What you need to know about anti-bribery training

When you think of bribery, you might think of bent coppers (thanks, Line of Duty). Or, you might imagine shady political deals and cash-lined handshakes.

The reality for the vast majority of businesses and organisations, however, is much more prosaic – though no less insidious. Bribery is, in fact, extremely commonplace. Why? Simply because many employees don’t know a bribe when they see one.

As such, anti-bribery training is required to reduce the risk that someone who works for you or on your behalf might be exposed to bribery.

Oddly, despite bribery being a common cause of corruption, many organisations do not train staff to be aware of what situations and actions they should be avoiding. This leaves them exposed to non-compliance and regulatory or legal action.

The compliance aspect of bribery comes via the Bribery Act 2010, which not only says that commercial organisations should adopt a “risk-based approach” to managing bribery risks, but also includes training as one of its six principles.

In this blog, we’ll reveal what you need to know about anti-bribery training so you can figure out if your organisation needs it and what to do next.

What is anti-bribery training?

Anti-bribery training educates staff about bribery so they can recognise it and make the correct decisions when they encounter it.

There are two core learning outcomes with anti-bribery training:

  • Being able to recognise the many forms of bribery
  • Being able to react/respond to bribery attempts correctly

It’s important for everyone in an organisation who might be exposed to bribery to receive anti-bribery training so there are no weak links.

The Bribery Act 2010 defines bribery in law and any good anti-bribery course should help people understand the intricacies of the legislation.

What are the six principles of the Bribery Act?

The Bribery Act 2010 has six principles. They are not prescriptive but are designed to guide and inform decisions regarding anti-bribery policy.

Principle 1

Proportionate procedures

Put in place procedures that are proportionate to the scale and complexity of your commercial organisation’s activities.

Principle 2

Top-level commitment

Foster a top-level culture within your organisation that takes bribery seriously and makes it clear that bribery is not acceptable.

Principle 3

Risk assessment

Assess and understand the risks of bribery posed to your organisation and the persons associated with it.

Principle 4

Due diligence

Take a proportionate and risk-based approach to bribery in respect of procedures and the persons who might be exposed to bribery.

Principle 5

Communication (including training)

Ensure that your bribery prevention policies are understood within your organisation, with training that is proportionate to the risks you face.

Principle 6

Monitoring and review

Keep on top of your bribery policy and procedures and make improvements where necessary to assure continued compliance.

You can find more detail about the six principles of the Bribery Act here.

Who needs an anti-bribery policy?

Every commercial organisation that is at risk of being exposed to bribery needs an anti-bribery policy to comply with legislation.

The Bribery Act 2010 creates offences of offering or receiving bribes, and of failing to prevent persons associated with your organisation from committing bribery on its behalf.

An anti-bribery policy is necessary to comply with the law and ensure that your organisation proportionately counters bribery and corruption.

What is classed as bribery?

Bribery is an unethical gesture intended to influence a person’s behaviour by offering a financial or other advantage.

Bribes are often business-motivated and come in many forms, but they always intend to achieve an advantage, whether it be financial or preferential treatment.

Unfortunately, bribes can be difficult to spot. Is offering a referral fee to an executive in another company to win a contract a bribe? Is offering a female employee a bonus in return for coming back to work early from maternity leave a bribe?

Because bribes can be difficult to spot, anti-bribery training is essential for commercial organisations. By knowing what a bribe looks like, everyone in your organisation will be able to avoid it, spot it and stop it before it escalates.

How can you reduce bribery in your organisation?

The most important thing is to understand the legislation surrounding bribery and create an anti-bribery policy around that legislation.

One of the most important aspects of your policy will be anti-bribery training so that everyone in your organisation can recognise bribery and react to bribery attempts correctly.

Like all procedures, training should be proportionate to risk, but some training will also help to establish an anti-bribery culture in your organisation.

We recommend mandatory general training for all employees that covers education and awareness raising about bribery. More intensive training may also be needed for people in higher-risk roles such as finance, purchasing and IT.

Our anti-bribery course is a great place to start. It’s accredited by the National Cyber Security Centre and simplifies the intricacies of bribery legislation, with engaging animations and simple, effective language.

These Two Elements Create Devastatingly Effective Phishing Emails

Phishing emails remain one of the biggest threats facing both individuals and organisations online. According to analysis from Verizon, 90% of all cyber security incidents and breaches in 2017 included a phishing element, and 76% of organisations experienced a phishing attack.

Of course, not all phishing emails are created equal, ranging from broad attacks around phoney billionaires with trapped funds to specific, targeted campaigns which utilise your publicly available information.

At Bob’s Business, we’re at the forefront of the fight against phishing emails. Our award-winning Think Before you Click phishing simulation finds the vulnerabilities in your organisation and launches targeted training to reduce the likelihood of your workforce clicking on malicious links.

Our approach is deeply rooted in science, which is why, working in conjunction with the University of Huddersfield, we have created a statistical analysis of the results from over 67,000 phishing emails.

The results were stunning and revealed the factors that can lead to a phishing success rate of 94%. But what are those factors, and what can you do to reduce your organisation’s risk of falling victim to an attack? Join us as we share our findings.

What Makes an Effective Phishing Email?

Element #1: Internal vs. External emails

The key factor that determined if a phishing email was a success or not was whether it appeared to come from within the organisation (internal, e.g. an apparent IT security update) or outside the organisation (external, e.g. a discount offer from an online retailer).

Over one in three employees (37.2%) were phished when opening external emails. However, the phishing rate rose to 78% when the emails seemed to be from an internal source. This suggests that employees trust emails that appear to come from internal sources almost twice as much as those from an external source.

Element #2: Danger vs. Benefit

The other factor that determined whether a phishing email was a success or not was whether it employed a ‘danger’ or ‘benefit’ to encourage the recipient to engage with the embedded link.

A ‘danger’ in a phishing email is some sort of risk of loss to the recipient if they do not respond, such as the threat of losing access to an account or a large unexpected bill. A ‘benefit’ might be a voucher for a free product or a tax rebate that requires claiming.

Our research found that a phishing email featuring a ‘danger’ had a phishing success rate of 75%, whilst a phishing email with a ‘benefit’ had a phishing success rate of 39%, clearly indicating that we’re all more likely to act when under pressure.

Combining Factors

By combining elements, our analysis reveals the common blind spots in organisations.

As expected, phishing emails that posed as internal and included a ‘danger’ were by far the most effective.

The analysis shows that, if the email was from an external source, just over one in three employees (37.2%) clicked on the email and were phished. However, if the email was from an internal source, between 44.6% and 94.1% clicked, depending on whether there was a benefit or a danger that encouraged the user to do so.

If an email was from an internal source and contained a benefit, we saw a phishing rate of just under one in two (44.6%), while internal emails that contained a danger led to a high risk of phishing, with over nine out of ten people being phished (94.13%).

What Can We Learn From This Analysis?

With phishing rates on the rise globally and attacks growing more sophisticated by the day, it’s vital that each of us understands the risks that phishing attacks pose.

Technological solutions offer some protection from phishing attacks, but with analysis of big tech firms finding that only 36% of phishing emails with links were stopped by their systems, it’s clear that more needs to be done to tackle the issue.

It’s especially pressing when you consider that just one phishing email needs to be successful in order to potentially breach your systems.

As such, the only viable option for organisations is to train their staff to better understand how to identify and report phishing emails effectively. By combining a simulated phishing campaign with targeted training, we have found that phishing risk can be reduced by 74.83%.

We firmly believe that focusing on human behaviour and understanding why your employees click is the key to reducing risk, as training can then be targeted towards changing behaviour.

Book a web demonstration today to learn more about how we can help transform cultures within your organisation.

Download the Infographic

Want to raise awareness of phishing within your organisation, or simply looking for a visual way to share our findings? Click on the infographic below to download your own sharable copy.

Methodology

Bob’s Business’ analysis includes 67,000 users and found that more than 18,000 (26.8%) individuals opened phishing emails. Of these 18,000 that were opened, over 10,000 (56.2%) were successfully phished. All statistics are pulled from the 18,000 individuals who opened the phishing emails.

Contact Us for Comment

Want to discuss our findings? Get in touch with our team at marketing@bobsbusiness.co.uk

Introducing Bob’s Compliance

Bob’s Business is proud to announce the launch of an all-new SaaS solution aimed at bringing cybersecurity training to SME organisations. Available from just £1.39 per user, per month.

At Bob’s Business, we know that cybersecurity is crucial for organisations of all sizes, not just big businesses. In fact, according to the FSB, UK SME organisations see almost 10,000 attacks a day.

Historically, however, smaller organisations have shied away from training their team on cybersecurity and compliance topics. Why? Because the products available to them have been too expensive, demanded long-term contracts and had features that SMEs don’t need.

The good news? We’ve built a solution that’s tailor-made to give you everything you need, and nothing you don’t, at a price that’s affordable for all. It’s called Bob’s Compliance, but what makes it the ideal solution for you?

Affordable pricing, instant access

Times are tough, especially for SME organisations. That’s why we’ve driven down the price of our training to make it affordable for every organisation.

From the price of a cup of coffee a month, your team can start learning critical cybersecurity, compliance and social engineering topics. Better still, signing up and enrolling your users takes mere minutes, and is completed online.

Full access to our NCSC-accredited course catalogue

With Bob’s Compliance, every member of your team gets access to our full course catalogue on your own organisational LMS, complete with completion tracking.

That means access to our full GDPR catalogue and popular courses like Secure Printing, Social Media, Carefully Classified, Email Etiquette, Mobile Working, Perfect Passwords and Phishing Fears; ideal for demonstrating compliance with ISO 27001.

No long-term contract (unless you want one)

We’ve heard you loud and clear – committing to a one or three-year contract is a significant demand in trying times. That’s why with Bob’s Compliance we’re introducing rolling one-month contracts.

It’s the ideal solution for organisations looking to give our training a try, spread the cost of their annual training or simply cancel their subscription as and when they wish.

Want even better value? One and three-year contracts are available with huge savings on monthly subscriptions!

Ready to get started? Click here!

What is considered a breach of the GDPR?

The General Data Protection Regulation (GDPR) sets out legislation that governs how data related to people in the EU and UK should be collected and processed. In the UK, the GDPR forms part of the Data Protection Act 2018.

One of the areas of focus for the GDPR is data breaches, which fall under the wider topic of data management. Under the GDPR, organisations that control and process data are accountable for that data and must take steps to manage and secure it.

When this data is compromised, a breach of the GDPR occurs. With potential fines of up to €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater – for infringements, data breaches can have serious consequences for you and your organisation.

In this blog, we’ll share with you what constitutes a GDPR breach, the most common causes of breaches and what your organisation can do to avoid them.

What is a breach of GDPR?

In the GDPR text, a data breach is defined as a breach of security leading to the accidental, unlawful or deliberate destruction, loss, alteration, unauthorised disclosure of, or access to, personal data related to individuals living in the EU.

Based on this, data breaches can fall into three categories:

  1. Confidentiality breach – unauthorised or accidental access to personal data
  2. Availability breach – loss or destruction of personal data
  3. Integrity breach – unauthorised or accidental alteration of personal data

The GDPR covers two types of data: ‘personal data’, such as name and surname, home address, email address and location data; and ‘sensitive personal data’, such as biometric data, healthcare records, union memberships and religious beliefs.

What are the common causes of breaches?

Data breaches come in various forms and sizes, ranging from breaches caused by hacking, malware and ransomware, to breaches facilitated by password guessing, phishing and Distributed Denial of Service (DDoS) attacks.

Other causes of data breaches include portable device loss, unintended disclosure, insider leaks and physical data loss (such as from a fire).

Not all incidents are the result of a cyberattack; however, many are. Here’s a breakdown of some of the most common breach types:

Hacking

Most large-scale data breaches are caused by hackers. A variety of techniques are used by these criminals, including SQL injection, malware and DDoS attacks. Hacking is, in most cases, premeditated to compromise a specific data set.

Ransomware

Ransomware is a malicious program that demands payment while holding a computer for ransom. The program then threatens to destroy all data on the computer if the ransom isn’t paid, which would count as an availability breach.

Employee negligence

Employee negligence could be something as simple as emailing a spreadsheet containing personal data to the wrong person, or as sinister as emailing data to a criminal pretending to be the company CEO, which is exactly what happened with Snapchat in 2016.

Unauthorised access

Unauthorised access can be facilitated by weak passwords, single-factor authentication and leaving devices logged in. Privileged users with access to sensitive information present the biggest risk to organisations.

Portable device loss

Portable device loss poses a significant data management risk, especially when devices are not encrypted and cannot be remotely wiped. This happened in 2007 when a disc containing the personal details of 25m British families got lost in the post.

Unintended disclosure

Unintended disclosure is when employees with access to sensitive information unintentionally or by mistake reveal confidential information. This is a leading cause of major data breaches under the GDPR.

What can your organisation do?

Invest in training

With the potential for serious fines, it’s vital that GDPR training is deployed to your employees, so that they understand their role in your organisation’s data protection policy.

Your existing training may be insufficient to cover the GDPR and implement necessary behavioural changes. Your employees will need the training to put into practice your privacy and security policies.

Make cybersecurity a top priority

Nothing poses a bigger risk to your organisation than data breaches. Making cybersecurity a top priority will ensure your organisation takes all necessary steps to establish protocols like assigning a data protection officer (DPO) and carrying out Data Protection Impact Assessments (DPIAs).

Stay up to date

Cybersecurity threats are evolving at a rapid rate. Industry trends come and go. Compliance requirements change over time. You need to be aware of the latest developments in cybersecurity and GDPR law so that you can be prepared for the latest threats, continue to comply with the GDPR and run a sound operation.

Partner with a cybersecurity expert

Bob’s Business offers NCSC certified cybersecurity courses that are designed to change company culture. We can put your organisation on a path to GDPR compliance. Request a free web demonstration to see how Bob’s Business can help keep your organisation secure, or click here to view our success stories.

Small business cybersecurity training: Is it worth investing in?

We’re lucky enough to speak to hundreds of organisations every single month, and often hear the same question asked: ‘Is small business cybersecurity training worth it?’

Whilst cybersecurity attacks might seem like a big business problem, the reality for small organisations is stark.

19 seconds from now a small business in the UK will be hacked. Around 65,000 hacks are attempted on small businesses every day in the UK, with around 4,500 being successful. That’s around a 7% success rate.

So, is small business cybersecurity worth investing in? Of course it is. The way we see it, if your organisation depends on technology to operate, cybersecurity training is as vital to your operation as a shutter is to a newsagent.

Don’t believe us? Join us as we share the stats behind small business cyber attacks, the reasons small businesses are targeted, and how you can protect yourself.

What do the stats say about small business cyber attacks?

Small and medium-sized businesses are primary targets for cyber-attacks. Here are some recent statistics to paint a picture:

  • 40% of small businesses in the UK experience a cyber-attack each year (Statista)
  • Every 19 seconds a small business is hacked (Hiscox)
  • Every 14 seconds an SMB is victim to a ransomware attack (Herjavec Group)
  • 45% of employees receive no cybersecurity training (Kaspersky)
  • 71% of customers would take their business elsewhere after a data breach (Allianz)
  • 27% of malware incidents can be attributed to ransomware (Verizon)
  • 60% of SMBs that suffer a cyber-attack go out of business within 6 months (com)

These numbers paint a stark picture: SMBs are primary targets for cybercriminals and the consequences for these businesses can be devastating.

The most shocking stat of all though? A stunning 45% of employees receive no cybersecurity training at all. This has to change. Without cybersecurity training, employees cannot be expected to protect themselves and the company against cyber-attacks.

Why are SMBs targeted?

SMBs are primary targets for cyber-attacks because they tend to have less security than larger enterprises, and in some cases, no security at all. Low security gives cybercriminals an easy payday. It’s easier to go after smaller fish than develop complex attacks to expose the big fish.

Another reason SMBs are targeted is that they often lack the ability to respond to attacks in real time. SMBs are often slow to react to attacks, if they react at all, which gives hackers more time to get in and out with whatever they are trying to steal.

SMBs are also guilty of not investing in cybersecurity training for employees. Over 90% of successful cybersecurity attacks can be traced back to human error. As such, training is important because it equips employees with the knowledge to recognise threats, prevent cyber-related incidents and respond to potential threats.

What impact could an attack have?

Cyber-attacks can result in financial losses from theft of information, financial losses from disruption to doing business, lost customers, costs from cleaning systems, costs from downtime, costs from fines if personal data is lost, damage to your reputation, damage to other companies and damage to your customers.

What is directly at risk?

When we talk about cybersecurity it can be difficult to imagine what is directly at risk and how it could affect your organisation.

Here’s what’s at risk:

Your money

Your money is at risk in several ways. Hackers could empty your bank account, steal cryptocurrency, intercept payments and raise false invoices. They could disrupt your service, interrupt subscriptions, and delete payment data.

Your IT-based services

In 2020, 43% of online security breaches were from attacks on web applications, more than double the results from last year (Verizon). The disruption caused by hackers to IT-based services can destroy a brand and business overnight.

Your data

Data takes many forms. It includes bank information, client lists, customer databases, emails, financial reports, deals you are making, pricing information, patents, manufacturing data, stock and inventory lists and much more.

What can your organisation do?

Invest in cybersecurity training

By taking steps to deploy cybersecurity training in your organisation, you can reduce your risk of breach by up to 74%. Bob’s Business offers unique, jargon-free NCSC certified cybersecurity training solutions for organisations of all sizes.

Encrypt data

Use encryption on all devices that hold and receive data. This will ensure that sensitive data is useless to anyone who does not hold the decryption key.

Secure your computers

Your computers should have anti-malware software and two-factor authentication. You can also restrict access to certain websites and restrict downloads.

Secure your networks

Secure your network with a firewall, proxies, access control, antivirus software and a high-quality VPN. Enable two-factor authentication for admin access.

Monitor your systems

Collect activity logs and monitor your IT systems. You can use performance monitoring solutions and network monitoring software to identify unauthorised or malicious activity.

Implement identity and access management

Identity and access management facilitates a secure and effective remote workforce and ensures devices can only be accessed by authorised people.

With our award-winning range of small business cybersecurity courses, you can start taking cybersecurity seriously in a fun, pragmatic way. Get in touch with us to discover how we can help your organisation become much more secure.

Identity Theft: What is It and What Can You Do to Stop It?

When we think of theft, we tend to think of our belongings like wallets, purses, smartphones, tablets and laptops. But there’s nothing more precious that can be stolen than your identity.

It can’t be snatched out of a bag or swiped from a table whilst we aren’t looking, but careless behaviour can result in your identity falling into the hands of a cybercriminal. 

Simple mistakes, such as throwing away a bank statement without shredding it, leaving your laptop unattended in a public place, or sending an email to the wrong address, can expose your personal information.

While those actions might seem innocuous, leaving personal information lying around or accessible to others can hold financial or reputational repercussions. Personal data holds substantial value, making it an important target for cybercriminals. 

Once your personal information has been exposed, an identity thief is then able to impersonate you and act on your behalf. For example, signing you up for bank loans, applying for tax refunds, or even emptying your bank account!

What is the Scale of Identity Theft?

Identity theft might seem like an abstract threat, but it’s far from rare. In fact, 2019 saw the highest ever reported cases of identity theft, according to the Cifas National Fraud Database with over 223,000 cases reported, up a remarkable 18% on the previous year. 

Identity theft poses a huge threat for individuals and organisations. Don’t believe us? Check out these statistics: 

Is Identity Theft a Workplace Threat?

Identity theft is often framed as an issue for the individual. After all, it’s your identity being stolen. However, identity theft is being increasingly utilised to gain access to organisations’ vital data. 

By focusing on human vulnerability, attackers can compromise a single email account and use the stolen data to form more advanced attacks against the business.  

This can impact the financial position of a business, potentially resulting in large sums of money lost without any possibility of recovery. 

A business’ reputation, built upon years of excellent service and trust, can likewise experience substantial damage. This can create a secondary financial loss, where customers leave due to fear and loss of confidence in a business. 

Ultimately, the consequences of an attack can become too difficult to deal with, amidst recovery costs exceeding business capabilities, giving a business no option but to shut shop and close trading doors completely.

How to Protect Yourself (and Organisation) from Identity Theft

Identity theft can have serious implications on both your personal and professional life. However, becoming a victim can be relatively easy to avoid. 

Take a look at our prevention tips to stop your personal information and data from being stolen:

  • Invest in a cross-cut paper shredder to destroy all personal and confidential information before discarding it.
  • Check your credit card and bank statements regularly and look out for any unfamiliar activity.
  • Be wary of telephone calls, emails or letters that ask you to give or update security or personal information. Check the identity of removal staff and any unfamiliar faces.
  • Never share your PINs, passwords or personal identification.
  • Install firewalls and protections on your electronic devices, in particular, your computer, phone and laptop.
  • Be careful when using public WiFi networks. Fraudsters can hack into a network, putting your personal data and information at risk.
  • Be conscious of the usernames you choose when online as they can give away your identity to those researching you, for example, ‘Firstname.Lastname84’.
  • Don’t be afraid to question someone asking for a copy of your driving license, passport or another form of primary identification. 

What to Do If Your Identity Is Stolen

There is no worse feeling than the knowledge that a complete stranger has gained access to your personal information or belongings. 

It’s a situation nobody wants to face, so here’s our quick 7 step guide to follow if your identity is stolen.  

  1. Act quickly. As soon as you become aware of a case of identity fraud, make sure you act upon it immediately. Contact Action Fraud on 0300 123 2040 or at the Action Fraud website.
  2. Report any lost or stolen documents to the organisation that issued them. This includes items such as your passport, driving licence and credit card. 
  3. Inform your bank, building society and credit card company. Get in touch and let them know that you have become victim to a fraud attack and make them aware of any unusual transactions on your statement.
  4. Contact the police and inform them about the theft/loss of your personal information, and any suspicious applications and transactions that you have encountered. Make sure you ask for a crime reference number.
  5. Contact the Post Office. Your identity thief may have changed your home address, so contact the Post Office to prevent mail being sent to the wrong address.
  6. Request copies of your credit file and check for any suspicious credit requests. 
  7. Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration.

Sign up for our free web demonstration, showcasing how Bob’s Business can help keep your organisation secure. 

What Were the Most Common Passwords in 2020?

Feel like you have more passwords than you’ve had hot dinners? You’re not alone. With studies showing that the average person has 100 passwords, we’re all managing an ever-growing arsenal of passwords.

Choosing the perfect password, however, can feel like an arduous task, and often leads us into creating the quickest, easiest, most memorable passwords we can.

The problem? They’re rarely the most secure ones.

The result is a pandemic of poor password choices that fatally weaken our defence against cybercriminals. They’re traps which can compromise your data, finances and even your organisation’s cybersecurity.

With the Coronavirus pandemic and the rise in home working in 2020, cybercriminals and the software they utilise have not only grown more sophisticated, but more effective. As such, there’s never been a better time to brush up on how to write a secure password.

In 2020, we took a look back at the most common passwords of 2019, and now, thanks to research from NordPass, we can reveal the most commonly used passwords worldwide in 2020.

So, join us below as we share with you 2020’s most common passwords and explain why you shouldn’t reuse your password alongside much, much more.

What were the most common passwords of 2020?

The top five most commonly used passwords in 2020 were:

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678

Just as in 2019, what unites each of these passwords is the very same thing: simplicity.

The appeal of simplistic passwords is clear. They don’t take long to think up; they’re easy to remember and – most of all – you get to spend less time dreaming up passwords and more time doing something fun, like watching your new Netflix subscription.

Unfortunately, simple passwords come with a simple downside: they’re just as simple to crack. In fact, password cracking software can break through four of the five passwords above in less than a second.

What does the password list tell us?

Several themes recur time and time again in the NordPass password list.

As always, numerical patterns are a prevalent theme, with repeated digit passwords like ‘1111111’, ‘555555’ or ‘999999’ appearing alongside ‘12345’ and ‘123654’ in the top 100.

In fact, out of the top twenty passwords, numerical patterns appear eleven times, highlighting just how common they are.

Another theme that appears time and time again in the list is football teams and fictional characters. Forbes research found that football teams ‘liverpool’, ‘chelsea’, ‘arsenal’, ‘manutd’, and ‘everton’ were the five most commonly used. Meanwhile, ‘superman’, ‘naruto’, ‘tigger’, ‘pokemon’ and ‘batman’ were the most commonly used fictional characters.

Other popular common passwords are names and musicians, which appear throughout the top 100.

So, what do all these patterns tell us?

When building passwords, most of us fall back into behaviours which favour choosing something simple, easy to remember and in some cases, close to our hearts. Whether it’s our football club, favourite band, an easy to recall set of numbers or even our name – many of us are choosing passwords that don’t require us to memorise anything complicated.

All of which brings us to:

How to create a stronger password

There are countless ways to create good, secure passwords, but many popular methods ignore the fact that though ‘C7sf3LU!6w’ is a strong password, it’s virtually impossible to remember. Especially when you compare it to something like ‘leedsutd’, or ‘ashley’.

That’s why at Bob’s Business, we recommend the ‘three words’ method of password creation. Pick three random, unconnected words and put them together. Passwords like ‘frogcapitalglass’ are easy to remember and, crucially, unique.

For an even more secure password, combine those three words with capital letters and numbers, like ‘Frog6Capital0glass’. Want to check how secure your new password is? Try How Secure is my Password and discover just how quickly cybercriminals could crack your password.
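To put numbers behind the “cracked in less than a second” claim and the three-words advice, here is an added example (not code from the original post) that estimates the search space behind a password and the time a brute-force guesser would need. The word-list size and guess rate are assumptions, and the estimate only holds if the words really are random; words drawn from your life, hobbies or team are far weaker than the model says.

```python
"""Added example: order-of-magnitude strength estimates for the kinds of
passwords discussed in the post. The common-password list is the post's
own 2020 top five; the word-list size and guess rate are assumptions."""
import math
import string

# The post's top five passwords of 2020 (NordPass). Anything on a list like
# this is tried in the first few guesses, whatever its length.
COMMON_PASSWORDS = {"123456", "123456789", "picture1", "password", "12345678"}

# Assumptions for the estimate (not figures from the post)
ASSUMED_WORDLIST_SIZE = 7776         # a Diceware-sized word list
ASSUMED_GUESSES_PER_SECOND = 1e10    # offline cracking of a fast hash


def is_common(password: str) -> bool:
    """True if the password is on the common list (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the alphabet the password visibly draws characters from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def bits_random_chars(password: str) -> float:
    """Entropy in bits if every character were chosen uniformly at random,
    as for 'C7sf3LU!6w' in the post."""
    return len(password) * math.log2(charset_size(password))


def bits_random_words(n_words: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Entropy in bits for n_words picked uniformly from a word list,
    as for 'frogcapitalglass' in the post."""
    return n_words * math.log2(wordlist_size)


def crack_seconds(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the search space at `rate`."""
    return (2 ** bits) / 2 / rate


if __name__ == "__main__":
    for pw in ("123456", "picture1", "C7sf3LU!6w"):
        if is_common(pw):
            print(f"{pw!r}: on the common list, guessed immediately")
        else:
            b = bits_random_chars(pw)
            print(f"{pw!r}: {b:.1f} bits, ~{crack_seconds(b):.0f} s to crack")
    for size in (ASSUMED_WORDLIST_SIZE, 100_000):
        b = bits_random_words(3, size)
        print(f"three words from {size} words: {b:.1f} bits, "
              f"~{crack_seconds(b):.0f} s to crack")
```

The word-list size matters: three words from a small list fall in seconds at the assumed rate, while three words from a large vocabulary, or with digits and capitals mixed in as the post suggests, push the estimate to hours and beyond.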

How often should you change your password?

When it comes to how often you should change your password, you might have heard some conflicting reports. Some schools of thought suggest every month, others once every quarter.

The problem with a mandatory password change is that it tends to encourage rushed, superficial changes – an extra capitalised letter here or a few new numbers there. For hackers, these slight changes are easy to guess.

For that reason, it’s recommended that you create unique passwords for each service you use.

Of course, if any service you use is breached, you should immediately change your password to stop criminals from accessing your private information. Finding out whether an account you use has been exposed is simple: just use a website like Have I Been Pwned?

How to remember your passwords

Strong passwords are crucial, but unique passwords are perhaps the most critical element of password security. After all, should your login credentials for one service become exposed, unique passwords ensure that your other accounts remain secure.

That can mean dozens – if not hundreds – of unique passwords required. So, how exactly do you remember all those passwords?

You don’t.

Instead, we recommend you make use of a password manager.

Password managers come in many shapes and sizes, from software managers like Passbolt to password managers that are built directly into your browser. In fact, there’s a good chance you’re already using a password manager in your browser.

So, instead of trying to recall your passwords, make use of a password manager and never worry about forgotten passwords again.

Bob’s top password tips

Creating a secure and memorable password doesn’t need to be complicated. Just follow our top password tips below, and you’ll never need to worry about your password security again.

  • Choose three random, memorable words to make your password. Try to choose words that aren’t related to your life, hobbies or passions, so that no automated hacking system or individual can figure out your password.
  • Create unique passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
  • Check to see if any of your accounts have been breached. By checking Have I Been Pwned? you can see whether any of your details have been breached and released. It should go without saying, these passwords should be changed as soon as possible.
  • Make use of a password manager. Password managers ensure that no matter how unique your passwords get, you never forget about them. Most modern web browsers have password managers built-in, but there are free solutions available also, which are compatible with most devices.

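Have I Been Pwned also lets you check whether a password itself has appeared in a breach, without ever sending the password. The added example below (not code from the post or from Have I Been Pwned) shows the k-anonymity exchange its Pwned Passwords range API uses: only the first five hex characters of the password’s SHA-1 leave your machine, the server returns every matching suffix, and the comparison happens locally. The server reply here is constructed so the example runs offline; the real endpoint is assumed to be `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Added example: k-anonymity breached-password check, offline.
Only a 5-character hash prefix is sent; the full hash never leaves the client."""
import hashlib
from typing import Callable, Dict


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """(5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach appearances (0 = not found). `fetch_range` takes the
    5-char prefix and returns the server's text body for that range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample reply for prefix 5BAA6, the prefix of SHA-1("password")
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts and the other two
# suffixes are made up; a real reply lists several hundred suffixes.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "frogcapitalglass"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Because the lookup is by prefix, the server learns only that your password hashes to one of the hundreds of entries in that range, never which one.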
How can organisations educate their employees?

Password security is no joke, especially when insecure passwords can create unnecessary risk for businesses.

At Bob’s Business, we understand that your employees are at the core of your organisational cybersecurity health. They’re the front line of your battle against cybercrime and, without proper training, can be manipulated to grant access to confidential and valuable information.

Our online cybersecurity courses cover everything from making the perfect password to GDPR compliance, phishing detection and data protection. They’re designed to help your team understand cybercrime threats and empower them to protect your organisation further.

Don’t Get Phished This Christmas: Everything You Need to Know

From overstuffed turkeys to overstuffed family members, there’s a lot to love about the Christmas period. Although this year might look a little different to previous years, the optimism, care and thoughtfulness that we pour into the season will mean that it’s just as joyful as ever.

That is, provided you don’t fall into the hands of a scammer. Yes, unfortunately, Christmas is a period of very good cheer for those looking to exploit eager shoppers.

According to recent studies, phishing attacks have climbed dramatically in the Coronavirus era, and with Christmas shopping reaching its peak, you can be certain that it’s going to climb higher still.

But what can you do to protect yourself? In this guide, we’ll explain what phishing is, why you should care and reveal the essential tips to keep your bank account safe, your family in gifts and your data protected.

Let’s get started!

What is phishing?

Let’s start with the biggest question of all – what is phishing?

Phishing is an extremely common type of cyber security attack wherein a fraudster sends you an email which resembles a legitimate email from a reputable source, but is designed to steal your personal information, login credentials or bank details.

More often than not, these emails mirror brands that you trust, and prey on that trust to lull you into giving away your valuable personal information.

Phishing emails take many forms, from invoices for products you didn’t buy to warnings about overdue tax payments, but they’re all designed to encourage you to do the same thing: give away your information.

Why should I care about phishing?

You might be thinking to yourself “why should I care about phishing? I’m not exactly a millionaire, who would target me?”

It’s a good question, but the answer is scarier than you might think. The truth is that whilst targeted phishing attacks are a real threat, the average person receives 16 malicious emails a month and, worryingly, email providers stop only 25% of phishing attempts before they hit your inbox.

Worse still, our internal analysis has revealed that, depending on which psychological elements were in play, the success rate of phishing attempts can hit over 94%.

It’s shocking but true: we’re all susceptible to falling for a well-crafted phishing attack. Keep in mind also that it only takes one phishing attack to compromise your accounts and, from there, do real and significant damage.

Much like Santa, Christmas isn’t a holiday for fraudsters, and their attentions will only increase as we turn our time towards online shopping.

How do I spot a phishing attempt?

So we’ve covered what phishing is and why you should care about it, but how do you spot a phishing attempt?

At Bob’s Business, we’re experts in phishing simulations and phishing training for workforces, and we’ve developed a list of seven huge warning signs you can look out for in your emails to determine whether an email is legitimate or simply an attempt to extract your private information.

They are:

  • The sender’s email address is suspicious.
  • The email has poor spelling and grammar.
  • The email has an odd use of imagery.
  • The email is designed to make you panic or act hastily.
  • The email sounds “too good to be true”.
  • The email contains links which look suspicious when you hover over them.
  • The email contains suspicious branding.

These seven elements are covered in much more detail in our dedicated “how to spot a phishing email” blog, which is essential for helping develop your defence against phishing emails.

Can I train my staff to avoid phishing emails?

Much like dogs, phishing emails aren’t just for Christmas – they’re a year-round threat and, when it comes to your business, only one breach can break your data wide open.

Phishing attacks were behind 90% of breaches this year, according to Verizon, making them by far the most significant danger to your organisation’s security.

By training your staff to spot and stop phishing emails before they do their harm, you empower your team to protect your organisation.

With Bob’s Business’ award-winning range of phishing courses, phishing simulations and Think Before You Click phishing training, you can do just that. Keen to learn more? Get in touch with a member of our team and discover just how affordable and effective our solutions are.

Become Cyber Aware With These Top Tips

The National Cyber Security Centre’s Cyber Aware campaign is in full swing, and at Bob’s Business, we couldn’t be more supportive of their efforts to help individuals and organisations make basic cyber security practices a part of their everyday lives.

With so many of us living our personal, private and professional lives online, the risks associated with losing access to your accounts or having your identity stolen are too great to ignore.

The good news? With only a few small changes, we can all become more Cyber Aware and cyber secure.

Here are the NCSC’s top 6 tips for becoming Cyber Aware (and one of our own, too!)

Create a separate password for your email account

Creating unique passwords for each service you use prevents one breach leading to a chain reaction of breaches, but it’s especially important that your email account has a completely unique password.

With access to your email account, any service you use can have its password reset and changed, completely locking you out.

Think up three random words to create strong passwords

Weak passwords can be cracked by automated software in seconds, and passwords based on your private life can be easily guessed. The solution to memorable yet difficult to crack passwords? Think up three random words!

PianoFromageCartwheel is infinitely more secure than password123, and is just as memorable too. For more security, use special characters and numbers, like £Piano8Fromage!Cartwheel.

Save your passwords in your browser

Doubting your ability to remember all those freshly secured passwords? What if I told you that you don’t need to remember them at all?

By using your browser’s built-in password manager, you never need to remember your passwords again. All modern browsers, including Google Chrome, Microsoft Edge, Firefox and Safari, feature built-in password managers which automatically store your passwords as you browse.

It’s quick, convenient and far more secure than keeping your passwords in a document or in a notebook.

Turn on two-factor authentication (2FA)

Two-factor authentication (2FA) is a free security feature that’s offered as an option in many online services and it ensures that even if somebody has your password, they can’t access your account. How?

2FA reduces your risk of breach by asking you to provide a second factor of authentication, typically entering a code sent to your phone.

Always check to see if your online services offer 2FA, and if they do, ensure that you enable it.

Keep your devices and software updated

Updates for your devices and software are about more than merely adding features – they patch major security flaws too.

Cyber criminals use these security flaws to gain access to your systems, and that can spell disaster.

So, always ensure your devices and software are fully up to date.

Backup your devices

If your phone, tablet, laptop or PC is hacked, your sensitive personal data can be lost, damaged or stolen.

By turning on backups on your devices, you can roll back to a safe point and retrieve your personal and private data. More than good cyber security practice, backing up your devices is great practice for data protection too.

Train your workforce

In organisations of any size, the most important element of your cyber security isn’t a firewall or a hardware solution – it’s your workforce.

Over 90% of breaches occur as a result of human error, so empowering your team to create new, secure and positive cyber security behaviours is vital to protecting your organisation.

At Bob’s Business, we know that empowered teams are the bedrock of a secure organisation. That’s why we create award-winning, NCSC-certified cyber security training services for your team – all of which take place online.

To learn more about how we transform behaviours within organisations of all sizes, book a demonstration here.

Cyber resilience: everything you need to know

Let’s face it, we can all get a little lost when it comes to cyber security jargon. So much so, in fact, that we published our own cyber security jargon buster last year!

There was one topic that we left out of that blog though – cyber resilience.

For organisations of all sizes, it’s a growing concern and an area which is seeing an understandable rise in prominence. But what is it, why is it important and what can you do to become more cyber resilient?

Join us as we share everything you need to know 👇

What is Cyber Resilience?

Cyber resilience, at its heart, is both an individual’s and an organisation’s capability to sense, resist and respond to cyber attacks. It encompasses both cyber security and organisational resilience to defend against potential cyber attacks and ensure survival following an attack.

Cyber security is how we keep the criminals out, and cyber resilience is about how we respond to a cyber attack when the criminals get in.

Why is Cyber Resilience important?

It only takes one employee clicking on a phishing email to jeopardise cyber resilience. Once cybercriminals gain access, they can lock up critical information and bring down your infrastructure.

A cyber attack only needs to be successful once, whereas an organisation’s cyber resilience needs to be effective every time. As such, cyber resilience is pivotal to staying operational within an increasingly digitised corporate world.

Whilst it’s exciting that organisations are rapidly developing and taking advantage of new, digitally-enabled opportunities, this also increases an organisation’s attack surface, making them more vulnerable to cyber threats.

In the digital age, companies are no longer defined by their physical assets alone. Some organisations, such as Uber and Airbnb, hold few physical assets at all. As assets become digitised, the cost of stolen data is rising and will only continue to grow in the future.

What can we do to become more Cyber Resilient?

Culture Change

We can never fully predict what attacks may be coming our way. However, we can ensure that staff are better equipped to tackle threats.

Traditionally, cyber security cultures in the workplace place a heavy emphasis on fear and blame to try and change behaviour. There instead needs to be a shift from a blame culture in organisations to a positive and educational culture.

People in organisations should aim to work together to deal with internal and external threats, rather than being blamed for being a victim of a cyber attack. Blame will only increase resistance from employees, rather than increase the adoption of positive cyber security behaviours. Working together to support each other helps eradicate stigma and creates a more secure culture.

A positive, healthy and effective cyber security culture begins by deploying the right education – education that is psychologically motivated to effectively change behaviour.

Cyber Education

Robust cyber security cultures begin with awareness training to introduce correct behaviours and expectations, before using consistent reminders and support to reinforce cultural change.

A robust cyber security culture means that staff begin to take on ‘extra-role behaviour’, carrying out positive behaviours that are not part of their regular duties.

Typically, those extra-role behaviours include helping others who struggle to understand policies, voicing concerns to management and referring others to relevant information when needed.

To be effective, cyber education has to be simple and relatable, whilst outlining the risks of not following procedures. All too often, people find information security challenging to relate to.

After all, it’s easier to comply with rules and procedures like health & safety, because we can all visualise risks like flooding or fires. It is much harder to envisage a ‘loss of information’, and harder still to visualise the consequences if people are not aware of the risks.

Good cyber education should explain not only the threats of a breach but also that it’s vital to invest time into following cyber security procedures.

A more secure culture, where people support each other and are proactive to risks, increases resilience. This, in turn, leads to a more secure organisation, which can lead to greater trust in your platform, services and brand.

What are cyber cultures?

To understand cyber cultures, we turn to the Cybersecurity Culture Maturity Model, developed by the Massachusetts Institute of Technology (MIT). The Cybersecurity Culture Maturity Model highlights how to increase organisational resilience to cyber attacks.

In short, the model recommends that employees are transitioned from a level 1 mindset to a level 4 mindset, where cyber security is seen as being a part of everyone’s role.

With the right education, staff can be made aware of risks, taught the right procedures and consistently reminded of cyber security, so that it becomes innate to everyone’s role.

MIT explains that organisations need to move from a culture where the IT specialists take responsibility for all cyber security-related issues, to one where every employee feels responsible for keeping the organisation secure.

By viewing cyber security as being everyone’s role, cyber resilience is increased, as the culture is proactive towards threats and can anticipate them. Cyber security is then viewed as a tool for increasing productivity and engagement, rather than preventing it.

Ready to take your team from level 1 to level 4? Our cyber security awareness training is proven, effective and ready to deploy to your team within days. Get in touch with a member of our team today to learn more.