How to stay safe online

The internet has become a foundational element of our daily lives. From work lives which increasingly demand constant internet access to leisure time which leans on streaming, browsing and gaming, living online is more common than ever.

However, it’s not without risk.

A report by CNBC revealed that hackers targeted small businesses 43% of the time, trying to take advantage of the fact that they are often more vulnerable due to the lack of security measures and IT security knowledge within the company.

Online threats come in a wide variety of formats, and it is becoming increasingly difficult to identify the threats, as cybercriminals invent more sophisticated attacks to outsmart security software and unsuspecting employees.

That’s why we’ve put together this essential guide to staying safe online with simple, actionable and effective tips. Let’s get started.

Our top tips for staying safe online

Protect your emails by using a strong and separate password

Your email account should have a strong password that is not easy to guess, but is easy to remember.

Avoid using personal information such as your name, birthday or username. The longer the password, the stronger it will be, and you should try to include numbers, symbols, uppercase and lowercase letters. The simplest method is to pick three unique, unconnected words and combine them with characters and numbers, like “Fan5Field3Shock!”. It’s easy to remember and virtually impossible to crack.

It’s also important to have unique passwords for different logins. That way, if one account is compromised, you aren’t susceptible to a chain reaction of breaches that expose your online presence.

Want to know the world’s most commonly used passwords? Click here.
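The two rules above (a long mixed-character password that avoids your personal details, and a different password for every login) can be checked mechanically. The following is an added example written for this guide, not code from the original page or from Bob’s Business; the personal details in PERSONAL_TERMS and the account list in the usage call are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample: the kind of personal information the guide says to keep out of a
# password (first name, surname, username, birth year, birthday as DDMM). Not a real person.
PERSONAL_TERMS = {"alice", "smith", "asmith", "1990", "0412"}


def check_password(password: str, personal_terms=PERSONAL_TERMS, min_length: int = 12) -> list[str]:
    """Return a list of problems found. An empty list means the password meets every rule
    in the guide: long enough, mixes character classes, and contains no personal details."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # The guide asks for numbers, symbols, uppercase and lowercase letters.
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "number": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Case-insensitive substring check against the user's own details. Very short terms
    # (e.g. a two-letter initial) are skipped because they would match almost anything.
    lowered = password.lower()
    for term in sorted(personal_terms):
        if len(term) >= 4 and term in lowered:
            problems.append(f"contains personal information ({term!r})")
    return problems


def find_reused_passwords(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map every password that appears on more than one account to the accounts sharing it.
    This is the 'chain reaction' risk: one breached site exposes all of these at once."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: sorted(accs) for pw, accs in by_password.items() if len(accs) > 1}


if __name__ == "__main__":
    # Constructed account list for illustration only.
    accounts = {
        "email": "Fan5Field3Shock!",
        "bank": "Tree7Lamp!Cloud",
        "shop": "Fan5Field3Shock!",   # reused: the email password doubles as the shop password
        "forum": "alice1990",         # short, personal, no symbols or capitals
    }
    for name, pw in accounts.items():
        print(name, check_password(pw) or "ok")
    print("reused:", find_reused_passwords(accounts))
```

A password manager does the reuse check for you against its decrypted vault; the point of the stand-alone version is to show how little it takes to spot the pattern the section warns about.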

Install the latest software and app updates

Software developers work tirelessly to patch security holes in their products, so don’t let their efforts go to waste: make sure that apps and web plugins are always up to date.

Additionally, install effective security software such as antivirus protection, firewalls and network security. They won’t stop you making a mistake, but they can sometimes offer a layer of protection against known malware.

Turn on two-factor authentication

Two-factor authentication helps to protect your accounts from unauthorised access by adding a layer of protection on top of a username and password.

This often takes the form of a code texted to your phone, or sent to your email address, that confirms you are who you say you are. It’s a quick, simple and effective way to help protect your accounts – even if your password is compromised.

Use a password manager

Using a free or paid-for password manager is one of the safest ways to manage multiple passwords and make sure you do not end up locked out of your account if you forget a password.

The problem with having a unique password for each service you use (and you definitely should have a unique password for each) is that it quickly means remembering hundreds of passwords.

That’s why you should be using a dedicated password manager: not only do these tools remember all your passwords for you, they can even suggest a strong password automatically on new websites.

Secure smartphones and tablets with a screen lock

Smartphones and tablets are convenient to carry around, but they are also more likely to get lost or stolen than larger devices. It is therefore imperative that you use a screen lock on smartphones and tablets to prevent people from being able to access apps you have on your phone.

If you have Apple Pay or a similar smartphone payment app that you use, a screen lock can stop people from using it before you have a chance to contact the bank to cancel the card it is linked to.

Always back up your most important data

If you lose a device or it gets damaged, backups ensure that you don’t lose all of your data.

There are lots of different ways to do this, depending on the size of data you are backing up and your preference for how often you want to back up. For example, you can perform physical backups by plugging in an external hard drive and backing up your data there. Alternatively, you can use cloud storage to back up data. The choice is yours!

Stay up to date with online security training

Regularly training yourself and your team on online security can ensure that you’re all aware of the latest cyber threats and understand the actions and measures that you can take to stay protected.

Bob’s Compliance from Bob’s Business gives you and your team full access to our 50+ strong catalogue of cybersecurity and compliance eLearning courses, including Web Woes, from just £1.39 per month. Learn more here.

The essential guide to securing your premises

As a business owner, protecting your assets is one of your top priorities. After you have spent years developing your business, just one preventable incident could cause huge problems. Therefore, it is important to have comprehensive security measures in place, for both physical and digital security.

In this guide, we’ll cover the essential security measures your organisation needs to deploy to protect your business. Let’s get started.

The five steps to secure your premises

1) Appoint a person with the responsibility for security

One person must have overall accountability and authority to make decisions regarding security, so choose the most suitable person for the job. For larger businesses, you may want to employ a person specifically for this role, but for smaller businesses the responsibilities will usually be in addition to their current job role.

2) Assess your risks

The first step to establishing the relevant security measures is to assess the main risks, such as weak points that could result in a break-in to your premises. The accountable person should perform the assessment and record all of the potential risks that could result in damage or loss to your business.

The main areas to focus on are:

Physical security

This involves inspecting the security of windows, doors, and any other physical weaknesses where someone could break into the property. You should inspect the types of locks that you have in place and decide whether you need to upgrade them to the highest level of security, for example, installing anti-snap locks on doors.

Electronic security

You should also review your existing electronic security, such as your alarm and CCTV. If these systems are not the latest technology, now could be the right time to invest in better electronic security. The quality of CCTV systems available now compared to ten years ago has vastly improved, incorporating sophisticated features to deter potential thieves and trespassers.

3) Prevent IT theft

Protecting your IT systems is also hugely important and is a legal requirement if you collect any customer data. You must comply with the relevant data protection laws depending on how you use and transfer data. To ensure that you are preventing IT theft you should have a robust IT security framework including a firewall, encryption software, and other appropriate security software.

In addition to this, you need to make sure that your IT equipment is protected from theft. For example, if a laptop was stolen from your premises, this could potentially result in a data loss incident, as well as losing valuable equipment. Therefore, having a secure storage place for IT equipment and ensuring systems are password protected is essential.

4) Consider the threat of arson

Arson and vandalism are also problems that businesses have to consider: the number of these incidents is increasing, and they account for over 50% of all attended fires. Vandals and arsonists often target business premises when they are unoccupied, causing considerable damage and threatening lives.

A high-quality CCTV system can help to deter arsonists and vandals, but there are other actions you can take to protect your business. For example, make sure that no combustible materials are left outside and that waste or rubbish is not allowed to accumulate.

5) Train your employees

Another important step in protecting your premises is to ensure that your employees have adequate training in the key areas including data protection, IT security, and protecting the premises. If you have delegated responsibility to an employee for the security of your premises, they would benefit from the Protected Premises course available from Bob’s Business.

Get in touch with our team today and start reducing your risk within hours.

What you need to know about diversity and inclusion in the workplace

Diversity and inclusion are vital in all areas of life, and in the workplace they are crucial for enabling a diverse set of people to work together cohesively.

Having good quality diversity and inclusion policies in place, as well as providing comprehensive training on these topics, can help workplaces to improve their diversity and inclusion.

What are the benefits of diversity and inclusion in the workplace?

There are many benefits to businesses by having a diverse and inclusive workplace, including:

  • Greater levels of engagement, with more people feeling involved, respected and treated fairly. Employees that feel engaged with their workplace work harder and companies with high levels of employee engagement usually have lower rates of absences, which delivers significant cost savings for the company.
  • Teams work more productively with a broader range of perspectives and there is more chance of generating fresh ideas. Where you have a mix of ages, genders, ethnicities and educational backgrounds, there are more varied inputs coming from life experiences.
  • Studies show that companies with more gender and racial diversity perform better than their competitors. Diverse and inclusive companies will generally return higher profits.
  • There is a bigger talent pool to recruit from, so you are more likely to find high-calibre candidates for roles. People want to work in diverse and inclusive cultures, and if your company has a good reputation for D&I, this makes you a more appealing employer than other companies.
  • Employees working in inclusive teams are happier to stay working for the company, saving the expense of recruiting and training new staff as replacements.

What is the difference between inclusion and diversity?

The words diversity and inclusion are often used together in the same term, but the meaning of each is quite different.

Diversity in the workplace refers to having employees of different races, genders, sexual orientations, religions and classes, and with different political beliefs.

Inclusion is used to describe how much people feel valued and involved and whether they feel fairly treated by their employers and peers.

Getting an even balance of diversity and inclusion is essential for companies, as having one without the other can have disastrous effects. Diversity without inclusion can result in a culture where people do not feel part of the company, and inclusion without diversity will limit innovation and new ideas from developing.

Evaluating your executive team

When you are looking at ways to build a more diverse and inclusive workplace, you should start from the top. The executive team is the most visible team in the organisation and if there is a lack of diversity and inclusion, this makes a big statement about your company’s recruitment and promotion approach.

As well as having visible diversity in your executive team, you should also consider whether leaders are demonstrating inclusion. If your leaders are not driving inclusion by example, they would benefit from attending a training course to help them to understand the changes they need to make.

How to create a more diverse and inclusive culture

Start with recruitment

Recruitment processes should include assessing whether job applicants are going to contribute towards improving diversity and inclusion. Training courses that help people to understand diversity and inclusion better should be provided to all employees, not just the executive team.

Another way to help embed a culture of diversity and inclusion is to acknowledge and honour multiple religions and cultural practices. This might involve celebrating the festivals of different faiths and holding themed events that celebrate a range of different cultures.

You can also incorporate inclusivity into your core values to show that it is an important part of the way your business operates. If you have an employee survey, include questions related to whether they feel that the workplace is diverse and inclusive and request feedback that can be used to make improvements.

Listening to feedback from employees is the best way to get a true reflection of what the culture of your business actually feels like from employees’ perspectives.

Utilise inclusive language

Another way to help to make your workplace more inclusive is by using inclusive language, for example, using “spouse” and “partner” as opposed to “husband” and “wife”. If you have an internal communications team, they should be ensuring that the language used in their communications is inclusive.

Managers should be flexible to accommodate religious practices such as prayer times, or a change of working hours to help people who are fasting for religious reasons to get enough sleep after staying up late to break their fast, for example.

The HR department should also strengthen anti-discriminatory policies and help to ensure that the policies are adhered to.

Deploy training

Educating all employees about diversity and inclusion is one of the most significant actions that will make a difference. Bob’s Business offers a Celebrating Difference course that enables learners to develop a better understanding of the key principles of diversity and inclusion in the workplace.

The training also uses creative storytelling scenarios which are more engaging and thought-provoking for learners, compared to some of the more traditional and mundane training material used by other training companies.

Ready to get started? Discover Bob’s Business’ range of training solutions here.

The good, the bad and the ugly of cybersecurity statistics (2021 edition)

At Bob’s Business, we’re at the very forefront of organisational cybersecurity training and simulated phishing training. Making training entertaining, engaging and effective is what we do.

In order to make training truly effective, however, we need to understand the habits, behaviours and assumptions that underpin cybersecurity across organisations.

It’s why we created the Human Vulnerability Assessment, our unique organisational benchmarking tool which we deploy to Bob’s Culture clients to help deliver truly tailored training and demonstrate organisational improvement.

Now, we’re ready to reveal some of the statistics we’ve gleaned from over six months of initial HVA deployments – statistics that reveal the good, the bad and the ugly of cybersecurity in 2021.

The Good

97% of recipients believed that everyone in their organisation had a role to play in cybersecurity.

77% did not feel that they could be complacent with regard to cybersecurity due to their organisation’s automated defences.

71% consider it possible for their organisation to fall victim to a cyberattack.

The Bad

24% of recipients answered that they occasionally download files and media without verifying their authenticity. That means that around one in four employees were at risk of accidentally downloading malware, which can have severe consequences for an organisation.

11% of recipients responded that they share work passwords with their colleagues with some degree of frequency. Sharing passwords like this leads to less secure accounts and may result in data breaches.

45% of those questioned did not claim to be at all suspicious of incoming emails.

The Ugly

65% of recipients admitted to reusing passwords on multiple sites. This means that a data breach on one external site may lead to multiple compromised accounts.

16% admit to clicking links in emails from unverified sources. Our tests show otherwise: while any given phishing simulation typically achieves a ~16% click rate, the overall proportion of recipients that click on at least one template throughout a campaign is higher.

Only 46% of recipients claimed always to follow their company’s cybersecurity policies. More troubling still was that 14% claimed not to know the policies at all.

The methodology

The HVA questionnaire was sent to users at 25 organisations. In total 4,937 users completed the test. As questions were added to the HVA or changed over time, the sample for specific questions varies. The results for all organisations were collated. Key demographic statistics were then drawn from questions of interest.

Why every organisation should be ISO 27001 certified

How can you give partner organisations and customers greater confidence in the way they interact with your business, and assure the reliability, security, and integrity of your systems and information? The answer: ISO 27001 certification.

ISO 27001 certification is an important standard for most organisations with an ISMS (Information Security Management System), but what is ISO 27001, and do you need it?

This article will discuss why your organisation should be ISO 27001 certified and answer all your questions.

What is ISO 27001?

ISO 27001 is the internationally recognised specification for implementing an ISMS (Information Security Management System). It delivers a framework to establish, operate, monitor, review and maintain an ISMS.

ISO 27001 is the most comprehensive and respected standard of its kind, published by the International Organisation for Standardisation (ISO), in partnership with the International Electrotechnical Commission (IEC). It is one part of a wider series of standards (the ISO/IEC 27000 series) that covers information security.

What are the requirements of ISO 27001 training?

You could jump straight into ISO 27001 training without any primer, but you’ll get much more from it if you familiarise yourself with the standard first.

As such, we recommend your team take our ISO 27001 course, where they will learn the principles of ISO 27001, why it’s important, how everyone can improve information security in your organisation, and how to react to noncompliance in your organisation.

Deploying cybersecurity awareness training to your team is the next step. Demonstrating that your team have completed cybersecurity awareness training is a required element to achieve the standard. Whether it’s Bob’s Culture or Bob’s Compliance, our products help you do just that.

You may be wondering where cybersecurity comes into all this, and the answer is simple – ISO 27001 is an information security framework and cybersecurity forms part of this. As the world becomes more dependent on technology, cyber will take an increasing role in how we establish, operate, monitor, review and maintain our ISMS.

In terms of specific requirements for ISO 27001 training, this depends on the type of course you take, and the needs of your organisation.

What are the benefits of ISO 27001 certification?

There are several benefits to ISO 27001 certification:

  • Increased partner and customer confidence in your organisation
  • Retain customers and win new business
  • Prevent loss of reputation over compliance concerns
  • Avoid hefty fines over non-compliance
  • Avoid wasted investment in the wrong security standards
  • Comply with other regulations, such as SOX
  • Plug gaps and loopholes in your information security
  • Improve risk management
  • Demonstrate a clear commitment to information security
  • Build a culture of security within your organisation
  • Establish, operate, monitor, review and maintain an ISMS to the highest standards

Due to this wide range of benefits, you should look beyond ISO 27001 as a compliance tool and see it more as a way to achieve several business benefits. It can deliver value in several ways, making it a worthwhile investment for many organisations.

What types of organisations benefit from ISO 27001 certification?

While many organisations have some form of information security standards in place, ISO 27001 is a comprehensive framework for information security, delivering compliance, and assurance, across all areas of an ISMS.

Because of this, ISO 27001 certification can benefit any organisations that are directly or indirectly involved in information security — and especially those that handle sensitive data.

Examples include:

  • Government agencies – including national and local government departments
  • IT companies – including software developers, cloud computing companies, IT support companies
  • Financial companies – including banks, lenders, brokerage houses, insurers, wealth management firms
  • Telecoms companies – including internet service providers, mobile networks, satellite companies
  • Technology companies – including software companies, hardware companies, biotech companies, renewable energy companies

Another important thing to remember is that public and private organisations can define compliance with ISO 27001 as a legal requirement in their contracts.

This means you may need ISO 27001 certification to be a partner, customer or supplier to some organisations, a point that is most relevant to highly-regulated industries like finance, where ISO 27001 is considered an industry standard.

What next?

If you’ve made it this far, then there’s a good chance you believe your organisation would benefit from ISO 27001 certification.

The next step is to discuss this with ISO certification experts, who will help you decide once and for all whether it’s right for your organisation.

In any case, it’s important to implement effective information security education and awareness across your organisation, and our cybersecurity awareness training is the perfect way to get started.

Your GDPR jargon buster

Let’s face it, GDPR legislation isn’t an easy read. Scrap that – it’s a slog. It’s so vast, in fact, that you can spend hours reading it and not understand very much at all.

The good news, however, is that it gets significantly easier once you understand what the jargon means and how it all links together.

To help out, we’ve put together this helpful GDPR jargon buster which you can use as a primer before undergoing GDPR training and diving into the intricacies of the legislation. It’s a 5-minute read that’ll save you hours of time.

Let’s get to it…

What is a Data Protection Officer?

A Data Protection Officer is an expert in data protection law. Their role is to ensure an organisation processes personal data in compliance with the GDPR.

It is a legally required appointment where the processing in question involves regular and systematic monitoring of data subjects on a large scale, or where the processing is of special categories of data on a large scale (the threshold is 5,000 persons).

What is a Subject Access Request?

A Subject Access Request (SAR) is a request for access to personal data. This is the correct legal mechanism under the GDPR for accessing and receiving a copy of personal data as well as other supplementary information held on file.

An individual can make a SAR themselves or have a legal representative do it in writing, verbally, or even on social media. As the ICO says, “a request is valid if it is clear that the individual is asking for their own personal data. An individual does not need to use specific words, refer to legislation or direct the request to a specific contact.”

What is a Data Subject?

A Data Subject is any person about whom data is held and who can be identified, directly or indirectly, via an identifier in the data collected about them.

Examples of personal identifiers include name and passport number. Identifiers also include physical, physiological, genetic, mental, economic, cultural and social identifiers, such as religion and race.

What is a Data Controller?

A Data Controller is an entity (company, individual, or other body) that controls the means and purpose of processing data. They are the decision-makers with regards to processing. In other words, they instruct the processor.

What is a Data Processor?

A Data Processor is an entity (company, individual, or other body) that processes data on behalf of a Data Controller. They only work on the instructions of the Data Controller. They serve the controller’s interests rather than their own.

What is Profiling?

In the GDPR, Profiling is defined as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.” Organisations use profiling to predict behaviour, discover user preferences, and make decisions (such as credit decisions).

What is Pseudonymisation?

Pseudonymisation is a data processing technique that replaces certain identifiers in a data set with pseudonyms, or removes them, so that the remaining values cannot identify the individual on their own. Controllers will often pseudonymise data so they can use the data beyond the purpose for which it was originally collected. This is allowed under Article 6(4)(e) of the GDPR.

The UK GDPR defines Pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”

What is the Data Protection Act?

The Data Protection Act 2018 is UK legislation that sets out the framework for the UK GDPR, a modified version of the EU GDPR with derogations and other provisions.

Put simply, the Data Protection Act 2018 is the UK’s implementation of the EU’s General Data Protection Regulation, which is why you will see the phrase “UK GDPR” used a lot in reference to legislation that applies in the United Kingdom.

Find out more

Our NCSC-certified GDPR training courses are the perfect way for everyone in your organisation to learn more about the GDPR. We can help you get to grips with the GDPR and ensure compliance across your organisation.

What you need to know about anti-bribery training

When you think of bribery, you might think of bent coppers (thanks, Line of Duty). Or, you might imagine shady political deals and cash-lined handshakes.

The reality for the vast majority of businesses and organisations, however, is much more prosaic – though no less insidious. Bribery is, in fact, extremely commonplace. Why? Simply because many employees don’t know a bribe when they see one.

As such, anti-bribery training is required to reduce the risk that someone who works for you or on your behalf might be exposed to bribery.

Oddly, despite bribery being a common cause of corruption, many organisations do not train staff to be aware of what situations and actions they should be avoiding. This leaves them exposed to non-compliance and regulatory or legal action.

The compliance aspect of bribery comes via the Bribery Act 2010, which not only says that commercial organisations should adopt a “risk-based approach” to managing bribery risks, but also includes training as one of its six principles.

In this blog, we’ll reveal what you need to know about anti-bribery training so you can figure out if your organisation needs it and what to do next.

What is anti-bribery training?

Anti-bribery training educates staff about bribery so they can recognise it and make the correct decisions when they encounter it.

There are two core learning outcomes with anti-bribery training:

  • Being able to recognise the many forms of bribery
  • Being able to react/respond to bribery attempts correctly

It’s important for everyone in an organisation who might be exposed to bribery to receive anti-bribery training so there are no weak links.

The Bribery Act 2010 defines bribery in law and any good anti-bribery course should help people understand the intricacies of the legislation.

What are the six principles of the Bribery Act?

The Bribery Act 2010 has six principles. They are not prescriptive but are designed to guide and inform decisions regarding anti-bribery policy.

Principle 1: Proportionate procedures

Put in place procedures that are proportionate to the scale and complexity of your commercial organisation’s activities.

Principle 2: Top-level commitment

Foster a top-level culture within your organisation that takes bribery seriously and makes it clear that bribery is not acceptable.

Principle 3: Risk assessment

Assess and understand the risks of bribery posed to your organisation and the persons associated with it.

Principle 4: Due diligence

Take a proportionate and risk-based approach to bribery in respect of procedures and the persons who might be exposed to bribery.

Principle 5: Communication (including training)

Ensure that your bribery prevention policies are understood within your organisation, with training that is proportionate to the risks you face.

Principle 6: Monitoring and review

Keep on top of your bribery policy and procedures and make improvements where necessary to assure continued compliance.

You can find more detail about the six principles of the Bribery Act here.

Who needs an anti-bribery policy?

Every commercial organisation that is at risk of being exposed to bribery needs an anti-bribery policy to comply with legislation.

The Bribery Act 2010 creates offences of offering or receiving bribes, and of failing to prevent persons associated with your organisation from committing bribery on its behalf.

An anti-bribery policy is necessary to comply with the law and ensure that your organisation proportionately counters bribery and corruption.

What is classed as bribery?

Bribery is an unethical gesture intended to influence a person’s behaviour by offering a financial or other advantage.

Bribes are often business-motivated and come in many forms, but they always intend to achieve an advantage, whether it be financial or preferential treatment.

Unfortunately, bribes can be difficult to spot. Is offering a referral fee to an executive in another company to win a contract a bribe? Is offering a female employee a bonus in return for coming back to work early from maternity leave a bribe?

Because bribes can be difficult to spot, anti-bribery training is essential for commercial organisations. By knowing what a bribe looks like, everyone in your organisation will be able to avoid it, spot it and stop it before it escalates.

How can you reduce bribery in your organisation?

The most important thing is to understand the legislation surrounding bribery and create an anti-bribery policy around that legislation.

One of the most important aspects of your policy will be anti-bribery training so that everyone in your organisation can recognise bribery and react to bribery attempts correctly.

Like all procedures, training should be proportionate to risk, but some training will also help to establish an anti-bribery culture in your organisation.

We recommend mandatory general training for all employees that covers education and awareness raising about bribery. More intensive training may also be needed for people in higher-risk roles such as finance, purchasing and IT.

Our anti-bribery course is a great place to start. It’s accredited by the National Cyber Security Centre and simplifies the intricacies of bribery legislation, with engaging animations and simple, effective language.

These Two Elements Create Devastatingly Effective Phishing Emails

Phishing emails remain one of the biggest threats facing both individuals and organisations online. According to analysis from Verizon, 90% of all cyber security incidents and breaches in 2017 included a phishing element, and 76% of organisations experienced a phishing attack.

Of course, not all phishing emails are created equal, ranging from broad attacks around phoney billionaires with trapped funds to specific, targeted campaigns which utilise your publicly available information.

At Bob’s Business, we’re at the forefront of the fight against phishing emails. Our award-winning Think Before you Click phishing simulation finds the vulnerabilities in your organisation and launches targeted training to reduce the likelihood of your workforce clicking on malicious links.

Our approach is deeply rooted in science, which is why, working in conjunction with the University of Huddersfield, we have created a statistical analysis of the results from over 67,000 phishing emails.

The results were stunning and revealed the factors that can lead to a phishing success rate of 94%. But what are those factors, and what can you do to reduce your organisation’s risk of falling victim to an attack? Join us as we share our findings.

What Makes an Effective Phishing Email?

Element #1: Internal vs. External emails


The key factor that determined if a phishing email was a success or not was whether it appeared to come from within the organisation (internal, e.g. an apparent IT security update) or outside the organisation (external, e.g. a discount offer from an online retailer).

Over one in three employees (37.2%) were phished when opening external emails. However, the phishing rate rose to 78% when the emails seemed to be from an internal source. This suggests that employees trust emails that appear to come from internal sources almost twice as much as those from an external source.

Element #2: Danger vs. Benefit


The other factor that determined whether a phishing email was a success or not was whether it employed a ‘danger’ or ‘benefit’ to encourage the recipient to engage with the embedded link.

A ‘danger’ in a phishing email is some sort of risk of loss to the recipient if they do not respond, such as the threat of losing access to an account or a large unexpected bill. A ‘benefit’ might be a voucher for a free product or a tax rebate that requires claiming.

Our research found that a phishing email featuring a ‘danger’ had a phishing success rate of 75%, whilst a phishing email with a ‘benefit’ had a phishing success rate of 39%, clearly indicating that we’re all more likely to act when under pressure.

Combining Factors

By combining elements, our analysis reveals the common blind spots in organisations.

As expected, phishing emails that posed as internal and included a ‘danger’ were by far the most effective.

The analysis shows that, if the email was from an external source, just over one in three employees (37.2%) clicked on the email and were phished. However, if the email was from an internal source, between 44.6% and 94.1% clicked, depending on whether there was a benefit or a danger that encouraged the user to do so.

If an email was from an internal source and contained a benefit, we saw a phishing rate of just under one in two (44.6%), while internal emails that contained a danger led to a high risk of phishing, with over nine out of ten people being phished (94.13%).

What Can We Learn From This Analysis?

With phishing rates on the rise globally and attacks growing more sophisticated by the day, it’s vital that each of us understands the risks that phishing attacks pose.

Technological solutions offer some protection from phishing attacks, but with analysis of big tech firms finding that only 36% of phishing emails with links were stopped by their systems, it’s clear that more needs to be done to tackle the issue.

It’s especially pressing when you consider that just one phishing email needs to be successful in order to potentially breach your systems.

As such, the only viable option for organisations is to train their staff to better understand how to identify and report phishing emails effectively. By combining a simulated phishing campaign with targeted training, we have found that phishing risk can be reduced by 74.83%.

We firmly believe that focusing on human behaviour and understanding why your employees click is the key to reducing risk, as training can then be targeted towards changing behaviour.

Book a web demonstration today to learn more about how we can help transform cultures within your organisation.

Download the Infographic

Want to raise awareness of phishing within your organisation, or simply looking for a visual way to share our findings? Click on the infographic below to download your own sharable copy.

[Infographic: Phishing Psychology, Bob’s Business]

Methodology

Bob’s Business’ analysis includes 67,000 users and found that more than 18,000 (26.8%) individuals opened phishing emails. Of these 18,000 who opened them, over 10,000 (56.2%) were successfully phished. All statistics are drawn from the 18,000 individuals who opened the phishing emails.

Contact Us for Comment

Want to discuss our findings? Get in touch with our team at marketing@bobsbusiness.co.uk

Introducing Bob’s Compliance

Bob’s Business is proud to announce the launch of an all-new SaaS solution aimed at bringing cybersecurity training to SME organisations. Available from just £1.39 per user, per month.

At Bob’s Business, we know that cybersecurity is crucial for organisations of all sizes, not just big businesses. In fact, according to the FSB, UK SME organisations see almost 10,000 attacks a day.

Historically, however, smaller organisations have shied away from training their team on cybersecurity and compliance topics. Why? Because the products available to them have been too expensive, demanded long-term contracts and had features that SMEs don’t need.

The good news? We’ve built a solution that’s tailor-made to give you everything you need, and nothing you don’t, at a price that’s affordable for all. It’s called Bob’s Compliance, but what makes it the ideal solution for you?

Affordable pricing, instant access

Times are tough, especially for SME organisations. That’s why we’ve driven down the price of our training to make it affordable for every organisation.

From the price of a cup of coffee a month, your team can start learning critical cybersecurity, compliance and social engineering topics. Better still, signing up and enrolling your users takes mere minutes, and is completed online.

Full access to our NCSC-accredited course catalogue

With Bob’s Compliance, every member of your team gets access to our full course catalogue on your own organisational LMS, complete with completion tracking.

That means access to our full GDPR catalogue and popular courses like Secure Printing, Social Media, Carefully Classified, Email Etiquette, Mobile Working, Perfect Passwords and Phishing Fears; ideal for demonstrating compliance with ISO 27001.

No long-term contract (unless you want one)

We’ve heard you loud and clear – committing to a one or three-year contract is a significant demand in trying times. That’s why with Bob’s Compliance we’re introducing rolling one-month contracts.

It’s the ideal solution for organisations looking to give our training a try, spread the cost of their annual training or simply cancel their subscription as and when they wish.

Want even better value? One and three-year contracts are available with huge savings on monthly subscriptions!

Ready to get started? Click here!

What is considered a breach of the GDPR?

The General Data Protection Regulation (GDPR) sets out legislation that governs how data related to people in the EU and UK should be collected and processed. In the UK, the GDPR forms part of the Data Protection Act 2018.

One of the areas of focus for the GDPR is data breaches, which fall under the wider topic of data management. Under the GDPR, organisations that control and process data are accountable for that data and must take steps to manage and secure it.

When this data is compromised, a breach of the GDPR occurs. With potential fines of up to €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater – for infringements, data breaches can have serious consequences for you and your organisation.

In this blog, we’ll share with you what constitutes a GDPR breach, the most common causes of breaches and what your organisation can do to avoid them.

What is a breach of GDPR?

In the GDPR text, a data breach is defined as a breach of security leading to the accidental, unlawful or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, personal data related to individuals living in the EU.

Based on this, data breaches can fall into three categories:

  1. Confidentiality breach – unauthorised or accidental access to personal data
  2. Availability breach – loss or destruction of personal data
  3. Integrity breach – unauthorised or accidental alteration of personal data

The GDPR covers two types of data: ‘personal data’, such as name and surname, home address, email address and location data; and ‘sensitive personal data’, such as biometric data, healthcare records, union memberships and religious beliefs.

What are the common causes of breaches?

Data breaches come in various forms and sizes, ranging from breaches caused by hacking, malware and ransomware, to breaches facilitated by password guessing, phishing and Distributed Denial of Service (DDoS) attacks.

Other causes of data breaches include portable device loss, unintended disclosure, insider leaks and physical data loss (such as from a fire).

Not all incidents are the result of a cyberattack; however, many are. Here’s a breakdown of some of the most common breach types:

Hacking

Most large-scale data breaches are caused by hackers. These criminals use a variety of techniques, including SQL injection, malware and DDoS attacks. In most cases, hacking is premeditated and aimed at compromising a specific data set.

Ransomware

Ransomware is a malicious program that holds a computer to ransom and demands payment, threatening to destroy all data on the computer if the ransom isn’t paid. The resulting loss of data would count as an availability breach.

Employee negligence

Employee negligence could be something as simple as emailing a spreadsheet containing personal data to the wrong person, or as sinister as emailing data to a criminal pretending to be the company CEO, which is exactly what happened with Snapchat in 2016.

Unauthorised access

Unauthorised access can be facilitated by weak passwords, single-factor authentication and leaving devices logged in. Privileged users with access to sensitive information present the biggest risk to organisations.

Portable device loss

Portable device loss poses a significant data management risk, especially when devices are not encrypted and cannot be remotely wiped. This happened in 2007 when a disc containing the personal details of 25 million British families got lost in the post.

Unintended disclosure

Unintended disclosure is when employees with access to sensitive information unintentionally or by mistake reveal confidential information. This is a leading cause of major data breaches under the GDPR.

What can your organisation do?

Invest in training

With the potential for serious fines, it’s vital that GDPR training is deployed to your employees, so that they understand their role in your organisation’s data protection policy.

Your existing training may be insufficient to cover the GDPR and implement necessary behavioural changes. Your employees will need the training to put into practice your privacy and security policies.

Make cybersecurity a top priority

Nothing poses a bigger risk to your organisation than data breaches. Making cybersecurity a top priority will ensure your organisation takes all necessary steps to establish protocols like assigning a data protection officer (DPO) and carrying out Data Protection Impact Assessments (DPIAs).

Stay up to date

Cybersecurity threats are evolving at a rapid rate. Industry trends come and go. Compliance requirements change over time. You need to be aware of the latest developments in cybersecurity and GDPR law so that you can be prepared for the latest threats, continue to comply with the GDPR and run a sound operation.

Partner with a cybersecurity expert

Bob’s Business offers NCSC-certified cybersecurity courses that are designed to change company culture. We can put your organisation on a path to GDPR compliance. Request a free web demonstration to see how Bob’s Business can help keep your organisation secure, or click here to view our success stories.