours

For employees to develop the desired behaviours, they need to have a clear understanding of what the expected behaviours are.

For example, having visual reminders with memorable statements such as “think before you click” helps to embed the importance of thinking before clicking a link in an email, on a website or otherwise.

Lead by example

For any type of culture to be fully adopted, employees need to see the leadership team displaying the expected behaviours. Managers should lead by example in regards to good security practices. This should be evident in meetings, as well as general day-to-day actions and conversations to show employees that leaders are as committed to protecting the company as they are.

Incentivise good security practice

Another way to encourage employees to think about security more and to motivate them to display the required behaviours is to recognise and reward good security behaviour. For example, someone who reports a phishing attack could receive a small reward, which will inspire other employees to replicate the behaviour, so they can be rewarded too.

Developing a security culture does not happen overnight, it requires time and commitment. It involves leaders getting on board, as well as being incorporated into the internal communications strategy. Most importantly, having the right type of cyber awareness training solution is key.

Bob’s Business provides award-winning phishing simulations that can be used all year round to ensure that employees stay up to date on the latest cyber scams. Find out more about the cyber awareness training solutions we offer.

With phishing emails making up 1% of emails sent, an astonishing 3.4 billion hit our inboxes a day. Naturally then, it’s only a matter of time before somebody in your team accidentally clicks a link.

Clicking on a link in a phishing email can leave a business vulnerable to data loss, so it is crucial that you and everyone in your organisation understand the right steps to take in the event of accidentally responding to a phishing email.

Phishing emails can be sent to anyone at an organization and even people like fraud managers or IT security employees can fall victim to a cyberattack. Companies should have a cyber security policy and training awareness program in place that will help employees to take the correct actions.

These are the steps that need to be taken after clicking a phishing link:

1) Report the incident

Your first step should always be to report the incident to your relevant internal team.

By immediately reporting the incident to the relevant team, such as the IT security incident team or service desk, action can be taken to prevent other people in the organisation from doing the same thing.

It’s important to note, however, that employees might be embarrassed that they have been tricked by a scam and be hesitant about reporting the incident. This is why it’s so important that your organisation provides training and awareness that encourages employees to report security incidents without fear that they will be in trouble.

2) Change login passwords

One of the ways that data is compromised through phishing attacks is by tricking people into providing their login credentials, so it is vital that your passwords are changed as soon as possible after a phishing attack.

In many cases, a victim will use the same password for numerous accounts, which can cause a chain reaction of breaches across their accounts. As such, you will need to update all of your passwords as soon as possible.

Passwords should be difficult to guess and training should be provided to ensure that employees know how to set difficult passwords.

3) Investigation of the attack

Once a phishing attack has been reported, the relevant team should conduct a thorough investigation into the circumstances. Endpoint analysis will help to identify if any malicious software has been introduced onto the PC or network.

The investigation should help to decide whether there is a specific security process or system weakness that requires strengthening.

4) Inform the regulators and law authority

Organisations must comply with the rules of their regulatory authorities, such as reporting a phishing incident within a specific amount of time. It may also be necessary to inform the police so that criminal investigations can be completed.

Improve security and raise awareness

Mistakes can be incredibly valuable.

Once the phishing attack investigation has taken place, your organisation should use the information to make their security structure more robust. They can also make arrangements to deliver more comprehensive cyber security training that will help to prevent employees from responding to a phishing email in future.

Bob’s Business offers a range of online training solutions with industry-leading techniques and methodologies to raise cyber security awareness.

Find out more about how we can help protect your business from phishing scams.

With more of us than ever working from home as a consequence of the COVID-19 pandemic, we’ve all had to make adaptations required to support this new working environment.

As well as ensuring that the right technology is available to our teams, including digital security solutions, employee health, safety and wellbeing should always be among the highest priorities for any organisation.

The difficulty for organisations unaccustomed to teams working from home is that, when working in an office or other type of dedicated workspace, health and safety policies are fairly straightforward to put into place and monitor. The same is the case with supporting employees’ wellbeing, but when they’re working at home? That can be a difficulty.

Nevertheless, employers have responsibilities to protect their employees and employees also have responsibilities to keep themself protected – even when our homes become our offices.

These are some of the key responsibilities that all of us need to keep in mind:

Risk assessments

Under the law, employers have a responsibility to assess any risks in an employee’s working environment. Where this is not possible, for example, during the pandemic, the employer should ask the employee to conduct a self-assessment of their workspace and equipment.

The set-up of display screen equipment is important, as a poor set up for working with a laptop or PC can cause postural problems and permanent injury. There is a checklist that can be used to make sure that everything is set up correctly, such as having a comfortable seat that provides support and making sure the screen is in the right position to prevent stooping over or straining your eyes.

Health and safety

Employees also have a responsibility to take care of their own health and safety when working from home. However, without proper guidance then it’s unfair to expect them to develop safety protocols on their own.

As such, they should do this by keeping in regular contact with their manager and keeping them informed of any concerns such as health and safety risks that they face within their home.

Wellbeing

The changeover to working from home can have a negative impact on employee wellbeing, as they are now spending more time on their own, without having their team close by to get support from. Indeed, 67% of British people said they feel less connected to their colleagues as a result of working from home.

People living on their own might be particularly affected by the lack of interaction with work colleagues, so managers should check in with people to see how they are feeling. A simple, earnest conversation about their mental and physical health can make all the difference.

People working from home may also find it more difficult to switch off from work, as they are now combining their workplace with home space. It becomes more difficult to stop thinking about work, compared to when you work in a separate building and leave it for the day.

All of these factors can have a detrimental effect on people’s wellbeing and must be considered when supporting employees who work from home.

At Bob’s Business, we offer more than just cybersecurity awareness training. Our online training courses also cover all of the essentials in terms of health, safety and wellbeing. These engaging courses are ideal for completing by employees who are working from home and managers of teams who are home based.

View our full course list here, and check out our pricing and product comparisons here.

To err is human, but some mistakes can have major consequences for yourself and your organisation.

There are lots of different reasons why a person might make an error in the workplace, such as tiredness, being distracted by other tasks, or in some situations, due to lack of knowledge.

Independent studies have revealed that 88% of data breaches are due to human error. As such, reducing human error is an area of vital importance for every company.

A simple error can end up costing a company a significant amount of money in fines and compensation, as well as potentially irreparable damage to the company reputation.

To better understand the reasons behind the errors, we looked at a report by Professor Jeff Hancock of Stanford University. The study identified that almost half of employees surveyed believed they had made a mistake at work that led to security repercussions.

Here’s what it found:

Younger employees more likely to admit to errors

The report revealed that younger employees were 5x more likely to admit to errors that compromised security.

The report found 50% of 18-30-year-olds admitted to mistakes, while just 10% of over 50s owned up to making mistakes. Professor Hancock’s view on these figures is that younger people are more likely to admit to mistakes, rather than this being representative of which age groups are making the most mistakes.

He referred to the added importance of a positive reporting culture for older generations to reduce the shame of admitting to mistakes, which can be a high risk for companies, as people who admit to errors are more likely to learn from them.

Men click phishing emails with greater regularity

Another very interesting insight was that 25% of employees in the studies had clicked on a phishing scam link, with men more likely (34%) to click a link than women (17%).

The report found that older employees claimed to be the least susceptible to phishing scams but that they actually had less knowledge of what a phishing scam was.

Tech companies are at increased risk of phishing

When looking at which companies were most likely to click on phishing email scams, fast-paced tech companies were the most fallible. While this might surprise some people due to this sector being the most tech-savvy, one plausible reason for this is that tech employees are usually expected to work at a fast pace, answering emails as quickly as possible.

This pace of working, rather than knowledge or age, is more likely to be the key reason for this sector being the worst for falling for scams. Instead of carefully reading through emails and having time to consider the best course of action, employees often felt pressure to quickly deal with enquiries, without giving adequate consideration to potential risks.

Tailored training is vital

Professor Hancock’s strong recommendation based on his findings is to include tailoring training to reduce human risk across organisations.

Our flagship training programme, Bob’s Culture, tailors not only the course rollout for each organisation specifically around the personalities and thought processes of the people in your organisation but also the phishing training delivered.

The key is our unique Human Vulnerability Assessment, an anonymised questionnaire answered by your whole organisation which ensures the training you complete is relevant and necessary to reduce your risk of breaches.

Want to find out more about Bob’s Culture? Click here.

The fight against cybercrime is a constant challenge, and even businesses that invest a large budget into security software and in-house cybersecurity teams aren’t immune to cyber attacks.

There are lots of different ways that criminals try to penetrate companies’ systems, although by far the most common is through your teams.

Fully 90% of breaches start with human error, so making sure that employees know what to do when they receive a phishing email, or another type of attack is vital in preventing future attacks.

When a cybersecurity incident occurs, this is why it is essential that employees report the incident:

• You can react appropriately. The first and most important aspect of reporting is that it gives your internal security team notice that they need to spring into action to prevent data loss or system compromise.
• You can build training around the incident. You can use the incident as an example in training content to make it more relevant to your company compared to a generic example that some training providers use. Do ensure that the example is anonymised though, as highlighting a mistake makes people more likely to hide incidents in the future.
• You can collect data about incidents to look for patterns. Sometimes minor incidents can point towards a bigger issue that needs addressing, so employees should be encouraged to report every single incident, not just the major ones.
• You can communicate the incident to other employees. With the incident communicated, you can share it with your teams so they are aware of the type of scam and do not fall for it.

Importance of reporting incidents

In some instances, people might be afraid to report incidents, as they might feel embarrassed if they did something wrong like click on a link in an email. This is why it is important to communicate to the workforce how important incident reporting is and that the process exists to protect the business, not to identify employee errors.

Making reporting a non-punitive exercise and, in fact, rewarding employees which do report incidents is a vital part of building a positive cybersecurity culture.

How to report incidents

Every business should have its own process for reporting incidents, such as to a fraud team, or to IT security, for example.

The process should be clear for employees, if you have a company intranet site, you should publish your IT security policy and incident reporting process onto it for people to easily find.

Types of incidents that need to be reported

It is also a good idea to list all of the types of incidents that need to be reported. Some of the possible incidents include:

• Phishing emails.
• An attack on a website.
• Improper usage by an employee (including accessing dangerous sites).
• Scareware to buy fake antivirus software.
• Ad-based malware.

These are just a few examples but there are many more techniques and methods that hackers use and errors or unusual behaviour of internal employees should be reported too.

To ensure that your employees understand what to look out for and what course of action to take, our Incident Reporting course is the perfect solution. Book a demo today to discover how you can get access to our Incident Reporting course for your team and full access to our 55+ strong catalogue of cybersecurity and compliance courses.

Having a strong cybersecurity strategy is more important than ever for businesses, with hacking attempts and other online scams growing in frequency.

In a world where technological solutions are considered first, you might well be surprised to hear that 90% of cybersecurity breaches happen due to simple human error. That’s why every good cybersecurity strategy places employee training at its core.

Fortunately, the number of companies considering the human angle in their cybersecurity strategy is growing.

Unfortunately, many of those strategies fail. Sound like you?

Join us as we share some of the common reasons why training strategies fail:

Your training is reactive, not proactive

Many businesses make the mistake of only providing training only when they “need” to.

Whether it’s the sudden realisation that you need to achieve compliance or if the discovery that you’ve been breached, many training programmes are embarked upon reactively, rather than proactively.

Having a more proactive approach to training will help to pre-empt issues and give employees the necessary knowledge before a problem arising that leads to a data breach.

Over-valuing certifications

A common mistake is taking certifications as proof of an employee’s skills. Certifications are proof of knowledge in a specific subject but may not reflect their skills.

So, an employee might be able to answer a set of questions related to cybersecurity but having the skills to take the best actions to protect your business is another story. If you want your employees to have good cybersecurity skills, they need a training course that develops these skills, not training that is a tick-box exercise.

Opting for a one-size-fits-all approach

If your cybersecurity training isn’t tailored to your organisation, this could be severely limiting the effectiveness of your training.

We all have differing levels of knowledge, different biases and, of course, unique personalities – all of which determines your relative risks to various forms of attack.

Training that is tailored to the specific individual’s learning needs, such as Bob’s Culture, is more likely to be effective and therefore your employees will be in a better position to make the most suitable cybersecurity actions.

Bob’s Culture includes our unique Human Vulnerability Assessment, which involves completing a Phishing Baseline and Awareness Questionnaire to build a customised training rollout. This approach identifies potential blind spots and skills gaps that could leave your business vulnerable to a cyberattack, delivering training that’s relevant to your team and your organisation.

Not all employees will react to threats such as phishing emails in the same way, for example, one employee might be more optimistic than their more cautious peers, which could lead to them clicking a link that allows hackers to access your systems.

By tailoring training content around the individual, you give each employee the skills and knowledge to take the best course of action when faced with a potential cyberattack.

Cyberattacks have become a constant problem for businesses of all sizes. Hackers cast their net far and wide, targeting all types of businesses as they look for weaknesses that they can expose and profit from.

Even small businesses are at risk because hackers often believe that they will have less sophisticated security systems in place and will therefore be an easier target.

As such, every organisation needs to be very vigilant about the threat of cyberattacks and have the right systems and other security measures in place to protect their business. But how do you improve cybersecurity knowledge in your workplace?

Training. Why? Because 90% of breaches occur as a result of human error?

That’s why employee cyber awareness training and ongoing education is crucial to keeping businesses protected from the growing number of cyberattack threats.

The key areas that employees should be educated on are:

Data protection

Employees need to know how they can protect data and prevent data breaches. This involves a wide range of actions such as choosing strong passwords and not giving out data to unsolicited emails, calls, texts or any other channels.

The danger of links and popups

Pop-ups and links within emails and text messages are a big danger and employees often fall for scams that put data at risk. Employees need to learn how to identify the risks and report them using the correct process.

Using secure Wi-Fi

With an increasing number of people working from home, or at other places away from the workplace, there are more opportunities for hackers, as some employees will access company systems using Wi-Fi with weak security. Having a firewall for the company network offers some protection for businesses, but employees working home accessing systems that store data also need a firewall for protection.

Keeping security software up to date

When system updates become available, it is important to update them as soon as possible as this helps to keep them secure. Anti-virus and anti-malware protection have regular updates to enable them to protect against new cyber threats.

What to do if there is a data breach

If your business has a data breach, there are a number of consequences that could cause significant problems for your company. Firstly, the financial impact of a data breach can be severe. Under GDPR you can be fined up to 4% of annual global turnover (or €20million – whichever is greater). On top of this, you may need to pay compensation to the people affected by the data breach.

You might also have significant legal fees to pay, so it can be financially crippling to many businesses. The other problem is the reputational damage caused by a breach and the loss of trust from customers. This can cause you to lose existing customers and will also put potential customers off using your business due to the bad publicity surrounding the data breach.

Even if you completely overhaul your security measures, it takes a long time to rebuild trust and improve your business reputation.

All of which is to say that effectively training your team to act appropriately and promptly at the first signs of a data breach is utterly essential.

How to prevent a data breach

Making sure that your employees stay up to date with the cybersecurity measures they need to take is vital in preventing a data breach.

Across three products, Bob’s Business offers comprehensive online training packages covering all aspects of data protection and many other critical compliance subjects. With over 55 courses covering cybersecurity awareness and compliance topics, as well as award-winning simulated phishing training, we make reducing your risk of breach simple.

Find out more about Bob’s Business products here.

It’s fair to say that running a business with a website used to be a simpler prospect than it is today.

UK data protection law now requires you to publish a privacy policy on your website that explains to website visitors how you use their data. Larger businesses will have legal experts who will write their privacy policy for them, through either an in-house lawyer or someone external that they hire to write up the policy.

For SMEs with smaller teams and budgets, though, it can be tricky to know how to craft a privacy policy.

The good news is that a privacy policy can be created without the necessity to pay a lawyer, all you need to do is ensure the policy includes all of the required information, to avoid any legal issues.

As well as fulfilling data protection requirements, having a privacy policy has several benefits, such as:

• Builds trust with website users
• Looks professional
• Gives people peace of mind
• Fulfills third-party requirements (if you use a third-party service such as Google Analytics)

How to write a privacy policy

If you are going to create your website’s privacy policy yourself, using a template will help to ensure you have included everything that is required.

Reading some privacy policies that similar businesses have created and displayed on their website will also help you to understand what should be included. Remember that they may have missed something out that your business needs to include, so don’t just rewrite someone else’s privacy policy.

Writing your privacy policy

These are the main sections you will need to include:

Your contact details

Within the policy, you should include your legal business name and contact details such as an address, telephone number, and email address.
Type of personal information collected

You should list the types of personal information that you collect, such as name, IP address, address, DOB, contact info, etc. The types of information you collect will usually depend on the type of business you are in.

How you get the information and why you have it

You should clearly explain the processes and methods used to gather their information and also explain why you use it.

How personal information is stored

If you are storing any personal information, you need to provide details about how you store it and what security measures you use to ensure that their data is protected.

Data protection rights

The policy should also explain their data protection rights, giving instructions on how they can opt out of collecting and sharing information. You should also share details of how they can unsubscribe from their mailing list.

How to complain

List your complaints process, such as writing to your address or emailing a complaints email address. If you are a business that is regulated, you should also include details of the complaints process that the regulators have in place if the complainant is not satisfied with your response.

These are the key elements to include within your privacy policy but the content should be tailored to your business and the ways that you use data. Some businesses might not collect much data and therefore their privacy policy can be quite basic, while other companies might be collecting, using, and sharing lots of data and require a more comprehensive privacy policy.

Additional support for creating a privacy policy

Many small businesses appoint a person to have the main responsibility for data protection management. You should make sure that this person receives the latest data protection training to ensure that they have the knowledge they need to keep your business compliant.

Bob’s Business offers several online GDPR courses that cover the key aspects of data protection responsibilities and guidance on processes such as creating a privacy policy.

Find out more about Bob’s Business data protection courses.

As web technology has evolved, we’ve enjoyed the many benefits of a fully connected world. However, we can’t deny that there have been negatives, many of which relate to the ways our data is handled.

One of the main concerns of using digital tools and websites is data protection, with countless of our most commonly used web services collecting personal information from customers and website visitors.

It’s this reality which encouraged regulators to take a fresh look at data protection regulations. The Data Protection Act 1998 was deemed to be no longer fit for purpose due to how technology solutions had changed, with new data protection risks emerging, including the transfer of data outside of the EU.

To ensure EU residents are adequately protected, an EU law called the GDPR (General Data Protection Regulation) was introduced on 25 May 2018. As a result of Brexit, the new UK DPA 2018 now applies as well as the UK GDPR 2018.

Here’s what you need to know:

The seven principles of the GDPR

To comply with the GDPR, many businesses (including small businesses) have had to make a number of changes to how they handle data. The GDPR rules are based around a set of principles.

The 7 GDPR principles are:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

What are the types of data outlined in the GDPR?

The types of data that are protected under the GDPR are outlined under the regulation.

Personal data includes the following:

• Name
• Address
• Email address
• ID card number
• Location data
• IP address

There is also a category of sensitive information that is classed as personal data, which includes information about:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data (where processed to uniquely identify someone)

How does GDPR affect small businesses?

As a business, you must have a valid lawful basis if you process personal data. The six lawful bases are:

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interests

For your business to stay compliant with GDPR there are a number of actions that are required. For example, having a stronger firewall to improve security or changing online forms to state how the data is used.

Consumers have the right to access personal data you hold about them, and they also have the right to object to the way you use their data. You need to have processes in place that allow consumers to make choices about their data, for example, allowing them to easily unsubscribe from your mailing list.

Struggling with GDPR jargon? Check out our GDPR jargon buster!

The risk of data breaches

Data breaches can affect businesses of any size, not just large businesses. When a business is found to not have the appropriate data protection measures in place and they have a data breach, they are liable to heavy fines. The maximum fine under the UK GDPR is £17.5 million or 4% of the organisation’s annual global turnover, whichever is greater.

It’s more than an idle threat, too. Just ask Google, who found themselves slapped with a record fine in 2019.

Small businesses are often targeted by hackers, as there is a chance that their security measures are weaker, due to having a smaller budget than the bigger companies. However, the cost of a breach can have huge financial implications as well as causing massive reputational damage, so small businesses should be investing in their data security processes.

How businesses can protect themselves

Hiring a GDPR consultant to come and assess the business processes is a good way of getting expert advice but it is also important that employees have a strong knowledge of GDPR and the requirements for compliance.

Bob’s Business provides an extensive package of online training including GDPR compliance, from basics through to more in-depth modules on subjects such as Consent and other key aspects of complying with GDPR.

Take a look at our GDPR training that can quickly get your workforce up to speed with the information that they need to be aware of to stay compliant.