ISO 14001: Everything You Need to Know

ISO 14001 is an international standard that provides guidance on implementing and managing an Environmental Management System (EMS). It is effective for organisations of all shapes and sizes, from start-ups to corporate giants.

If you want to help lower your carbon emissions, you’re going to need to change a few things at work. That doesn’t mean walking miles to work every day and never turning the lights on, just a few simple compromises that will gradually lower the emissions you produce.

The following blog will take you through why ISO 14001 is so important, the advantages to compliance and how to comply.

Environmental Concerns

Concerns around climate and environmental change have never been as prevalent in society as they are today, with more and more people coming to understand their role in a greener society.

As much as there is we can do as individuals though, making your organisation as green as possible is one of the best ways to improve both your carbon footprint and public perception. Not only that, but going green will actually cut costs for your organisation in certain areas, such as energy.

Worryingly, in spite of the Government’s plan to reduce the UK’s carbon emissions to net-zero by 2050, over a third of businesses have no plan in place.

Benefits of Going Greener

Reducing your carbon emissions can have a number of benefits for your organisation, including:

Reduced Waste, Energy and Costs

Cutting costs without cutting services or functionality is always welcome. You can improve your organisation’s bottom line by saving energy wherever possible. This could be something as small as opening windows rather than running the air-conditioning.

Compliance and Legislation

Demonstrable compliance with ISO 14001 can be instrumental in winning business opportunities or large contracts, where active environmental compliance is often a requirement of the tender.

Increased Stakeholder and Customer Trust

Reducing your carbon emissions could give your organisation a competitive advantage by improving your public image and impressing your organisation’s stakeholders.

How to Reduce your Organisation’s Carbon Emissions

You take your first steps towards a greener organisation with the smallest changes. In fact, you may already do some of these things.

  • Where possible, produce double-sided prints in greyscale to reduce paper waste and coloured ink use.
  • If you’re holding a meeting that requires many people to travel, consider using video-conferencing instead to reduce carbon emissions.
  • Reduce your energy expenditure by opening windows rather than using air-conditioning.
  • Chat to your colleagues and see if you live in similar areas. If so, consider car-sharing to split the carbon footprint of the journey between you.
  • Assuming you live within a reasonable distance of your workplace, you could try walking or even cycling to work, both of which will cut your carbon emissions whilst also improving your health and wellbeing.
  • Another way of improving your health and your organisation’s carbon footprint is to take the stairs instead of elevators, especially if you’re only going up one or two floors.
  • While paper may grow on trees, remember to recycle it correctly using the appropriate bin. This will reduce your wastage and help sustain the environment.

Ready to learn more? Our ISO 14001 course is part of our full course catalogue, addressing key issues like your organisation’s cyber security, ISO and GDPR compliance and much, much more. Click here to learn more.

Download our Free ‘Home Working’ Module Now

“How are you doing?”

It’s a question we’re asking our staff a lot these days. Whether it’s their physical and mental wellbeing, or the safety and security of their home working environment, there’s plenty to consider in these turbulent times.

That’s why we’ve built a new interactive eLearning course called Home Working, and why we’re giving it away for free. It’s our way of helping organisations and individuals get to grips with difficult times.

But what can you expect to learn from our free module?

  • How to secure your home network and protect your organisation’s information
  • How to maintain your mental and physical wellbeing
  • How to stay productive when working from home

We think it’s the perfect tonic for Coronavirus disinformation, anxiety, and the sharp rise in scams and cyber attacks prompted by COVID-19.

Getting started couldn’t be easier: just click here and fill in a short web form, and we’ll deliver your course as a link you can distribute to your workforce. For more information, email info@bobsbusiness.co.uk.

Social Web Call Software: A Blessing or a Curse?

The COVID-19 lockdown has completely changed day-to-day life in the UK; we can’t go out, visit family or travel for any unnecessary means.

We humans are innately social animals, which has posed a question for many – how can I see my friends, or speak to my family? Well, the answer has been around for a while, though it has not been very popular until recently.

What is Social Web Calling?

Web call software is nothing new. Organisations have used video conferencing as a way of conducting meetings across long distances for decades, but it never really made the leap into everyday life. After all, if you wanted to see your friends, you could just go and see them, right?

Today, with the rise of social distancing, many of us are taking to social web call software such as Zoom and apps like House Party to stay in touch with our loved ones, chatting, drinking, laughing and, in some cases, quizzing.

These apps allow us to connect with friends and family in group video calls to recreate the social interactions we’re sincerely missing.

Interestingly, video conferencing really doesn’t work if everyone shouts over each other, so you might find yourself having the most civil conversations you’ve ever had with your friends!

Unsecure Interactions

As with any form of social media, there is a dark side to web conferencing software. For example, calls on these apps are often open to anyone who has the meeting link or ID, potentially exposing vulnerable adults and children to malicious individuals, which is something parents should be particularly wary of.

On top of this, the security surrounding these apps is lax to say the least. Just this week, Prime Minister Boris Johnson shared a screenshot of a cabinet meeting taking place over a Zoom video conference.

Number 10 was quickly criticised, firstly for posting the meeting ID for the call (which was, fortunately, password protected) and secondly for using Zoom, an app that has previously found itself in the information security firing line.

Zoom advertised end-to-end encryption as a key feature, but has recently been forced to admit that this is not the case: calls are encrypted only between each participant and Zoom’s servers, so Zoom itself can access the content of a meeting. Users’ conversations are therefore not as secure as they were led to believe, which makes Number 10’s use of Zoom all the more worrying.

How to Practise Secure Social Web Calling

Video conferencing products often do not prioritise security, or make it an optional feature. True end-to-end encryption means only the participants’ devices can decrypt the stream, which rules out server-side features such as cloud recording and can reduce video quality on weaker connections, so many vendors leave it switched off by default.

Below are a set of top tips that will ensure your video conferencing remains safe and secure:

  • Use a video conferencing system that is end-to-end encrypted, so that only the participants on the call have the ability to access it and it cannot be made available to third parties.
  • Do not presume that your video conferencing system has encryption enabled. Check the settings to confirm that it has been turned on.
  • Use software that supports single sign-on (SSO), so that you authenticate through your organisation’s identity provider rather than with a separate password that can be stolen or reused.
  • Check your environment to ensure that your video stream does not contain sensitive information.

Is your workforce struggling to adapt to the new working environment? With cyber security attacks at alarmingly high levels, now isn’t the time to drop your guard. Discover how our innovative and engaging cyber security awareness courses are ideal for your organisation today, book a web demonstration or get in touch to find out more.

COVID-19 and the Mobile Working Migration

Home is where the heart is, or at least that’s how the saying goes. However, when it comes to information security, home isn’t as safe an environment as you might think. Attackers increasingly target home networks because their security measures are rarely as thorough as an organisation’s.

IT departments across the country have been put under unprecedented pressure due to the COVID-19 (Coronavirus) outbreak. Suddenly, organisations are relying on staff working from home in order to continue operating, and many were not prepared for it. This means, in the eyes of cybercriminals, it’s open season.

Ask yourself: Is my network as secure as it could be? If a hacker targeted me, have I done everything I can to protect my own and my organisation’s data? If the answer to both these questions is not a resounding ‘YES’, then you might find this blog on security when working from home useful.

For even more hints and tips – including information for organisations using Office365 – click here to read a piece we produced for our partner Data2Vault!

Phishing At Home

Phishing is the chief cause of data breaches, with some estimates putting it behind over 90% of them. While this is still a huge concern for those within an office, home workers tend to have their guard down and are more susceptible.

To make matters worse, scammers are using the Coronavirus panic as a way of making potential victims click, posing as bodies like the Government and the World Health Organisation (WHO). We have already written about some of these new scams in a blog, which you can view here.

However, if you want a quick read, here are our top tips for how to avoid being phished at home:

  • Be wary of emails that contain links, imply a sense of urgency or ask for login details.
  • Double-check emails for spelling and grammar errors, as these can be a sign of a phishing attack.
  • Hover your cursor over any links you’re unsure of to check their actual destination.
  • Never give out personal or login details online unless you initiated the contact and have verified who you are dealing with.
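As an added example (not part of the original post), the following Python script applies the tips above to an HTML email: it extracts each link’s visible text and real destination (the “hover over the link” check), flags links whose text shows one domain while the href points to another, flags unencrypted http links and raw IP addresses, and scans the body for urgency phrases. The sample message and the URGENCY_WORDS list are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing email).
SAMPLE_HTML = """
<p>Your account has been suspended. Verify within 24 hours to avoid closure.</p>
<p><a href="http://gov-uk.verify-login.example/account">https://www.gov.uk/verify</a></p>
<p><a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019">WHO guidance</a></p>
"""

# Phrases that create the sense of urgency phishers rely on (constructed list; extend as needed).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "24 hours", "verify now", "act now")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels): fine for a heuristic, not for policy decisions."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the warnings for one link; an empty list means nothing suspicious was found."""
    warnings = []
    href_host = urlparse(href).hostname or ""
    # The 'hover over the link' check: visible text that is itself a URL must match the real target.
    if re.match(r"https?://", text):
        text_host = urlparse(text).hostname or ""
        if registered_domain(text_host) != registered_domain(href_host):
            warnings.append(f"text shows {text_host} but link goes to {href_host}")
    if urlparse(href).scheme == "http":
        warnings.append(f"unencrypted http link to {href_host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
        warnings.append(f"link uses a raw IP address {href_host}")
    return warnings


def analyse_email(html):
    """Apply the link and urgency checks to an HTML body and return the findings."""
    parser = LinkExtractor()
    parser.feed(html)
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return {
        "urgency": [w for w in URGENCY_WORDS if w in plain],
        "link_warnings": [w for href, text in parser.links for w in check_link(href, text)],
    }


if __name__ == "__main__":
    result = analyse_email(SAMPLE_HTML)
    for phrase in result["urgency"]:
        print(f"urgency phrase: {phrase!r}")
    for warning in result["link_warnings"]:
        print(f"suspicious link: {warning}")
```

On the constructed sample this reports two urgency phrases and two suspicious-link warnings for the first link (text/destination mismatch and plain http), and nothing for the genuine WHO link. The domain comparison is deliberately crude (last two labels), so treat it as a prompt to look closer, not as a verdict.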

Covid-19 Ransomware

Phishing attacks on their own pose a significant threat to your personal and organisational security, but when they lead to ransomware attacks, the damage can be catastrophic to an organisation.

Ransomware encrypts the data on your device or system and demands payment for the key to unlock it; some variants also threaten to delete or publish the files if the ransom is not paid. With data being the most valuable asset of any organisation, it’s virtually impossible to quantify the damage that losing access to it can cause.

Worse still, coronavirus has birthed a new host of ransomware attacks. Just last week, healthcare workers were attacked with ransomware which used coronavirus as bait.

While we’d strongly recommend following our anti-phishing tips to reduce the chance of falling victim to ransomware, there are also steps you should take now so that your data survives if it is encrypted by ransomware:

  • Run ethical phishing tests on your organisation and target eLearning at staff who fail to spot their nature, to raise awareness
  • If remote users are set up to store their files and data on your organisation’s servers, protect that data with regular backups with cyber scanning and Attack Loop prevention.
  • If your remote users are storing their data on their local systems, then set up endpoint malware scanning and detection.

Secure Mobile Working

With current Coronavirus measures forcing so many employees to work from home, and 48% of phishing attacks taking place on mobile devices, it really is like shooting phish in a barrel for cybercriminals.

More than 57% of all internet traffic comes from mobile devices, so it’s no surprise that attackers have turned their focus to mobile employees, especially when you consider that users are 3x more vulnerable to phishing on mobile devices than on desktops.

If you are self-isolating and/or working from home, then remember to:

  • Secure your home network: change your router’s default admin password and wi-fi password, use WPA2 or WPA3 encryption, keep the router’s firmware up to date and keep your antivirus software updated. Strong passwords use a collection of random but memorable words interwoven with numbers, capitals and special characters, amounting to more than 8 characters (longer is better), e.g. Pile4Loose2Twix
  • Regularly update your privacy tools, add-ons for browsers and check your patch levels.
  • Backup your data so that, in the worst-case scenario of staff falling foul of ransomware, all is not lost.
  • Make sure you are using a secure connection. If your organisation’s policies permit its use, consider using a Virtual Private Network (VPN) to connect your PC to your workplace network.
  • Check that disk encryption (such as BitLocker on Windows or FileVault on macOS) is enabled on your device, so that a lost or stolen laptop does not become a data breach.
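As an added example (not part of the original post), the Python below generates passwords in the ‘Pile4Loose2Twix’ style recommended above using the `secrets` module (a cryptographically secure generator, unlike `random`) and works out how much entropy that format actually gives compared with a uniformly random 8-character string. DEMO_WORDS is a constructed stand-in for a real wordlist and is far too small for real use; the 7,776-word figure is the size of a standard diceware list.

```python
import math
import re
import secrets

# Constructed demo wordlist (assumption for this example). A real deployment would load a
# large list such as a 7,776-word diceware list; 16 words gives only 4 bits per word.
DEMO_WORDS = ["pile", "loose", "twix", "river", "candle", "orbit", "marble", "falcon",
              "velvet", "saddle", "tundra", "pepper", "cobalt", "lantern", "meadow", "quartz"]


def make_passphrase(n_words, wordlist=DEMO_WORDS, digits_between=True):
    """Build a 'Word4Word2Word' passphrase; secrets.choice gives unpredictable picks."""
    parts = []
    for i in range(n_words):
        parts.append(secrets.choice(wordlist).capitalize())
        if digits_between and i < n_words - 1:
            parts.append(str(secrets.randbelow(10)))
    return "".join(parts)


def entropy_bits(n_words, wordlist_size, n_digits=0):
    """Entropy when each word is drawn uniformly from the list and each digit uniformly from 0-9.

    This is an upper bound: a human who picks 'memorable' words by hand chooses far less uniformly.
    """
    return n_words * math.log2(wordlist_size) + n_digits * math.log2(10)


def charset_entropy_bits(length, charset_size):
    """Entropy of a uniformly random string, e.g. 8 characters from 62 alphanumerics."""
    return length * math.log2(charset_size)


def looks_like_word_digit_passphrase(candidate):
    """True when a string follows the Capitalised-word / single-digit / Capitalised-word pattern."""
    return re.fullmatch(r"(?:[A-Z][a-z]+\d)*[A-Z][a-z]+", candidate) is not None


if __name__ == "__main__":
    print("example:", make_passphrase(3))
    print(f"3 words from the 16-word demo list + 2 digits: {entropy_bits(3, len(DEMO_WORDS), 2):.1f} bits")
    print(f"3 words from a 7,776-word list + 2 digits:    {entropy_bits(3, 7776, 2):.1f} bits")
    print(f"8 random alphanumeric characters:             {charset_entropy_bits(8, 62):.1f} bits")
    print(f"4 words from a 7,776-word list, no digits:    {entropy_bits(4, 7776):.1f} bits")
```

The numbers are the point: three words from a large list plus two digits (about 45 bits) is in the same range as a random 8-character alphanumeric string (about 48 bits) but is far easier to remember, and adding a fourth word beats both. The same format drawn from a tiny vocabulary of favourite words gives under 20 bits, which is why the words must be chosen randomly rather than picked by hand.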

For organisations looking to make secure cyber behaviours part of their culture, book a web demonstration with a member of our team to discover how our innovative eLearning courses can help you reduce your risk of breaches.

Freedom of Information: Your Guide

Transparency is one of the best ways for your organisation to maintain a high level of trust with its customers and the public.

The Freedom of Information Act (2000) was introduced to provide public access to information held by public authorities, including several guidelines and requirements for organisations to consider.

Failure to comply can have troublesome consequences for you as an individual as well as your organisation. Therefore, it’s important that you understand your roles and responsibilities regarding Freedom of Information (FOI) within your organisation.

What is a Freedom of Information Request?

Anyone can make a request for information from a public authority. A freedom of information request must be made in writing, either by email or by letter, and guidance from the Information Commissioner’s Office states that requests made via social media should also be treated as valid.

Requests should include the requester’s name, an address for correspondence (an email address is enough) and a description of the information in question. However, the request does not have to describe the information precisely or mention the Freedom of Information Act.

How to Reply to Freedom of Information Requests

You have two main responsibilities when replying to a freedom of information request: confirm or deny whether you hold the information and, if you do, provide it.

Provided the requested information is not exempt from public release (see the section below), you should respond with all the information covered by the request within 20 working days of receiving it.

Selective or incomplete information, or an overview, would not be considered an adequate response to a Freedom of Information request.

Bear in mind that more general requests might need clarification before you adequately answer. In this case, you should contact the requester as soon as possible.

Wherever possible, your freedom of information officer should take the lead role in replying to requests. Remember, you can always refer to the Data Handling Flowchart if you’re ever unsure of how to deal with an information request.

Is Any Information Exempt From Freedom of Information Requests?

There are three main sets of circumstances which would make information exempt from being released under the Freedom of Information Act (2000).

Remember, even if you’re unable to release information relating to a request, you should still reply to the requester within 20 working days explaining the reasoning for your decision not to release the information.

The three circumstances are:

Class-based

Some information is exempt because of the class it belongs to, regardless of the consequences of release. For example, you should exempt information concerning a pending criminal investigation or legal proceedings, as disclosure could compromise the case and endanger those involved.

Prejudice-based

Other exemptions apply only where release of the information would, or would be likely to, cause harm (prejudice), for example to law enforcement, commercial interests or health and safety. Should this be the case, your reply must state:

  • A negative consequence of the information’s release
  • How the release could lead to this consequence
  • A real possibility of the consequence occurring.

Vexatious or Repeated

Requests can be refused as vexatious if they are clearly designed to cause disruption or annoyance rather than to obtain information, and as repeated if the same information has already been provided to the requester or is already publicly available. In either case, a reply should still be sent explaining the refusal and, where the information is public, directing the requester to it.

CCTV Best Practices Explained

While your organisation needs to protect its digital assets, it also needs to protect itself physically. This is why most organisations run Closed Circuit Television (CCTV) throughout their premises.

However, despite so many organisations operating CCTV, many are still unaware of CCTV best practices. There are a number of things to consider from a legal and operational point of view.

The following blog will take you through the benefits of using CCTV, how to use it correctly, when & how to release footage and why it’s important.

Benefits of CCTV

CCTV is paramount to physical security. By being able to record and rewatch footage of your premises, you can identify risks & suspicious activity, keep an accurate record of any malicious activities for later legal action, and maintain the health & safety of your organisation.

From a crime prevention point of view, CCTV is invaluable as a tool for collecting evidence and monitoring risks. For example, if you notice a suspicious individual, you can monitor their activity to see if they return or actually do something to harm your business. The police can then act on this information with video evidence by their side.

Using CCTV Correctly

CCTV cannot be used without first displaying signs that indicate its use. This is so members of the public are aware that they will be filmed when on your premises, maintaining transparency and trust between your organisation and the public.

It doesn’t just stop with signs either. You can’t install CCTV in a location where you cannot justify its use. Reasons that justify CCTV use include crime prevention and ensuring health & safety.

Lastly, you should regularly check and make sure your cameras are facing the right way and are not obstructed.

Releasing CCTV

There are a number of reasons why you might release CCTV footage.

If a crime has been committed in the area that your CCTV covers, the police may request specific footage to help with their investigation. This is one of the most common reasons for releasing CCTV footage.

Additionally, CCTV footage in which a person can be identified is classed as personal data, which means that data subjects (the individuals whose personal data you hold) have a right to access it.

Data subjects can do this by submitting a Subject Access Request (SAR). You must respond to SARs within one month in order to comply with the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR).

Remember, when responding to a SAR, blur or edit out footage that identifies other individuals before releasing it. Disclosing third parties’ personal data without a lawful basis would itself be a data breach.

Top Tips

Bob’s Business has spent over a decade helping organisations protect their digital and physical assets. Below are a number of simple dos and don’ts, which will help you maintain a strong and secure CCTV system.

Do…

  • Always check that CCTV cameras are not blocked and facing the correct way.
  • Make sure CCTV footage is protected and only accessible by authorised individuals.
  • Ensure that footage is used appropriately and deleted once it is no longer needed, as it is classed as personal information.

Don’t…

  • Forget to display signs when having a CCTV system in operation.
  • Store data for longer than necessary.

Secure Printing: What You Need to Know

With an intense focus on external cyber security threats, it can be easy to overlook just how crucial it is to take precautions when you are printing sensitive information. However, the risks that leaked printouts pose to your organisation are very, very real.

Although you might feel secure in your workplace, many organisations share printing services with others, which means that standard printing can leave confidential data exposed.

This blog will take you through the risks of printing, the benefit of secure printing and leave you with some top tips so that you can print with peace of mind.

Risky Printing

Your office printer might not spring to mind as being a security threat, but without consideration, it could present a serious risk to your organisation’s information and resources. In fact, a recent white paper showed that 63% of surveyed businesses had experienced a printer-related data breach.

When printing to a standard printer, if you do not collect documents straight away, you could unintentionally cause an information breach if the prints end up in the wrong hands.

Under the General Data Protection Regulation (GDPR), breaching personal information could result in a fine of up to €20 million or 4% of your organisation’s annual turnover, whichever is greater.

Remember, you should inform your manager immediately if you suspect a data breach due to missing printed files.

Benefits of Secure Printing

The key advantage of using secure printing services, like Follow-Me printing, is that they require you to authenticate at the printer, with a username and password or an ID card, before your prints are released.

This means that if you can’t pick up your prints immediately, whatever information you’ve printed will be safe until you log in.

You should never share your username or password with anyone as this could potentially leave your prints unsecure. If you have reason to believe that your password has been compromised, inform your line manager and create a new password as soon as possible.

Remember, you can refer to our Perfect Passwords blog for advice on creating an uncrackable password.

Confidential Covers

Remember, even when using secured printing, confidential cover notes should be added to documents and utilised when printing information with restricted access.

The purpose of confidential cover notes is to deter all those who the document does not concern from reading it.

These pages should state whom the document is intended for and state clearly that it contains confidential information. Also, when collecting prints, you should make sure to double-check that you have only taken your documents, and not anyone else’s.

Top Tips

Having spent over 12 years helping organisations of all shapes and sizes protect their information, Bob’s Business has collected several simple dos and don’ts relating to secure printing…

Do…

  • Collect your documents from shared printers straight away.
  • Use secure printing, e.g. follow-me printing, where possible. Prints are held until you authenticate at the printer with a password or an individual ID card.
  • Use a confidential cover note when printing sensitive documents.

Don’t…

  • Take every document from the printer without checking to see if they are yours.

Keeping it Clear: What is a Clear Desk Policy?

Data has become one of the most valuable assets in the world, making information security more important than it’s ever been. Unfortunately, this has made cybercriminals more driven and dangerous too.

Bob’s Business has spent over a decade helping organisations instil a cyber secure culture to better protect their own and their customers’ data.

Throughout the years, we’ve noticed that employees are often laxer or more trusting in the office than they are outside of work, and don’t understand the importance of constant and habitual data protection. The following blog will explain what Keeping it Clear is all about, why it is important and what the best practices are.

Understanding Habits

We all have habits, but it might surprise you to learn just how much we rely on them. A study showed that almost 50% of people’s daily behaviours are automatic. Your habits are a huge part of your everyday life. They allow you to go into autopilot, conserve mental energy and perform repetitive tasks with speed and precision.

However, habits can also cause problems. For example, have you ever moved houses in the same area only to find yourself accidentally walking/driving to your old address?

Clear Desk by Default

So, why are we talking about habits? Well, Keeping it Clear is all about consistently and constantly maintaining a clear desk, locking away physical documents, securing removable data storage devices and locking your screen.

This is good information security practice, even when you’re only leaving your desk for a moment. Right now, your brain has an automated response when you decide to leave your desk. If this does not include clearing all your documents away and locking your screen, then you could be putting your organisation’s and its customers’ data at risk.

It takes an average of 66 days of conscious thought to break old habits and form new ones. To help yourself remember, simply write ‘Keep Clear’ on a post-it note on your screen. This short prompt will remind you each time you leave your desk unattended.

Why You Should Choose Cloud-based Storage

Cloud-based storage services are a great way of reducing the risk of physical documents falling into the wrong hands.

By keeping a single master copy of a document on a shared cloud platform, with view or edit permission granted to specific accounts, you can share it digitally without creating multiple copies.

This helps maintain the integrity of the information, since there is one current version rather than several divergent copies, and access to it can be controlled and audited.

Top Tips

In our time working with organisations, we’ve amassed a number of simple, top tips to help protect information in various ways. The following things should help you get into the habit of maintaining a clear desk, and keep your organisation and its information in the clear.

  • Keep a clear desk to protect the confidentiality of information.
  • Lock your computer when leaving your desk to avoid any unauthorised access.
  • Never leave documents or removable data storage devices openly accessible.
  • When working remotely, follow the same keeping clear guidelines as you would at work!

A Free Cyber Essentials Course to Help You Prepare for Accreditation

With IASME set to take over sole responsibility of administering the Government’s Cyber Essentials scheme on April 1, we’ve cooked up a special offer for any organisation looking to achieve accreditation. That’s right, we’re offering our brand new Cyber Essentials course for free until April 1.

What is Cyber Essentials?

Cyber Essentials is a government accreditation scheme designed to highlight organisations which are proactive when it comes to cyber security and protecting their clients’ and customers’ data.

It is a mandatory requirement for suppliers bidding for certain central government contracts, particularly those that involve handling personal information or providing ICT services, building trust and ensuring that data and information is handled in a safe and responsible manner.

Cyber Essentials chiefly aims to provide a clear statement of the basic controls all organisations should implement to protect themselves from common internet-based threats and offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Get Your Free Cyber Essentials Course

Our Cyber Essentials course is built from the ground-up to help you discover whether your organisation is ready to achieve certification. Built on the government’s guidelines, it takes you on a step by step journey to reveal whether you’re ready to take and achieve your accreditation.

Available for free until April 1 2020, it’s the ideal first step on your journey towards Cyber Essentials accreditation.

This course is no longer available as a free download.

Carefully Classified: Understanding Information Classification

Have you ever accidentally sent a group email that contained all the recipients’ addresses in the ‘CC’ field? While this can be an innocent mistake in a personal email, exposing others’ contact details in a professional email could constitute a data breach.

Information classification is vital in maintaining your organisation’s reputation and future, so we’ve created the following blog to help explain what it is, why it’s important, and how to do it.

What is Information Classification?

Information classification is a way of categorising and concealing sensitive information so that it is only seen by those authorised to do so. It defines how confidential information should be handled and protected. For example, your organisation could have a number of classifications, including Public, Private or Restricted.

Your workplace policy should highlight the manner in which each classification is communicated. Remember, disclosing confidential information to unauthorised sources can lead to loss of productivity, customers, reputation and public trust, even if it’s accidental.

However, not all information requires the same protection.

What Should I Classify?

You should consult and familiarise yourself with your organisation’s policy regarding information classification, as there may be specific practices you need to be aware of.

However, confidential information that is not already publicly available must not be divulged to anyone who is not authorised to access it. The format of this information will vary and therefore requires different methods of handling:

Physical Documents

  • All physical documents need to be classified.
  • Lock all physical documents that contain confidential information away when not in use.
  • When sending physical documents, remember to include a return address, mark the envelope ‘addressee only’ and do not include the classification level on it.

Digital Files

  • Digital files containing confidential information should be password-protected on secure networks.
  • Employees should only be able to access information if they are authorised to.

Removable Data Storage Devices

  • You can place digital files in password-protected folders to reduce the risk of unauthorised access on removable data storage devices.
  • Remember, they have a high risk of loss or theft due to their portability and should be locked away when not in use.

Emails

  • Email accounts should be adequately password-protected to stop unauthorised individuals from accessing them. If you’re unsure what is adequate, we have recently written about creating the perfect password.
  • The classification level should always be added to the subject line, and the information should be encrypted to ensure only the intended recipient sees the email’s contents.
  • Remember to use the ‘CC’ and ‘BCC’ fields correctly. Including addresses in the Carbon Copy (CC) field means that those recipients’ addresses will be visible, whereas Blind Carbon Copy (BCC) will keep their addresses hidden.
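As an added example (not part of the original post), the Python below builds an email using the standard library’s `email.message.EmailMessage` that follows the last two tips: the classification label is prefixed to the subject, and Bcc recipients are kept out of the message headers entirely and passed only in the envelope recipient list that the mail server sees. The Public/Private/Restricted labels come from the page’s own example scheme; the bracketed prefix format and the example.com addresses are assumptions.

```python
from email.message import EmailMessage

# Labels from the page's example scheme; the "[Label] subject" format is an assumption.
CLASSIFICATIONS = ("Public", "Private", "Restricted")


def build_classified_email(sender, to, cc, bcc, classification, subject, body):
    """Build a message with the classification in the subject and Bcc kept out of the headers.

    Returns the message and the full envelope recipient list (To + Cc + Bcc). The Bcc
    addresses exist only in that envelope list, never in a header a recipient can read.
    """
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)          # Cc addresses are visible to every recipient
    msg["Subject"] = f"[{classification}] {subject}"
    msg.set_content(body)
    return msg, list(to) + list(cc) + list(bcc)


def addresses_visible_in_headers(msg, addresses):
    """Return the subset of addresses that any recipient could read from the message headers."""
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [a for a in addresses if a in header_text]


def build_bulk_email(sender, recipients, classification, subject, body):
    """Group mailing done safely: every recipient is Bcc'd and To is the sender, so no list leaks."""
    return build_classified_email(sender, [sender], [], recipients, classification, subject, body)


if __name__ == "__main__":
    msg, envelope = build_bulk_email(
        "comms@example.com",
        ["alice@example.com", "bob@example.com"],
        "Private",
        "Updated home working guidance",
        "Please see the guidance on the intranet.",
    )
    print(msg)                                  # headers show only From, To (the sender), Subject
    print("envelope recipients:", envelope)
    print("leaked:", addresses_visible_in_headers(msg, envelope[1:]))   # []
    # To send, pass the envelope explicitly (server name is an assumption):
    # import smtplib
    # with smtplib.SMTP("mail.example.com") as s:
    #     s.send_message(msg, to_addrs=envelope)
```

Passing `to_addrs` to `send_message` is what delivers to the hidden recipients; `smtplib.send_message` also strips any Bcc header from the copy it transmits, but not setting one in the first place removes the chance of it leaking through another path such as a saved draft. The classification prefix does nothing on its own: it only helps if your mail gateway or your colleagues act on it, and confidential content still needs encrypting in transit.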

Why Should I Classify?

Information breaches can have serious consequences for you and your organisation. Under the GDPR, your organisation could be given a fine of up to €20 million or 4% of its annual turnover, whichever is greater.

Remember, even though the GDPR applies to the personal data of individuals in the EU, the UK Data Protection Act (2018) is in place alongside it and incorporates the GDPR’s data protection principles into UK law.

On top of this, your organisation could suffer reputational damage from a data breach, meaning you could lose relationships with customers and clients due to damaged trust.

To learn more about our Carefully Classified course or any of our other award-winning cybersecurity awareness courses or services, get in touch or book a web demonstration.