Why Businesses Must Take the Data Protection Act Seriously

The Data Protection Act, originally signed into law in 1998, has had a profound impact since its introduction over 20 years ago.

Rewriting the rulebook for how businesses process data, the Data Protection Act 1998 ensured that customer data is given appropriate value within organisations. In 2018, it was brought up to date to incorporate GDPR and ensure that it meets the demands of the digital world we live in.

Far from an abstract threat to an organisation, the Data Protection Act is actively pursued by the ICO, and can result in massive financial and reputational damage if not closely adhered to.

In July 2019, the ICO served an £80,000 fine to a London-based property company for failing to implement access restrictions when transferring financial data of both landlords and tenants.

They aren’t the only organisation to recently fall foul of the Data Protection Act 2018, either. In October 2018, Bupa was fined £175,000 for failing to prevent a massive data breach, which compromised the personal information of up to 108,000 international health insurance companies.

What Should Businesses Do to Protect Themselves from Falling Foul of the Data Protection Act 2018?

Inevitably, information will have to be shared within an organisation, so simply not handling data isn’t an option.

Instead, organisations should ensure that everyone within the organisation is aware of the kind of data being handled and the repercussions if this data is breached. No one wants a Data Protection scandal lingering over their heads.

First and foremost, businesses need to be aware of the seven principles of the Data Protection Act. These principles are the cornerstones of data protection and ensuring that data is not lost, stolen or copied without consent.

If those at the top of the tree aren’t aware of and on board with these principles, then it will be impossible to spread the message down to employees. This is where many companies fail.

Data Protection needs to be seen as a serious issue and not an afterthought to fill quotas.

The human factor should not be underestimated. With this in mind, businesses must ensure that their staff are trained in the principles of Data Protection. Failure to do so could lead to sensitive information being leaked, which will damage the organisation’s reputation and could lead to financial consequences.

Bob’s Top Data Protection Tips:

  • Make sure that whoever is in possession of the data understands they are responsible for it.
  • Do not throw away data in the bin unless it is securely locked or it has been shredded.
  • Encrypt all your sensitive data – use two-step authentication to add an extra layer.
  • Always verify a customer’s identity when a request for personal information is made.

Our Data Protection training module ensures all staff are aware of every principle of the Data Protection Act so they handle data with care.

The module walks users through different types of data, the precautions that need to be in place and how they should dispose of information once they have finished with it. End-users must be aware of the principles that make up the backbone of the Data Protection Act, so our bite-sized module is the perfect solution.

To learn more, get in touch with a member of our team or buy our data protection course online.

Email Etiquette: Get to Grips with Good Email Practice

How would your office function without email? Ever since its popularisation in the 90s, offices have made email an indispensable part of their everyday workflow. From arranging meetings and placing orders to organising the annual secret Santa, email has proven vital.

Whilst email has undoubtedly been a force for good, it isn’t without its perils. From emails sent to the wrong recipient to data leaks, there’s plenty of ways the humble email can turn dangerous.

It’s why good email etiquette is essential within an organisation. Oftentimes, breaches are as a direct result of uneducated email habits. It’s an under-appreciated piece of the cyber security puzzle, which is why we launched our Email Etiquette course to help shape workforce behaviour.

But what are the biggest contributors to email fails?

What Is the Biggest Contributor to Bad Email Etiquette?

Ask anyone about their email pain-points and you’ll hear one issue above all others: CCing (especially when it involves people who do not know each other).

The issue of when to CC and when to BCC is a crucial one for workplace security and, if you ask around your office, you’ll find that at least one of your colleagues has accidentally copied unrelated recipients into an email using the ‘to’ or ‘CC’ functions rather than the ‘BCC’ function.

What makes it such a common issue in the workplace? Well, there are a few theories.

One theory suggests that long days in the office mean lower concentration levels, resulting in seemingly innocuous mistakes. It’s a great case for regular breaks, even if it’s just a quick stroll across the office to chat with somebody!

That will certainly play a part, but the larger issue is training. Quite simply, few organisations train their employees on the correct way to handle emails. In fact, many people don’t even know that these functions exist.

What’s the Problem with Failing to BCC?

When you send emails without hiding personal email addresses with BCC, it allows those in the chain to access everyone’s information. From there, it’s trivial to launch spam, chain mail or even phishing attacks.

The knock-on effect from BCC misuse can be catastrophic to the reputation of a business. If not dealt with carefully, reputational and financial damage are realistic outcomes.

How to Avoid Email Disaster

Next time you send an email, make sure you follow Bob’s tips to avoid a potential disaster:

  • Make sure you use the ‘BCC’ function to hide email addresses when sending emails to unrelated individuals.
  • Make sure you proofread your emails more than once before sending them.
  • If you do send an email that contains personal details that it shouldn’t, then make sure you are sensitive to the victims and apologise straight away.
  • Enable a delay on emails so you can retrieve them within a set time limit in case you have realised you have made a mistake.
  • Note that emails have the same legal status as letters, so pay attention to any disclaimers or legal notices on emails sent to you – they can be actioned.
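As an added illustration of the BCC point above (example code written for this article, not a Bob’s Business tool), the following Python script addresses a mailing to unrelated recipients so that their addresses never appear in the message, and runs a pre-send check that flags the classic mistake of pasting everyone into the ‘To’ field. The recipient threshold and the sample addresses are assumptions constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy threshold for this example: more visible recipients than this
# is treated as a likely Bcc mistake.
MAX_VISIBLE_RECIPIENTS = 5


def build_bulk_message(sender, recipients, subject, body):
    """Address a mailing to unrelated recipients without exposing their addresses.

    The visible To: header carries only the sender; the real recipients are
    returned separately so they can be passed to smtplib as the envelope list.
    No Bcc: header is written, so nothing about the other recipients travels
    inside the copy that each person receives.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Every address a recipient can see: To: and Cc:, but never Bcc:."""
    fields = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(fields) if addr]


def check_before_send(msg, max_visible=MAX_VISIBLE_RECIPIENTS):
    """Return a list of warnings about exposed recipients; empty means it passes."""
    warnings = []
    seen = visible_recipients(msg)
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in seen}
    if len(seen) > max_visible:
        warnings.append(f"{len(seen)} visible recipients exceeds the limit of {max_visible}")
    if len(domains) > 1:
        warnings.append(f"visible recipients span {len(domains)} unrelated domains; use Bcc")
    if msg["Bcc"] is not None:
        warnings.append("Bcc header present; hidden recipients belong in the envelope, not the message")
    return warnings


# Constructed sample data: six fictional customers across two unrelated domains.
CUSTOMERS = [f"customer{i}@tenant{i % 2}.test" for i in range(6)]

# Correctly addressed: the check passes and the customers travel in the envelope only.
GOOD_MESSAGE, ENVELOPE = build_bulk_message(
    "newsletter@bobs-business.test", CUSTOMERS,
    "Monthly update", "Hello everyone,\n\nHere is this month's update.")

# The classic mistake: everyone pasted into To:, so each recipient sees all the others.
BAD_MESSAGE = EmailMessage()
BAD_MESSAGE["From"] = "newsletter@bobs-business.test"
BAD_MESSAGE["To"] = ", ".join(CUSTOMERS)
BAD_MESSAGE["Subject"] = "Monthly update"
BAD_MESSAGE.set_content("Hello everyone,")

if __name__ == "__main__":
    print("good:", check_before_send(GOOD_MESSAGE) or "no warnings")
    print("bad:", check_before_send(BAD_MESSAGE))
```

When sending, pass `ENVELOPE` as the `to_addrs` argument of `smtplib.SMTP.send_message` (or `sendmail`) rather than adding a Bcc header; the server delivers to every envelope address while the message itself only ever shows the sender.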

What Makes a Professional Email?

There is no science to writing an email that’s perfect for an office environment, but there are a few tips to making sure an email looks friendly, yet professional.

A few things to consider include:

  • Never start an email with the word ‘Hey’.
  • Try to avoid humour because it tends not to translate well in text.
  • Avoid using emojis.
  • Maintain a clear and serious tone.
  • Try to limit your use of exclamation marks, as they can look unprofessional.
  • Proofread your emails more than once before sending.
  • Include a meaningful and straightforward subject.
  • Avoid the use of caps-lock, as this can come off as aggressive.

Good email etiquette isn’t something that can be mastered in a day, however. That’s why we recommend rolling out our Email Etiquette module across your workforce to help protect your valuable data and your reputation amongst the business community.

7 Tips For Shopping Safely Online

The festive season is upon us – a time of the year that some love whilst others loathe.

Millions of people online will be rushing to bag themselves 60% off the latest tech gadgets or get two for one on their friend’s favourite gift set. With all the hype and rush that surrounds Christmas shopping, we can easily be drawn into making impulsive decisions that feel great at the time but which we later regret.

To help you shop safely online this Christmas, we’ve put together a quick 7 part guide to ensure that you don’t bite on the bait that’s feeding cyber criminals.

How To Be Safe When Shopping Online

1. Be vigilant when using public WiFi networks

Mobile shopping is now part of the mainstream retail experience, so much so that mobile sales accounted for 34.5% of total ecommerce sales in 2017, with this figure set to rise to 54% by 2021.

If you’re sat in the coffee shop browsing online catalogues, it is sometimes tempting to connect to free public WiFi hotspots to get a faster, more reliable connection and save on mobile data.

But be AWARE. Public WiFi has significant security vulnerabilities. Cyber criminals are easily able to position themselves between you and the router, meaning that when you go to put the all-important payment details in, they are able to intercept all of your personal information.

To find out more about using Public Wi-Fi, take a read of our guide here.

2. Look out for the SSL

When visiting a website, make sure to look out for an SSL certificate and padlock in the web address bar of your browser.

An SSL certificate shows that data you are sending to a website and the data a website is sending back to you is encrypted and secure. Just remember though, this doesn’t mean the website isn’t malicious!


3. Avoid phishing attacks

When Christmas shopping deals are coming at you thick and fast, it’s easy for security to slip your mind.

Cyber criminals know this so they look forward to this time of year because they see the average consumer rushing around to snatch deals as easy pickings.

Phishing attacks can take all sorts of forms, but the ones to watch out for are spear-phishing attacks. These are phishing emails tailor-made for their target, increasing the likelihood of deceiving them into giving away sensitive information or clicking a link that installs malware such as keyloggers.

For instance, if a cybercriminal knows that you’re either in the market for a new laptop, or if your laptop is 3-4 years old, they might create a fictitious offer for the latest HP Envy so it has an increased chance of drawing you in.

Some things you can do to spot the signs of a phishing email are:

  • Check the sender’s email address. Has the email come from who it says it’s from?
  • Check the spelling and grammar in the email. Large scale organisations will have staff dedicated to making sure that all their communications are error-free.
  • Make sure that the links in the email aren’t taking you elsewhere. You can see where a link is going by hovering over it without clicking.

So, if you receive an email from Amazon with an amazing offer that you think is too good to be true, just remember, that’s because it probably is!
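To show how two of the three checks above can be applied mechanically, here is an added Python example (written for this article, not part of Bob’s Business training material) that parses a constructed sample message, compares the brand named in the sender’s display name with the actual address domain, and lists links whose visible text is a URL on one host while the real destination is another. The sample email, the brand-to-domain mapping and the domain names are all constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name
# borrows a well-known brand, the address does not, and the first link's
# visible text is a genuine-looking URL that points somewhere else.
SAMPLE_EMAIL = """\
From: "Amazon Customer Service" <deals@examp1e-offers.test>
To: shopper@example.org
Subject: Your exclusive Christmas laptop offer - act now
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your acount will be suspended unless you confirm you're details today.</p>
<p><a href="http://login.examp1e-offers.test/verify">https://www.amazon.co.uk/account</a></p>
<p><a href="https://www.amazon.co.uk/help">Help centre</a></p>
</body></html>
"""

# Assumed mapping for this example: brand word in the display name -> legitimate domain.
KNOWN_BRANDS = {"amazon": "amazon.co.uk"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _hostname(text):
    """Lower-cased hostname of a URL or bare 'www.' domain; None if not URL-like."""
    t = text.strip()
    if t.lower().startswith("www."):
        t = "http://" + t
    if not t.lower().startswith(("http://", "https://")):
        return None
    return (urlparse(t).hostname or "").lower() or None


def html_body(raw_message):
    """Return the HTML body of an RFC 5322 message as a string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return body.get_content() if body is not None else ""


def sender_parts(raw_message):
    """(display name, address domain) of the From: header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = msg["From"].addresses[0]
    return addr.display_name, addr.domain.lower()


def brand_mismatch(display_name, domain, brands=KNOWN_BRANDS):
    """True when the display name invokes a brand but the address domain is not that brand's."""
    name = display_name.lower()
    for brand, legit in brands.items():
        if brand in name and domain != legit and not domain.endswith("." + legit):
            return True
    return False


def link_mismatches(html):
    """Links whose visible text is a URL on one host while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        shown, real = _hostname(text), _hostname(href or "")
        if shown and real and shown != real:
            found.append((text, href))
    return found


def phishing_signs(raw_message):
    """Run the sender and link checks over one message and return the findings."""
    name, domain = sender_parts(raw_message)
    return {
        "sender_brand_mismatch": brand_mismatch(name, domain),
        "misleading_links": link_mismatches(html_body(raw_message)),
    }


if __name__ == "__main__":
    print(phishing_signs(SAMPLE_EMAIL))
```

The spelling-and-grammar check is left to the reader on purpose: the sample body has two obvious errors, but automating that reliably needs a language model or dictionary rather than a few lines of parsing. Note that a link whose visible text is an ordinary phrase such as ‘Help centre’ is not flagged, because there is nothing for the href to contradict; that is exactly why hovering over links before clicking remains necessary.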

4. Check user reviews

If you are uncertain about the authenticity of a website that has a Christmas deal that tickles your fancy, it is good practice to do an online search for that company.

If there are plenty of reviews shouting praises about the brand, great! Shop to your heart’s content! (don’t let your guard down too much though!)

If there are lots of negative reviews, or even none at all, you should probably think twice about that offer.

5. Keep your anti-virus software up to date

Having anti-virus on your computer and smart device is highly recommended, as it can protect you from a wide range of attacks, basic or complex. Keeping anti-virus up to date is almost as important as having some in the first place. Keeping it up to date can keep your devices protected and keep your data safe!

If you don’t have any form of anti-virus protection, go get some now and come back to this blog later.

6. Pay by Credit Card

Before you enter any payment details, make sure to use some of the tips in this guide to ensure you are buying from a genuine and secure site.

When buying online, we would advise using a credit card as opposed to a debit card. Credit cards offer much more protection against fraudulent charges, in that debit cards are NOT automatically covered by payment protection insurance but credit cards are.

Under Section 75 of the Consumer Credit Act, credit cards must provide protection for any purchases that are above £100 and below £30,000.

7. Train yourself

Taking the time out to make sure that you’re knowledgeable on how to keep yourself safe online in the first place can save you a lot of anguish later on.

Our online cyber security training courses are packed full of useful tips and presented in a concise and entertaining way, making best practices accessible to all.

Having read this blog, you should now be much better prepared and vigilant when it comes to shopping safely online.

Here at Bob’s Business, we are the experts when it comes to training your organisation on how to be more cyber resilient against the growing rise of cyber threats.

Want to find out more about how our award-winning cyber security training can help you and your organisation? Try our free demo course today to get a taste of the action.

Bribery and Corruption: Everything You Need to Know

Most people would claim that they could spot a bribe if they saw one. But not all bribes in business are as obvious as handing over a big briefcase filled with money. 

In the UK, bribery in the workplace is a serious problem with 71% of citizens considering corruption to be a major issue. There is a need to bring awareness to the differences between kindness and bribery, and to distinguish the very fine line between a gift and a bribe.

What is Bribery?

Bribery is a gesture intended to sway an individual’s decisions or actions by offering something of value. Bribes are often business-motivated and used to:

  • Keep or secure a contract or order with a business.
  • Gain an advantage over a competitor.
  • Secure a contract with a national, local or foreign official.
  • Make someone turn a blind eye to health and safety, poor performance, the substitution of materials or false labour charges.
  • Falsify an inspection report to gain a certificate/accreditation.

As you can see, a bribe can come in many forms, and for many reasons. By knowing what a bribe looks like, and why someone is bribing you, you’ll be able to spot and stop it.

Unfortunately, even though you know what a bribe looks like, bribery within the workplace is often a grey area. After all, who’s to say what is a kind act and what is malicious?

A bribe can be more than just a monetary payment. For example, if an employer offers to fast-track a promotion, but only if you do something for them in return, then that is a bribe even though no money is changing hands.

What is the Bribery Act (2010)?

Since bribery is such a major problem, the Bribery Act (2010) was introduced to enhance and amend UK law on bribery, including foreign bribery, in order to better address the requirements of the 1997 OECD anti-bribery Convention. 

Internationally, the Bribery Act (2010) is among the strictest legislation of its kind, introducing a tough liability offence for companies and partnerships that fail to prevent bribery.

The Bribery Act (2010) covers four prime offences:

  • Two general offences covering the promising or giving of an advantage, and the requesting, agreeing to receive or accepting of an advantage.
  • A discrete offence of bribery of a foreign public official.
  • A new offence of failure by a commercial organisation to prevent a bribe being paid to obtain or retain business, or gain a business advantage (should an offence be committed it will be a defence that the organisation has adequate procedures in place to prevent bribery).

Some of these offences might be more applicable to your organisation than others, but this doesn’t mean that you shouldn’t have an understanding of them.

What Are Anti-Bribery Best Practices?

Bribes can find their way to your staff at every level of your organisation, from giving a gift to a decision-maker on a deal to bribing a cleaner to stick an infected USB drive into your network. 

Preventing bribery and corruption in your organisation starts by raising awareness amongst your staff, teaching them best practices and what to do if they ever receive a bribe. Here are our top tips: 

  • If you receive a bribe, the first thing you should do is report it to your manager. Bribery relies on you keeping information to yourself, so don’t forget that your colleagues are around to help.
  • Remember, not all free things are bribes; free tea and coffee at a networking event isn’t a bribe. Bribery tends to be an illicit act, so you needn’t worry about taking a free branded pen from a potential supplier or partner.
  • Be suspicious of deals that are struck without correct oversight. Deals that are completed without discussion or approval can be a hotbed for corruption. 
  • Keep a keen eye out for red flags like payments offered in cash, and unusually high commissions or fees, which far exceed typical rates. Internal auditing of suspicious payments can avoid significant damage further down the line. 

To educate your staff about how to avoid bribery and corruption in your organisation, enrol your workforce on our Anti-Bribery course today.

The Evolving Threat of Ransomware in 2019 and Beyond

For most businesses, ransomware is the great boogeyman, always lurking around the corner.

The prospect of walking into work one day to find all your data locked behind a paywall is a terrifying one, and worst of all, it’s far from a remote possibility.

Ransomware attacks in 2018 reached 204 million, a figure which is expected to be significantly higher in 2019. Indeed, 2019 has been a bumper year for ransomware attacks, with Q3 seeing a 37% increase in attacks over the previous quarter, according to Beazley.

From reputational damage to data loss, the costs associated with ransomware attacks are numerous, resulting in a hugely perilous situation for businesses of all sizes.

Curiously though, there is today a general comfort around ransomware attacks. Businesses are increasingly adapting to the reality of impending ransomware attacks by deploying backup software.

By regularly backing up your data, the idea goes, you can simply roll back your system to a point before it was locked down by a ransomware attack. Simple and effective, right? Well, not anymore.

Cybercriminals are many things, but lazy isn’t one of them. More recent strains of ransomware like Samas, MongoLock and Zenis – to name just a few – go the extra mile and actively search for and destroy backup files, leaving businesses completely vulnerable to ransomware attacks once again.

That’s not all though, because some ransomware strains have been adapted to hide on a network for months at a time before becoming active. This means that any attempt to roll back to older (supposedly safe) backups results in an ‘attack loop’, where backing up only restarts the attack.

Far from breaking news, reports of ransomware attacks deleting backups date back as far as April 2017, with one Veeam user posting:

“On 2/7 we were hit with Samas Ransomware. Of course I freaked but I felt confident driving into work that I was ok with backups… The server itself got wiped with Samas, but I still felt confident. I looked in the Veeam_Backups folder a few times on both Drobos and both were empty… I knew at that point they were gone.”

This evolving, ever-escalating threat is exactly why businesses should never stop adapting.

The approach to this new ransomware environment should be a two-pronged one: effective phishing training and backup software that is designed to manage advanced ransomware attacks.

Tackling the Modern Ransomware Environment

How Can Phishing Training Help Protect Organisations from Ransomware Threats?

Phishing attempts are, by far, the most common way for ransomware to enter a system. Although often considered separate threats, phishing and ransomware are typically found as a couple, with phishing emails directing people to files and web pages that will then install ransomware onto their system.

But how commonly is ransomware tied into phishing attempts? Well, an estimated 90% of cyber attacks begin with a phishing or spear-phishing email.

It’s a startling statistic and one which can’t be ignored in the battle against ransomware. Whilst hardware and software barriers offer some protection against phishing emails, they lose efficacy as soon as an email finds its way through.

That’s why it’s vital that your staff are trained to spot the signs of phishing emails before they click. Our award-winning Think Before You Click simulated phishing training measures your workforce’s susceptibility to phishing attacks, before directing affected members of staff to our unique training environment.

Think Before You Click can lower click rates by 74%, dramatically reducing an organisation’s susceptibility to phishing emails and ransomware. However, no single solution can completely remove the potential of a member of your workforce falling victim to a phishing attack.

That’s where advanced backup support comes in to play.

How Can An Advanced Backup Provider Help Protect Organisations from Ransomware Threats?

When – not if – ransomware finds its way past your workforce, you need a backup solution to handle ransomware that finds its way past well-trained staff.

Solutions like Data2Vault’s Attack Loop prevention service, powered by Asigra, tackle increasingly intelligent ransomware by offering multiple layers of protection, including:

  • Two-factor authentication for volume backup deletion, protecting from automated mass-deletion.
  • Variable naming for backup files to avoid auto-deletion.
  • Automatic scanning of files during backup and recovery.

By utilising these three protective layers, solutions like Asigra can help curb the effectiveness of ransomware attacks.

Together with effective workforce phishing training, the threat from ransomware attacks is almost completely curtailed, helping to protect your organisation’s reputation and financial future.

What is Cyber Security: Everything You Need to Know

There’s a lot of money in information, which is why threats from cybercriminals are growing increasingly common.

Cyber security is arguably the most important measure modern organisations can take to keep their clients’ information safe. However, what cyber security actually entails is often misconstrued by key decision-makers within organisations.

In this article, we’ll be giving you a total overview on cyber security, including: what it is, what it focuses on, what it protects you from and why it’s important.

What is Cyber Security?

Cyber security focuses on protecting computer systems and digital infrastructures from online attack. This includes components such as hardware, software, and data.

People often confuse cyber security with information security, which is a much broader concept that is concerned with protecting all aspects of information including hard and digital copies.

Thankfully, some organisations are waking up to the alarming threat that cybercrime poses and have begun investing in staff training to better prepare and arm themselves against new-age digital threats.

Unfortunately, not everyone’s up to speed. Only 51% of businesses and 29% of charities have installed the five basic technical controls of cyber security, as defined by the NCSC. It’s great news for cybercriminals, especially when you consider the number of data breaches and successful attacks occurring every year.

While your organisation might seem secure, ask yourself, is it doing enough to mitigate threats and protect both monetary and informational assets?

Why is Cyber Security Important?

Cyber security awareness is at an all-time high, owing to the hundreds of high-profile cyber attacks every single year. Shockingly, 2018 saw nearly half of all UK businesses fall victim to cyber attacks. If these had all been physical robberies, we’d be talking about an unprecedented crime wave.

The reason for those attacks is simple: there’s money in cyber crime. Just this week, news hit that the UN is set to investigate North Korea for a series of alleged cyber attacks that are thought to have raised over $2bn for nuclear weapons.

When it comes to your organisation, effective cyber security could be the difference between success and failure.

A data breach can damage everything from your finances to your reputation, the latter being much harder to earn back. You don’t need to look too far for an example. Last year, the infamous Cambridge Analytica and Facebook data breach resulted in 5% of Brits deleting their accounts – and that’s Facebook!

It’s crucial to understand these threats so that you are in the best position to protect yourself and your organisation. In order to do this, you need to learn the three pillars of cyber security and the types of threats that are out there.

What are the Three Pillars of Cyber Security?

We believe there are three key pillars of cyber security. By addressing these pillars, organisations can protect themselves from both impulsive and premeditated attacks. They are:

1. People

The most advanced technology in the world is powerless if the people in your organisation are vulnerable to exploitation. Most data breaches are the result of human error or malicious intervention. From an organisational point of view, it only takes one person to fall for a phishing email to compromise your whole system.

We believe that staff awareness training is by far the most effective way to instil a cyber security culture within your organisation.

2. Processes

Processes are like a checklist and guide you can follow to make sure you’re employing the best practices for cyber security. It is also a great way of communicating with your employees exactly what is expected of them.

These processes can be far-reaching, from employees’ roles and responsibilities when processing information to reporting suspect emails. Certifications such as ISO 27001, which is covered by our cyber security training courses, can help you develop cyber-safe processes that best suit your organisation.

3. Technology

Technology is your initial defence against cyber attacks.

Cybercriminals are constantly changing their tactics and your antivirus software needs to match this. This is not to say that you should look to install new software, but rather to keep on top of new versions and updates as these could protect you from a new threat that the old version would not recognise.

Whilst we at Bob’s Business think too much emphasis is placed on technological solutions compared to the human factor, it’s vital that software is kept up to date.

What are the Different Types of Cyber Security Threat?

There are a host of cyber security threats that could damage your organisation. We have identified the three most common avenues cybercriminals explore when attacking an organisation’s finances or data.

Social Engineering

Social engineering uses psychological tactics to prey on people rather than technology, using ultimatums and evoking urgency to make victims act rashly and give away information. The most common and successful method for this is email phishing.

We have written extensively on how to spot phishing emails but an example might be an email which demands you: ‘pay £50 now to avoid being charged £1,000’ or says ‘we believe your account has been hacked, please enter your login details to avoid your account being deleted’.

Malware

This is a broad term that describes any software that is designed to harm a computer system. This can include trojans, worms, viruses and more. Each of these can be downloaded by following a link in an email or using an illegitimate website.

Staff training is crucial to stopping malware from infecting your system. Quite simply, your employees need to know what they’re looking for.

For example, many people look at the lock icon and ‘HTTPS’ next to a web address and assume it’s safe. However, cybercriminals can set up a fraudulent site that shows the same padlock with ease, and goad victims into thinking they’re using the internet safely.

Ransomware

Ransomware is a type of malware that is an extremely popular choice of attack for cybercriminals. After installing harmful software onto your computer system, cybercriminals will encrypt all the data on the device and demand payment to allow the organisation to use the system again.

Notorious ransomware attacks include the Wannacry attack, which infected over 300,000 devices and caused untold financial and reputational damage to organisations as large as the NHS, FedEx, Renault and Hitachi.

For businesses, the most effective solutions to combat ever-evolving cyber security threats are to keep your software up to date and to implement staff training in cyber security awareness to create a secure culture.

Learn more about how we can help educate your staff in cyber security awareness here.

What Were the Most Common Passwords in 2019?

Read our updated guide to 2020’s most common passwords here!

Let’s face it – few of us enjoy the process of picking a password. We’re often marooned between a simple yet memorable password and a truly secure one.

The result? An epidemic of poor choices which means that, when it comes to choosing passwords, many of us are falling into the same traps. They’re traps which can compromise your personal data, finances and even your organisation’s cyber security.

Cybercriminals and the software they utilise are growing more sophisticated by the day, so there’s never been a better time to brush up on how to write a secure password.

Thanks to work by the National Cyber Security Centre (NCSC), we finally have an idea of what the most common passwords in the world are. The passwords were taken from breaches collected in the Have I Been Pwned? database and reveal some serious flaws in common password design.

Join Bob’s Business below as we share with you the most common passwords, explain why you shouldn’t reuse your password and much, much more.

What Were 2019’s Most Common Passwords?

The top five most commonly used passwords in 2019 were:

  • 123456 (23.2m)
  • 123456789 (7.7m)
  • qwerty (3.8m)
  • password (3.6m)
  • 111111 (3.1m)

What unites each of these passwords? Simplicity. They’re super simple to think up and remember, which is good. On the other hand, they’re so easy to crack that they’re basically useless.

What Does the Password List Tell Us?

There are a number of themes that recur time and time again in the NCSC’s password list.

Numerical patterns are a very common theme, with passwords like ‘000000’ or ‘654123’ appearing constantly in the NCSC’s list of the 100,000 most hacked passwords. In fact, out of the top twenty passwords, numerical patterns appear twelve times, highlighting just how common they are.

Another theme that appears time and time again in the list is names. The NCSC’s data found that ‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the five most commonly used names as passwords, but there are hundreds of examples on the list.

Other popular common passwords are football teams, musicians, superheroes and swear words, which appear shockingly often.

So, what do all these patterns tell us? When we’re building passwords, most of us just choose something that’s easy to remember. Whether it’s the football club we love, our favourite band, an easy to recall set of numbers or even our own name – many of us are choosing passwords that don’t require us to memorise anything complicated.

All of which brings us to…

How to Make a Good Password (and Remember It!)

There are countless ways to create good, secure passwords, but many methods ignore the fact that it takes a monumental effort to remember ‘C7sf3LU!6w’ instead of ‘leedsutd’.

That’s why at Bob’s Business, we recommend the ‘three words’ method of password creation. Simply pick three random, unconnected words and put them together. Passwords like ‘laminateboomtag’ are easy to remember and, crucially, unique.

Not sure just how secure your password is? Type it into How Secure is my Password and discover just how quickly your password could be cracked.

How Often Should You Change your Password?

There are plenty of myths out there about how often you should change your password. Some schools of thought suggest every month, others once every quarter.

The problem with mandatory password changes is that they tend to encourage superficial changes to passwords – a capitalised letter here or a new number there. Password-cracking tools apply exactly those transformations automatically (capitalise the first letter, append a digit or symbol, swap letters for numbers), so once ‘leedsutd’ has leaked, ‘Leedsutd1’ is effectively leaked too.

Instead, you should simply choose a unique password for every website or service you sign up to.

Dedicated password manager software will keep track of your passwords and automatically input them across your devices, whilst browsers like Chrome now support built-in password management, so you don’t even need to remember your passwords.

Of course, if any service you use is hacked, you should change your password immediately to stop criminals accessing your private information. Finding out whether an account you use has been hacked is simple, just use a website like Have I Been Pwned?

Our top Password Tips

Creating a secure and memorable password doesn’t need to be difficult. In fact, it can be easy. Just follow our top password tips below and you’ll never need to worry about your password security again.

  • Build your passwords from three random yet memorable words. Try to choose words which aren’t related to your life, so no favourite bands or teams and certainly not your name. That way the password is far less likely to be guessed, whether by an automated tool working through a wordlist or by someone who knows you.
  • Use different passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
  • Check to see if any of your accounts have been breached. By inputting your email address into a website like Have I Been Pwned? you can see whether any of your details have been breached and released. Companies should also email you to alert you if their service has been breached, but don’t rely on that alone.
  • Always change any passwords you have on breached services. It should go without saying, but if your information has been breached, you should change your password as soon as possible, alongside updating your password on any websites that share the breached password.
  • If in doubt, check the strength of your password. There are plenty of services that will show how strong your password is; our favourite is How Secure is my Password, which instantly reveals how long it would take a computer to crack a password of that shape. Use a made-up password of the same construction rather than the one you actually use, since a password typed into a third-party site should be treated as no longer secret.
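The three checks above (is the password already in a breached list, is it a trivial mutation of one, and how much strength does the ‘three words’ method actually give) can all be done locally without the password ever leaving your machine. The script below is an added example written for this article; it is not NCSC, Have I Been Pwned or Bob’s Business code. Everything in it is an assumption for illustration: BREACHED_EXCERPT stands in for the NCSC list of 100,000 passwords and holds only the entries named in this article, RANGE_RESPONSE is a constructed stand-in for the body the Have I Been Pwned range endpoint (https://api.pwnedpasswords.com/range/<prefix>) returns with made-up counts, and WORDLIST is a 16-word list far too small for real use.

```python
"""Local password hygiene checks (added example, not NCSC/HIBP/Bob's Business code).

Assumptions, none of which come from the article:
- BREACHED_EXCERPT stands in for the NCSC list of 100,000 breached passwords.
- RANGE_RESPONSE stands in for a Have I Been Pwned k-anonymity range response
  ("SUFFIX:COUNT" per line); the real service returns hundreds of lines and the
  counts here are made up.
- WORDLIST is a constructed 16-word list; use a real list of thousands of words.
"""
from __future__ import annotations

import hashlib
import math
import secrets

BREACHED_EXCERPT = {
    "qwerty", "password", "111111", "000000", "654123",
    "ashley", "michael", "daniel", "jessica", "charlie",
}

WORDLIST = [
    "laminate", "boom", "tag", "harbour", "velvet", "circuit", "pencil", "glacier",
    "anchor", "saffron", "kettle", "meadow", "cobalt", "lantern", "orbit", "quartz",
]


def hibp_split(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the hex digest into the 5-character prefix that
    would be sent to the range endpoint and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Scan a 'SUFFIX:COUNT' per line range response for our suffix; 0 means not found."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed range response: two filler suffixes plus the real suffix for "password".
_PASSWORD_SUFFIX = hibp_split("password")[1]
RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    f"{_PASSWORD_SUFFIX}:3645804\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3\n"
)


def common_mutations(base: str) -> set[str]:
    """Small stand-in for a cracking tool's rule set: the 'small changes' a forced
    rotation usually produces (capitalise, bolt on a digit or symbol, leetspeak)."""
    variants = {base, base.capitalize(), base.upper()}
    for v in list(variants):
        for tail in ("1", "2", "!", "123", "2019", "2020", "1!"):
            variants.add(v + tail)
        variants.add(v.replace("a", "@").replace("e", "3").replace("o", "0"))
    return variants


def assess(password: str, breached: set[str] = BREACHED_EXCERPT,
           range_body: str = RANGE_RESPONSE) -> list[str]:
    """Return a list of warnings; an empty list means none of the checks fired."""
    warnings: list[str] = []
    if password.lower() in breached:
        warnings.append("appears in the breached-password excerpt")
    prefix, suffix = hibp_split(password)
    hits = count_in_range_response(suffix, range_body)
    if hits:
        warnings.append(f"seen {hits} times in breach data (range {prefix})")
    for base in breached:
        if password.lower() != base and password in common_mutations(base):
            warnings.append(f"is a common mutation of breached password '{base}'")
            break
    return warnings


def pick_words(wordlist: list[str], count: int = 3) -> list[str]:
    """The 'three random words' method: choose with the CSPRNG, not random.choice."""
    return [secrets.choice(wordlist) for _ in range(count)]


def passphrase_entropy_bits(wordlist_size: int, count: int = 3) -> float:
    """Strength comes from list size: 3 words from 16 give 12 bits, from 7,776 about 38.8."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("password", "Password1", "leedsutd", "".join(pick_words(WORDLIST))):
        print(f"{candidate!r}: {assess(candidate) or ['no warnings']}")
    print(f"{len(WORDLIST)}-word list: {passphrase_entropy_bits(len(WORDLIST)):.1f} bits")
```

Two design points are worth noting. The range lookup only ever needs the first five hex characters of the SHA-1, which is why the suffix comparison happens on your side rather than on the service’s. And the entropy function makes the limit of the ‘three words’ method explicit: three words drawn from a 16-word list are worth 12 bits, so the method only works with a large list and genuinely random picks.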

How Can Businesses Educate Their Employees?

It’s no secret that good password practice is essential to ensuring that businesses aren’t put at unnecessary risk.

A single employee with their password in the public domain can compromise the security of your entire organisation, opening the door to all manner of cybercriminals.

At Bob’s Business, we understand that when it comes to the cyber security health of your business, your employees are the most valuable weapon in your arsenal. They’re the front line of your battle against cyber crime and, without proper training, can be manipulated to grant access to confidential and valuable information.

Our cyber security eLearning courses cover everything from how to make the perfect password to GDPR compliance, phishing detection and data protection. They’re designed to help your staff understand the threats posed by cyber crime and reshape their behaviour to protect your organisation.

Your Email isn’t Protecting You from Phishing, Study Finds

It will come as little surprise to anyone who’s ever received a suspect-looking invoice, but the major technology firms – including Apple, Google and Microsoft – are failing to protect users from phishing email threats.

The finding comes from Plymouth’s Centre for Security, Communications and Network Research (CSCAN), which set about discovering what action the big tech firms were taking to protect users and businesses from phishing.

Their research reveals serious gaps in the automatic phishing detection used by the major email providers, but first, it’s vital to understand what ‘phishing’ actually is.

What is Phishing?

Phishing emails are, quite simply, the most common way for cybercriminals to steal your personal information like credit card details or password information.

Phishing attacks are conducted through emails which are carefully designed to look just like the real thing. Often they’ll use urgent language to push you through to a page designed to harvest your personal information. Once you’ve entered your details on that page, the attacker simply logs in with them.

The threats are even more significant to businesses, with phishing emails posing one of the biggest threats to any organisation.

What did the Study Find?

Plymouth’s Centre for Security, Communications and Network started by sending two sets of messages to ‘victim accounts’, using email templates pulled from the archives of reported phishing attacks.

The first of those emails was simply plain text, with no links included. The second set of emails had all the original links in place, pointing to their original destination.

Researchers then studied which emails made it through to users’ inboxes and whether users were warned that these emails were malicious. The result? Well, it certainly doesn’t reflect well on the big tech firms.

75% of the phishing emails without links and 64% of those with links made their way into the target inboxes. Even worse, only 6% of those emails were marked as malicious.

Commenting on the findings, Bob’s Business CEO Melanie Oldman said: “This study only further illustrates how, when it comes to phishing, we can’t trust technology alone to protect us. With instances of ever-more sophisticated phishing attacks on the rise, all businesses should implement simulated phishing training to educate staff on the risks associated with phishing emails before they cause significant harm”.

What can you do to Avoid Phishing Attacks?

The key to avoiding phishing attacks is raising awareness and creating a secure culture. Whether in your personal life or in a business environment, being aware of the telltale signs of a phishing email can make all the difference.

We’ve written extensively on how to spot a phishing email in the past. For those short on time though, we’ve included seven ways to spot a phishing email here:

  1. Check the sender’s email address – Look at the actual address, not just the display name, which an attacker can set to anything. Phishing addresses often give themselves away with misspellings, lookalike domains or odd strings of letters and numbers.
  2. Check the spelling and grammar of the email – Phishing emails commonly feature spelling or grammatical errors. Treat this as one signal among several, though: legitimate emails contain typos too, and well-crafted phishing emails often don’t.
  3. Look for odd use of imagery – Blurry, old or oddly laid out imagery might be a giveaway that an email isn’t from a legitimate source.
  4. The email is designed to push you into a rash decision – Many phishing emails are designed to encourage you to make a decision you’ll later regret. Always take time to carefully read an email before you do anything.
  5. The email sounds too good to be true – Much like phishing emails designed to cause panic, many phishing emails are built around good news, hoping you won’t think clearly about what you’re doing until it’s too late.
  6. Check the links – Most phishing emails try to get you to click on a link. Hover over (or long-press) the link to see where it really goes, and judge it by that destination’s domain rather than by the text of the link, which can show one address while pointing to another.
  7. Compare emails to legitimate versions – If the email is from a company you’ve interacted with in the past, compare the new email to the old one to look for discrepancies.
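Several of the tells in the list above (the real sender address, pressure language, and link text that doesn’t match the link target) can be checked mechanically before a message reaches a person. The script below is an added example written for this article, not CSCAN’s study code or Bob’s Business’s product. Both messages in it are constructed for the example, every domain in them is fictitious, and the keyword list and thresholds are illustrative assumptions rather than anything the study describes.

```python
"""Heuristic phishing checks over a raw email (added example; not CSCAN's or
Bob's Business's code).  PHISH and LEGIT are constructed messages with fictitious
domains; the keyword list and thresholds are illustrative assumptions."""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.com>
Reply-To: verify@mail-example-bank.net
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer, we detected unusual activity. Verify immediately or your
account will be suspended.</p>
<p><a href="http://examp1e-bank-secure.com/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement for last month is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p></body></html>
"""

# Pressure phrases (tells 4 and 5); an assumed list, extend it from your own reports.
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now", "act now")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Naive 'registrable domain' (last two labels).  Real code should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyse(raw: str) -> list[str]:
    """Return the list of tells found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # Tell 1: the real address, not the display name, is what matters.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = from_addr.rpartition("@")[2]
    if re.search(r"\d", from_dom):
        findings.append(f"sender domain contains digits: {from_dom}")
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != registrable(from_dom):
        findings.append(f"Reply-To {reply_addr} does not match From {from_addr}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)

    # Tells 4 and 5: pressure language in the subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    pressure = [phrase for phrase in URGENCY if phrase in haystack]
    if len(pressure) >= 2:
        findings.append("pressure language: " + ", ".join(pressure))

    # Tell 6: where the link really goes versus what its text shows.
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, shown in extractor.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(f"link is not HTTPS: {href}")
        shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
        if shown_host and registrable(shown_host) != registrable(target.hostname or ""):
            findings.append(f"link text shows {shown_host} but points to {target.hostname}")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

The point of the link check is that it compares registrable domains, so a visible ‘https://www.example-bank.com/login’ sitting on top of an href to ‘examp1e-bank-secure.com’ is caught even though both look plausible at a glance. Heuristics like these only narrow the field, which is consistent with the study’s finding: the final decision still rests with a trained reader.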

For businesses, the fastest and most reliable way of ensuring your staff are aware of the serious risks that phishing emails pose and how to mitigate them is to combine our award-winning eLearning course with our phishing simulation solution.

Learn more about how Bob’s Business can help your staff protect you from phishing attacks here.

Introducing the Yorkshire Cyber Security Cluster

We love what we do here at Bob’s Business, and as one of the founders and creators of the Yorkshire Cyber Security Cluster (YCSC) along with CRK consulting, we are proud to be helping regional organisations to become more cyber secure.

Introducing the YCSC

The YCSC is an initiative created as part of the UK Cyber Security Forum to help organisations across the Yorkshire region to collaborate and build stronger standards of cyber security as part of a knowledge exchange collective.

It brings together recognised cyber security experts, a selection of academic institutions, charities, local bodies and the police force who are all working together towards reducing cybercrime within Yorkshire and the surrounding regions.

The YCSC now has over 30 core member organisations and an extended community of hundreds of individuals that is growing daily. As well as businesses, academia and public service providers from around the Yorkshire region, the Yorkshire and Humber Regional Cyber Crime Unit (YHROCU) are also members and regularly speak at the meetings, giving insights into what is happening within the cyber security industry.

Sergeant Shelton Newsham from the Regional Cyber Crime Unit described the relationship with the YCSC: “We have a close relationship with the cluster. It is one that brings several benefits to businesses and the public throughout the four forces we cover. The ability of the cluster to bring together industry experts is an important factor in enabling new issues to be raised, problems to be discussed and intelligence to be shared.”

“These open and honest discussions enable us all to work together to reduce that risk to businesses and individuals. The opportunity for law enforcement, industry and academia to meet and discuss issues is something that enables greater knowledge sharing across various sectors to benefit those that live and work in our region. Collaboration leads to more creative approaches enabling law enforcement to connect with different business areas who all have the same goal which is to reduce the risk of businesses and individuals becoming a victim of Cyber Crime.”

The YCSC meetings are held bi-monthly at The Digital Media Centre in Barnsley and are open to anyone who wishes to attend. There are traditionally three speakers at the meetings who talk about a selected theme or topic, helping to educate other members about this area of cyber security.

At the last YCSC meeting in June 2018, Bharat Mistry, principal security strategist at Trend Micro, spoke about ransomware. Thomas Chappelow, a Principal Consultant in PCI and Information Security at Data Protection People, also provided a talk on ‘A day out with Ransomware’.

When speaking about his involvement with the YCSC, Thomas Chappelow said: “A key part of my work is the engagement of stakeholders within the industry, and the wider public, on the importance of cyber and information security capability-building. The Yorkshire Cyber Security Cluster provides a vital forum for regional and national experts, law enforcement officers, and other stakeholders, to share with each other the lessons they are learning within their respective sectors. I’m excited to see the Cluster develop into a key regional security resource.”

The cluster also heard from one of its key members Dr. Daniel Dresner who speaks regularly at the meetings. We asked him what he thought about the YCSC: “I look forward to YCSC meetings. They are an ideal combination of businesses, law enforcement, and academics who come together to look at practical cyber security in (as has been said elsewhere) an ‘unfettered…untrammelled’ atmosphere. YCSC avoids the false divisions of business and family persona which makes it the kind of community approach that I’m interested in – it sets out to make a difference.”

Past meetings have focused on other aspects of the cyber security community such as ‘The next generation of professionals’ where Kathy Mckay from Ideansinc discussed ‘The Commercialisation Project and Building a Northern cyber security Talent Pool, working alongside industries and universities’.

Melanie Oldham, Co-Founder of the YCSC said: “What I love about the cluster is we are all experts in our own field and get the opportunity to showcase this at the meetings, whilst improving our wider knowledge and identifying commercial collaboration opportunities with some great regional businesses, increasing revenue and resilience to the region”.

At the next meeting, the cluster will be hearing from Ryan Mackenzie about Advanced Threat Protection; other speakers are to be confirmed.

Join the YCSC

Could you be one of our next speakers? If you would like to speak at one of the future events please get in touch by emailing email@ycsc.org.uk.

If you would like to become a member then all you have to do is come along to the next YCSC meeting and speak to a member of our team about membership. Our meetings are free to attend and you can secure your ticket here on our Eventbrite page.

If you would like to get involved or find out more, visit the YCSC website or you can contact us at email@ycsc.org.uk.


Record GDPR Fine for Google

Just over eight months after the introduction of the General Data Protection Regulation, technology giant Google has been hit with a record fine of €50m (£44m) for failing to comply with the new legislation.

Google’s GDPR Fine Explained

The CNIL, France’s data protection regulator, found that Google had broken EU privacy law by failing to obtain valid consent from its users for the data it used for personalised advertising.

The regulator also found that the search engine provider didn’t provide clear and easily accessible information to consumers about what personal data it collected and how that data was held.

The CNIL found that the setting allowing personalised advertisements was pre-selected when users were creating an account, and that Google treated this as consent for all of the processing that followed. This does not comply with the GDPR, under which consent is only “specific” if it is given distinctly for each purpose, and a pre-ticked box does not amount to an unambiguous, affirmative action by the user.

In a recent statement, Google said “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

Original complaints against Google were filed on the 25th May 2018 by privacy rights groups, None of Your Business (NOYB) and La Quadrature du Net (LQDN). The groups claimed Google did not have the legal right under the GDPR to process user data for personalised advertisements. 

Max Schrems, chairman of NOYB, said, “We are very pleased that, for the first time, a European data protection authority is using the possibilities of the GDPR to punish clear violations of the law. Following the introduction of the GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often, only superficially, adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

After months of speculation about how GDPR fines would be enforced, maybe this is the wake-up call and the example that Europe has been waiting for.

How will the fine affect Google? 

Considering that Google had an estimated annual turnover of around £85bn ($110bn) for 2017, the €50m (£44m) fine that they have received will be a drop in the ocean. It may seem that Google has gotten off lightly this time around, as the GDPR allows organisations to be fined up to 4% of their global annual turnover (or €20m, whichever is higher); in Google’s case that could have meant a fine estimated at £4bn (€4.5bn).

The real damage done is to Google’s reputation. The fact that the largest search engine provider in the world has been found to be in breach of GDPR may make users more reluctant to use Google services if they cannot trust them to handle data responsibly. Under the GDPR, individuals are also able to claim compensation if their rights have been violated, so this could be just the start of the thickening plot.

Dr Lukasz Olejnik, an independent privacy researcher and adviser, indicated that the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,” he said.

How does GDPR affect you?

Now that the first ‘big’ fine has been issued under GDPR, the bar has been set when it comes to what’s acceptable under new data protection laws – and how much it can cost an organisation.

We can expect more fines to follow throughout 2019, and to make sure that you’re not one of them you should review your existing data protection procedures within your organisation. This includes what kind of data you keep, how you handle data and training your staff to understand what role they have to play in maintaining GDPR compliance.

Before the GDPR was introduced last May, we wrote a quick article highlighting how the new data protection law will affect organisations of all shapes and sizes.

At Bob’s Business, we’re the trusted experts in providing online cyber security training. That’s why we developed our very own suite of GDPR training courses to help organisations get up to speed with the new regulation and ensure all users understand their obligations. To try the GDPR demo course for yourself, visit our GDPR training page to get started.