How experiential learning can strengthen your cybersecurity

As the risk of cyberattacks continues to grow for businesses, reaching record levels in 2020, it has never been more important to ensure that your teams stay informed about new cyber threats, as well as emerging technology and other tools that are able to enhance cybersecurity and combat online threats.

Developing employee cyber awareness is one of the most effective ways to protect your company from cyberattacks, as in 90% of successful breaches, it is employees who are targeted first.

At Bob’s Business, we believe in creating training solutions that your team actually want to take, and that means using innovative training theories. Join us as we explain.

How learning theories can be utilised in digital training

It is easy to see why it is important to invest money and time into cyber awareness, but as a business, you also need to see optimal results in return for that investment.

That means finding and investing in the most effective training solutions, designed to boost employee cyber awareness.

As we discussed in our last blog, experiential learning is a theory introduced by David Kolb in the 1970s. In short, it’s the theory of learning by doing.

By applying experiential learning theory to our narrative-driven digital training solutions, Bob’s Business can boost cyber awareness within your organisation to levels that traditional training methods cannot achieve.

But why do we do it? It’s simple: research suggests that the knowledge retention rate of experiential learning can be as high as 90% – far higher than traditional training seminars, books or videos, for example.

So far, we’ve incorporated narrative-driven animations, gamified learning, quizzes and phishing simulations into our training, but now we’re ready to introduce a new type of experiential training experience: remote escape rooms.

Introducing remote escape rooms from Bob’s Business

Escape rooms have grown to become an established entertainment product, but their use in training has largely been ignored – until now.

Hack the Hacker is the first remote cybersecurity escape room, built to teach groups of up to ten at a time vital cybersecurity habits by having them explore the room together, solving clues and cracking the code at the heart of the mystery.

With workers now often spread out across the country, we’ve built Hack the Hacker to work for every organisation. The escape room connects your team via Zoom, where they guide a single avatar around the room by giving it instructions, so everyone can take part from home.

We’ve always battled against notoriously boring traditional cybersecurity training. Now with Hack the Hacker, our remote escape room, we’re bringing cybersecurity to life in an innovative and enjoyable way, one which bonds teams and builds knowledge.

Curious? Find out more about our virtual escape room and how this approach is a game-changing development for cybersecurity training.

What is experiential learning?

Everyone knows that investing in employee learning and development delivers countless valuable benefits to businesses, but what many forget is that in order to optimise the outputs from learning and development strategies, businesses need to deploy varied learning experiences.

Learning theories have been researched for centuries, and David A. Kolb’s Experiential Learning Theory is one that has received significant acclaim and has been implemented to great effect in a wide range of learning environments.

But what is it, how can it help your employees working from home and how does it work?

What is experiential learning?

Experiential learning is based around a four-step cycle:

  • Experience
  • Reflect
  • Think
  • Act

At its core, experiential learning is learning by doing.

The learning process starts with the person experiencing something, such as doing a task. They then have time to reflect on that experience, drawing out what they have learned from it. In the thinking step, they turn those reflections into ideas about what to do differently. Finally, the person decides to act, trying out what they have learned.

The beauty of experiential learning is that all of us are already doing it, each and every day. As such, we often don’t realise we are learning this way, as it feels like a natural process that requires no conscious decision.

By taking the concept of experiential learning into the often artificial world of workplace training, we can help embed lessons effectively in both short- and long-term memory.

How can home workers enjoy experiential training?

Due to the pandemic and the government’s work from home advice, many businesses are still operating with employees working from home, either part or full time.

Even with many workplaces reverting to pre-pandemic working arrangements, there are still a large number of companies that allow employees to work from home, and this is expected to remain the case in the near future.

It’s a shift that has brought a good number of benefits for businesses: it is safer from a health point of view, requires less office space and allows employees more flexible working hours.

However, one of the drawbacks of having a workforce working from home is that it limits some of the learning opportunities that would be available in the workplace. For example, learning from other members of the team is restricted, as they are not physically working together.

This limits the potential of experiential learning, so how can your home-working teams get involved?

Experiential learning through digital solutions

There are lots of digital technology solutions that have been developed around the experiential learning approach, including training activities that we at Bob’s Business utilise, like our phishing simulations and interactive courses.

Playing games that test skills and knowledge is another way that experiential learning is applied in digital training solutions.

At Bob’s Business, we put our focus on innovative digital training that combines cutting-edge technology with effective learning methodologies to ensure employees develop and thrive, to help businesses succeed in today’s challenging markets.

For a sneak peek at where we’re taking our innovative experiential training next, check out our blog on how experiential learning can help strengthen your cybersecurity.

What do hackers use your data for?

You’re probably already aware that hacking is becoming a bigger and bigger problem for organisations of all sizes, despite the sophisticated cybersecurity software that is often pushed forward as a ‘cure’.

2020 was a record-breaking year for hacking attempts against UK firms, owing largely to the fact that with many of us working from home, our personal security levels have slipped.

The fallout from a successful hack can be extensive, including reputational damage, fines and loss of customer trust. But what do hackers get out of the deal?

Here are some of the things that hackers use stolen personal information for:

Identity theft

Criminals often illegally access data so that they can steal someone’s identity for financial gain. For example, they can use personal information to apply for loans and credit cards in the victim’s name. In some cases, identity thieves can purchase goods using financial details.

When hacking organisations, a criminal may steal the identity of a trusted senior team leader to encourage more junior staff to hand over crucial data.

Selling on to other criminals

It is quite common for cybercriminals to sell data to other criminals on the dark web. The buyer will then use the data for identity theft and other crimes. Hackers sell individual pieces of personal data, sometimes from a price list with a set price for each type of information, such as credit and debit card details.

Account takeover

Hackers can use data to take over accounts such as shopping accounts. They will usually change your password so that you cannot log in, and you might not notice immediately that your account has been taken over.

In targeted phishing attacks

By using personal information in the email, cybercriminals can make phishing attacks seem more authentic and trick victims into thinking that the email is genuine. In these cases, a breach is often just the start of a longer-term series of attacks.

To cause reputational damage

Another way that hackers can use stolen data is to cause embarrassment and reputational damage to companies. Hackers may try to blackmail people, threatening to leak data that would cause harm to the company.

How do you protect your company from hackers?

If your company stores personal information about customers or employees, then it is important that appropriate security measures are in place as per the data protection regulations.

Having the most up-to-date software installed on your company’s computers is one of the most effective ways to protect data, as well as deploying a number of other security solutions such as firewalls and making sure your website incorporates the highest level of security protection.

However, even with the most expensive security systems in place, your company may still be vulnerable to hackers when they target employees through phishing emails and other scams. This is because 90% of breaches start with simple human error.

Therefore, the best method of boosting data security in your organisation is to regularly educate and train employees, so that they know what a scam looks like and what to do if they receive one.

Bob’s Business designs effective online training solutions to empower employees to protect their company by increasing their cyber security awareness, using award-winning techniques like our innovative courses and phishing simulations.

To ensure that your company is as well protected as possible, see how our training courses and simulations will boost your online security.

Why your business needs to build a security culture

When it comes to strengthening security within your business, there are plenty of options available.

Be it installing security software as a way of protecting your systems or appointing a team or individual to monitor and manage security, there are many important practices you can put in place to help protect your business.

However, these solutions alone are not enough to provide a comprehensive level of security. Why? Because studies have found that 90% of breaches occur due to human error, with employees accidentally leaving their employers vulnerable to cyber attacks.

That’s why, alongside investing in powerful security technology, you should also invest in building a positive security culture, where employees are an integral part of your security strategy.

But what is a security culture, we hear you ask. The simple answer is that when we talk about a culture, we are talking about the attitudes and behaviours of employees.

A positive culture is one where all employees work together and take responsibility for protecting the business by displaying cyber security awareness and taking the right actions.

So, how can you build one within your organisation? Read on.

How to develop a positive security culture

These are some effective ways to start building a security culture in your workplace:

Make security awareness an ongoing priority

Some businesses make the mistake of pushing security awareness at certain points, but leave it off the agenda for the rest of the year. Needless to say, that’s a shortcut to failure. Security awareness needs to be a constant priority within the business, and employees need to know it is important all year round, not just when they complete an annual security awareness course.

Quite simply, secure thoughts and behaviours can only build if regular communications and training are in place, rather than just annual activities.

Outline the desired behaviours

For employees to develop the desired behaviours, they need to have a clear understanding of what the expected behaviours are.

For example, having visual reminders with memorable statements such as “think before you click” helps to embed the importance of thinking before clicking a link in an email, on a website or otherwise.

Lead by example

For any type of culture to be fully adopted, employees need to see the leadership team displaying the expected behaviours. Managers should lead by example with regard to good security practices. This should be evident in meetings, as well as in general day-to-day actions and conversations, to show employees that leaders are as committed to protecting the company as they are.

Incentivise good security practice

Another way to encourage employees to think about security more and to motivate them to display the required behaviours is to recognise and reward good security behaviour. For example, someone who reports a phishing attack could receive a small reward, which will inspire other employees to replicate the behaviour, so they can be rewarded too.

Developing a security culture does not happen overnight; it requires time and commitment. It involves leaders getting on board, as well as being incorporated into the internal communications strategy. Most importantly, having the right type of cyber awareness training solution is key.

Bob’s Business provides award-winning phishing simulations that can be used all year round to ensure that employees stay up to date on the latest cyber scams. Find out more about the cyber awareness training solutions we offer.

What to do if you click a phishing link

With phishing emails making up 1% of emails sent, an astonishing 3.4 billion hit our inboxes a day. Naturally then, it’s only a matter of time before somebody in your team accidentally clicks a link.

Clicking on a link in a phishing email can leave a business vulnerable to data loss, so it is crucial that you and everyone in your organisation understand the right steps to take in the event of accidentally responding to a phishing email.

Phishing emails can be sent to anyone at an organisation, and even people like fraud managers or IT security employees can fall victim to a cyberattack. Companies should have a cyber security policy and awareness training programme in place that will help employees to take the correct actions.

These are the steps that need to be taken after clicking a phishing link:

1) Report the incident

Your first step should always be to report the incident to your relevant internal team.

By immediately reporting the incident to the relevant team, such as the IT security incident team or service desk, action can be taken to prevent other people in the organisation from doing the same thing.

It’s important to note, however, that employees might be embarrassed that they have been tricked by a scam and be hesitant about reporting the incident. This is why it’s so important that your organisation provides training and awareness that encourages employees to report security incidents without fear that they will be in trouble.

2) Change login passwords

One of the ways that data is compromised through phishing attacks is by tricking people into providing their login credentials, so it is vital that your passwords are changed as soon as possible after a phishing attack.

In many cases, a victim will use the same password for numerous accounts, which can cause a chain reaction of breaches across their accounts. As such, you will need to update all of your passwords as soon as possible.

Passwords should be difficult to guess and training should be provided to ensure that employees know how to set difficult passwords.

3) Investigate the attack

Once a phishing attack has been reported, the relevant team should conduct a thorough investigation into the circumstances. Endpoint analysis will help to identify if any malicious software has been introduced onto the PC or network.

The investigation should help to decide whether there is a specific security process or system weakness that requires strengthening.

4) Inform regulators and law enforcement

Organisations must comply with the rules of their regulatory authorities, such as reporting a phishing incident within a specific amount of time. It may also be necessary to inform the police so that criminal investigations can be completed.

5) Improve security and raise awareness

Mistakes can be incredibly valuable.

Once the phishing attack investigation has taken place, your organisation should use the information to make its security structure more robust. It can also make arrangements to deliver more comprehensive cyber security training that will help to prevent employees from responding to a phishing email in future.

Bob’s Business offers a range of online training solutions with industry-leading techniques and methodologies to raise cyber security awareness.

Find out more about how we can help protect your business from phishing scams.

Health, safety and wellbeing when working from home

With more of us than ever working from home as a consequence of the COVID-19 pandemic, we’ve all had to adapt to support this new working environment.

As well as ensuring that the right technology is available to our teams, including digital security solutions, employee health, safety and wellbeing should always be among the highest priorities for any organisation.

The difficulty for organisations unaccustomed to teams working from home is that, when working in an office or other type of dedicated workspace, health and safety policies are fairly straightforward to put into place and monitor. The same is true of supporting employees’ wellbeing. But when they’re working at home? That can be difficult.

Nevertheless, employers have responsibilities to protect their employees, and employees also have responsibilities to keep themselves protected – even when our homes become our offices.

These are some of the key responsibilities that all of us need to keep in mind:

Risk assessments

Under the law, employers have a responsibility to assess any risks in an employee’s working environment. Where this is not possible, for example, during the pandemic, the employer should ask the employee to conduct a self-assessment of their workspace and equipment.

The set-up of display screen equipment is important, as a poor set-up for working with a laptop or PC can cause postural problems and permanent injury. There is a checklist that can be used to make sure that everything is set up correctly, such as having a comfortable seat that provides support and making sure the screen is in the right position to prevent stooping over or straining your eyes.

Health and safety

Employees also have a responsibility to take care of their own health and safety when working from home. However, without proper guidance it’s unfair to expect them to develop safety protocols on their own.

They should therefore keep in regular contact with their manager and inform them of any concerns, such as health and safety risks that they face within their home.

Wellbeing

The changeover to working from home can have a negative impact on employee wellbeing, as they are now spending more time on their own, without having their team close by to get support from. Indeed, 67% of British people said they feel less connected to their colleagues as a result of working from home.

People living on their own might be particularly affected by the lack of interaction with work colleagues, so managers should check in with people to see how they are feeling. A simple, earnest conversation about their mental and physical health can make all the difference.

People working from home may also find it more difficult to switch off from work, as they are now combining their workplace with home space. It becomes more difficult to stop thinking about work, compared to when you work in a separate building and leave it for the day.

All of these factors can have a detrimental effect on people’s wellbeing and must be considered when supporting employees who work from home.

At Bob’s Business, we offer more than just cybersecurity awareness training. Our online training courses also cover all of the essentials in terms of health, safety and wellbeing. These engaging courses are ideal for employees who are working from home and for managers of home-based teams.

View our full course list here, and check out our pricing and product comparisons here.

The psychology of human error

To err is human, but some mistakes can have major consequences for yourself and your organisation.

There are lots of different reasons why a person might make an error in the workplace, such as tiredness, being distracted by other tasks, or in some situations, due to lack of knowledge.

Independent studies have revealed that 88% of data breaches are due to human error. As such, reducing human error is an area of vital importance for every company.

A simple error can end up costing a company a significant amount of money in fines and compensation, as well as potentially irreparable damage to the company reputation.

To better understand the reasons behind the errors, we looked at a report by Professor Jeff Hancock of Stanford University. The study identified that almost half of employees surveyed believed they had made a mistake at work that led to security repercussions.

Here’s what it found:

Younger employees more likely to admit to errors

The report revealed that younger employees were 5x more likely to admit to errors that compromised security.

The report found 50% of 18-30-year-olds admitted to mistakes, while just 10% of over 50s owned up to making mistakes. Professor Hancock’s view on these figures is that younger people are more likely to admit to mistakes, rather than this being representative of which age groups are making the most mistakes.

He stressed that a positive reporting culture is especially important for older generations, to reduce the shame of admitting to mistakes. That shame is a high risk for companies, as people who admit to errors are more likely to learn from them.

Men click phishing emails with greater regularity

Another very interesting insight was that 25% of employees in the studies had clicked on a phishing scam link, with men more likely (34%) to click a link than women (17%).

The report found that older employees claimed to be the least susceptible to phishing scams but that they actually had less knowledge of what a phishing scam was.

Tech companies are at increased risk of phishing

When looking at which companies were most likely to click on phishing email scams, fast-paced tech companies were the most fallible. While this might surprise some people due to this sector being the most tech-savvy, one plausible reason for this is that tech employees are usually expected to work at a fast pace, answering emails as quickly as possible.

This pace of working, rather than knowledge or age, is more likely to be the key reason for this sector being the worst for falling for scams. Instead of carefully reading through emails and having time to consider the best course of action, employees often felt pressure to quickly deal with enquiries, without giving adequate consideration to potential risks.

Tailored training is vital

Professor Hancock’s strong recommendation, based on his findings, is to tailor training to reduce human risk across organisations.

Our flagship training programme, Bob’s Culture, tailors not only the course rollout for each organisation, built specifically around the personalities and thought processes of the people in your organisation, but also the phishing training delivered.

The key is our unique Human Vulnerability Assessment, an anonymised questionnaire answered by your whole organisation which ensures the training you complete is relevant and necessary to reduce your risk of breaches.

Want to find out more about Bob’s Culture? Click here.

Why every cybersecurity incident should be reported

The fight against cybercrime is a constant challenge, and even businesses that invest a large budget into security software and in-house cybersecurity teams aren’t immune to cyber attacks.

There are lots of different ways that criminals try to penetrate companies’ systems, although by far the most common is through your teams.

Fully 90% of breaches start with human error, so making sure that employees know what to do when they receive a phishing email or face another type of attack is vital in preventing future attacks.

Here is why it is essential that employees report a cybersecurity incident when it occurs:

  • You can react appropriately. The first and most important aspect of reporting is that it gives your internal security team notice that they need to spring into action to prevent data loss or system compromise.
  • You can build training around the incident. You can use the incident as an example in training content to make it more relevant to your company compared to a generic example that some training providers use. Do ensure that the example is anonymised though, as highlighting a mistake makes people more likely to hide incidents in the future.
  • You can collect data about incidents to look for patterns. Sometimes minor incidents can point towards a bigger issue that needs addressing, so employees should be encouraged to report every single incident, not just the major ones.
  • You can communicate the incident to other employees. With the incident communicated, you can share it with your teams so they are aware of the type of scam and do not fall for it.

Importance of reporting incidents

In some instances, people might be afraid to report incidents, as they might feel embarrassed if they did something wrong like click on a link in an email. This is why it is important to communicate to the workforce how important incident reporting is and that the process exists to protect the business, not to identify employee errors.

Making reporting a non-punitive exercise and, in fact, rewarding employees who do report incidents is a vital part of building a positive cybersecurity culture.

How to report incidents

Every business should have its own process for reporting incidents, such as to a fraud team, or to IT security, for example.

The process should be clear to employees: if you have a company intranet site, publish your IT security policy and incident reporting process on it so people can easily find them.

Types of incidents that need to be reported

It is also a good idea to list all of the types of incidents that need to be reported. Some of the possible incidents include:

  • Phishing emails.
  • An attack on a website.
  • Improper usage by an employee (including accessing dangerous sites).
  • Scareware pushing fake antivirus software.
  • Ad-based malware.

These are just a few examples; hackers use many more techniques and methods, and errors or unusual behaviour by internal employees should be reported too.

To ensure that your employees understand what to look out for and what course of action to take, our Incident Reporting course is the perfect solution. Book a demo today to discover how you can get access to our Incident Reporting course for your team and full access to our 55+ strong catalogue of cybersecurity and compliance courses.

Why your business’ cybersecurity training strategy isn’t working

Having a strong cybersecurity strategy is more important than ever for businesses, with hacking attempts and other online scams growing in frequency.

In a world where technological solutions are considered first, you might well be surprised to hear that 90% of cybersecurity breaches happen due to simple human error. That’s why every good cybersecurity strategy places employee training at its core.

Fortunately, the number of companies considering the human angle in their cybersecurity strategy is growing.

Unfortunately, many of those strategies fail. Sound like you?

Join us as we share some of the common reasons why training strategies fail:

Your training is reactive, not proactive

Many businesses make the mistake of providing training only when they “need” to.

Whether it’s the sudden realisation that you need to achieve compliance or the discovery that you’ve been breached, many training programmes are embarked upon reactively, rather than proactively.

Having a more proactive approach to training will help to pre-empt issues and give employees the necessary knowledge before a problem arises that leads to a data breach.

Over-valuing certifications

A common mistake is taking certifications as proof of an employee’s skills. Certifications are proof of knowledge in a specific subject but may not reflect their skills.

So, an employee might be able to answer a set of questions related to cybersecurity but having the skills to take the best actions to protect your business is another story. If you want your employees to have good cybersecurity skills, they need a training course that develops these skills, not training that is a tick-box exercise.

Opting for a one-size-fits-all approach

If your cybersecurity training isn’t tailored to your organisation, this could be severely limiting the effectiveness of your training.

We all have differing levels of knowledge, different biases and, of course, unique personalities – all of which determine your relative risk from various forms of attack.

Training that is tailored to the specific individual’s learning needs, such as Bob’s Culture, is more likely to be effective, and therefore your employees will be in a better position to take the most suitable cybersecurity actions.

Bob’s Culture includes our unique Human Vulnerability Assessment, which involves completing a Phishing Baseline and Awareness Questionnaire to build a customised training rollout. This approach identifies potential blind spots and skills gaps that could leave your business vulnerable to a cyberattack, delivering training that’s relevant to your team and your organisation.

Not all employees will react to threats such as phishing emails in the same way. For example, one employee might be more optimistic than their more cautious peers, which could lead to them clicking a link that allows hackers to access your systems.

By tailoring training content around the individual, you give each employee the skills and knowledge to take the best course of action when faced with a potential cyberattack.

How to improve cybersecurity knowledge in the workplace

Cyberattacks have become a constant problem for businesses of all sizes. Hackers cast their net far and wide, targeting all types of businesses as they look for weaknesses that they can expose and profit from.

Even small businesses are at risk because hackers often believe that they will have less sophisticated security systems in place and will therefore be an easier target.

As such, every organisation needs to be very vigilant about the threat of cyberattacks and have the right systems and other security measures in place to protect their business. But how do you improve cybersecurity knowledge in your workplace?

Training. Why? Because 90% of breaches occur as a result of human error.

That’s why employee cyber awareness training and ongoing education are crucial to keeping businesses protected from the growing number of cyberattack threats.

The key areas that employees should be educated on are:

Data protection

Employees need to know how they can protect data and prevent data breaches. This involves a wide range of actions such as choosing strong passwords and not giving out data to unsolicited emails, calls, texts or any other channels.

The danger of links and popups

Pop-ups and links within emails and text messages are a big danger and employees often fall for scams that put data at risk. Employees need to learn how to identify the risks and report them using the correct process.

Using secure Wi-Fi

With an increasing number of people working from home, or at other places away from the workplace, there are more opportunities for hackers, as some employees will access company systems using Wi-Fi with weak security. Having a firewall for the company network offers some protection for businesses, but employees working from home who access systems that store data also need a firewall for protection.

Keeping security software up to date

When system updates become available, it is important to install them as soon as possible, as this helps to keep systems secure. Anti-virus and anti-malware protection receive regular updates to enable them to protect against new cyber threats.

What to do if there is a data breach

If your business has a data breach, there are a number of consequences that could cause significant problems for your company. Firstly, the financial impact of a data breach can be severe. Under GDPR you can be fined up to 4% of annual global turnover (or €20 million – whichever is greater). On top of this, you may need to pay compensation to the people affected by the data breach.

You might also have significant legal fees to pay, so it can be financially crippling to many businesses. The other problem is the reputational damage caused by a breach and the loss of trust from customers. This can cause you to lose existing customers and will also put potential customers off using your business due to the bad publicity surrounding the data breach.

Even if you completely overhaul your security measures, it takes a long time to rebuild trust and improve your business reputation.

All of which is to say that effectively training your team to act appropriately and promptly at the first signs of a data breach is utterly essential.

How to prevent a data breach

Making sure that your employees stay up to date with the cybersecurity measures they need to take is vital in preventing a data breach.

Across three products, Bob’s Business offers comprehensive online training packages covering all aspects of data protection and many other critical compliance subjects. With over 55 courses covering cybersecurity awareness and compliance topics, as well as award-winning simulated phishing training, we make reducing your risk of breach simple.

Find out more about Bob’s Business products here.