The Evolving Threat of Ransomware in 2019 and Beyond

For most businesses, ransomware is the great boogeyman, always lurking around the corner.

The prospect of walking into work one day to find all your data locked behind a paywall is a terrifying one, and worst of all, it’s far from a remote possibility.

Ransomware attacks in 2018 reached 204 million, a figure which is expected to be significantly higher in 2019. Indeed, 2019 has been a bumper year for ransomware attacks, with Q3 seeing a 37% increase in attacks over the previous quarter, according to Beazley.

From reputational damage to data loss, the costs associated with ransomware attacks are numerous, resulting in a hugely perilous situation for businesses of all sizes.

Curiously though, there is today a general comfort around ransomware attacks. Businesses are increasingly adapting to the reality of impending ransomware attacks by deploying backup software.

By regularly backing up your data, the idea goes, you can simply roll back your system to a point before it was locked down by a ransomware attack. Simple and effective, right? Well, not anymore.

Cybercriminals are many things, but lazy isn’t one of them. More recent strains of ransomware like Samas, MongoLock and Zenis – to name just a few – go the extra mile and actively search for and destroy backup files, leaving businesses completely vulnerable to ransomware attacks once again.

That’s not all though, because some ransomware strains have been adapted to hide on a network for months at a time before becoming active. This means that any attempt to roll back to older (supposedly safe) backups results in an ‘attack loop’, where backing up only restarts the attack.

Far from breaking news, reports of ransomware attacks deleting backups date back as far as April 2017, with one Veeam user posting:

“On 2/7 we were hit with Samas Ransomware. Of course I freaked but I felt confident driving into work that I was ok with backups… The server itself got wiped with Samas, but I still felt confident. I looked in the Veeam_Backups folder a few times on both Drobos and both were empty… I knew at that point they were gone.”

This evolving, ever-escalating threat is exactly why businesses should never stop adapting.

The approach to this new ransomware environment should be a two-pronged one: effective phishing training and backup software that is designed to manage advanced ransomware attacks.

Tackling the Modern Ransomware Environment

How Can Phishing Training Help Protect Organisations from Ransomware Threats?

Phishing attempts are, by far, the most common way for ransomware to enter a system. Although often considered separate threats, phishing and ransomware are typically found as a couple, with phishing emails directing people to files and web pages that will then install ransomware onto their system.

But how commonly is ransomware tied into phishing attempts? Well, an estimated 90% of cyber attacks begin with a phishing or spear-phishing email.

It’s a startling statistic and one which can’t be ignored in the battle against ransomware. Whilst hardware and software barriers offer some protection against phishing emails, they lose efficacy as soon as an email finds its way through.

That’s why it’s vital that your staff are trained to spot the signs of phishing emails before they click. Our award-winning Think Before You Click simulated phishing training measures your workforce’s susceptibility to phishing attacks, before directing affected members of staff to our unique training environment.

Think Before You Click can lower click rates by 74%, dramatically reducing an organisation’s susceptibility to phishing emails and ransomware. However, no single solution can completely remove the potential of a member of your workforce falling victim to a phishing attack.

That’s where advanced backup support comes in to play.

How Can An Advanced Backup Provider Help Protect Organisations from Ransomware Threats?

When – not if – ransomware finds its way past even well-trained staff, you need a backup solution built to handle it.

Solutions like Data2Vault’s Attack Loop prevention service, powered by Asigra, tackle increasingly intelligent ransomware by offering multiple layers of protection, including:

  • Two-factor authentication for volume backup deletion, protecting from automated mass-deletion.
  • Variable naming for backup files to avoid auto-deletion.
  • Automatic scanning of files during backup and recovery.

By utilising these three protective layers, solutions like Asigra can help curb the effectiveness of ransomware attacks.
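The first and third of those layers (guarding against automated mass deletion, and scanning backup files) are the ones a defender can also monitor for directly. The script below is an added example, not Data2Vault’s or Asigra’s code: it records a SHA-256 manifest of a backup directory, and on a later check reports which backup files have gone missing or changed, raising a mass-deletion alert when more than half of the manifest has disappeared. The directory contents, file names and the 50% threshold are all constructed assumptions for the demo; in practice the manifest would be stored somewhere the backup host itself cannot write to.

```python
"""Detecting mass deletion or tampering of backup files via a hash manifest.

Added example (not Data2Vault's or Asigra's code). The backup files below are
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption for the demo: losing half or more of the manifest in one check
# is treated as a mass-deletion event rather than routine retention clean-up.
MASS_DELETION_THRESHOLD = 0.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup images are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file (relative to backup_dir) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(backup_dir))] = sha256_file(path)
    return manifest


def check_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Compare the directory's current state with a previously stored manifest."""
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(name for name in manifest
                     if name in current and current[name] != manifest[name])
    missing_fraction = len(missing) / len(manifest) if manifest else 0.0
    return {
        "missing": missing,
        "changed": changed,
        "mass_deletion": missing_fraction >= MASS_DELETION_THRESHOLD,
    }


def demo() -> dict:
    """Constructed scenario: three backup files; two are deleted, one is overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = Path(tmp)
        for name in ("backup-001.bak", "backup-002.bak", "backup-003.bak"):
            (backup_dir / name).write_bytes(b"backup data for " + name.encode())
        # The stored copy stands in for a manifest kept on a separate, read-only store.
        stored = json.loads(json.dumps(build_manifest(backup_dir)))
        # Simulate a ransomware strain deleting backups and corrupting what remains.
        (backup_dir / "backup-001.bak").unlink()
        (backup_dir / "backup-002.bak").unlink()
        (backup_dir / "backup-003.bak").write_bytes(b"not the original backup")
        return check_manifest(backup_dir, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, a check like this turns a silently emptied backup folder (the situation in the Veeam user’s account above) into an alert raised before the restore is needed, and the digest comparison also catches backup images that are still present but no longer match what was written.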

Together with effective workforce phishing training, the threat from ransomware attacks is almost completely curtailed, helping to protect your organisation’s reputation and financial future.

What is Cyber Security: Everything You Need to Know

There’s a lot of money in information, which is why threats from cybercriminals are growing increasingly common.

Cyber security is arguably the most important measure modern organisations can take to keep their clients’ information safe. However, what cyber security actually entails is often misconstrued by key decision-makers within organisations.

In this article, we’ll be giving you a total overview on cyber security, including: what it is, what it focuses on, what it protects you from and why it’s important.

What is Cyber Security?

Cyber security focuses on protecting computer systems and digital infrastructures from online attack. This includes components such as hardware, software, and data.

People often confuse cyber security with information security, which is a much broader concept that is concerned with protecting all aspects of information including hard and digital copies.

Thankfully, some organisations are waking up to the alarming threat that cybercrime poses and have begun investing in staff training to better prepare and arm themselves against new-age digital threats.

Unfortunately, not everyone’s up to speed. Only 51% of businesses and 29% of charities have installed the five basic technical controls of cyber security, as defined by the NCSC. It’s great news for cybercriminals, especially when you consider the number of data breaches and successful attacks occurring every year.

While your organisation might seem secure, ask yourself, is it doing enough to mitigate threats and protect both monetary and informational assets?

Why is Cyber Security Important?

Cyber security awareness is at an all-time high, owing to the hundreds of high-profile cyber attacks every single year. Shockingly, 2018 saw nearly half of all UK businesses fall victim to cyber attacks. If these had all been physical robberies, we’d be talking about an unprecedented crime wave.

The reason for those attacks is simple: there’s money in cyber crime. Just this week, news hit that the UN is set to investigate North Korea for a series of alleged cyber attacks that are thought to have raised over $2bn for nuclear weapons.

When it comes to your organisation, effective cyber security could be the difference between success and failure.

A data breach can damage everything from your finances to your reputation, the latter being much harder to earn back. You don’t need to look too far for an example. Last year, the infamous Cambridge Analytica and Facebook data breach resulted in 5% of Brits deleting their accounts – and that’s Facebook!

It’s crucial to understand these threats so that you are in the best position to protect yourself and your organisation. In order to do this, you need to learn the three pillars of cyber security and the types of threats that are out there.

What are the Three Pillars of Cyber Security?

We believe there are three key pillars of cyber security. By addressing these pillars, organisations can protect themselves from both impulsive and premeditated attacks. They are:

1. People

The most advanced technology in the world is powerless if the people in your organisation are vulnerable to exploitation. Most data breaches are the result of human error or malicious intervention. From an organisational point of view, it only takes one person to fall for a phishing email to compromise your whole system.

We believe that staff awareness training is by far the most effective way to instil a cyber security culture within your organisation.

2. Processes

Processes are like a checklist and guide you can follow to make sure you’re employing the best practices for cyber security. It is also a great way of communicating with your employees exactly what is expected of them.

These processes can be far-reaching, from employees’ roles and responsibilities when processing information to reporting suspect emails. Certifications such as ISO 27001, which is covered by our cyber security training courses, can help you develop cyber-safe processes that best suit your organisation.

3. Technology

Technology is your initial defence against cyber attacks.

Cybercriminals are constantly changing their tactics and your antivirus software needs to match this. This is not to say that you should look to install new software, but rather to keep on top of new versions and updates as these could protect you from a new threat that the old version would not recognise.

Whilst we at Bob’s Business think too much emphasis is placed on technological solutions compared to the human factor, it’s vital that software is kept up to date.

What are the Different Types of Cyber Security Threat?

There are a host of cyber security threats that could damage your organisation. We have identified the three most common avenues cybercriminals explore when attacking an organisation’s finances or data.

Social Engineering

Social engineering uses psychological tactics to prey on people rather than technology, issuing ultimatums and evoking urgency to make victims act rashly and give away information. The most common and successful method for this is email phishing.

We have written extensively on how to spot phishing emails but an example might be an email which demands you: ‘pay £50 now to avoid being charged £1,000’ or says ‘we believe your account has been hacked, please enter your login details to avoid your account being deleted’.

Malware

This is a broad term that describes any software that is designed to harm a computer system. This can include trojans, worms, viruses and more. Each of these can be downloaded by following a link in an email or using an illegitimate website.

Staff training is crucial to stopping malware from infecting your system. Quite simply, your employees need to know what they’re looking for.

For example, many people look at the lock icon and ‘HTTPS’ next to a web address and assume it’s safe. However, cybercriminals can recreate this with ease and goad victims into thinking they’re using the internet safely.

Ransomware

Ransomware is a type of malware that is an extremely popular choice of attack for cybercriminals. After installing harmful software onto your computer system, cybercriminals will encrypt all the data on the device and demand payment to allow the organisation to use the system again.

Notorious ransomware attacks include the WannaCry attack, which infected over 300,000 devices and caused untold financial and reputational damage to organisations as large as the NHS, FedEx, Renault and Hitachi.

For businesses, the most effective solution to combat ever-evolving cyber security threats is to keep your software up to date and implement staff training in cyber security awareness to create a secure culture.

Learn more about how we can help educate your staff in cyber security awareness here.

What Were the Most Common Passwords in 2019?

Read our updated guide to 2020’s most common passwords here!

Let’s face it – few of us enjoy the process of picking a password. We’re often marooned between a simple yet memorable password and a truly secure one.

The result? An epidemic of poor choices which means that, when it comes to choosing passwords, many of us are falling into the same traps. They’re traps which can compromise your personal data, finances and even your organisation’s cyber security.

Cybercriminals and the software they utilise are growing more sophisticated by the day, so there’s never been a better time to brush up on how to write a secure password.

Thanks to work by the National Cyber Security Council (NCSC), we finally have an idea of what the most common passwords in the world are. The passwords were scraped from hacks in the Have I Been Pwned? database and reveal some serious flaws in common password design.

Join Bob’s Business below as we share with you the most common passwords, explain why you shouldn’t reuse your password and much, much more.

What Were 2019’s Most Common Passwords?

The top five most commonly used passwords in 2019 were:

  • 123456 (23.2m)
  • 123456789 (7.7m)
  • qwerty (3.8m)
  • password (3.6m)
  • 111111 (3.1m)

What unites each of these passwords? Simplicity. They’re super simple to think up and remember, which is good. On the other hand, they’re so easy to crack that they’re basically useless.

What Does the Password List Tell Us?

There are a number of themes that recur time and time again in the NCSC’s password list.

Numerical patterns are a very common theme, with passwords like ‘000000’ or ‘654123’ appearing constantly in the NCSC’s list of the 100,000 most hacked passwords. In fact, out of the top twenty passwords, numerical patterns appear twelve times, highlighting just how common they are.

Another theme that appears time and time again in the list is names. The NCSC’s data found that ‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the five most commonly used names as passwords, but there are hundreds of examples on the list.

Other popular common passwords are football teams, musicians, superheroes and swear words, which appear shockingly often.

So, what do all these patterns tell us? When we’re building passwords, most of us just choose something that’s easy to remember. Whether it’s the football club we love, our favourite band, an easy to recall set of numbers or even our own name – many of us are choosing passwords that don’t require us to memorise anything complicated.

All of which brings us to…

How to Make a Good Password (and Remember It!)

There are countless ways to create good, secure passwords, but many methods ignore the fact that it takes a monumental effort to remember ‘C7sf3LU!6w’ instead of ‘leedsutd’.

That’s why at Bob’s Business, we recommend the ‘three words’ method of password creation. Simply pick three random, unconnected words and put them together. Passwords like ‘laminateboomtag’ are easy to remember and, crucially, unique.
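To make the themes in the NCSC list concrete, here is an added example (not part of the original post) of the kind of check a password policy or sign-up form could run: it flags a candidate that appears in a common-password list, that is a pure numeric pattern, or that contains a term tied to the user’s life, and it also computes the guess space of a three-random-word passphrase against a ten-character random string. The common-password set is constructed from the entries quoted in this article (a real check would load the full NCSC or Have I Been Pwned list), and the 7,776-word dictionary size is an assumption taken from a standard diceware list; the 94-character set is printable ASCII.

```python
"""Password checks illustrating the themes in the NCSC list.

Added example, not part of the original post. COMMON_PASSWORDS is a
constructed sample built from the entries named in the article.
"""
import math

# Constructed sample: the real NCSC list runs to 100,000 entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111",   # top five
    "000000", "654123",                                     # numeric patterns
    "ashley", "michael", "daniel", "jessica", "charlie",    # most common names
}

MIN_LENGTH = 12  # assumption: the minimum length this example's policy accepts


def is_numeric_pattern(password: str) -> bool:
    """Digits only, which covers '000000', '654123' and similar runs."""
    return password.isdigit()


def weak_password_reasons(password: str, personal_terms=()) -> list:
    """Return every reason the candidate would be rejected (empty list = accepted).

    personal_terms: words tied to the user's life (team, band, own name) that
    the article says should not appear in a password.
    """
    lowered = password.lower()
    reasons = []
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if is_numeric_pattern(password):
        reasons.append("numeric pattern")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for term in personal_terms:
        if term.lower() in lowered:
            reasons.append(f"contains personal term '{term}'")
    return reasons


def guess_space_bits(symbol_count: int, length: int) -> float:
    """log2 of the number of candidates an attacker who knows the scheme must try.

    For a passphrase the 'symbols' are whole words drawn from a list, so the
    strength comes from the list size and the words being unconnected.
    """
    return length * math.log2(symbol_count)


def compare_styles() -> dict:
    """Guess space for the two password styles contrasted in the article."""
    return {
        "three_random_words": round(guess_space_bits(7776, 3), 2),  # assumed 7,776-word list
        "ten_random_chars": round(guess_space_bits(94, 10), 2),    # printable ASCII
    }


if __name__ == "__main__":
    for candidate in ("123456", "leedsutd", "laminateboomtag"):
        print(candidate, weak_password_reasons(candidate, personal_terms=("leeds",)))
    print(compare_styles())
```

The guess-space figures show why the method insists on random, unconnected words: a passphrase is only as strong as the list the words are effectively drawn from, so a favourite team or band shrinks that list to a handful of guesses, whereas three genuinely unrelated words keep the full dictionary in play while remaining far easier to recall than a string like ‘C7sf3LU!6w’.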

Not sure just how secure your password is? Type it into How Secure is my Password and discover just how quickly your password could be cracked.

How Often Should You Change your Password?

There are plenty of myths out there about how often you should change your password. Some schools of thought suggest every month, others once every quarter.

The problem with mandatory password changes is that they tend to encourage superficial changes to passwords – a capitalised letter here or a new number there. For hackers, those small changes are easy to adapt to.

Instead, you should simply choose a unique password for every website or service you sign up to.

Dedicated password manager software will keep track of your passwords and automatically input them across your devices, whilst browsers like Chrome now support built-in password management, so you don’t even need to remember your passwords.

Of course, if any service you use is hacked, you should change your password immediately to stop criminals accessing your private information. Finding out whether an account you use has been hacked is simple: just use a website like Have I Been Pwned?

Our Top Password Tips

Creating a secure and memorable password doesn’t need to be difficult. In fact, it can be easy. Just follow our top password tips below and you’ll never need to worry about your password security again.

  • Build your passwords from three random yet memorable words. Try to choose words which aren’t related to your life, so no favourite bands or teams and certainly not your name. That way no automated hacking system or individual can figure out your password.
  • Use different passwords for every website or service you use. The temptation to use the same password everywhere is strong, but doing so means that a single breach on any service could compromise all of your accounts.
  • Check to see if any of your accounts have been breached. By inputting your email address into a website like Have I Been Pwned? you can see whether any of your details have been breached and released. Companies will also email you to alert you if their service has been breached.
  • Always change any passwords you have on breached services. It should go without saying, but if your information has been breached, you should change your password as soon as possible, alongside updating your password on any websites that share the breached password.
  • If in doubt, check the strength of your password. There are plenty of services that will show how strong your password is, but our favourite is How Secure is my Password, which instantly reveals how long it would take a computer to crack your password.

How Can Businesses Educate Their Employees?

It’s no secret good password practice is essential to ensuring that businesses aren’t put at unnecessary risk.

A single employee with their password in the public domain can compromise the security of your entire organisation, opening the door to all manner of cybercriminals.

At Bob’s Business, we understand that when it comes to the cyber security health of your business, your employees are the most valuable weapon in your arsenal. They’re the front line of your battle against cyber crime and, without proper training, can be manipulated to grant access to confidential and valuable information.

Our cyber security eLearning courses cover everything from how to make the perfect password to GDPR compliance, phishing detection and data protection. They’re designed to help your staff understand the threats posed by cyber crime and reshape their behaviour to protect your organisation.

Your Email isn’t Protecting You from Phishing, Study Finds

It will come as little surprise to anyone who’s ever received a suspect looking invoice, but the major technology firms – including Apple, Google and Microsoft – are failing to protect users from phishing email threats.

The confirmatory news flash comes from Plymouth’s Centre for Security, Communications and Network (CSCAN), which set about finding out what action the big tech firms were taking to protect users and businesses from phishing threats.

Their research reveals shocking flaws in the automatic detection software employed across the major email service providers, but first, it’s vital to understand what ‘phishing’ actually is.

What is Phishing?

Phishing emails are, quite simply, the most common way for cybercriminals to steal your personal information like credit card details or password information.

Phishing attacks are conducted through emails which are carefully designed to look just like the real thing. Oftentimes, they’ll use urgent language to force you through to a page which is designed to harvest your personal information. From there, compromising your accounts is as simple as inputting the details you provided.

The threats are even more significant to businesses, with phishing emails posing one of the biggest threats to any organisation.

What did the Study Find?

Plymouth’s Centre for Security, Communications and Network started by sending two sets of messages to ‘victim accounts’, using email templates pulled from the archives of reported phishing attacks.

The first of those emails was simply plain text, with no links included. The second set of emails had all the original links in place, pointing to their original destination.

Researchers then studied which emails made it through to users’ inboxes and whether users were warned that these emails were malicious. The result? Well, it certainly doesn’t reflect well on the big tech firms.

75% of the phishing emails without links and 64% of those with links made their way into the target inboxes. Even worse, only 6% of those emails were marked as malicious.

Commenting on the findings, Bob’s Business CEO Melanie Oldman said: “This study only further illustrates how, when it comes to phishing, we can’t trust technology alone to protect us. With instances of ever-more sophisticated phishing attacks on the rise, all businesses should implement simulated phishing training to educate staff on the risks associated with phishing emails before they cause significant harm”.

What can you do to Avoid Phishing Attacks?

The key to avoiding phishing attacks is raising awareness and creating a secure culture. Whether in your personal life or in a business environment, being aware of the telltale signs of a phishing email can make all the difference.

We’ve written extensively on how to spot a phishing email in the past. For those short on time though, we’ve included seven ways to spot a phishing email here:

  1. Check the sender’s email address – Phishing email addresses often give themselves away with misspellings or odd strings of letters and numbers.
  2. Check the spelling and grammar of the email – Phishing emails commonly feature spelling or grammatical errors. No serious business would send out an email with a grammatical error.
  3. Look for odd use of imagery – Blurry, old or oddly laid out imagery might be a giveaway that an email isn’t from a legitimate source.
  4. The email is designed to push you into a rash decision – Many phishing emails are designed to encourage you to make a decision you’ll later regret. Always take time to carefully read an email before you do anything.
  5. The email sounds too good to be true – Much like phishing emails designed to cause panic, many phishing emails are built around good news, hoping you won’t think clearly about what you’re doing until it’s too late.
  6. Check the links – Most phishing emails try to get you to click on a link. Look closely at these links to spot fakery.
  7. Compare emails to legitimate versions – If the email is from a company you’ve interacted with in the past, compare the new email to the old one to look for discrepancies.
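Three of those seven signs (the sender’s address, the push for a rash decision, and links whose visible text hides a different destination) can be checked mechanically, which is how a mail gateway or a reporting tool would triage a suspect message before a person looks at it. The script below is an added example, not part of the original post or CSCAN’s study: it parses an email, compares the sender domain with the domain a named brand is expected to use, looks for urgency wording, and flags any link whose visible text names a different host than its real target. The two messages, the brand-to-domain table and the urgency word list are all constructed for the demo.

```python
"""Heuristic checks for three of the phishing signs listed in the article.

Added example, not part of the original post. The sample messages below are
constructed; nothing here is taken from the CSCAN study's templates.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser

# Constructed: domains this organisation expects each brand to send from.
KNOWN_BRAND_DOMAINS = {"examplebank": "examplebank.com"}
# Constructed: wording that pushes the reader towards a rash decision (sign 4).
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "act now", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body (sign 6)."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host named by a URL or a bare 'www.example.com' string ('' if none)."""
    match = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return match.group(1) if match else ""


def phishing_indicators(raw_message: str) -> list:
    """Return the list of signs found; an empty list means none of the three fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    # Sign 1: the display name claims a brand but the address is from elsewhere.
    display_name, address = email.utils.parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, domain in KNOWN_BRAND_DOMAINS.items():
        if brand in display_name.lower().replace(" ", "") and sender_domain != domain:
            indicators.append(f"sender domain {sender_domain} does not match {brand}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Sign 4: pressure to act before thinking.
    if any(word in text.lower() for word in URGENCY_WORDS):
        indicators.append("urgency wording")
    # Sign 6: the link's visible text and its real target name different hosts.
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        real, shown = host_of(href), host_of(visible)
        if shown and real and shown != real:
            indicators.append(f"link text shows {shown} but points to {real}")
    return indicators


# Constructed sample: a lookalike sender, urgency, and a disguised link.
PHISHING_SAMPLE = """From: Example Bank Security <alerts@examp1ebank-security.net>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://examp1ebank-security.net/login">https://www.examplebank.com/login</a></p>
"""

# Constructed sample: the genuine article, for comparison.
LEGITIMATE_SAMPLE = """From: Example Bank <noreply@examplebank.com>
To: customer@example.org
Subject: Your monthly statement
Content-Type: text/html

<p>Your statement is available to view.</p>
<p><a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    print("phishing:", phishing_indicators(PHISHING_SAMPLE))
    print("legitimate:", phishing_indicators(LEGITIMATE_SAMPLE))
```

None of these checks is conclusive on its own, which is exactly the study’s point about automatic detection: a message can pass all three and still be a phish, so the heuristics are a triage aid that supports the human checks above rather than a replacement for them.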

For businesses, the fastest and most reliable way of ensuring your staff are aware of the serious risks that phishing emails pose and how to mitigate them is to combine our award-winning eLearning course with our phishing simulation solution.

Learn more about how Bob’s Business can help your staff protect you from phishing attacks here.

Introducing the Yorkshire Cyber Security Cluster

We love what we do here at Bob’s Business, and as one of the founders and creators of the Yorkshire Cyber Security Cluster (YCSC) along with CRK consulting, we are proud to be helping regional organisations to become more cyber secure.

Introducing the YCSC

The YCSC is an initiative created as part of the UK Cyber Security Forum to help organisations across the Yorkshire region to collaborate and build stronger standards of cyber security as part of a knowledge exchange collective.

It brings together recognised cyber security experts, a selection of academic institutions, charities, local bodies and the police force who are all working together towards reducing cybercrime within Yorkshire and the surrounding regions.

The YCSC now has over 30 core member organisations and an extended community of hundreds of individuals that is growing daily. As well as businesses, academia and public service providers from around the Yorkshire region, the Yorkshire and Humber Regional Cyber Crime Unit (YHROCU) is also a member and regularly talks at the meetings, giving insights into what is happening within the cyber security industry.

Sergeant Shelton Newsham from the Regional Cyber Crime Unit described the relationship with the YCSC: “We have a close relationship with the cluster. It is one that brings several benefits to businesses and the public throughout the four forces we cover. The ability of the cluster to bring together industry experts is an important factor in enabling new issues to be raised, problems to be discussed and intelligence to be shared.”

“These open and honest discussions enable us all to work together to reduce that risk to businesses and individuals. The opportunity for law enforcement, industry and academia to meet and discuss issues is something that enables greater knowledge sharing across various sectors to benefit those that live and work in our region. Collaboration leads to more creative approaches enabling law enforcement to connect with different business areas who all have the same goal which is to reduce the risk of businesses and individuals becoming a victim of Cyber Crime.”

The YCSC meetings are held bi-monthly at The Digital Media Centre in Barnsley and are open to anyone who wishes to attend. There are traditionally three speakers at the meetings who talk about a selected theme or topic, helping to educate other members about this area of cyber security.

At the last YCSC meeting in June 2018, Bharat Mistry, principal security strategist at Trend Micro, spoke about ransomware. Thomas Chappelow, a Principal Consultant in PCI and Information Security at Data Protection People, also provided a talk on ‘A day out with Ransomware’.

When speaking about his involvement with the YCSC, Thomas Chappelow said: “A key part of my work is the engagement of stakeholders within the industry, and the wider public, on the importance of cyber and information security capability-building. The Yorkshire Cyber Security Cluster provides a vital forum for regional and national experts, law enforcement officers, and other stakeholders, to share with each other the lessons they are learning within their respective sectors. I’m excited to see the Cluster develop into a key regional security resource.”

The cluster also heard from one of its key members, Dr. Daniel Dresner, who speaks regularly at the meetings. We asked him what he thought about the YCSC: “I look forward to YCSC meetings. They are an ideal combination of businesses, law enforcement, and academics who come together to look at practical cyber security in (as has been said elsewhere) an ‘unfettered…untrammelled’ atmosphere. YCSC avoids the false divisions of business and family persona which makes it the kind of community approach that I’m interested in – it sets out to make a difference.”

Past meetings have focused on other aspects of the cyber security community such as ‘The next generation of professionals’ where Kathy Mckay from Ideansinc discussed ‘The Commercialisation Project and Building a Northern cyber security Talent Pool, working alongside industries and universities’.

Melanie Oldham, Co-Founder of the YCSC said: “What I love about the cluster is we are all experts in our own field and get the opportunity to showcase this at the meetings, whilst improving our wider knowledge and identifying commercial collaboration opportunities with some great regional businesses, increasing revenue and resilience to the region”.

At the upcoming meeting, the cluster will hear from Ryan Mackenzie about Advanced Threat Protection; other speakers are to be confirmed.

Join the YCSC

Could you be one of our next speakers? If you would like to speak at one of the future events please get in touch by emailing email@ycsc.org.uk.

If you would like to become a member then all you have to do is come along to the next YCSC meeting and speak to a member of our team about membership. Our meetings are free to attend and you can secure your ticket here on our Eventbrite page.

If you would like to get involved or find out more, visit the YCSC website or you can contact us at email@ycsc.org.uk.


Record GDPR Fine for Google

Just over eight months since the introduction of the General Data Protection Regulation, the world-renowned technology giant Google has been hit with a record fine of £44m for failing to comply with the new legislation.

Google’s GDPR Fine Explained

The CNIL, France’s data protection office, found Google guilty of breaking EU privacy laws by failing to acquire adequate consent from its users regarding the data used for personalised advertising.

The regulator also found that the search engine provider didn’t provide clear and easily accessible information to consumers regarding the collection and manner in which their personal data was held.

The CNIL discovered that the setting to allow personalised advertisements was selected by default when users were creating an account, and Google then relied on that setting as the basis for all of its processing. This does not comply with the General Data Protection Regulation (GDPR), which says that consent is “specific” only if it is given distinctly for each purpose.

In a recent statement, Google said “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

Original complaints against Google were filed on the 25th May 2018 by the privacy rights groups None of Your Business (NOYB) and La Quadrature du Net (LQDN). The groups claimed Google did not have the legal right under the GDPR to process user data for personalised advertisements.

Max Schrems, chairman of NOYB, said, “We are very pleased that, for the first time, a European data protection authority is using the possibilities of the GDPR to punish clear violations of the law. Following the introduction of the GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often, only superficially, adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

After months of speculation around the enforcement of GDPR fines, maybe this is the wake-up call and the example that Europe has been waiting for.

How will the fine affect Google?

Considering that Google had an estimated annual turnover of around £85bn ($110bn) for 2017, the €50m (£44m) fine that they have received will be a drop in the ocean. It may seem that Google has gotten off lightly this time around, as the GDPR indicates that organisations could be fined a maximum of 4% of their annual turnover, which in Google’s case could have been an estimated £4bn (€4.5bn) fine.

The real damage done is to Google’s reputation. The fact that the largest search engine provider in the world has been found to be in breach of GDPR will lead to users being more reluctant to use Google services because they cannot trust them to handle data responsibly. Under the GDPR, individuals are able to claim compensation if their rights have been violated, so this could be just the start of the thickening plot.

Dr Lukasz Olejnik, an independent privacy researcher and adviser, indicated that the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,” he said.

How does GDPR affect you?

Now that the first ‘big’ fine has been issued under GDPR, the bar has been set when it comes to what’s acceptable under new data protection laws – and how much it can cost an organisation.

We can expect more fines to follow throughout 2019, and to make sure that you’re not one of them you should review your existing data protection procedures within your organisation. This includes what kind of data you keep, how you handle data and training your staff to understand what role they have to play in maintaining GDPR compliance.

Before the GDPR was introduced last May, we wrote a quick article highlighting how the new data protection law will affect organisations of all shapes and sizes.

At Bob’s Business, we’re the trusted experts in providing online cyber security training. That’s why we developed our very own suite of GDPR training courses to help organisations get up to speed with the new regulation and ensure all users understand their obligations. To try the GDPR demo course for yourself, visit our GDPR training page to get started.

Double Award Nomination for Bob’s Business

Bob’s Business has been providing engaging, educational cyber security training for its clients since 2007. We pride ourselves on the work we’ve done to help benefit the information security community and how our courses have helped organisations develop secure workplace cultures. That’s why we’re thrilled to announce that we have been nominated for not one, but two industry awards.

Our nominated Cyber Security Courses

Bob’s Business Founder and CEO Melanie Oldham has been nominated for Security Champion of the Year in the 2019 Women In IT awards, whilst the business’ Cyber Security Awareness Training product has been shortlisted for Outstanding Security Training Initiative in the Outstanding Security Performance Awards (OSPAs).

The Women in IT Awards is the world’s largest event focused on tackling gender imbalance by recognising the achievements of women within the technology sector. Since its launch in 2015, the Women in IT Awards has showcased women in technology and identified new role models in London, New York, Ireland and Silicon Valley.

The winner will be announced at the awards ceremony on 30th January at the Grosvenor Square, Marriott Hotel, London.

The Outstanding Security Training Initiative category at the OSPAs recognises individuals or companies that operate a successful training scheme which promotes outstanding performance and has produced identifiable results.

In this category, Bob’s Business has put forward its Cyber Security Awareness Training package. Since it was first released, the online training courses have educated over 500,000 users across hundreds of organisations on cyber security essentials, giving individuals a foundation in cyber best practice and creating a secure working environment for our clients.

Bob’s Business previously won an OSPA in 2017 for its innovative ‘Think Before You Click’ phishing simulation service. Implemented as a positive, not punitive, training exercise for employees, communication is at the heart of each ‘mock’ phishing email campaign, strengthening the relationship between IT and end users where historically barriers have been created.

The winners for the Outstanding Security Performance Awards are to be announced on the 28th February 2019 at the Royal Lancaster, London.

Founder and CEO of Bob’s Business, Melanie Oldham, said: “I have sidestepped previous women in cyber awards as I wanted to be recognised as the pioneer of a great business, not just a woman within the cyber sector. Having now developed a growing business and understanding the importance good role models play in attracting more females into the industry, along with the importance of diversity, I now feel proud to be nominated for my achievements within the cyber sector.”

ISO 27001: Everything You Need to Know

What is ISO 27001?

ISO 27001 is part of the ISO 27000 family, a group of international standards for information security management systems. It is the best-known standard in the family, providing the requirements for an information security management system (ISMS).

The standard has 10 short clauses and 114 controls that are designed to cover much more than just IT. The clauses and controls are tested as part of an ongoing external assessment.

Management within an organisation is responsible for determining the scope of the ISMS for certification purposes; this can be limited to a single department, location or the whole organisation.

Just remember that having the certificate in one area of the organisation does not mean that any other areas of the organisation have an adequate approach to information security management.

An ISMS provides an approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management approach, and it can help organisations of any size or sector keep vital information assets secure.

What to consider before embarking on your ISO 27001 journey?

Before you begin, you need to answer yes to all these simple questions if you are serious about gaining an ISO certification.

  • Are you fully committed to this journey?
  • Do you have buy-in from all senior management?
  • Has the scope been defined and agreed?
  • Has ISO 27001 been communicated to the rest of the organisation?
  • Have heads of department been engaged?
  • Do you train your staff regarding information security?

We won’t lie: it is a commitment that takes some time to implement and to keep up to date. The benefits to your organisation are well worth the time it takes, though, and if you have buy-in from the whole organisation, everyone can assist with the implementation.

What are the benefits of ISO 27001 to your organisation?

ISO 27001 integrates information security principles into your organisation’s business-as-usual processes, giving you the confidence to meet clients’ growing data protection expectations and to pursue new business opportunities.

Once you have achieved your certification, your organisation will be able to claim that you:

  • Follow best practices to mitigate cyber threats and have an incident response and management process in place to respond to cyber attacks
  • Have established a formal risk management process
  • Are taking appropriate control measures to protect confidential information

Other benefits include having a solid foundation for complying with legislation, in turn reducing the likelihood of costly fines or financial loss, protecting and enhancing your brand reputation, and assuring clients and regulators that you take cyber security risks seriously.

Our ISO 27001 journey

Here at Bob’s Business, we started our ISO 27001 journey back in 2015. Why? Well, we wanted to be seen by our clients as a security-conscious supplier who cares about client data and practises what it preaches in our cyber security awareness courses, which are aligned to the standard and teach end users how to help your organisation become more cyber secure.

For us as an organisation, the ISMS has provided guidance on the policies and processes we needed in place, which have supported the growth of the organisation from four employees back in 2015 to nearly thirty now. It has enabled us to submit tenders for contracts that we previously would not have been able to bid for, as it demonstrates to potential clients our commitment to information security and data protection.

Having ISO 27001 in place made our GDPR journey less daunting as both of them aim to strengthen data security and mitigate the risk of data breaches. It has enabled us to quickly complete client questionnaires relating to GDPR and how we protect their data.

A key component of ISO 27001 is ensuring policies are rolled out to staff and that training/education around information security is provided. Our Learning Management System (LMS) allows for tracking, reporting and policy integration of cyber security training, policies and policy acceptance.

By having the LMS and the training in place, we are able to demonstrate to external auditors that we train all our staff in cyber security awareness and that the policies have been read and accepted.

Would Bob’s Business recommend ISO 27001?

Yes, most definitely. Not only has it given clients and prospects assurance that we are a security-conscious organisation, but it has helped us grow the business while maintaining the integrity of our information security.

As a growing SME, ISO 27001 enables us to be able to react quickly to internal and external issues. We have the ability to revoke privileges, close accounts and reallocate key information if we lose a member of staff. When or if a breach occurs we are able to notify those involved in a timely manner.

How can you achieve ISO 27001 compliance?

Our courses are designed to give end users within any organisation awareness of information security in a short, engaging, entertaining manner. We offer over 20 bite-sized courses, all designed to be completed in less than 15 minutes, thus keeping employee time spent training to a minimum.

If you’d like to find out more about our courses, click here.

Shoulder Surfing: What do you Need to Know?

When you think of hacking, you may think of a stereotypical cyber-criminal sat in their basement, remotely attacking organisations and servers in order to gain unauthorised access to systems. However, this isn’t always the case, as most people seem to overlook one very basic security concern: shoulder surfing!

Shoulder surfing is technically another form of hacking, as it allows an attacker to “gain unauthorised access to data in a system or a computer”… But not everyone treats it the same as a full-scale attack where someone remotely forces their way to your data.

What is Shoulder Surfing?

So what actually is shoulder surfing? The hint is in the name. It’s the act of hovering over someone’s shoulder whilst they are working on their computer. During this time, the onlooker may see what passwords they enter, how their network is configured and what sensitive files they have on their computer.

An attacker no longer needs fancy, expensive keyloggers or to spend thousands on deploying malware on websites; they just have to watch over your shoulder and see what you type.

Shoulder surfers can use physical tools such as binoculars, video cameras and other vision-enhancing devices to help them spy on your computer from further away.

How can you avoid shoulder surfers?

Avoiding shoulder surfing attacks across an organisation requires concerted cyber security awareness efforts to change behaviour. However, on an individual level, it’s possible to follow these tips to dramatically reduce your chances of falling victim to shoulder surfing:

Install a privacy filter

One way to negate a shoulder surfer would be to fit a device to your screen called a privacy filter. Most people tend to think this is some form of program or software installed on your machine, but instead it’s more like the screen protector you would apply to your phone.

Privacy filters are made from polarised sheets of plastic which block the view of the screen from every angle except straight in front of it. All a shoulder surfer would see is a black screen, so rest assured they can only see your device if they’re sat in your place, which should be easy to spot.

Sit away from people or form a physical barrier

If privacy filters aren’t for you, you should also be mindful to tilt your screen away from the people next to you so they don’t have an easy line of sight to your content. You may also want to create a physical barrier, such as folders, binders or any other object, to block the line of sight.

Another useful tip is to avoid doing work in crowded areas. Try to refrain from working in cafes, airports, hotel lobbies and other very popular public spaces. All of these locations make you an easy target and make the shoulder surfer much harder to spot.

Use a password manager

Criminals like to watch you input passwords or follow your keystrokes when you are on a sensitive page. But how can you stop their eyes from tracking the credentials that you enter? One popular solution for storing passwords is a password manager. With one of these, you’ll no longer have to manually enter your passwords, as the fields autocomplete themselves (the manager’s own master password still has to be typed, so enter it with the same care). Say goodbye to key watchers, as you’ll no longer have to type your information.

Always be under the assumption that you’re on camera. I’m not saying be paranoid in public all the time, but imagine that your every move whilst on a computer is being recorded. It’ll help you be more cautious with what you do on your machine to help negate shoulder surfers.

Use two-factor authentication 

We would also recommend having some form of two-factor authentication set up on all of your accounts. That way, if a shoulder surfer does manage to spy on your password or login details, they’ll still need your mobile or another external device to approve the login.

One report shows that new technology has progressed to the point that an optical illusion can be implemented into smartphone logins which can easily thwart the plans of a shoulder surfer.

The developers of the new technology claim that by manipulating spatial frequency and combining several images, they can make people see different images depending on their distance from the device. Therefore, an onlooker may see you entering ‘1234’ as your PIN, but because the app randomises the layout for each login attempt and shows the onlooker a different image, what you actually entered is probably something completely different from what they think.

In conclusion, shoulder surfing can be an extremely effective and much cheaper method of gaining sensitive information. Although shoulder surfers are difficult to spot, they can be deterred if you take our advice on board.

3 Cyber Security Horror Stories

It’s that time of year again: some people at home are carving pumpkins and others will be sitting down to binge their favourite horror films.

Some of our personal film favourites include Friday the 13th, Nightmare on Elm Street and Shaun of the Dead, but one thing that makes us want to hide under the covers is the headlines about data breaches that we see on a day-to-day basis.

This year we’ve seen the likes of British Airways, Uber and even Facebook fall prey to cybercriminals and other parties looking to steal or misuse the crucial data of their customers/users.

To get into the spirit of Halloween this year, we’ve picked out 3 real cyber security horror stories that send chills down our spines.

Cyber security horror stories

1. Hackers remotely take control of a Jeep while somebody drives it

In 2015, Wired magazine carried out an experiment where they wanted to see what could be done if somebody was to wirelessly hijack a Jeep Cherokee – except they did this in a real-life environment, while the magazine’s editor was driving it down a highway!

The hackers got up to all sorts of mischief at first by switching the radio to different stations, turning on the windscreen wipers and blasting out cold air through the car’s air conditioning system.

Then the experiment was taken to the next level: the hackers cut the transmission as the Jeep was coming up to a long incline on the highway. The editor said that he started to frantically press the accelerator, but to no avail; the car started to slow down with an 18-wheeler truck bearing down behind it.

Thankfully, the hackers didn’t put the editor in much more danger and he finished his nightmare car journey unharmed. But it does raise questions about the world we’re entering with the Internet of Things.

If you want to read the full story about Wired magazine’s hacked Jeep experiment, you can do so here.

2. Wannacry attack on the NHS

In May 2017, around 40 National Health Service organisations and some GP practices were affected by a global ransomware attack that locked down computers containing patient data demanding payment of €300 (£230) in the virtual currency Bitcoin.

The malicious encryption program, named WannaCry, exploited a flaw in Microsoft Windows XP and spread throughout the organisations’ networks after gaining access when an NHS employee clicked a link in a phishing email.

It is estimated that 6,900 appointments were cancelled as a result of the attack, but the full extent of the disruption caused to GP appointments, ambulances and other NHS trusts is not known.

The scariest part was how far the malware spread: it was reported to have infected organisations in more than 70 countries. As well as the NHS, other organisations were affected, including US delivery company FedEx and car manufacturer Renault.

Microsoft had released a patch that fixed the vulnerability before the attack; however, many people had failed to update their Windows machines, so the WannaCry encryptor was able to spread across the world like a zombie virus.

As well as creating a case for educating employees about avoiding the risks of phishing emails, it also demonstrates that organisations should make sure they have their own zombie survival/business continuity plan ready.

3. Cambridge Analytica and Facebook

Picture this: you’re scrolling through your Facebook feed and you come across one of your friends sharing a personality test. Since you’ve got some time to kill, you decide to take it.

Fast forward a few years and you find out that the personality test was just a way for an organisation to access not only your personal data, but your friends’ data as well.

This is the story of many people whose data was harvested in the Cambridge Analytica and Facebook scandal.

If you’d like to know more about the Facebook and Cambridge Analytica scandal, we covered the full story and the consequences of it in a blog post.

Reminiscent of something out of George Orwell’s 1984, Cambridge Analytica used a personality quiz to harvest the data of over 50 million Facebook users, most of them in the US. This personal data was then allegedly used to influence the results of the 2016 US Presidential Election.

While this isn’t necessarily a cyber security story, it is a data protection story, and a reminder that people need to be more vigilant about who has access to their personal data and what information they put online.

If you want to make sure your organisation doesn’t become one of these horror stories, discover our cyber security training and begin the process of turning your employees from weakness to strength.