Why HR’s role in cyber risk management is growing

Many businesses assume that cyberattacks only target larger, higher-profile companies, because those are the incidents that make the news.

The reality? Small businesses are every bit as exposed, and often far less able to absorb the damage.

Attackers know that smaller IT and training budgets mean weaker defences and less-prepared staff, and they exploit both for financial gain.

This blog explores the increasing role of HR in cyber risk management in creating a stronger defence for organisations.

The role of HR in cybersecurity

While IT provides the technical controls, such as antivirus and anti-malware software, firewalls and TLS (SSL) certificates, HR is the expert in policies and people.

One of the biggest risks to an organisation’s cybersecurity is its people: accidental mistakes, such as clicking a phishing link or emailing data to the wrong recipient, and deliberate misuse by insiders.

A University study found that employee mistakes cause 88% of data breach incidents.

Therefore, HR has a significant role to play in developing a culture of employees who are cyber risk-averse and display the required behaviours to help keep the organisation protected from cyberattacks.

Why the role is growing

Historically, protecting IT systems was seen as a problem for the IT department, and HR would have minimal involvement in cyber risk management.

However, more organisations are realising that HR has a crucial role in helping them establish strong cyber risk management processes.

How HR can help develop a culture of cyber security

While IT teams diligently defend against digital threats, HR plays a vital role in ensuring the entire company is equipped to minimise errors and enhance cyber resilience.

By promoting a positive cyber culture, HR lightens the load on IT, reducing breaches, costs, and downtime.

  • Awareness and education: HR can drive cybersecurity awareness by conducting comprehensive training and providing access to webinars, ensuring all employees understand its importance.
  • Learning and adaptation: HR can facilitate regular workshops and upskilling opportunities in cybersecurity, enabling employees to adapt to evolving threats effectively.
  • Overcoming challenges: HR can address resistance to change by fostering open communication and transparency about cybersecurity, ensuring alignment with organisational objectives.


How HR can develop a high-quality cybersecurity risk management framework

Policies

HR should ensure that comprehensive company policies, such as those related to information security, social media use, and cybersecurity, are in place.

Although the IT team will have the main responsibility for writing policies that sit within their domain, HR should have a policy management process to ensure that policies are kept up to date and are easily accessed by employees – for example, published on the company intranet site.

Setting data and access controls

HR can also support cybersecurity by making sure that access levels are appropriate, because HR is the first to know when someone joins, changes role or leaves.

Access to systems and data should follow the principle of least privilege: people get only the access their current job requires, that access is adjusted when they change role, and it is removed promptly when they leave. A leaver whose accounts stay active, or a mover who keeps the rights of a previous job, is a common way for an attacker to end up with more access than anyone intended.
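One way to put the joiner, mover and leaver check into practice is to reconcile HR’s roster against the accounts that actually exist in your systems. The example below is an added illustration, not code from this page or from Bob’s Business: the roster, the accounts and the role-to-entitlement policy are constructed sample data for a hypothetical organisation, and a real run would pull the roster from the HR system and the accounts from a directory or identity provider.

```python
"""Joiner, mover and leaver reconciliation between an HR roster and system accounts.

Added illustration for the access-control point above; it is not code from the
page. The roster, the accounts and the role-to-entitlement policy are all
constructed sample data for a hypothetical organisation.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Hypothetical least-privilege policy: the entitlements each job role needs.
# Anything an enabled account holds beyond its role's set is a finding.
ROLE_ENTITLEMENTS = {
    "payroll": {"hr-portal:read", "payroll:write"},
    "sales": {"crm:read", "crm:write"},
    "it-admin": {"ad:domain-admin", "vpn:access"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    role: str                            # current role per HR (movers get a new one)
    leaving_date: Optional[date] = None  # set once HR has processed the leaver


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: FrozenSet[str]


def reconcile(roster, accounts, today):
    """Compare HR's view of people with the systems' view of accounts.

    Returns three kinds of finding:
      leaver_active  - HR says the person has left but the account is still enabled
      excess         - enabled account holds entitlements its current role does not need
      orphan         - account with no HR record at all (ex-staff, unknown service account)
    """
    by_user = {rec.user: rec for rec in roster}
    findings = {"leaver_active": [], "excess": {}, "orphan": []}
    for acct in accounts:
        rec = by_user.get(acct.user)
        if rec is None:
            findings["orphan"].append(acct.user)
            continue
        if not acct.enabled:
            continue  # a disabled account is already contained; nothing to flag
        if rec.leaving_date is not None and rec.leaving_date <= today:
            findings["leaver_active"].append(acct.user)
        extra = set(acct.entitlements) - ROLE_ENTITLEMENTS.get(rec.role, set())
        if extra:
            findings["excess"][acct.user] = sorted(extra)
    return findings


# Constructed sample data: bob left on 29 March but is still enabled; carol
# moved from it-admin to sales and kept her old domain-admin right; svc-legacy
# has no HR owner at all.
HR_ROSTER = [
    HrRecord("alice", "payroll"),
    HrRecord("bob", "sales", leaving_date=date(2024, 3, 29)),
    HrRecord("carol", "sales"),
]
SYSTEM_ACCOUNTS = [
    Account("alice", True, frozenset({"hr-portal:read", "payroll:write"})),
    Account("bob", True, frozenset({"crm:read"})),
    Account("carol", True, frozenset({"crm:read", "ad:domain-admin"})),
    Account("svc-legacy", True, frozenset({"vpn:access"})),
]


def run_sample(today=date(2024, 4, 15)):
    return reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, today)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

Running it on the sample data reports bob as an active leaver, carol’s leftover domain-admin right as excess access, and svc-legacy as an orphan account that needs an owner. Orphans deserve particular attention: a service account nobody owns is exactly the kind of access that survives staff turnover and is never reviewed.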

Background checks

Internal fraud can lead to data breaches, so HR can apply strict screening when recruiting, such as background checks and reference checks.

This helps to identify candidates who present a higher risk to the organisation, and matters most for roles that will have privileged access to systems or sensitive data.

Training and regulatory compliance

HR typically owns regulatory compliance training, including the mandatory courses every employee must complete.

Traditional regulatory compliance training is not always effective for organisations seeking to increase employee knowledge and develop a culture of high cybersecurity awareness.

Remember, almost 90% of breaches start with simple human error!

Incident response planning

HR also has a part to play in maintaining incident response plans. Working with IT and other departments, HR helps identify suitable people for the named roles in the incident response team, keeps their contact details current (including out-of-hours numbers and deputies), and makes sure they receive the training those roles need.

During an incident, HR handles the people side: communicating with staff, supporting employees affected by the incident, and managing any disciplinary process if an insider was involved. That keeps the technical responders free to deal with the incident itself.

How Bob’s Business can help your organisation

Bob’s Business is committed to ensuring not only the effectiveness of your IT defences but also the readiness of your employees.

We work closely with your HR team to identify organisational vulnerabilities and provide tailored courses that can be delivered to employees.

By leveraging our expertise and innovative approach, we empower organisations to navigate the complexities of cybersecurity with confidence.

With Bob’s Business by your side, you can effectively minimise errors, reduce breaches, and mitigate the impact of cyber incidents on your business operations.

The state of cybersecurity, Q1 2024 edition.

Q1 of 2024 is already behind us, and while the weather might be improving, the cybersecurity threat landscape certainly is not.

Rapidly advancing AI, evolving scams, and higher-than-usual staff turnover in many organisations have created a perfect storm for cybercriminals, resulting in major breaches and increased vulnerabilities.

At Bob’s Business, we partner with several companies to support organisations through those challenges, develop their security posture, and promote positive outcomes in all forms of cybersecurity challenges.

While we’re the experts on all things cybersecurity education, we’re proud of our partnerships, and so we’re opening the floor to just a handful of our trusted partners for their thoughts on The State of Cybersecurity. Let’s get to meet our panellists:

Meet the panellists


Simon Nicholls, UK VP of Sales at Keepnet Labs

Simon Nicholls is the UK VP of Sales at Keepnet Labs, a company transforming cybersecurity by prioritising the human element through a holistic platform that integrates cutting-edge technology, behavioural psychology, and nudge theory. Simon joined the business as the first VP of Sales and is helping to scale the EMEA operation from the ground up.


Rowan Sinclair, Founder & CEO at Nayaka Security

Rowan Sinclair is the founder and CEO of Nayaka Security, a next-gen security specialist that helps SMEs navigate the wild and wonderful landscape of cybersecurity. With a handpicked suite of leading cybersecurity tools and a focus on education and awareness, Nayaka Security empowers clients to proactively protect their digital assets, forging a secure future for businesses in the digital age.


Karl Greenfield, CEO at Pentest Cyber

Karl Greenfield has been involved in cybersecurity since the 1980s and has led many successful teams and task forces globally, most recently as CEO of Pentest Cyber Ltd, which specialises in Cyber Essentials Plus and high-end penetration testing services, with a focus on “result-driven” objective testing that goes beyond “auto-scans” for a discerning international audience.


We asked them a series of questions about the state of the industry and what they think the future holds for cybersecurity.

What notable cybersecurity threats have emerged or evolved so far in 2024?


Simon: In a similar trend analysis to the Allianz Risk Barometer, we have seen the largest emerging risk in 2024 as mobile devices. Specifically, in this area, there has been an astronomical rise in attacks targeting employees’ MFA. Over a period of 90 days, Okta’s network logged approximately 113 million attacks targeting MFA. Email security is a well-developed space in cyber, but mobile device security has fallen behind, meaning it is the go-to attack vector for many hackers in 2024.


Rowan: Automated social engineering incorporating LLMs (large language models) via LinkedIn / Teams / Slack. However, traditional click-a-link phishing is still prevalent, with users consistently falling prey. In my inbox, in particular, I’ve noticed DocuSign, payroll, and faux-supplier phishing attempts.


Karl: The prevalence of AI-augmented techniques in everything, including cybersecurity attack and defence, can no longer be ignored. The persistence with which commodity attacks can now be deployed means that any momentary drop in defences, for example during patching or reconfiguration, that would previously have been well covered by “good luck alone” can now be enough to result in compromise.

What innovative approaches or strategies are being used to improve cybersecurity awareness and promote a security-conscious culture within organisations?


Simon: Behavioural-based learning is a key element of a solid human risk management strategy in 2024. A blanket approach to improving cybersecurity awareness isn’t sufficient. Our clients are specifically interested in tracking user behaviour across all known attack vectors and training the users that need it most with targeted and tailored training to their knowledge gaps.


Rowan: As the average staff age decreases (or we get older), shorter, bitesize content is important to hold attention spans. On-the-spot training with email security solutions like Tessian or Egress has also helped increase security awareness.


Karl: Blending several approaches together as a bespoke “force multiplier”. PTC’s “Cyber-Capability-As-A-Service” combines pen-testing with managed accreditation. Cyber Essentials Plus is a favourite since NCSC reported 50% uptake increase in a year. Add the need to build, maintain and monitor cybersecurity culture tailored to each environment. We use Bob’s Business’ strengths to convey subjects clearly, to the largest audience. Key to our needs is the integral automation of admin tasks, scheduling and deployment of learning opportunities against organisational deadlines.


How can organisations better prepare and adapt to the evolving cybersecurity landscape?


Simon: Knowledge is preparation. Immersing yourself in the new advancements in cybersecurity will help keep companies one step ahead. Attending well-respected events and a select number of webinars/round tables with topics that align with the overall security strategy is the best way to keep abreast of these developments in the most time-efficient way.


Rowan: Constant surveillance such as automated pen-testing solutions, rigorous IDAM, advanced inbound and outbound email security, and, of course, a fully managed user awareness training so IT teams don’t drop the ball on creating a security awareness culture.


Karl: Start by deploying basic defences such as those inherent in gaining “Cyber Essentials Plus”. “Work up” bespoke to your situation, either by your own organisation’s design or in consultation with an expert such as PTC. Remember no two networks are the same, so you must tailor your approach to your unique circumstances. One size, and very rarely one product, seldom “fits all”.


What cybersecurity trends and challenges do you anticipate for the remainder of 2024 and beyond?


Simon: Consolidation is a real trend amongst CISOs. With more security tools than ever on the market, CISOs have the challenge of building a robust toolkit for their security teams without the need for them to log in to multiple different platforms every day to do their job effectively. Identifying top-class consolidated solutions to help resolve this issue and reduce overall security spend will be a challenge and trend this year.


Rowan: As a trend, more security for Kubernetes-based businesses and an increased number of solutions incorporating quantum-resistant algorithms. On the challenge side, security continues to be ROI deficient at an SME level meaning continued difficulty demonstrating its value to senior management until ultimately the organisation is hit by a data breach.


Karl: AI will continue to change things in ways that we can only presently imagine. High-skilled, experienced personnel will remain essential and will become even more scarcely available when needed. New geopolitical developments will continue as a vector for “baddies” to seek to exploit us. The good news is that by taking a structured and measured approach to deploying basic defences, we can continue to protect ourselves effectively.

Partner with Bob’s Business

Eight in ten businesses say that cybersecurity is a high priority for their management boards. Bob’s Business offers a range of solutions designed to reduce their risk of breaches by up to 74%.

With generous compensation, hands-on support and unique differentiation in the market, we’re the best choice for companies looking for a trusted partner within the cybersecurity education space.


The seven video conferencing mistakes you can’t afford to make

When was the last time you stepped out of the office for a face-to-face meeting?

With the rise of online meetings, chances are it’s becoming a rare occurrence.

The perks of not commuting, seamless long-distance communication, and more have made virtual meetings the go-to choice.

But, amidst the convenience, it’s crucial not to overlook the security risks.

As we navigate through the rise of webinars, online meetings, and virtual hangouts, it’s vital to ensure we’re following best practices to keep cyber threats at bay.

The seven video chat mistakes that you simply can’t afford to make

Leaving your microphone on

Let’s start with a classic – leaving the microphone on.

Video conferencing often takes place at home, where all sorts of distractions call for off-mic moments.

The problem is that an open microphone captures every word, including the conversations going on around you.

That is a privacy problem in itself, and without a little awareness you can be caught out saying something you regret.

Worse, background conversations can contain sensitive information, such as personal data about customers or colleagues, or someone reading out a password, which is a real privacy and security risk for the organisation.

The fix is simple: mute your microphone whenever you are not speaking, and glance at the mute indicator before you say anything you would not want the whole call to hear.

Sharing your screen with valuable information on it

One of the biggest advantages that video conferencing brings to the business world is the ability to quickly and easily share what’s on our screens with everyone else.

In a world where most of our work happens on screen, that is a real positive.

But our screens carry more than the work in hand. Everything from idle web searches to tabs holding confidential information is visible if it is open when you share, which at best is awkward and at worst leaks data to people who should not see it.

Most platforms let you share a single window or browser tab rather than the whole screen.

Using that option means you choose exactly what others can see. Close unrelated windows and silence notifications before you start, because a chat message or email preview popping up mid-share is visible to everyone on the call.

Always check what is on your screen before you share it, and stop sharing as soon as you are done – you’ll be glad you did!

Sharing photographs of your meetings online

One trend that has led to security risks within online meetings is sharing pictures of video calls.

Popular video conferencing solutions like Zoom identify a meeting by an ID number, and that ID is visible on screen. If the meeting is not protected by a passcode or a waiting room, anyone who sees a photo of it can dial in from any supported device, and a personal meeting ID that never changes is a standing invitation to every meeting you hold.

With so many vital, highly confidential meetings being held worldwide, it’s crucial that your private information is kept that way—no matter how proud you are of your meeting—so keep your meeting pictures off social media.

Do you remember when Boris Johnson shared an image of the first virtual cabinet meeting back in 2020, exposing the Zoom meeting ID and cabinet members’ usernames? It was a serious lapse in government security, and one that caused real headaches for government security officials.

Not warning your cohabitors that you’re on a call

We’re all in this together and, for many of us, that means family and cohabitors spending our time under the same roof. It’s a tricky situation, but one that we have no choice but to handle.

If you don’t have a dedicated office space where you can focus solely on your work, it’s crucial that you let the people you’re sharing a space with know that you’re going to be on a call.

We’ve all seen the widely shared clips of unwitting family members wandering into shot, so take the time to ask for a little privacy.

Missing end-to-end encryption

It’s important to consider encryption when choosing a video meeting platform, and to understand which kind is on offer.

Almost every platform encrypts traffic in transit between you and the provider, which stops someone on the network from eavesdropping. It does not stop the provider itself, or anyone who compromises the provider, from accessing the content of your meetings. End-to-end encryption means only the participants hold the keys, so the provider cannot decrypt the call either.

Look for a platform that offers end-to-end encryption for sensitive meetings, and check whether it has to be switched on explicitly: on some platforms it is off by default and, when enabled, disables features such as cloud recording or telephone dial-in, because those require the provider to see the content.

Failing to update software

Keeping your video conferencing software up to date is essential for maintaining security.

Neglecting software updates leaves your system vulnerable to cyber threats. After all, there’s a reason why that update was pushed live.

Make sure to regularly update your software to patch security vulnerabilities and strengthen your defences against potential attacks.

Implementing automated update mechanisms can simplify this process and ensure that your video meeting stays secure against growing cybersecurity threats.

Not securing your call

You’d make sure the door was shut before holding a private meeting, wouldn’t you?

So it goes without saying that you should lock your video call to stop people joining without permission.

Whether you’re using Google Meet, Zoom, Microsoft Teams, or any other video conferencing tool, you’ll find a range of security features that ensure only those who are invited can access the call.

Take the time to review and adjust the default settings: require a passcode, enable the waiting room so the host admits each participant, generate a fresh meeting ID for each meeting rather than reusing a personal one, restrict screen sharing to the host, and lock the meeting once everyone has arrived.

How Bob’s Business can help you

With the rise of virtual meetings, ensuring the security of your online interactions is crucial.

Our tailored cybersecurity training equips you with the knowledge and skills needed to navigate virtual meetings – and all things cyber – safely.

Our courses cover all aspects of secure online communication, from understanding the risks of leaving your microphone on to securing your calls with password protection.

With practical guidance on adjusting default settings and implementing encryption features, we empower you to confidently navigate virtual meetings and mitigate potential threats.

Our innovative online cybersecurity awareness courses are designed to offer real, actionable advice in fun, short and unique animations – so why wait?

Vans data breach explained: Everything you need to know

Imagine the sinking feeling of a critical system failure right before a major product launch.

Now imagine having to communicate to millions of customers that their records were exposed in a data breach.

That’s the harsh reality Vans’ parent company, VF Corporation, faced in December 2023.

This breach is a stark reminder for CISOs and CEOs: even industry giants are vulnerable.

While details remain under investigation, the incident highlights the ever-present threat of cyberattacks and the crucial role strong cybersecurity plays in protecting your organisation’s reputation and customer trust.

Let’s dig into the details and explore how your organisation can avoid the same fate.

A look inside the Vans data breach

In December 2023, VF Corporation, Vans’ parent company, fell victim to a cyber-attack.

While the initial details were murky, a later filing with the US Securities and Exchange Commission confirmed the hackers’ haul: an astounding 35.5 million customers’ personal data.

Here’s what we know so far:

VF Corp’s December 2023 filing said that a threat actor had gained unauthorised access to part of its IT systems, disrupted business operations by encrypting some of those systems, and stolen data, including personal data. How the attacker got in has not been disclosed.

Thankfully, financial information such as payment card details appears to be unaffected: VF Corp has said it does not retain payment card or bank account details in the affected systems and has no evidence that such data was taken.

However, the stolen data reportedly includes names, email addresses, phone numbers, billing and shipping addresses, and, potentially, purchase history.

The aftermath: Vans emailed customers in March 2024 to inform them of the breach and potential risks associated with compromised data.

They also offered guidance on how to avoid phishing scams that might capitalise on the situation.

From clicks to consequences: Why this matters

Vans’ data breach serves as a stark reminder of the ever-present threat of cybercrime. But beyond the initial shock, it raises crucial questions:

  • Human error or sophisticated attack?: The entry route has not been made public, but intrusions of this kind commonly begin with a phishing email, a stolen or reused password, or a remote-access service without multi-factor authentication. Even a single unprotected mailbox can be the gateway to a massive data leak.
  • Beyond financial loss: The repercussions of a data breach extend far beyond monetary compensation. Breaches erode customer trust, a vital asset in today’s competitive retail landscape.
  • A wake-up call for all: This incident isn’t just about Vans. It’s a cautionary tale for every company entrusted with customer data. Strong cybersecurity practices are no longer a luxury; they’re a necessity.

How to avoid a similar fate

The good news is that businesses can take proactive steps to minimise the risk of data breaches. Here are some key strategies:

  • Educate your employees: Regular cybersecurity training empowers employees to identify phishing attempts, handle sensitive data responsibly, and adhere to company security policies.
  • Embrace awareness: Don’t let cybersecurity training become a one-time event. Regular awareness programs ensure employees stay updated on the latest threats and best practices.
  • Passwords matter: Enforce strong password policies: require long passphrases, screen new passwords against lists of known-breached ones, and enable multi-factor authentication everywhere it is available. Current NCSC and NIST guidance advises against forcing regular password changes, which pushes people towards weak, predictable patterns; change a password when there is reason to believe it has been compromised.
  • Encryption is key: Encrypt sensitive data at rest and in transit to minimise the damage if a breach occurs.
  • Control who sees what: Implement access controls, granting access to sensitive data only to those who absolutely need it.
  • Prepare for the worst: Develop a comprehensive incident response plan outlining steps to take in case of a breach. This includes communication protocols and measures to mitigate the impact.
  • Security audits: Conduct regular security audits to identify vulnerabilities before hackers do.
  • Security is everyone’s job: Foster a culture of security within your organisation. When employees understand the importance of data protection and feel comfortable reporting potential security incidents, everyone wins.

How Bob’s Business can help protect your organisation

The Vans data breach is a cautionary tale. It highlights the importance of robust cybersecurity practices and the devastating consequences of even a single misstep.

By prioritising employee training, implementing strong data security measures, and fostering a culture of security awareness, businesses can take control of their data destiny and protect the trust of their customers.

Remember, in the age of cybercrime, prevention is always better than cure.

Here at Bob’s Business, we help you stop data breaches before they land you in a precarious situation.

From employee training and phishing awareness programs to security audits and incident response planning, we offer a comprehensive toolkit to safeguard your customer data.


How to create a proactive incident response plan

Have you ever heard the saying, “Fail to prepare, prepare to fail”?

It is especially relevant in cybersecurity practices.

With AI enabling scammers and hackers to create more sophisticated attacks at scale, being prepared for the worst-case scenario is vital for business success.

While taking steps to prevent attacks is vital, having a strong incident response plan is just as important. It’s like having a safety net – it can minimise the impact of a cyber incident and save you time and money.

Keep reading to learn how to create a strong response plan to keep your organisation safe.

What is a response plan?

Defining the phrase

A response plan is a structured framework outlining the steps to be taken in the event of a cybersecurity incident.

An incident response plan offers a clear approach to:

  • Identifying the issue
  • Containing the breach
  • Mitigating the attack
  • Recovering from security incidents
  • Preventing future incidents

It outlines the roles and responsibilities of the individuals or teams involved in the response, establishes communication channels, and defines escalation paths.

The benefits of a response plan

Stronger cybersecurity resilience

Being proactive means preparing for potential cyber threats in advance. By doing so, businesses can identify vulnerabilities, set up defences, and establish response strategies.

This makes them more resilient against cyber-attacks.

Secured business continuity

With a proactive plan in place, businesses can keep essential services running, or restore them quickly, during a cyber incident.

This minimises downtime, protects data integrity, and maintains customer trust, keeping operations running smoothly.

Savings on costs

Investing in proactive measures can save businesses money in the long run.

By addressing security issues early, companies can avoid expensive consequences such as data breaches, legal fines, and damage control.

Regular security checks and employee training also help prevent incidents, reducing financial losses.

Reputational protection

A well-executed response plan defends against financial losses and shields a business’s reputation.

Clear and prompt communication during and after an incident shows professionalism and accountability. This builds trust with customers and partners, enhancing the business’s image and loyalty.

Faster recovery

With a response plan ready to go, businesses can respond quickly and efficiently to cyber incidents. This enables faster recovery times and reduces the overall impact on operations.

A step-by-step response plan

Step 1: Establish an incident response team

Designate individuals responsible for responding to cybersecurity incidents. Clearly define their roles and responsibilities.

Step 2: Communication

Create a clear communication strategy for reporting incidents internally and externally. Make sure staff can report a suspected incident quickly and without blame, and agree an out-of-band channel (phone numbers, a separate messaging service) for the response team in case email or chat is itself compromised. Updates to external stakeholders normally follow containment, but regulatory notifications run on their own clock: under UK GDPR, a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of becoming aware of it, whether or not it has been contained.

Step 3: Incident identification criteria

Define clear criteria for recognising and classifying security incidents by severity and impact on the organisation, with examples of each tier, so that whoever spots something knows whether it is a minor event to log or a major incident that triggers the full plan.

Step 4: Containment

Develop a plan for containing the breach: monitoring systems, identifying which accounts, hosts and data were affected to determine the extent of the compromise, and applying containment measures such as isolating affected machines, disabling compromised accounts and blocking attacker addresses. Preserve logs and disk images before wiping or rebuilding anything, or the investigation in the next step will have nothing to work from.

Step 5: Investigation and analysis

Conduct a thorough investigation and analysis of the incident to determine its cause and impact. Identify vulnerabilities and weaknesses in systems or processes that contributed to the breach.

Step 6: Mitigation and recovery

Implement strategies to mitigate the impact of the incident and recover affected systems and data. Prioritise critical systems and services to minimise downtime and disruption to business operations.

Step 7: Security experts

Line up external specialists in advance: a digital forensics and incident response provider, legal counsel, and your cyber insurer, whose policy may require it to be notified before certain steps are taken. Agree contracts and contact details before an incident so they can be called on immediately, and ensure they have the access and support needed to address the situation effectively.

Step 8: Enhance security measures

Take steps to enhance security measures based on lessons learned from the incident. This may include implementing additional safeguards, updating security policies, or improving security controls.

Step 9: Training, improvement, and awareness

Conduct training sessions to improve incident response capabilities and raise awareness of cybersecurity risks among employees.

Continuously review and update training programmes to address evolving threats and vulnerabilities.
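Step 4 asks the team to work out the extent of the compromise before containing it, and that scoping question is the part most plans leave vague. The example below is an added illustration, not code from this page or from Bob’s Business: it takes a set of constructed authentication log lines in a simple key=value format, the name of the account first reported as compromised, and the assumed time of compromise, and walks the logs to find every host that account reached and every other account that was used from the same attacker addresses. Real sources (Windows logon events, Linux auth.log, identity-provider sign-in logs) need their own parsers, but the scoping rule is the same; the 203.0.113.9 address is a documentation (TEST-NET) address standing in for an attacker.

```python
"""Scoping a compromised account from authentication logs (containment, Step 4).

Added example, not code from the original page. The log lines are constructed
sample data in a simple key=value format; real sources (Windows event 4624,
Linux auth.log, identity-provider sign-in logs) need their own parsing, but the
scoping rule is the same.
"""
import re
from datetime import datetime, timezone

# Constructed sample log. "bob" is the account reported compromised; the first
# logon from 203.0.113.9 (a TEST-NET address standing in for an attacker) at
# 09:14 is taken as the time of compromise. Everything bob did before that is
# presumed legitimate.
SAMPLE_LOG = """\
2024-04-02T08:55:10Z host=ws-bob event=logon user=bob src=10.0.5.22 result=success
2024-04-02T09:14:03Z host=ws-bob event=logon user=bob src=203.0.113.9 result=success
2024-04-02T09:20:41Z host=fs01 event=logon user=bob src=203.0.113.9 result=success
2024-04-02T09:31:07Z host=fs01 event=logon user=svc-backup src=203.0.113.9 result=success
2024-04-02T09:45:59Z host=db02 event=logon user=svc-backup src=10.0.7.14 result=success
2024-04-02T09:50:12Z host=db02 event=logon user=carol src=10.0.6.31 result=success
2024-04-02T10:02:33Z host=mail01 event=logon user=bob src=203.0.113.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse key=value lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash mid-incident
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def scope_compromise(events, account, compromised_at):
    """Return the containment set for a compromised account.

    Deliberately conservative rules that produce candidates for analyst review:
      1. every host the account logged on to at or after the compromise time is
         treated as touched and goes on the containment list;
      2. every source address a suspect account used after the compromise is
         treated as attacker-controlled, so any other account that authenticated
         from such a source becomes suspect too (its credential must be reset).
    The rules are repeated until nothing new is found, because a newly suspect
    account can reach further hosts and sources. Failed logons from suspect
    accounts or sources are reported separately as attempted targets.
    """
    suspect = {account}
    sources = set()
    hosts = set()
    attempted = set()
    changed = True
    while changed:
        changed = False
        for ev in events:
            if ev["ts"] < compromised_at or ev["event"] != "logon":
                continue
            if ev["result"] != "success":
                if ev["user"] in suspect or ev["src"] in sources:
                    attempted.add(ev["host"])
                continue
            if ev["user"] in suspect:
                if ev["host"] not in hosts or ev["src"] not in sources:
                    hosts.add(ev["host"])
                    sources.add(ev["src"])
                    changed = True
            elif ev["src"] in sources:
                suspect.add(ev["user"])
                changed = True
    return {
        "accounts": sorted(suspect),
        "hosts": sorted(hosts),
        "sources": sorted(sources),
        "attempted": sorted(attempted - hosts),
    }


def scope_sample():
    """Run the scoping rule over the constructed log for account 'bob'."""
    events = parse_log(SAMPLE_LOG)
    compromised_at = datetime(2024, 4, 2, 9, 14, tzinfo=timezone.utc)
    return scope_compromise(events, "bob", compromised_at)


if __name__ == "__main__":
    for key, values in scope_sample().items():
        print(f"{key}: {', '.join(values) or '-'}")
```

On the sample log the rule widens the incident from one account to two: svc-backup was used from the attacker’s address on fs01 and then reached db02, so both accounts need their credentials reset and ws-bob, fs01 and db02 all need to be isolated and imaged, while mail01 only saw a failed attempt and goes on the watch list. Because rule 2 treats every source a suspect account used as hostile, it will sometimes flag a legitimate internal machine, which is the right failure mode during containment: an analyst can clear a host in minutes, but an attacker left on one can undo the whole response.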

How Bob’s Business can help your organisation

At Bob’s Business, we’re dedicated to ensuring your organisation is prepared for any cybersecurity incident.

Through a comprehensive review of your current cybersecurity measures, we identify vulnerabilities and tailor training specifically for your business’s blind spots.

Our courses are built on two principles—behavioural science and psychology—to deliver truly exceptional results to organisations of all sizes in the public and private sectors.

Ready to build your cybersecurity culture? Discover our range of cybersecurity awareness training solutions.

What is cyber insurance?

In an ideal cyber world, a company would achieve foolproof cybersecurity and hackers would fail every time.

In reality no set of controls is perfect, and cyber insurance can be a valuable asset for many organisations to protect against the inevitability of human error.

As cyber-attacks become more sophisticated, the risks they pose also increase.

These attacks aren’t mere inconveniences, either. Indeed, they can result in significant financial loss, reputational harm, and legal liabilities.

Accordingly, many businesses purchase cyber insurance to help reduce the strain caused by a cyber-attack and enable them to bounce back from a breach.

But what is cyber insurance, and how could it benefit your organisation? Join us as we explore the topic.

Understanding cyber insurance

Cyber insurance is a specialised form of insurance designed to provide financial protection against losses resulting from cyber-related incidents.

Its purpose is to help businesses mitigate the financial impact of cyber-attacks and data breaches by covering various expenses and liabilities associated with such events.

These policies typically offer several types of coverage tailored to address different aspects of cyber risk management:

  • Data breach response: This helps cover the costs of responding to a data breach, such as investigating what happened, notifying affected customers, and managing the fallout to protect reputations.
  • Business interruption: If a cyber attack disrupts business operations and causes a loss of income, this coverage can help make up for that lost revenue and cover any extra expenses needed to get back on track.
  • Liability: This protects businesses from legal claims and expenses if a business is sued because of a cyber incident like a customer’s data being compromised due to negligence.
  • Cyber extortion: If cybercriminals demand a ransom to release data or systems, this coverage can help resolve the situation, including the cost of negotiators and, under some policies, the ransom itself. Be aware that insurers usually require their consent before any payment is made, that paying is unlawful if the recipient is a sanctioned entity, and that payment does not guarantee the data is returned or deleted.
  • Cybercrime: This covers losses from various cyber crimes, such as fraudulent transactions or scams that target your business.

Assess your business’s cyber risk profile

Understanding your business’s digital risks is key. Review your cyber risk profile closely to identify potential threats and weaknesses.

Just like checking for leaks in a roof before a storm, assessing your cyber risk profile helps you prepare for cyber trouble by choosing the right type of insurance.

Consider the cyber threats that could affect your business, such as data breaches or scams. Then, think about how these threats could harm your operations and finances.

For example, a data breach could lead to a loss of customer trust and expensive legal bills. The right insurance can help to mitigate these consequences.

If you’re unsure where to start, insurance companies can help identify your vulnerabilities and tailor a cyber insurance policy to fit your needs.

Evaluating the limitations and benefits

Recognising that cyber insurance policies often come with limitations and exclusions is important. These vary, but common ones include acts of war, intentional acts by employees, and losses that arise because a security control you declared on the proposal form (multi-factor authentication, offline backups, patching within a set period) was not actually in place.

It’s crucial to be aware of these limitations as they can affect the adequacy of your coverage.

Despite these limitations, cyber insurance provides significant benefits. It offers financial protection against unforeseen cyber incidents, which can save your business from large costs.

For example, it can cover expenses related to data breach response, business interruption, and legal liabilities.

By understanding both the benefits and potential limitations, you can make an informed decision about whether cyber insurance is the right choice for your business.

How to integrate cyber insurance into cybersecurity processes

Tailored coverage

Work closely with your insurance provider to tailor a cyber insurance policy that aligns with your business’s unique risk profile.

Ensure that the policy provides adequate coverage for potential cyber incidents, including data breaches, business interruptions, and legal liabilities.

Incident response planning

Develop a strong incident response plan that outlines the steps to take in the event of a cyber incident.

This plan should include procedures for initiating insurance claims and utilising coverage effectively to mitigate financial losses and restore normal business operations.

Employee training and awareness

While cyber insurance acts as a safety net, cybersecurity awareness training remains a vital part of any cybersecurity strategy. Indeed, many insurers require employees to undergo regular cybersecurity awareness training as part of their agreement.

Educate your employees about the importance of cybersecurity best practices and the role they play in protecting the business from cyber threats.

Regular policy review

Review your cyber insurance policy regularly to ensure that it remains up-to-date with your changing business needs and cyber threats.

Update your policy as necessary to address any new risks or vulnerabilities.

By incorporating these strategies into your cybersecurity processes, you can effectively integrate cyber insurance into your overall risk management strategy.

At Bob’s Business, we are committed to helping organisations strengthen their defences against cyber attacks. That’s why we’re an Aviva Specialist Partner, offering Aviva customers our award-winning, industry-leading cybersecurity awareness & education products at a discounted rate.

We offer tailored solutions to address your cybersecurity challenges and blindspots with gamified eLearning that your employees actually enjoy!

Explore our range of courses here.

The psychology of authority in phishing (and how to stop it)

You’ve heard the warnings: don’t click suspicious links, be wary of urgent emails, and never share your password.

Yet, even the most tech-savvy individuals fall victim to phishing scams. Why?

It’s because phishers don’t just rely on technical trickery; they exploit a powerful human instinct: our inherent trust in authority.

Imagine receiving an email from your CEO or bank demanding immediate action.

The pressure mounts and you might find yourself clicking a link or opening an attachment without thoroughly scrutinising it.

Our vulnerability to authority and time pressure is what phishers leverage to steal sensitive information and wreak havoc on organisations.

Phishing attacks are the most common cyber threat, costing businesses an estimated $23 billion globally in 2023.

But why are these seemingly obvious scams so successful? The answer lies in a powerful psychological phenomenon: the allure of authority.

This blog delves into the psychology behind phishing and the allure of authority. We’ll explore real-world examples, examine the impact of these attacks, and ultimately discuss why cybersecurity awareness training is crucial for every organisation.

Let’s dig into it.

Everything you need to know about authority in phishing

The allure of authority

Phishers don’t just throw random titles around. They meticulously craft their emails to mimic trusted sources, often impersonating:

  • Banks and financial institutions: “Your account has been flagged for suspicious activity. Click here to verify your details.”
  • IT departments: “Important system update required. Click the link to avoid disruptions.”
  • Government agencies: “Urgent tax notification. Download the attached document for further details.”

Phishers exploit a cognitive bias called the “asymmetry of power” by masquerading as entities we’re conditioned to trust.

We tend to perceive those in authority as having superior knowledge and expertise, making us more likely to comply with their requests, even if presented in an unusual manner.

This exploitation of trust isn’t a new idea. In the infamous 1961 Milgram experiment, psychologist Stanley Milgram demonstrated how readily individuals comply with authority figures, even when instructed to administer supposedly harmful shocks to another person.

This experiment highlights the power of authority and its potential to override our moral compass in certain situations.

Furthermore, phishers leverage the power of social influence.

Humans are inherently social creatures, and seeing others succumb to authority figures (even a fabricated one in an email) can increase our own susceptibility.

Imagine receiving an email seemingly from your CEO or manager, urging immediate action. It’s easy to see how even the most vigilant individuals might fall prey to such tactics.

The urgency factor

Phishing emails often employ urgency tactics to heighten the sense of fear and immediacy.

Phrases like “urgent action required,” “account suspension risk,” or “limited-time offer” create a sense of time pressure, bypassing our rational thinking and pushing us to click the malicious link or open the attachment.

This tactic exploits our natural mental shortcuts, where readily available information (like the urgency mentioned in the email) is more persuasive than seeking out additional evidence.

When authority and urgency combine

In a meta-analysis of Bob’s Phishing campaigns, we found that when phishing emails appear to come from an internal source and threaten a danger, like those outlined above, click rates can hit 94%.

It’s an astonishing reminder that no matter how aware of phishing threats we believe ourselves to be, the right combination of elements can bypass our internal defences.

Why cybersecurity awareness training is your ally

While the tactics may seem simple, the consequences of falling victim to a phishing attack can be devastating.

Data breaches, financial losses, and reputational damage are just some of the potential repercussions.

This is where cybersecurity awareness training steps in as your organisation’s shield against these threats.

Here’s how training empowers your employees:

  • Demystifying the tactics: Training equips employees with the knowledge to identify the red flags in phishing attempts. They learn to recognise suspicious sender addresses, generic greetings, poor grammar, and illogical urgency.
  • Empowering critical thinking: Training goes beyond just identifying red flags. It encourages employees to question everything, verify information with official sources, and avoid clicking suspicious links or opening attachments.
  • Building a culture of security: By creating a cybersecurity awareness culture within your organisation, you foster open communication, allowing employees to report suspicious emails and seek clarification when unsure. This collaborative approach strengthens your overall defence against cyber threats.
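As an added example (not from the original post or from Bob’s Business), the following Python scores a message against the red flags listed above: an authority claim from outside the organisation’s own mail domain, the urgency phrases quoted earlier, a mismatched Reply-To and a generic greeting, weighting the authority-plus-urgency combination described in the campaign data. The internal domain, the sample addresses and the three sample emails are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the organisation's own mail domain.
INTERNAL_DOMAIN = "example.com"

# Authority a lure borrows: the impersonated sources listed above.
AUTHORITY_TERMS = [
    "ceo", "chief executive", "managing director", "it department",
    "it support", "helpdesk", "bank", "tax office", "hmrc", "security team",
]

# Urgency phrases quoted above, plus a few close variants.
URGENCY_PHRASES = [
    "urgent action required", "immediate action", "account suspension",
    "limited-time offer", "within 24 hours", "avoid disruptions",
    "verify your details",
]

GENERIC_GREETING = re.compile(r"\bdear (customer|user|employee|colleague|account holder)\b")


def _has_term(text: str, term: str) -> bool:
    """Whole-word match, so 'ceo' does not fire inside an unrelated word."""
    return re.search(r"\b" + re.escape(term) + r"\b", text) is not None


def score_message(raw: str) -> dict:
    """Score one RFC 822 message string against the red flags and return a verdict."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{display_name} {msg.get('Subject', '')} {body}".lower()

    reasons = []
    authority = any(_has_term(text, t) for t in AUTHORITY_TERMS)
    external = sender_domain != INTERNAL_DOMAIN
    if authority:
        origin = "external" if external else "internal"
        reasons.append(f"claims authority ({origin} sender domain {sender_domain or '?'})")
    if reply_to and reply_to.lower() != address.lower():
        reasons.append("Reply-To differs from From")
    urgency_hits = [p for p in URGENCY_PHRASES if p in text]
    if urgency_hits:
        reasons.append("urgency: " + ", ".join(urgency_hits))
    if GENERIC_GREETING.search(text):
        reasons.append("generic greeting")

    score = len(reasons)
    if authority and urgency_hits:
        score += 2  # the combination the campaign data above singles out

    # Authority claimed from outside our own domain plus urgency is the CEO-fraud shape.
    if authority and external and urgency_hits:
        verdict = "quarantine"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "pass"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real mail); the look-alike domain is made up.
SAMPLE_CEO = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.net>
Reply-To: payments@examp1e-corp.net
To: finance@example.com
Subject: Urgent action required - wire transfer today

Dear colleague,
I need this settled within 24 hours. Process the attached invoice today.
"""

SAMPLE_IT = """\
From: "IT Support" <it-support@example.com>
To: all-staff@example.com
Subject: Important system update required

Hi all,
Please restart your laptop before 18:00 to avoid disruptions to email tomorrow.
"""

SAMPLE_BENIGN = """\
From: "Payroll" <payroll@example.com>
To: all-staff@example.com
Subject: March payslips are available

Hi all,
March payslips are now in the HR portal. No action is needed.
"""

if __name__ == "__main__":
    for name, sample in [("ceo", SAMPLE_CEO), ("it", SAMPLE_IT), ("benign", SAMPLE_BENIGN)]:
        result = score_message(sample)
        print(f"{name:7s} {result['verdict']:10s} score={result['score']} {result['reasons']}")
```

The internal IT notice lands in "review" rather than "quarantine" because its authority claim comes from the organisation’s own domain, which is the false-positive case a gateway rule has to tolerate.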

Remember, cybersecurity is a shared responsibility.

It’s not just about the latest technology; it’s about empowering your workforce to be the first line of defence.

By investing in cybersecurity awareness training, you equip your employees with the knowledge and skills to navigate the ever-evolving digital landscape safely.

Understanding the psychology behind phishing tactics, particularly the allure of authority and urgency, is crucial for proactively protecting your organisation.

By prioritising cybersecurity awareness training, you empower your employees to become active participants in keeping your valuable data and systems secure. Want to learn about our cybersecurity solutions that will actually engage your employees? Click here to find out more.

Meet the women shaping the cybersecurity industry

Whilst the demand for cybersecurity expertise has never been so high amongst organisations, there remains a significant skills shortage within the industry.

Indeed, according to UK Government research, 50% of all UK businesses have a basic cybersecurity skills gap, and 33% have an advanced skills gap. It’s a situation that makes the relative rarity of women in cybersecurity all the more confusing.

Just 24% of all cybersecurity employees worldwide are women, a dramatic increase from the 11% in 2017, but still far from parity.

While progress is being made, we still have a long way to go regarding improving diversity in our sector.

In this blog, we’re chatting with female role models in the sector leading the way for a change. Let’s get started.

Meet the panelists


Melanie Oldham OBE, Founder and CEO of Bob’s Business

Melanie’s journey began back in 2007 when she was tasked with supporting the IT team at the Mid Yorkshire Chamber of Commerce to develop a method of translating cybersecurity into a format that staff would easily understand.

16 years later, Melanie has become a leading voice and respected force in the infosec sphere, dedicating herself to raising cybersecurity awareness within organisations and breaking down the barriers between IT teams and their staff. In the 2022 New Year’s Honours List, Melanie was awarded an OBE for Services to Cybersecurity.


Carolyn McKenna, Head of Security Demand, Capability & Awareness at Smart DCC

Carolyn is the Head of Security Demand, Capability & Awareness at Smart DCC – the company that has designed, built, and now manages the technology infrastructure that underpins the smart meter roll-out for Great Britain.

With a background in Information Security compliance, as well as Business Continuity Management Systems, she worked in the telecoms sector for over 25 years, before moving over to Smart DCC and the energy sector in 2018.


Anya Bridges, Junior Project Manager, Bob’s Business

Anya joined Bob’s Business in September 2020, aged just 16, as a Cybersecurity Apprentice keen to discover a sector firmly on the rise.

Since then, she’s enjoyed her own remarkable rise through the ranks, receiving promotions to Cybersecurity Technician and, most recently, Project Manager. The latter is a role she’s also undertaken at the Yorkshire Cyber Security Cluster (YCSC), before graduating to the Steering Committee.

Along the way, she’s received awards and PRINCE2 qualifications.


Cathryn O’Shea, Online Security and Support Manager at Cornerstones Education

When Cathryn graduated from the University of Huddersfield in 2014 with a degree in music, she had no idea what she wanted to do with her career.

She took an office administration job at Cornerstones Education, which was just about to launch its first online platform for schools. Cathryn helped populate the platform with content and users and built an effective customer journey.

The big challenge came when schools started asking security-based questions about their system, especially with the introduction of the GDPR, so Cathryn and the team decided to go all out and implement ISO 27001 across the business.


Caroline Kaye, MD and Principal Consultant at CRK Consulting Limited

Caroline is a mum of two, running her own consultancy business, CRK Consulting Limited, delivering ISO 27001, ISO 9001 and GDPR to businesses across the UK.

Educated to degree level in IT and having worked in numerous IT roles, cybersecurity seemed a natural way forward for Caroline. The first opportunity to implement an Information Security Management System came when she worked for an IT company and ISO 27001 certification was required to secure a large contract.

Fast-forward to today, and 2024 marks the 10th anniversary of Caroline running her own business. In that time she has worked across multiple industries, such as manufacturing, software development, education and training, market research and finance, and has never looked back.


We asked them a series of questions about their achievements, the state of the industry and what they think the future holds for women in cybersecurity.

What are your greatest achievements within the cybersecurity industry?


Melanie: “Helping IT & compliance teams break through the communication barriers that exist between them and end users. Getting everyone to understand the benefits of adopting good cybersecurity practices and how a subject that creates so much resistance can really be made simple.”

“Organically growing a project that was a passion into an award-winning, internationally recognised business that provides employment and stability to a diverse, hugely talented team of individuals.”


Carolyn: “I think my greatest achievement to date is creating Smart DCC’s first intake of Degree Apprentices. We partner with Manchester Met University on their Digital & Technology Solutions Degree Apprenticeship, with four fantastic colleagues now in their final year of the course – following Cybersecurity or Data Analytics pathways. It’s such a privilege to be involved in shaping early careers.”


Anya: “As a young woman in tech, my achievements in cybersecurity include receiving the Special Recognition Award for Cyber Apprentice of the Year in 2023 and leading on impactful processes and projects for the business.”


Cathryn: “When Cornerstones planned to implement ISO 27001 in January 2018, I was promoted to Online Security and Support Manager, given the standard, and given four months until the certification audit to get things in place.”

“With the help of my fantastic team, Cornerstones is now fully certified and is successfully monitoring and maintaining its Information Security Management System.”


Caroline: “When my clients have that light bulb moment when it all falls into place and makes sense, this gives me a warm fuzzy feeling inside knowing that I can walk away from the company and they no longer need my services. They have the skills and confidence to manage their own systems and risks. That’s a job well done.”

What advice would you give to women seeking a career in cybersecurity?


Melanie: “I think it’s essential to acknowledge bad things are going to happen, but what’s important is how quickly you dust yourself off and rise to the challenge. Accepting this has helped me develop a resilience that keeps me going when curve balls come bounding in and knock me off my feet!”

“It’s tough when your kids say ‘Mummy, I hate your work, I want you to stay with me today!’ But it makes me smile when they say ‘My mum teaches people to stay safe and not be silly online’. Knowing that I am helping secure their future makes it all worth it, and I have made it my personal mission to make the online world a safer place.”


Carolyn: “For girls still in school I would encourage them to step outside of what might be seen in their families or culture as traditional roles. My own daughter is 23, and works in Security Architecture at Fujitsu, having completed a Cyber Degree Apprenticeship herself.
Diversity in Security is paramount – if we all come from the same kind of background, we will all think in the same way. We need gender diversity, neurodiversity, cultural diversity and so much more in security to ensure we truly are ‘covering all bases’ regarding our ways of thinking, security controls and designs.”

“Get involved in initiatives such as Cyber First Girls Competition run by the National Cyber Security Centre, look for summer school events for cybersecurity run by companies and universities and don’t be afraid to step out of your comfort zone!”


Anya: “For women entering cybersecurity, my advice is to build a strong foundation of connections, engage in continuous learning, network actively, showcase your skills online, and most importantly have confidence in yourself.”


Cathryn: “It’s an exciting time to join the industry as the world of technology is evolving rapidly so it’s never straightforward! There’s a wealth of information, networks and support so you’re never alone.”

“I landed in this role completely out of my depth and I’m learning something new every day. Make friends, network, and don’t be afraid to challenge people and speak out.”


Caroline: “Go for it, find what area of cybersecurity best suits you, technical or governance for example, seek new challenges and opportunities, and accept that you will make mistakes; this is the best way to learn. Lean on other experts in the area; the people I have come across in this industry are so helpful and willing to share knowledge. Don’t be afraid to ask for help.”

“There are so many ways of learning; information and contacts are at your fingertips. Don’t be a know-it-all. Sit back, listen to people’s opinions, and if you don’t agree, be constructive and work together – no one knows everything.”


What is it like to be a successful woman in an industry predominantly made up of men?


Melanie: “Initially, I found it quite awkward but now love the fact that I am able to inspire and energise an audience of IT professionals, that historically I was intimidated by. Knowing they really appreciate and respect my views and experiences is fantastic.”


Carolyn: “Whilst the industry is still predominantly male, I am definitely seeing more women these days, which is fantastic news. When I joined Smart DCC six years ago, I was the first and only female for over a year, with very few female applicants coming through – now 36% of our Senior & Wider Leadership Team is female!”

“I see many inspiring women at industry events now who have created their own successful cyber businesses, so the balance is slowly getting there. It is important to work in an environment where diversity and inclusion are evident so that you feel comfortable having your voice heard.”


Anya: “Being a woman in a male-dominated industry involves inspiring others, advocating for diversity, and navigating challenges with resilience. Despite occasional obstacles, the experience has been so fulfilling. I have been very fortunate to have a great team around me, and my male colleagues have consistently provided support and encouragement whenever I’ve needed it.”


Cathryn: “Rewarding! I’m in a unique position in that I work very closely alongside other successful women in the industry who have brought a wealth of experience to help us navigate the world of cybersecurity. Despite the challenges we’ve faced along the way, the rewards have definitely been worth the effort.”

“Outside of the workplace I conduct and play in both brass and concert bands, and I have come up against similar challenges because of my age and gender. It has given me the confidence to stand my ground as my career in the cybersecurity industry progresses.”


Caroline: “Liberating. One of my line managers (male) told me that I would never be a success after having children and choosing to work part-time; from that point he constantly ‘kept me in my place’ and told me that I wasn’t good enough. Looking back, I realise he was threatened by my skills and knowledge, which eventually made me stronger and more determined. Since running my own business, I haven’t seen or experienced any gender inequalities, and I no longer even notice that I’m the only female in the room, as my presence and input are valued, based on the experience and knowledge I have gained over the years.”

“When I do take a step back and reflect, it makes me proud that I can run a successful business in a male-dominated environment. What a great message and role model for my daughter – my aim has been achieved.”

AI startup Anthropic data breach: What you need to know

Have you ever hit “send” on an email and immediately regretted it?

The consequences of such a simple mistake can be enormous, especially when the email contains sensitive information.

This scenario became a reality for Anthropic, when a simple human error led to the unintended leak of consumer data.

Let’s explore how one small oversight can have significant implications for an organisation’s reputation, and how your organisation can avoid making a similar mistake.

Understanding the Anthropic data breach

Understanding the breach

In January 2024, Anthropic, an AI startup known for its Claude family of large language models (LLMs) and chatbots, faced a cybersecurity incident due to human error.

The breach began when a contractor sent an unprotected email to a third party containing sensitive customer data, such as customer names and open credit balances.

The breach did not include banking or payment information.

Once the breach was discovered, Anthropic swiftly initiated an investigation to assess the extent of the incident and identify the underlying causes.

Anthropic stated this was an isolated incident caused by human error and not a representation of vulnerabilities within Anthropic’s systems.

However, the consequences of the breach were significant, as sensitive customer information had been compromised.

The company promptly emailed the customers in its database to confirm that only a ‘subset’ were affected, and provided guidance on recognising potential phishing attempts, such as:

  • Requests for payment
  • Requests to amend payment instructions
  • Emails containing suspicious links
  • Requests for credentials or passwords

Reflecting on the breach

The Anthropic incident highlights how a small human error can lead to significant consequences.

Despite advances in technology, human error remains a major cause of data breaches. Professor Jeff Hancock’s study found that 88% of data breach incidents result from employee errors.

Notably, even large companies like Anthropic, often seen as tech leaders, can experience human error data breaches.

This challenges the belief that only smaller, less well-resourced companies are vulnerable.

Such breaches can harm a company’s reputation and customer trust, especially when seen as preventable.

Anthropic’s swift apology and proactive steps to inform customers about potential scams show a commitment to addressing the issue and preventing future incidents through thorough investigation.

The Anthropic incident serves as a reminder of the importance of addressing human error in cybersecurity and taking immediate action to maintain trust and prevent future breaches.

The consequences of human error in data breaches:

  • Reputation damage: Breaches can tarnish a company’s reputation, leading to a loss of trust and credibility.
  • Loss of customer loyalty: Customers may take their business elsewhere, resulting in a decline in loyalty.
  • Financial losses: Breaches incur costs for investigation, notification, and security measures, leading to financial losses.
  • Regulatory compliance issues: Non-compliance with regulations can result in fines and reputational damage.
  • Operational disruption: Breaches disrupt normal business operations, requiring resources for resolution.
  • Legal consequences: Companies may face lawsuits and penalties for negligence in data protection.

How you can prevent human error data breaches

Employee training

Provide comprehensive cyber awareness training on data security protocols, including identifying phishing emails with simulations, proper handling of sensitive information, and adherence to company policies and procedures.

Regular awareness programs

Conduct regular awareness programs to keep employees updated on the latest cybersecurity threats and best practices for data protection.

Strong password policies

Enforce strong password policies, including regular password changes and multi-factor authentication, to add an extra layer of security.

Data encryption

Encrypt sensitive data both in transit and at rest to prevent unauthorised access in case of a breach.

Access controls

Implement access controls to limit employee access to sensitive data only to those who need it for their job roles.

Incident response plan

Develop and regularly update an incident response plan to outline steps to be taken in the event of a data breach, including communication protocols and actions to mitigate the impact.

Regular security audits

Conduct regular security audits to identify vulnerabilities and address them promptly.

Create a culture of security

Foster a culture of security within the organisation, where employees understand the importance of data protection and feel comfortable reporting potential security incidents.

How Bob’s Business can help your organisation

At Bob’s Business, we provide engaging solutions to help organisations reduce the risk of human error data breaches.

Our training and awareness programmes are designed to equip employees with the knowledge and skills necessary to identify and prevent cybersecurity threats.

To further help organisations address the growing threat of QR code phishing, we are offering a free QR code phishing campaign to test staff vulnerability!

Training across generations: Cyber education from Gen X to Gen Z

There’s no denying that, when it comes to technology, the only real constant is change.

From the days of backing up to floppy disks to saving our data to the cloud, cyber technology has undergone a wholesale revolution!

It’s also true that new generations of employees have risen to positions of responsibility within organisations, bringing new perspectives and varying levels of technical literacy and expertise to executive boards.

With each generation experiencing a different tech era, however, the question is: how does that affect your cybersecurity, and should you adapt your training accordingly?

Join us as we share everything you need to know.

Cybersecurity training from Gen X to Gen Z

Technology differences across generations

Gen X

Born between the early 1960s and the early 1980s, Generation X witnessed the transformative journey into the digital era. They embraced the advent of personal computers and experienced the early days of the internet.

Gen Xers became adept at navigating a landscape that seamlessly blended analogue and nascent digital experiences. Their technological journey laid the groundwork for the profound changes that would follow.

Millennials

Spanning the early ’80s to mid-’90s, Millennials emerged as pioneers of the mobile era. Their formative years coincided with the rapid rise of smartphones and the explosion of social media platforms.

This tech-savvy generation adapted swiftly to the shifting landscape, seamlessly integrating mobile devices into their daily lives. Millennials became the architects of a more interconnected world, shaping how businesses engage with technology and each other.

Gen Z

Known as the ‘digital natives,’ Generation Z was born between the mid-1990s and early 2010s. Unlike their predecessors, Gen Zers took their first steps in a world dominated by smartphones and instant connectivity.

Growing up in an age of unprecedented access to information, they possess an innate understanding of digital platforms, making them agile navigators of the ever-evolving technological landscape. Gen Z’s perspective is shaped by a constant flow of information, influencing how they interact with businesses and consume technology.

Generational cybersecurity challenges

Understanding the different tech eras that each generation grew up in highlights why tailored training can be beneficial.

Generation X

A cautious approach:

Having grown up in the pre-digital era, they have a unique approach to technology. They were introduced to the internet when it was far more of a ‘wild west’ than later generations found it, which has left them with a more cautious attitude towards technology. This caution significantly influences their approach to suspicious links and privacy settings.

Dependency:

Unlike more recent generations, they might not depend solely on smartphones for everyday convenience, which can reduce their vulnerability to specific digital risks.

Email-oriented communication:

Having witnessed the rise of email communication, Gen Xers often rely heavily on email for professional and personal interactions. This reliance makes them susceptible to phishing attacks targeting email platforms.

Desktop-centric work:

Gen Xers will likely be more familiar with desktop-based work environments than later generations. This familiarity may make them less vulnerable to certain cyber threats more common in mobile-centric settings.

Millennials

Social media:

Millennials, being early adopters of social media, might share significant amounts of personal information online. This openness can make them targets for social engineering attacks and identity theft.

Data shows that millennials account for more than a third of phishing and identity theft incidents.

App-driven lifestyle:

With the creation of mobile apps, millennials tend to handle various tasks through applications. This app-driven lifestyle exposes them to risks related to app permissions, potentially compromising their data.

Research has shown that Millennials are susceptible to online dating scams, with a staggering 44% falling victim, for example through the Tinder app.

Remote work trends:

Millennials, with a higher inclination towards remote work, face cybersecurity challenges related to securing home networks, sharing sensitive information digitally, and adapting to new digital collaboration tools.

Gen Z

Poor password practice:

Research suggests that Generation Z is more likely than older generations to use the same password for both professional and personal accounts, possibly due to the convenience of managing multiple accounts and devices.

IT updates:

Gen Z tends to overlook mandatory IT updates, possibly because the constant flow of notifications from their devices makes it easy to miss them (58% for Gen Z, 42% for millennials and 31% for Gen X).

Visual and video content consumption:

Gen Z’s preference for visual and video content can lead to exposure to malicious content on various platforms.

Online multiplayer gaming:

With a significant presence in online multiplayer gaming, Gen Z faces unique cybersecurity risks associated with gaming platforms, including potential exposure to scams and phishing.

Web browser habits:

Additionally, research shows that Gen Z often accepts web browser cookies on work-issued devices (48%), surpassing the rates of millennials (43%) and Gen X (31%).

Adapting training methods

A one-size-fits-all approach to cybersecurity training may not be optimal. Tailoring training methods to align with the learning preferences of each generation ensures more effective education and compliance.

Practical examples for Gen X:

Given their unique journey from the analogue to the digital age, Gen X individuals appreciate practical, real-world examples. They’ve seen the evolution from some of the first cyber threats to today’s sophisticated attacks.

Including case studies and scenarios that resonate with their experiences helps highlight the relevance of cybersecurity in their day-to-day lives.

Interactive workshops for millennials:

Millennials, having grown up in the age of smartphones and social media, thrive on interactive learning experiences. Consider conducting workshops that encourage active participation, discussions, and real-world scenarios.

Concise and visual materials for Gen Z:

Gen Z consumes information through visual mediums. Utilise concise and visually appealing materials, such as infographics, short videos, and interactive content. This approach aligns with their preference for quick, visual information, making cybersecurity concepts more accessible and engaging.

Common cyber threats

While each generation faces specific challenges, common cyber threats require all generations to be vigilant and aware.

Employees of every generation should be able to recognise suspicious emails, links or messages quickly.

Additionally, malware doesn’t discriminate based on age.

Ensure all employees understand the importance of effective antivirus software and regular system updates.

Emphasise the significance of strong, unique passwords across all generations. The adoption of good password practices is essential to protecting accounts.

How Bob’s Business can help your organisation

At Bob’s Business, we’re dedicated to building training experiences that fit the needs of every generation.

From our innovative, engaging and practical eLearning training to our phishing simulations, gamified experiences and more, we aim to establish strong cybersecurity practices within your organisation. That’s why we’re trusted by organisations big and small to deliver their training and protect their data.

Click here to discover our course collection.