Small business cybersecurity training: Is it worth investing in?

We’re lucky enough to speak to hundreds of organisations every single month, and often hear the same question asked: ‘Is small business cybersecurity training worth it?’

Whilst cybersecurity attacks might seem like a big business problem, the reality for small organisations is stark.

19 seconds from now a small business in the UK will be hacked. Around 65,000 hacks are attempted on small businesses every day in the UK, with around 4,500 being successful. That’s around a 7% success rate.

So, is small business cybersecurity worth investing in? Of course it is. The way we see it, if your organisation depends on technology to operate, cybersecurity training is as vital to your operation as a shutter is to a newsagent.

Don’t believe us? Join us as we share the stats behind small business cyber attacks, the reasons small businesses are targeted, and how you can protect yourself.

What do the stats say about small business cyber attacks?

Small and medium-sized businesses are primary targets for cyber-attacks. Here are some recent statistics to paint a picture:

  • 40% of small businesses in the UK experience a cyber-attack each year (Statista)
  • Every 19 seconds a small business is hacked (Hiscox)
  • Every 14 seconds an SMB is victim to a ransomware attack (Herjavec Group)
  • 45% of employees receive no cybersecurity training (Kaspersky)
  • 71% of customers would take their business elsewhere after a data breach (Allianz)
  • 27% of malware incidents can be attributed to ransomware (Verizon)
  • 60% of SMBs that suffer a cyber-attack go out of business within 6 months (com)

These numbers paint a stark picture: SMBs are primary targets for cybercriminals and the consequences for these businesses can be devastating.

The most shocking stat of all though? A stunning 45% of employees receive no cybersecurity training at all. This has to change. Without cybersecurity training, employees cannot be expected to protect themselves and the company against cyber-attacks.

Why are SMBs targeted?

SMBs are primary targets for cyber-attacks because they tend to have less security than larger enterprises, and in some cases, no security at all. Low security gives cybercriminals an easy payday. It’s easier to go after smaller fish than develop complex attacks to expose the big fish.

Another reason SMBs are targeted is that they often lack the ability to respond to attacks in real time. SMBs are often slow to react to attacks, if they react at all, which gives hackers more time to get in and out with whatever they are trying to steal.

SMBs are also guilty of not investing in cybersecurity training for employees. Over 90% of successful cybersecurity attacks can be traced back to human error. As such, training is important because it equips employees with the knowledge to recognise threats, prevent cyber-related incidents and respond to potential threats.

What impact could an attack have?

Cyber-attacks can result in financial losses from theft of information, financial losses from disruption to doing business, lost customers, costs from cleaning systems, costs from downtime, costs from fines if personal data is lost, damage to your reputation, damage to other companies and damage to your customers.

What is directly at risk?

When we talk about cybersecurity it can be difficult to imagine what is directly at risk and how it could affect your organisation.

Here’s what’s at risk:

Your money

Your money is at risk in several ways. Hackers could empty your bank account, steal cryptocurrency, intercept payments and raise false invoices. They could disrupt your service, interrupt subscriptions, and delete payment data.

Your IT-based services

In 2020, 43% of online security breaches came from attacks on web applications, more than double the figure from the previous year (Verizon). The disruption caused by hackers to IT-based services can destroy a brand and business overnight.

Your data

Data takes many forms. It includes bank information, client lists, customer databases, emails, financial reports, deals you are making, pricing information, patents, manufacturing data, stock and inventory lists and much more.

What can your organisation do?

Invest in cybersecurity training

By taking steps to deploy cybersecurity training in your organisation, you can reduce your risk of breach by up to 74%. Bob’s Business offers unique, jargon-free NCSC certified cybersecurity training solutions for organisations of all sizes.

Encrypt data

Use encryption on all devices that hold and receive data. This will ensure that sensitive data is useless without decoding.

Secure your computers

Your computers should have anti-malware software and two-factor authentication. You can also restrict access to certain websites and restrict downloads.

Secure your networks

Secure your network with a firewall, proxies, access control, antivirus software and a high-quality VPN. Enable two-factor authentication for admin access.

Monitor your systems

Collect activity logs and monitor your IT systems. You can use performance monitoring solutions and network monitoring software to identify unauthorised or malicious activity.

Implement identity and access management

Identity and access management facilitates a secure and effective remote workforce and ensures devices can only be accessed by authorised people.

With our award-winning range of small business cybersecurity courses, you can start taking cybersecurity seriously in a fun, pragmatic way. Get in touch with us to discover how we can help your organisation become much more secure.

Identity Theft: What is It and What Can You Do to Stop It?

When we think of theft, we tend to think of our belongings like wallets, purses, smartphones, tablets and laptops. But there’s nothing more precious that can be stolen than your identity.

It can’t be snatched out of a bag or swiped from a table whilst we aren’t looking, but careless behaviour can result in your identity falling into the hands of a cybercriminal. 

Simple mistakes, such as throwing away a bank statement without shredding it, leaving your laptop unattended in a public place, or sending an email to the wrong address, can expose your personal information.

While those actions might seem innocuous, leaving personal information lying around or accessible to others can hold financial or reputational repercussions. Personal data holds substantial value, making it an important target for cybercriminals. 

Once your personal information has been exposed, an identity thief is then able to impersonate you and act on your behalf. For example, signing you up for bank loans, applying for tax refunds, or even emptying your bank account!

What is the Scale of Identity Theft?

Identity theft might seem like an abstract threat, but it’s far from rare. In fact, 2019 saw the highest ever number of reported cases of identity theft, according to the Cifas National Fraud Database, with over 223,000 cases reported, up a remarkable 18% on the previous year.

Identity theft poses a huge threat for individuals and organisations. Don’t believe us? Check out these statistics: 

Is Identity Theft a Workplace Threat?

Identity theft is often framed as an issue for the individual. After all, it’s your identity being stolen. However, identity theft is being increasingly utilised to gain access to organisations’ vital data. 

By focusing on human vulnerability, attackers can compromise a single email account and use the stolen data to form more advanced attacks against the business.  

This can impact the financial position of a business, potentially resulting in large sums of money lost without any possibility of recovery. 

A business’ reputation, built upon years of excellent service and trust, can likewise experience substantial damage. This can create a secondary financial loss, where customers leave due to fear and loss of confidence in a business. 

Ultimately, the consequences of an attack can become too difficult to deal with, amidst recovery costs exceeding business capabilities, giving a business no option but to shut shop and close trading doors completely.

How to Protect Yourself (and Organisation) from Identity Theft

Identity theft can have serious implications on both your personal and professional life. However, becoming a victim can be relatively easy to avoid. 

Take a look at our prevention tips to stop your personal information and data from being stolen:

  • Invest in a paper cross-shredder to destroy all personal and confidential information before discarding.
  • Check your credit card and bank statements regularly and look out for any unfamiliar activity.
  • Be wary of telephone calls, emails or letters that ask you to give or update security or personal information. Check the identity of removal staff and any unfamiliar faces.
  • Never share your PINs, passwords or personal identification.
  • Install firewalls and protections on your electronic devices, in particular, your computer, phone and laptop.
  • Be careful when using public WiFi networks. Fraudsters can hack into a network, putting your personal data and information at risk.
  • Be conscious of the usernames you choose when online as they can give away your identity to those researching you, for example, ‘Firstname.Lastname84’.
  • Don’t be afraid to question someone asking for a copy of your driving license, passport or another form of primary identification. 

What to Do If Your Identity Is Stolen

There is no worse feeling than the knowledge that a complete stranger has gained access to your personal information or belongings. 

It’s a situation nobody wants to face, so here’s our quick 7 step guide to follow if your identity is stolen.  

  1. Act quickly. As soon as you become aware of a case of identity fraud, make sure you act upon it immediately. Contact Action Fraud on 0300 123 2040 or at the Action Fraud website.
  2. Report any lost or stolen documents to the organisation that issued them. This includes items such as your passport, driving licence and credit card. 
  3. Inform your bank, building society and credit card company. Get in touch and let them know that you have become victim to a fraud attack and make them aware of any unusual transactions on your statement.
  4. Contact the police and inform them about the theft/loss of your personal information, and any suspicious applications and transactions that you have encountered. Make sure you ask for a crime reference number.
  5. Contact the Post Office. Your identity thief may have changed your home address, so contact the Post Office to prevent mail being sent to the wrong address.
  6. Request copies of your credit file and check for any suspicious credit requests. 
  7. Contact CIFAS (the UK’s Fraud Prevention Service) to apply for protective registration.

Sign up for our free web demonstration, showcasing how Bob’s Business can help keep your organisation secure. 

What Were the Most Common Passwords in 2020?

Feel like you have more passwords than you’ve had hot dinners? You’re not alone. With studies showing that the average person has 100 passwords, we’re all managing an ever-growing arsenal of passwords.

Choosing the perfect password, however, can feel like an arduous task, and often leads us into creating the quickest, easiest, most memorable passwords we can.

The problem? They’re rarely the most secure ones.

The result is a pandemic of poor password choices that fatally weaken our defence against cybercriminals. They’re traps which can compromise your data, finances and even your organisation’s cybersecurity.

With the Coronavirus pandemic and the rise in home working in 2020, cybercriminals and the software they utilise has not only grown more sophisticated, but more effective. As such, there’s never been a better time to brush up on how to write a secure password.

In 2020, we took a look back at the most common passwords of 2019, and now, thanks to research from NordPass, we can reveal the most commonly used passwords worldwide in 2020.

So, join us below as we share with you 2020’s most common passwords and explain why you shouldn’t reuse your password alongside much, much more.

What were the most common passwords of 2020?

The top five most commonly used passwords in 2020 were:

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678

Just as in 2019, what unites each of these passwords is the very same thing: simplicity.

The appeal of simplistic passwords is clear. They don’t take long to think up; they’re easy to remember and – most of all – you get to spend less time dreaming up passwords and more time doing something fun, like watching your new Netflix subscription.

Unfortunately, simple passwords come with a simple downside: they’re just as simple to crack. In fact, password cracking software can break four of these five passwords in less than a second.

What does the password list tell us?

Several themes recur time and time again in the NordPass password list.

As always, numerical patterns are a prevalent theme, with repeated digit passwords like ‘1111111’, ‘555555’ or ‘999999’ appearing alongside ‘12345’ and ‘123654’ in the top 100.

In fact, out of the top twenty passwords, numerical patterns appear eleven times, highlighting just how common they are.

Another theme that appears time and time again in the list is football teams and fictional characters. Forbes research found that football teams ‘liverpool’, ‘chelsea’, ‘arsenal’, ‘manutd’, and ‘everton’ were the five most commonly used. Meanwhile, ‘superman’, ‘naruto’, ‘tigger’, ‘pokemon’ and ‘batman’ were the most commonly used fictional characters.

Other popular common passwords are names and musicians, which appear throughout the top 100.

So, what do all these patterns tell us?

When building passwords, most of us fall back into behaviours which favour choosing something simple, easy to remember and in some cases, close to our hearts. Whether it’s our football club, favourite band, an easy to recall set of numbers or even our name – many of us are choosing passwords that don’t require us to memorise anything complicated.

All of which brings us to:

How to create a stronger password

There are countless ways to create good, secure passwords, but many popular methods ignore the fact that though ‘C7sf3LU!6w’ is a strong password, it’s virtually impossible to remember. Especially when you compare it to something like ‘leedsutd’, or ‘ashley’.

That’s why at Bob’s Business, we recommend the ‘three words’ method of password creation. Pick three random, unconnected words and put them together. Passwords like ‘frogcapitalglass’ are easy to remember and, crucially, unique.

For an even more secure password, combine those three words with capital letters and numbers, like “Frog6Capital0glass”. Want to check how secure your new password is? Try How Secure is my Password and discover just how quickly cybercriminals could crack your password.
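The claim above that the top five passwords crack in under a second, while three random words do not, comes down to how large a search space the attacker has to cover. The script below is an added example (not code from Bob’s Business, NordPass or the How Secure is my Password site) that estimates that search space for the passwords named on this page. It assumes a 7,776-word list for the three-words method (the diceware size), an offline cracking rate of ten billion guesses per second against a fast hash, and a rate-limited online login form at 100 guesses per second; the breach list is the page’s own top five, standing in for a real one.

```python
import math
import re

# Constructed: the five most common passwords named on the page, standing in
# for the breach wordlist a cracker tries before anything else.
COMMON_PASSWORDS = {"123456", "123456789", "picture1", "password", "12345678"}

# Assumptions: three-word passphrases are drawn from a 7,776-word list (the
# diceware size); an offline attack on a fast hash runs at 1e10 guesses/s;
# a rate-limited login form allows about 100 guesses/s.
WORDLIST_SIZE = 7776
OFFLINE_RATE = 1e10
ONLINE_RATE = 100.0


def charset_size(pw):
    """Size of the smallest character pool containing every character used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(pw):
    """Search space in bits if the attacker only knows the character classes."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def passphrase_bits(pw, word_count):
    """Search space in bits if the attacker knows the three-words method.
    Each word costs log2(WORDLIST_SIZE); each inserted capital or digit adds
    roughly log2(36) for its identity. Position is ignored, so this errs low."""
    decorations = sum(1 for c in pw if not c.islower())
    return word_count * math.log2(WORDLIST_SIZE) + decorations * math.log2(36)


def estimate_bits(pw, word_count=None):
    """Attacker's best case: the smallest model that fits the password."""
    if pw in COMMON_PASSWORDS:
        return 0.0  # one of the very first guesses from a breach list
    bits = brute_force_bits(pw)
    if word_count:
        bits = min(bits, passphrase_bits(pw, word_count))
    return bits


def crack_seconds(bits, rate=OFFLINE_RATE):
    """Expected time to hit the password (half the space) at `rate` guesses/s."""
    return 0.0 if bits <= 0 else (2 ** bits) / 2 / rate


if __name__ == "__main__":
    samples = [("123456", None), ("leedsutd", None), ("C7sf3LU!6w", None),
               ("frogcapitalglass", 3), ("Frog6Capital0glass", 3)]
    for pw, words in samples:
        b = estimate_bits(pw, words)
        print(f"{pw:20} {b:6.1f} bits  offline {crack_seconds(b):10.3g}s"
              f"  online {crack_seconds(b, ONLINE_RATE):10.3g}s")
```

The point the numbers make is that the same passphrase can fall in seconds to an offline attack on a leaked hash database yet hold for centuries against an online form, which is why unique passwords per service matter as much as length: a leak of one site’s hashes must not hand over every other account.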

How often should you change your password?

When it comes to how often you should change your password, you might have heard some conflicting reports. Some schools of thought suggest every month, others once every quarter.

The problem with a mandatory password change is that they tend to encourage rushed superficial changes – an extra capitalised letter here or a few new numbers there. For hackers, these slight changes are easy to guess.

For that reason, it’s recommended that you create unique passwords for each service you use.

Of course, if any service you use is breached, you should immediately change your password to stop criminals from accessing your private information. Finding out whether an account you use has been exposed is simple, just use a website like Have I Been Pwned?

How to remember your passwords

Strong passwords are crucial, but unique passwords are perhaps the most critical element of password security. After all, should your login credentials for one service become exposed, unique passwords ensure that your other accounts remain secure.

That can mean dozens – if not hundreds – of unique passwords required. So, how exactly do you remember all those passwords?

You don’t.

Instead, we recommend you make use of a password manager.

Password managers come in many shapes and sizes, from software managers like Passbolt to password managers that are built directly into your browser. In fact, there’s a good chance you’re already using a password manager in your browser.

So, instead of trying to recall your passwords, make use of a password manager and never worry about forgotten passwords again.

Bob’s top password tips

Creating a secure and memorable password doesn’t need to be complicated. Just follow our top password tips below, and you’ll never need to worry about your password security again.

  • Choose three random, memorable words to make your password. Try to choose words that aren’t related to your life, hobbies or passions, so that no automated hacking system or individual can figure out your password.
  • Create unique different passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
  • Check to see if any of your accounts have been breached. By checking Have I Been Pwned? you can see whether any of your details have been breached and released. It should go without saying, these passwords should be changed as soon as possible.
  • Make use of a password manager. Password managers ensure that no matter how unique your passwords get, you never forget about them. Most modern web browsers have password managers built-in, but there are free solutions available also, which are compatible with most devices.

How can organisations educate their employees?

Password security is no joke, especially when insecure passwords can create unnecessary risk for businesses.

At Bob’s Business, we understand that your employees are at the core of your organisational cybersecurity health. They’re the front line of your battle against cybercrime and, without proper training, can be manipulated to grant access to confidential and valuable information.

Our online cybersecurity courses cover everything from making the perfect password to GDPR compliance, phishing detection and data protection. They’re designed to help your team understand cybercrime threats and empower them to protect your organisation further.

Don’t Get Phished This Christmas: Everything You Need to Know

From overstuffed turkeys to overstuffed family members, there’s a lot to love about the Christmas period. Although this year might look a little different to previous years, the optimism, care and thoughtfulness that we pour into the season will mean that it’s just as joyful as ever.

That is, provided you don’t fall into the hands of a scammer. Yes, unfortunately, Christmas is a period of very good cheer for those looking to exploit eager shoppers.

According to recent studies, phishing attacks have climbed dramatically in the Coronavirus era, and with Christmas shopping reaching its peak, you can be certain that it’s going to climb higher still.

But what can you do to protect yourself? In this guide, we’ll explain what phishing is, why you should care and reveal the essential tips to keep your bank account safe, your family in gifts and your data protected.

Let’s get started!

What is phishing?

Let’s start with the biggest question of all – what is phishing?

Phishing is an extremely common type of cyber security attack wherein a fraudster sends you an email which resembles a legitimate email from a reputable source, but is designed to steal your personal information, login credentials or bank details.

More often than not, these emails mirror brands that you trust, and prey on that trust to lull you into giving away your valuable personal information.

Phishing emails take many forms, from invoices for products you didn’t buy to warnings about overdue tax payments, but they’re all designed to encourage you to do the same thing: give away your information.

Why should I care about phishing?

You might be thinking to yourself “why should I care about phishing? I’m not exactly a millionaire, who would target me?”

It’s a good question, but the answer is scarier than you might think. The truth is that whilst targeted phishing attacks are a real threat, the average person receives 16 malicious emails a month and, worryingly, only 25% of phishing attempts are stopped by email providers before they hit your inbox.

Worse still, our internal analysis has revealed that, depending on which psychological elements were in play, the success rate of phishing attempts can hit over 94%.

It’s shocking but true: we’re all susceptible to falling for a well-crafted phishing attack. Keep in mind also that it only takes one phishing attack to compromise your accounts and, from there, do real and significant damage.

Much like Santa, Christmas isn’t a holiday for fraudsters, and their attentions will only increase as we turn our time towards online shopping.

How do I spot a phishing attempt?

So we’ve covered what phishing is and why you should care about it, but how do you spot a phishing attempt?

At Bob’s Business, we’re experts in phishing simulations and phishing training for workforces, and we’ve developed a list of seven huge warning signs you can look out for in your emails to determine whether an email is legitimate or simply an attempt to extract your private information.

They are:

  • The sender’s email address is suspicious.
  • The email has poor spelling and grammar.
  • The email has an odd use of imagery.
  • The email is designed to make you panic or act hastily.
  • The email sounds “too good to be true”.
  • The email contains links which look suspicious when you hover over them.
  • The email contains suspicious branding.

These seven elements are covered in much more detail in our dedicated “how to spot a phishing email” blog, which is essential for helping develop your defence against phishing emails.
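Several of the seven warning signs above can be checked mechanically before a human ever reads the message: a sender whose display name claims a brand but whose domain does not match, a Reply-To that points somewhere else, urgency language, and links whose visible text shows one domain while the href goes to another (the “hover over it” check). The script below is an added example, not Bob’s Business’ code; both messages are constructed, and the table of known brands and their real domains is an assumption you would replace with the suppliers your organisation actually deals with.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed example messages, not real samples.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.com>
Reply-To: collect@mail-drop.example
To: you@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, we detected unusual activity. Verify immediately or your
account will be suspended.</p>
<p><a href="http://examp1e-bank-verify.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <noreply@example-bank.com>
To: you@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p></body></html>
"""

# Assumption: brands this organisation deals with and their genuine domains.
KNOWN_BRANDS = {"example bank": "example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr_or_url):
    """Lower-cased host of an email address or URL, without a leading 'www.'."""
    host = addr_or_url.rsplit("@", 1)[1] if "@" in addr_or_url else (urlparse(addr_or_url).hostname or "")
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw):
    """Return a dict of triggered warning signs; empty means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    for brand, real in KNOWN_BRANDS.items():
        if brand in sender.display_name.lower() and from_domain != real and not from_domain.endswith("." + real):
            found["sender_domain_mismatch"] = f"claims '{brand}' but sent from {from_domain}"
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            found["reply_to_mismatch"] = f"replies go to {reply_domain}, not {from_domain}"
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    text = ((msg["Subject"] or "") + " " + content).lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    if urgent:
        found["urgency_language"] = urgent
    collector = LinkCollector()
    collector.feed(content)
    mismatched = [(t, h) for h, t in collector.links
                  if re.match(r"https?://", t) and domain_of(t) != domain_of(h)]
    if mismatched:
        found["link_mismatch"] = mismatched
    return found


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw))
```

A checker like this is a triage aid for a mailbox rule or a security team, not a substitute for the training the page describes: a message that trips none of these tests can still be phishing, which is exactly why the human signs (odd imagery, branding, “too good to be true”) are on the list.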

Can I train my staff to avoid phishing emails?

Much like dogs, phishing emails aren’t just for Christmas – they’re a year-round threat and, when it comes to your business, it only takes one breach to break your data wide open.

Phishing attacks were behind 90% of breaches this year, according to Verizon, making them by far the most significant danger to your organisation’s security.

By training your staff to spot and stop phishing emails before they do their harm, you empower your team to protect your organisation.

With Bob’s Business’ award-winning range of phishing courses, phishing simulations and Think Before You Click phishing training, you can do just that. Keen to learn more? Get in touch with a member of our team and discover just how affordable and effective our solutions are.

Become Cyber Aware With These Top Tips

The National Cyber Security Centre’s Cyber Aware campaign is in full swing, and at Bob’s Business, we couldn’t be more supportive of their efforts to help individuals and organisations make basic cyber security practices a part of their everyday lives.

With so many of us living our personal, private and professional lives online, the risks associated with losing access to your accounts or having your identity stolen are too great to ignore.

The good news? With only a few small changes, we can all become more Cyber Aware and cyber secure.

Here are the NCSC’s top 6 tips for becoming Cyber Aware (and one of our own, too!)

Create a separate password for your email account

Creating unique passwords for each service you use prevents one breach leading to a chain reaction of breaches, but it’s especially important that your email account has a completely unique password.

With access to your email account, an attacker can have the password of any service you use reset and changed, completely locking you out.

Think up three random words to create strong passwords

Weak passwords can be cracked by automated software in seconds, and passwords based on your private life can be easily guessed. The solution to memorable yet difficult to crack passwords? Think up three random words!

PianoFromageCartwheel is infinitely more secure than password123, and is just as memorable too. For more security, use special characters and numbers, like £Piano8Fromage!Cartwheel.

Save your passwords in your browser

Doubting your ability to remember all those freshly secured passwords? What if I told you that you don’t need to remember them at all?

By using your browser’s built-in password manager, you never need to remember your passwords again. All modern browsers, such as Google Chrome, Microsoft Edge, Firefox and Safari, feature built-in password managers which automatically store your passwords as you browse.

It’s quick, convenient and far more secure than keeping your passwords in a document or in a notebook.

Turn on two-factor authentication (2FA)

Two-factor authentication (2FA) is a free security feature that’s offered as an option in many online services and it ensures that even if somebody has your password, they can’t access your account. How?

2FA reduces your risk of breach by asking you to provide a second factor of authentication, typically entering a code sent to your phone.

Always check to see if your online services offer 2FA, and if they do, ensure that you enable it.

Keep your devices and software updated

Updates for your devices and software are about more than merely adding features – they patch major security flaws too.

Cyber criminals use these security flaws to gain access to your systems, and that can spell disaster.

So, always ensure your devices and software are fully up to date.

Backup your devices

If your phone, tablet, laptop or PC are hacked, your sensitive personal data can be lost, damaged or stolen.

By turning on backups on your devices, you can roll back to a safe point and retrieve your personal and private data. More than good cyber security practice, backing up your devices is great practice for data protection too.

Train your workforce

In organisations of any size, the most important element of your cyber security isn’t a firewall or a hardware solution – it’s your workforce.

Over 90% of breaches occur as a result of human error, so empowering your team to create new, secure and positive cyber security behaviours is vital to protecting your organisation.

At Bob’s Business, we know that empowered teams are the bedrock of a secure organisation. That’s why we create award-winning, NCSC-certified cyber security training services for your team – all of which take place online.

To learn more about how we transform behaviours within organisations of all sizes, book a demonstration here.

Cyber resilience: everything you need to know

Let’s face it, we can all get a little lost when it comes to cyber security jargon. So much so, in fact, that we published our own cyber security jargon buster last year!

There was one topic that we left out of that blog though – cyber resilience.

For organisations of all sizes, it’s a growing concern and an area which is seeing an understandable rise in prominence. But what is it, why is it important and what can you do to become more cyber resilient?

Join us as we share everything you need to know 👇

What is Cyber Resilience?

Cyber resilience, at its heart, is both an individual and an organisation’s capability to sense, resist and respond to cyber attacks. It encompasses both cyber security and organisational resilience to defend against potential cyber attacks and ensure survival following an attack.

Cyber security is how we keep the criminals out, and cyber resilience is about how we respond to a cyber attack when the criminals get in.

Why is Cyber Resilience important?

It only takes one employee clicking on a phishing email to jeopardise cyber resilience. Once cybercriminals gain access, they can lock up critical information and bring down your infrastructure.

A cyber attack only needs to be successful once, whereas an organisation’s cyber resilience needs to be effective every time. As such, cyber resilience is pivotal to staying operational within an increasingly digitised corporate world.

Whilst it’s exciting that organisations are rapidly developing and taking advantage of new, digitally-enabled opportunities, this also increases an organisation’s attack surface, making them more vulnerable to cyber threats.

In the digital age, companies are no longer defined by their physical assets alone. Some organisations, such as Uber and Airbnb, hold few physical assets at all. As assets become digitised, the cost of stolen data is rising and will only continue to grow in the future.

What can we do to become more Cyber Resilient?

Culture Change

We can never fully predict what attacks may be coming our way. However, we can ensure that staff are better equipped to tackle threats.

Traditionally, cyber security cultures in the workplace place a heavy emphasis on fear and blame to try and change behaviour. There instead needs to be a shift from a blame culture in organisations to a positive and educational culture.

People in organisations should aim to work together to deal with internal and external threats, rather than being blamed for being a victim of a cyber attack. Blame will only increase resistance from employees, rather than increase the adoption of positive cyber security behaviours. Working together to support each other helps eradicate stigma and creates a more secure culture.

A positive, healthy and effective cyber security culture begins by deploying the right education – education that is psychologically motivated to effectively change behaviour.

Cyber Education

Robust cyber security cultures begin with awareness training to introduce correct behaviours and expectations, before using consistent reminders and support to reinforce cultural change.

A robust cyber security culture means that staff begin to take on ‘extra-role behaviour’, carrying out positive behaviours that are not part of their regular duties.

Typically, those extra-role behaviours include helping others who struggle to understand policies, voicing concerns to management and referring others to relevant information when needed.

To be effective, cyber education has to be simple and relatable, whilst outlining the risks of not following procedures. All too often, people find information security challenging to relate to.

After all, it’s easier to comply with rules and procedures like health & safety, because we can all visualise risks like flooding or fires. It is much harder to envisage a ‘loss of information’, and harder still to visualise the consequences if people are not aware of the risks.

Good cyber education should explain not only the threats of a breach but also that it’s vital to invest time into following cyber security procedures.

A more secure culture, where people support each other and are proactive to risks, increases resilience. This, in turn, leads to a more secure organisation, which can lead to greater trust in your platform, services and brand.

What are cyber cultures?

To understand cyber cultures, we turn to the Cybersecurity Culture Maturity Model, developed by the Massachusetts Institute of Technology (MIT). The Cybersecurity Culture Maturity Model highlights how to increase organisational resilience to cyber attacks.

In short, the model recommends that employees are transitioned from a level 1 mindset, to a level 4 mindset, where cyber security is seen as being a part of everyone’s role.

With the right education, staff can be made aware of risks, taught the right procedures and consistently reminded of cyber security, so that it becomes innate to everyone’s role.

MIT explains that organisations need to move from a culture where the IT specialists take responsibility for all cyber security-related issues, to one where every employee feels responsible for keeping the organisation secure.

By viewing cyber security as being everyone’s role, cyber resilience is increased, as the culture is proactive towards threats and can anticipate them. Cyber security is then viewed as a tool for increasing productivity and engagement, rather than as something that gets in the way of them.

Ready to take your team from level 1 to level 4? Our cyber security awareness training is proven, effective and ready to deploy to your team within days. Get in touch with a member of our team today to learn more.

Why Now Isn’t the Time to Hit Pause on Training

COVID-19 has prompted a global financial slowdown, one which has caught plenty of organisations out. Although hopes of a V-shaped recovery abound, there’s no denying that, at present, we’re very much on the downswing rather than the up.

It’s prompted a time of self-reflection and belt-tightening for organisations across the globe. Accordingly, many organisations are halting their cyber security training programs.

We think that’s the wrong path to take. Join us as we share precisely why.

Threats are increasing, not decreasing

The first and, perhaps, most important thing to note about the current cyber security environment is that, far from being less active, we’re witnessing more (and more novel) attacks than before the pandemic began, like the ransomware attack on a German hospital that was recently linked to a patient’s death.

According to a recent study, cybercriminals are taking advantage of the uncertainty and unfamiliarity of the pandemic to isolate and attack individuals within organisations.

Indeed, spear-phishing attempts using COVID-specific designs and language have proven to be a remarkably common attack vector, as we covered in a recent blog.

With the variety and frequency of attacks increasing, now isn’t the time to scale back cyber security training.

Failure to train now impacts your organisation for years to come

It’s tempting to believe that we can moth-ball our organisation and simply pull it out of storage when the circumstances are more favourable.

However, we know that simply isn’t the case – especially when it comes to training.

Quite simply, the longer your team goes without training, the longer training will take to be effective when you resume. If you’re merely looking to tick a few compliance boxes, that might be fine, but if you’re trying to create real cultural change, it’s a fast track to failure.

For new behaviours to become second nature, it takes continuous training, regular reinforcement and support from across the organisation. Unfortunately, training isn’t a tap that you can turn on and off and expect to be effective.

If you’re serious about empowering your team to protect your organisation, now isn’t the time to pause your training program.

Threats don’t stop at your office doors

Working from home has become the new norm over the last six months, but with the move to home offices and personal equipment comes a raft of potential threats which aren’t found when teams are located in your offices.

Cybercriminals are exploiting the fact that home workers sit outside the controls that an office provides (managed devices, a filtered network and a security team close at hand, which larger organisations in particular rely on) to make opportunistic attacks on your workforce, many of them using lures that have never been seen before.

By abandoning training, you weaken your organisation’s immune response to threats, increasing your chances of a breach and the financial and reputational damage that it entails.

Want to learn more about how training can help build a cyber security culture within your organisation and create resilience from attacks? Get in touch with a member of our team today.

Report Finds Coronavirus Impact on Cyber Security

To suggest that the Coronavirus, COVID-19, has had an impact on our day to day lives would be something of an understatement. It barely needs repeating, but the global impact of Coronavirus has been staggering, with its impact being felt in virtually every aspect of life.

Case in point? The Coronavirus’ measurable impact on the cyber security landscape.

In the past, we’ve covered the rise in Coronavirus scams, and now a new study from Cynet has revealed the sheer scale of the Coronavirus’ impact on the way cybercriminals are attempting to prise open your security processes and gain access to your systems.

Why has the Coronavirus impacted cyber security?

Cynet’s study found that their systems detected a sharp increase in new, sophisticated cyber-threats across its global network, designed to take advantage of the unique circumstances created by the pandemic. Specifically:

  • Staff working from home
  • Extensive use of VPNs to connect to work networks
  • Broad usage of private and personal devices to access work emails
  • Lack of security team presence
  • Conspiracy theories created in the wake of the virus

Together, these circumstances have created a ‘perfect storm’ for opportunistic cyber criminals who are capitalising on the fear, uncertainty, unfamiliarity and confusion of the pandemic.

What has been the effect of the Coronavirus on cyber security?

Critically, their study found that in the confusion surrounding COVID-19, both the volume of attacks and the types of new malware have grown significantly. Cynet break their findings down into two key areas:

New types of malware

Historical data from Cynet shows that roughly 80% of detected attacks utilise existing malware, phishing techniques and malware variants, with 20% of attacks utilising novel versions of each.

However, in the first three months of the pandemic, they detected a significant upswing in novel attacks, witnessing a roughly 35/65 split on new to existing attack types.

This significant jump highlights the opportunistic nature of cybercrime, with cybercriminals quickly designing attacks to isolate and expose individuals within an organisation.

An increased volume of attacks

Over the same three months, Cynet’s Detection and Response team witnessed a spike in the number of requests from organisations seeking their expertise: from an average of roughly 200 per month in the five months prior to the pandemic, February, March and April saw numbers ranging between 400 and 550.

Although not indicative of overall global trends, this finding nonetheless highlights that organisations witnessed significant new challenges throughout the pandemic.

Which sectors were the most affected?

When it comes to cyber attacks, no sector is safe from breaches. Whether your organisation is large or small, for-profit or non-profit, you need to remain vigilant to attacks. Case in point?

According to the analysis, only one sector saw a decline in attacks: Sports & Education, for obvious reasons.

The rest all saw an increase in the number of attacks, with Finance (+32.63%), Food Production (+29.36%) and Retail (+23.42%) particularly affected. The other sectors included IT Technology and Services, Machinery, Oil & Energy, Telecommunications, Manufacturing and Automotive.

What can you do to protect your organisation?

Cynet’s analysis of the Coronavirus and its impact on cyber security highlights one thing above all else – the need for more comprehensive organisational cyber security.

Technological solutions have their place, but with an estimated 80% of breaches occurring as a result of human error, rather than technological failure, it’s essential that you empower your team to protect your organisation.

By giving your workforce the tools they need to spot and stop attacks before they do damage, you can dramatically reduce your chances of data loss and reputational damage.

It’s why our cyber security awareness training is adopted by organisations large and small, and why we’re tireless in our goal to bring everyone together to improve organisational cyber security.

Want to know more? Get in touch with a member of our team today.

Three Business Continuity Calamities

Having a business with no continuity plan is a bit like having a ship with no lifeboats.

While we all like to imagine our lives and organisations will always run smoothly, unexpected events can change everything in an instant. When such events strike, you either have a plan or you don’t. This is what business continuity is all about. You’re preparing for scenarios that could hinder or completely stop your business.

This blog will take you through three real-life examples of businesses that have suffered through a lack of continuity planning and leave you with some top tips you can take away to help better prepare your organisation in the event of a disaster.

Ransomware Attack on Atlanta

The SamSam ransomware attack hit the city of Atlanta in March 2018. The city government’s computer systems were targeted, resulting in a number of services shutting down, including police records, parking services, utilities and other programmes. This persisted for five days, meaning many departments had to revert to hand-written paperwork.

The attackers demanded a $52,000 payment to bring the system back online but the full recovery took months. It is estimated to have cost a total of $17 million to fix, with nearly $3 million being spent exclusively on emergency IT consultants and crisis management firms.

In retrospect, this attack had been coming. Two months prior to the attack, an audit revealed that there were between 1,500 and 2,000 vulnerabilities in the city’s IT systems, including ‘obsolete software’ and a security culture driven by ‘undocumented processes’.

Hospitals Infected with a Computer Virus

In November 2016, a network of hospitals in the UK was infected with a computer virus, crippling its systems and halting operations at three separate locations for five days.

In that time, patients were turned away at the door and advised to visit other hospitals; even those who had suffered major trauma or were in labour were diverted, and only the most severe emergency cases were admitted.

A report by Computing.co.uk showed that the hospitals had no business continuity plan document in place, which resulted in more than 2,800 procedures and appointments being cancelled.

The Backup Blackout

The California Department of Motor Vehicles suffered a computer outage which shut down its operations for several days. Several California DMV offices closed, with drivers having nowhere to turn for their licence or vehicle registration needs.

Both the primary and secondary backup systems went offline simultaneously because they were within the same facility and shared the same power source. Data security experts were quick to point out California DMV’s backup blunder, noting that it was a disaster waiting to happen.

Remember, backup systems should be kept in a separate location from your primary system, one that does not share its power, network or building. If the primary and its backup can be taken out by the same incident, you don’t really have a backup; keeping them apart means that when the primary fails, the backup is still there to take its place.

Our Top Tips

Having spent over a decade helping organisations secure information and understand the importance of business continuity, we’ve collected a number of simple, top tips for you to take away and consider for your organisation’s business continuity.

  • Familiarise yourself with your organisation’s business continuity plan.
  • Make sure everyone knows where the external site is in the event of a disaster.
  • Resume business as soon as possible to reduce the consequences.
  • Back up your files on a daily basis to a secondary location to minimise potential data loss.
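To make the DMV lesson and the daily-backup tip above concrete, here is an added example (written for this page, not Bob’s Business code or any product of theirs). It takes a daily snapshot of a directory, refuses to treat two destinations that sit on the same disk as “separate” locations, verifies each written copy against a SHA-256 digest, and then proves the archive can actually be restored. It assumes local directory destinations, uses “same block device” as a crude proxy for “same facility, same power feed”, and the directory tree and its contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

# Assumption: st_dev (block device) stands in for "shared failure domain".
# It cannot see power feeds or buildings; treat it as a floor, not a ceiling.


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _device_of(p: Path) -> int:
    """st_dev of the nearest existing ancestor (the destination may not exist yet)."""
    p = p.resolve()
    while not p.exists():
        p = p.parent
    return os.stat(p).st_dev


def shares_failure_domain(a: Path, b: Path) -> bool:
    """True when two copies would go down together: one nested inside the
    other, or both on one block device (the DMV's primary and secondary
    shared one facility and one power source)."""
    a, b = a.resolve(), b.resolve()
    if a == b or a in b.parents or b in a.parents:
        return True
    return _device_of(a) == _device_of(b)


def make_backup(source: Path, destinations: list, name: str,
                require_independence: bool = True) -> dict:
    """Archive `source` once, fan the archive out to every destination and
    return {copy_path: sha256}. Raises if two destinations share a failure
    domain (when required) or a written copy does not match the digest."""
    for i, d1 in enumerate(destinations):
        for d2 in destinations[i + 1:]:
            if require_independence and shares_failure_domain(d1, d2):
                raise RuntimeError(f"{d1} and {d2} are not independent locations")
    with tempfile.TemporaryDirectory() as staging:
        archive = Path(staging) / f"{name}.tar.gz"
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(source), arcname=source.name)
        expected = sha256_of(archive)
        copies = {}
        for dest in destinations:
            dest.mkdir(parents=True, exist_ok=True)
            copy = dest / archive.name
            shutil.copyfile(archive, copy)
            if sha256_of(copy) != expected:          # short write or bit-rot
                raise RuntimeError(f"copy at {copy} does not match the archive")
            copies[copy] = expected
    return copies


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Refuse archive entries that would escape `dest` (path traversal)."""
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if target != dest and dest not in target.parents:
            raise RuntimeError(f"unsafe path in archive: {m.name}")
        yield m


def verify_restore(archive: Path, original: Path) -> bool:
    """A backup that has never been restored is a hope, not a plan: extract
    into scratch space and compare every file against the live copy."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch).resolve()
        kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(dest, members=_safe_members(tar, dest), **kw)
        except (tarfile.TarError, OSError, EOFError, RuntimeError):
            return False                              # corrupt or hostile archive
        restored = dest / original.name
        live = {p.relative_to(original): sha256_of(p)
                for p in original.rglob("*") if p.is_file()}
        back = {p.relative_to(restored): sha256_of(p)
                for p in restored.rglob("*") if p.is_file()}
        return live == back


def demo() -> dict:
    """Walk-through on a constructed directory tree (sample data, not real records)."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        source = root / "records"
        (source / "parking").mkdir(parents=True)
        (source / "parking" / "tickets.csv").write_text("ref,amount\nA1,60\n")
        (source / "permits.txt").write_text("constructed sample data\n")
        same_site = [root / "primary_backup", root / "secondary_backup"]
        try:
            make_backup(source, same_site, "records-daily")
            rejected = False
        except RuntimeError:
            rejected = True            # same disk: the DMV mistake, caught up front
        # This demo has one disk, so override explicitly; in production the
        # override is the exception you must justify, never the default.
        copies = make_backup(source, same_site, "records-daily", require_independence=False)
        restore_ok = all(verify_restore(c, source) for c in copies)
        victim = next(iter(copies))
        victim.write_bytes(b"\x00" * 64)          # simulate a corrupted copy
        return {"rejected_same_device": rejected, "copies": len(copies),
                "restore_ok": restore_ok,
                "tampered_restore_ok": verify_restore(victim, source)}


if __name__ == "__main__":
    print(demo())
```

Run it with `python backup_demo.py`. The independence check is deliberately up front: the cheapest time to discover that both copies share a failure domain is before the first backup is written, not the morning the building loses power. The restore step is the part most organisations skip; a digest match only proves the bytes arrived, and it takes a real extraction to prove the archive is usable.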

Business continuity in the age of Coronavirus is more important than ever before. From your cyber security to your data collection, our product helps your staff become the front line in your fight against cybercrime. Learn more about how Bob’s Business can help you now by booking a web demonstration.

Health & Safety: What You Need to Know

According to the latest Health & Safety Executive (HSE) statistics, over 28.2 million working days were lost in 2019 as a result of work-related ill health and non-fatal injuries. Even if we drastically undervalue each working day at 1 penny, this equates to £282,000 in lost revenue.

Health & safety is in everyone’s remit. While employers have a duty and responsibility to provide a safe working environment, all employees are responsible for maintaining it. Remember, your greatest defence when it comes to health & safety is vigilance, foresight and prevention.

The following blog will take you through everything you need to know about health & safety in the workplace, including relevant documentation, employers’ & employees’ responsibilities and ways you can help to keep your workplace safe.

The Health & Safety at Work Act (1974)

The Health & Safety at Work Act (1974) sets out wide-ranging duties for employers and workers to create a safe working environment.

In short, everyone has the right to feel safe at work and employers are required to protect the health, safety and welfare of all employees and people on their premises.

For a more detailed reference, the Health & Safety Executive website contains the full version and a condensed overview of the Health and Safety at Work Act (1974).

Employers’ responsibilities

Employers are responsible for ensuring the health, safety and welfare of employees and others on the premises. This includes:

  • A safe place and system of work.
  • Safe equipment and machinery.
  • Safe and competent colleagues (employers are also responsible for the actions of their employees and managers).
  • Carrying out risk assessments and taking steps to control or eliminate risks.
  • Appointing a competent person responsible for health & safety.
  • Informing workers about all potential risks of the work process.

Essential Health & Safety Documents

There are two key documents to consider when it comes to Health & Safety:

Risk Assessment Form

Risks are part of everyday life. Something as simple as crossing the road could have disastrous consequences, but that doesn’t mean we don’t do it. We accept risks and minimise them by, in this case, looking both ways and using crossings where possible. Health & safety risks are no different.

Using risk assessment forms, you can identify, mitigate, minimise and nullify these risks to keep your workplace as safe as possible.

Accident Report Form

Your organisation needs to document accidents for various reasons.

Firstly, to highlight the cause of the accident, which can then be assessed using a risk assessment form, and secondly, the severity and nature of injury must be noted for legal reasons.

Top Tips

Over the last 12 years, Bob’s Business has helped organisations of all shapes and sizes secure their information and keep their workplaces safe. Below is a selection of our dos and don’ts for health & safety in the workplace.

Do…

  • Comply with guidelines in the Health & Safety at Work Act (1974).
  • Stay vigilant and report any potential hazards.
  • Complete risk assessments to identify and reduce risks.
  • Record all accidents on accident report forms.

Don’t…

  • Ignore health & safety hazards.
  • Tamper with health & safety procedures.

Ready to learn more? Our Health & Safety course forms part of our comprehensive cybersecurity awareness course catalogue, touching on everything from H&S to GDPR compliance, cyber security and more. Click here to learn more.