Social Web Call Software: A Blessing or a Curse?

The COVID-19 lockdown has completely changed day-to-day life in the UK; we can’t go out, visit family or travel for anything other than essential reasons.

We humans are innately social animals, which has posed a question for many – how can I see my friends, or speak to my family? Well, the answer has been around for a while, though it has not been very popular until recently.

What is Social Web Calling?

Web call software is nothing new. Organisations have used video conferencing as a way of conducting meetings across long distances for decades, but it never really made the leap into everyday life. After all, if you wanted to see your friends, you could just go and see them, right?

Today, with the rise of social distancing, many of us are taking to social web call software such as Zoom and apps like House Party to stay in touch with our loved ones, chatting, drinking, laughing and, in some cases, quizzing.

These apps allow us to connect with friends and family in group video calls to recreate the social interactions we’re sincerely missing.

Interestingly, video conferencing really doesn’t work if everyone shouts over each other, so you might find yourself having the most civil conversations you’ve ever had with your friends!

Unsecure Interactions

As with any form of social media, there is a dark side to web conferencing software. For example, conversations on these apps are often unprotected, potentially exposing vulnerable adults and children to malicious individuals, which is something that parents should be particularly wary of.

On top of this, the security surrounding these apps is lax to say the least. Just this week, Prime Minister Boris Johnson shared a screenshot of a cabinet meeting taking place over a Zoom video conference.

Number 10 was quickly scrutinised for firstly posting the ID for the chat, which was, fortunately, password protected, and secondly for using Zoom, an app that has previously found itself in the information security firing line.

Zoom advertised end-to-end encryption as a key feature, but has recently been forced to admit that this is not the case: calls are encrypted between each participant and Zoom’s servers, and Zoom itself can access the audio and video as it passes through them. Users’ conversations are therefore not as secure as they are led to believe, which makes Number 10’s use of Zoom all the more worrying.

How to Practise Secure Social Web Calling

Video conferencing products often treat security as an optional extra rather than the default. End-to-end encryption in particular is frequently left switched off, because it can reduce the quality of the video stream and because server-side features such as cloud recording only work when the provider can see the content, so vendors trade the protection away to preserve quality and convenience.

Below are a set of top tips that will ensure your video conferencing remains safe and secure:

  • Use a video conferencing system that is end-to-end encrypted, so that only the participants on the call can decrypt it and the provider cannot hand the content to third parties.
  • Do not presume that encryption is enabled. Check the settings to make sure it has been turned on, and remember that a meeting password only controls who can join; it says nothing about who can see the content.
  • Treat meeting IDs and invite links as secrets: do not share screenshots that show them, and protect every meeting with a password or waiting room so that the ID alone is not enough to join.
  • Use software that supports single sign-on (SSO) where your organisation offers it, so that there are fewer passwords to be stolen and access can be revoked centrally when an account is closed.
  • Check your environment to ensure that your video stream does not contain sensitive information.

Is your workforce struggling to adapt to the new working environment? With cyber security attacks at alarmingly high levels, now isn’t the time to drop your guard. Discover how our innovative and engaging cyber security awareness courses are ideal for your organisation today, book a web demonstration or get in touch to find out more.

COVID-19 and the Mobile Working Migration

Home is where the heart is, or at least that’s how the saying goes. However, when it comes to information security, home isn’t as safe an environment as you might think. Hackers already prefer attacking home networks because their security measures are often not as thorough as an organisation’s.

IT departments across the country have been put under unprecedented pressure due to the COVID-19 (Coronavirus) outbreak. Suddenly, organisations are relying on staff working from home in order to continue operating, and many were not prepared for it. This means, in the eyes of cybercriminals, it’s open season.

Ask yourself: Is my network as secure as it could be? If a hacker targeted me, have I done everything I can to protect my own and my organisation’s data? If the answer to either question is not a resounding ‘YES’, then you might find this blog on security when working from home useful.

For even more hints and tips – including information for organisations using Office365 – click here to read a piece we produced for our partner Data2Vault!

Phishing At Home

Phishing is widely cited as the starting point of over 90% of data breaches. While this is a huge concern for those within an office, home workers have their guard lower and are more susceptible.

To make matters worse, scammers are using the Coronavirus panic as a way of making potential victims click, posing as bodies like the Government and the World Health Organisation (WHO). We have already written about some of these new scams in a blog, which you can view here.

However, if you want a quick read, here are our top tips for how to avoid being phished at home:

  • Be wary of emails that contain links, imply a sense of urgency or ask for login details.
  • Double-check emails for spelling and grammar errors, which are a common sign of a phishing attack, but remember that a well-researched attack may contain none.
  • Hover your cursor over any links you’re unsure of to check their actual destination, and read the domain from right to left: attackers put the trusted name at the front of a longer address that really belongs to them.
  • Remember not to give out details online unless you initiated the contact yourself, and then only through the organisation’s own website or a phone number you already had.

Covid-19 Ransomware

Phishing attacks on their own pose a significant threat to your personal and organisational security, but when they lead to ransomware attacks, the damage can be catastrophic to an organisation.

Ransomware encrypts the data on your device or system and demands payment for the key to unlock it; some strains also threaten to delete the files, or to publish data they have stolen, if the ransom is not paid. With data being the most valuable asset of any organisation, it’s virtually impossible to quantify the damage that mass loss can cause.

Worse still, coronavirus has birthed a new host of ransomware attacks. Just last week, healthcare workers were attacked with ransomware which used coronavirus as bait.

While we’d strongly recommend following our tips for reducing your risk of being phished, which also reduces your chance of falling victim to ransomware, there are steps you should take to protect your data in case it is encrypted by ransomware:

  • Run ethical phishing tests on your organisation and target eLearning at staff who fail to spot their nature, to raise awareness
  • If remote users are set up to store their files and data on your organisation’s servers, protect that data with regular backups, scanned for malware and with Attack Loop prevention, and keep at least one copy offline or on storage that ransomware running on the network cannot overwrite.
  • If your remote users are storing their data on their local systems, then set up end-point malware scanning and detection.

Secure Mobile Working

With current Coronavirus measures forcing so many employees to work from home, and 48% of phishing attacks taking place on mobile devices, it really is like shooting phish in a barrel for cybercriminals.

More than 57% of all internet traffic comes from mobile devices, so it’s no surprise that attackers have turned their focus to mobile employees, especially when you consider that users are 3x more vulnerable to phishing on mobile devices than on desktops.

If you are self-isolating and/or working from home, then remember to:

  • Secure your home network by changing the router’s default administrator password and Wi-Fi passphrase, keeping the router’s firmware up to date and using WPA2 or WPA3 encryption; keep your antivirus software updated separately. Strong passwords use a collection of random but memorable words interwoven with numbers, capitals and special characters, amounting to well over 8 characters, e.g. Pile4Loose2Twix. Never use an example password you have read, including that one.
  • Regularly update your privacy tools and browser add-ons, and check your patch levels.
  • Back up your data so that, in the worst-case scenario of staff falling foul of ransomware, all is not lost.
  • Make sure you are using a secure connection. If your organisation’s policies permit its use, connect to your workplace network through its Virtual Private Network (VPN).
  • Check that full-disk encryption (such as BitLocker on Windows or FileVault on macOS) is turned on, so that a lost or stolen laptop does not give up its data.

For organisations looking to make secure cyber behaviours part of their culture, book a web demonstration with a member of our team to discover how our innovative eLearning courses can help you reduce your risk of breaches.

Freedom of Information: Your Guide

Transparency is one of the best ways for your organisation to maintain a high level of trust with its customers and the public.

The Freedom of Information Act (2000) was introduced to provide public access to information held by public authorities, including several guidelines and requirements for organisations to consider.

Failure to comply can have troublesome consequences for you as an individual as well as your organisation. Therefore, it’s important that you understand your roles and responsibilities regarding Freedom of Information (FOI) within your organisation.

What is a Freedom of Information Request?

Anyone can make a request for information from a public authority. A freedom of information request must be made in writing, for example by email or by letter. Guidance also states that you should treat requests made via social media as legitimate, provided they give a name and a way of replying.

Requests should include the requester’s name and a reference to the information in question. However, the request does not have to specifically mention all information or the Freedom of Information Act.

How to Reply to Freedom of Information Requests

You have two main responsibilities when replying to a freedom of information request: inform the requester as to whether or not you possess the information and provide that information.

Provided the requested information is not exempt from public release (see the section below), you should respond with all information relating to the request within 20 working days.

Selective or incomplete information, or an overview, would not be considered an adequate response to a Freedom of Information request.

Bear in mind that more general requests might need clarification before you adequately answer. In this case, you should contact the requester as soon as possible.

Wherever possible, your freedom of information officer should take the lead role in replying to requests. Remember, you can always refer to the Data Handling Flowchart if you’re ever unsure of how to deal with an information request.

Is Any Information Exempt From Freedom of Information Requests?

There are three main sets of circumstances which would make information exempt from being released under the Freedom of Information Act (2000).

Remember, even if you’re unable to release information relating to a request, you should still contact the requester within 20 working days explaining the reasoning for your decision not to release the information.

The three circumstances are:

Class-based

You should exempt any information that concerns a pending legal investigation as this could potentially compromise the case and endanger those involved.

Prejudice-based

You should assess whether the information relates to a member of the royal family, or whether its release is likely to cause harm. Should this be the case, your reply must state:

  • A negative consequence of the information’s release
  • How the release could lead to this consequence
  • A real possibility of the consequence occurring.

Vexatious

Requests can be refused as repeated or vexatious if the information has already been provided to the requester, and as reasonably accessible by other means if it has already been made available to the public. In either case, a reply should still be sent explaining the refusal and directing the requester to the information.

CCTV Best Practices Explained

While your organisation needs to protect its digital assets, it also needs to protect itself physically. This is why most organisations run Closed Circuit Television (CCTV) throughout their premises.

However, despite so many organisations operating CCTV, many are still unaware of CCTV best practices. There are a number of things to consider from a legal and operational point of view.

The following blog will take you through the benefits of using CCTV, how to use it correctly, when & how to release footage and why it’s important.

Benefits of CCTV

CCTV is paramount to physical security. By being able to record and rewatch footage of your premises, you can identify risks & suspicious activity, keep an accurate record of any malicious activities for later legal action, and maintain the health & safety of your organisation.

From a crime prevention point of view, CCTV is invaluable as a tool for collecting evidence and monitoring risks. For example, if you notice a suspicious individual, you can monitor their activity to see if they return or actually do something to harm your business. The police can then act on this information with video evidence by their side.

Using CCTV Correctly

CCTV cannot be used without first displaying signs that indicate its use. This is so members of the public are aware that they will be filmed when on your premises, maintaining transparency and trust between your organisation and the public.

It doesn’t stop with signs either. You can’t install CCTV in a location where you cannot justify its use. The reasons you could use to justify CCTV use include crime prevention and ensuring health & safety.

Lastly, you should regularly check and make sure your cameras are facing the right way and are not obstructed.

Releasing CCTV

There are a number of reasons why you might release CCTV footage.

If a crime has been committed in the area that your CCTV covers, the police may request specific footage to help with their investigation. This is one of the most common reasons for releasing CCTV footage.

Additionally, CCTV footage of a person is classed as personal data, which means that data subjects (individuals you hold the personal data of) have a right to access this information.

Data subjects can do this by submitting a Subject Access Request (SAR). You must respond to SARs within one month in order to comply with the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR).

Remember, when responding to a SAR, blur or otherwise redact any footage that could identify another individual unless you have a clear justification for disclosing it. Handing over third-party footage without one would be classed as a data breach.

Top Tips

Bob’s Business has spent over a decade helping organisations protect their digital and physical assets. Below are a number of simple dos and don’ts, which will help you maintain a strong and secure CCTV system.

Do…

  • Always check that CCTV cameras are not blocked and facing the correct way.
  • Make sure CCTV footage is protected and only accessible by authorised individuals.
  • Ensure that footage is used appropriately and deleted once it is no longer needed for the purpose it was recorded for, as it is classed as personal information.

Don’t…

  • Forget to display signs when having a CCTV system in operation.
  • Store data for longer than necessary.

Secure Printing: What You Need to Know

With an intense focus on exterior cyber security threats, it can be easy to overlook just how crucial it is to take precautions when you are printing sensitive information. However, the risks created by leaked printed data are very, very real and could damage your organisation.

Although you might feel secure in your workplace, many organisations share printing services with others, which means that standard printing can leave confidential data exposed.

This blog will take you through the risks of printing, the benefit of secure printing and leave you with some top tips so that you can print with peace of mind.

Risky Printing

Your office printer might not spring to mind as being a security threat, but without consideration, it could present a serious risk to your organisation’s information and resources. In fact, a recent white paper showed that 63% of surveyed businesses had experienced a printer-related data breach.

When printing to a standard printer, if you do not collect documents straight away, you could unintentionally cause an information breach if the prints end up in the wrong hands.

Under the General Data Protection Regulation (GDPR), breaching personal information could result in a fine of up to €20 million or 4% of your organisation’s annual turnover, whichever is greater.

Remember, you should inform your manager immediately if you suspect a data breach due to missing printed files.

Benefits of Secure Printing

The key advantage of using secure printing services, like Follow-Me printing, is that they require you to log in using a username and password before your prints are released.

This means that if you can’t pick up your prints immediately, whatever information you’ve printed will be safe until you log in.

You should never share your username or password with anyone as this could potentially leave your prints unsecure. If you have reason to believe that your password has been compromised, inform your line manager and create a new password as soon as possible.

Remember, you can refer to our Perfect Passwords blog for advice on creating an uncrackable password.

Confidential Covers

Remember, even when using secure printing, confidential cover notes should be added to documents when printing information with restricted access.

The purpose of confidential cover notes is to deter all those who the document does not concern from reading it.

These pages should state whom the document is intended for and state clearly that it contains confidential information. Also, when collecting prints, you should make sure to double-check that you have only taken your documents, and not anyone else’s.

Top Tips

Having spent over 12 years helping organisations of all shapes and sizes protect their information, Bob’s Business has collected several simple dos and don’ts relating to secure printing…

Do…

  • Collect your documents from shared printers straight away.
  • Use secure printing, e.g. follow-me printing, where possible. With this, a password or an individual ID pass is needed to release and collect your prints.
  • Use a confidential cover note when printing sensitive documents.

Don’t…

  • Take every document from the printer without checking to see if they are yours.

Keeping it Clear: What is a Clear Desk Policy?

Data has become one of the most valuable assets in the world, making information security more important than it’s ever been. Unfortunately, this has made cybercriminals more driven and dangerous too.

Bob’s Business has spent over a decade helping organisations instil a cyber secure culture to better protect their own and their customers’ data.

Throughout the years, we’ve noticed that employees are often laxer or more trusting in the office than they are outside of work, and don’t understand the importance of constant and habitual data protection. The following blog will explain what Keeping it Clear is all about, why it is important and what the best practices are.

Understanding Habits

We all have habits, but it might surprise you to learn just how much we rely on them. A study showed that almost 50% of people’s daily behaviours are automatic. Your habits are a huge part of your everyday life. They allow you to go into autopilot, conserve mental energy and perform repetitive tasks with speed and precision.

However, habits can also cause problems. For example, have you ever moved houses in the same area only to find yourself accidentally walking/driving to your old address?

Clear Desk by Default

So, why are we talking about habits? Well, Keeping it Clear is all about consistently and constantly maintaining a clear desk, locking away physical documents, securing removable data storage devices and locking your screen.

This is good information security practice, even when you’re only leaving your desk for a moment. Right now, your brain has an automated response when you decide to leave your desk. If this does not include clearing all your documents away, then you could be putting your organisation’s and its customers’ data at risk.

It takes an average of 66 days of conscious thought to break old habits and form new ones. To help yourself remember, simply write ‘Keep Clear’ on a post-it note on your screen. This short prompt will remind you each time you leave your desk unattended.

Why You Should Choose Cloud-based Storage

Cloud-based storage services are a great way of reducing the risk of physical documents falling into the wrong hands.

By uploading documents to a shared cloud platform, which is accessible to multiple accounts that are granted permission to view or edit, you can maintain one online version that can then be shared digitally without having to create multiple copies.

This helps maintain the integrity of the information, since there is a single authoritative copy rather than several diverging versions, provided that access permissions are reviewed so that only the right people can view or edit it.

Top Tips

In our time working with organisations, we’ve amassed a number of simple, top tips to help protect information in various ways. The following things should help you get into the habit of maintaining a clear desk, and keep your organisation and its information in the clear.

  • Keep a clear desk to maintain the confidentiality, integrity and availability of information.
  • Lock your computer when leaving your desk to avoid any unauthorised access.
  • Never leave documents or removable data storage devices openly accessible.
  • When working remotely, follow the same keeping clear guidelines as you would at work!

A Free Cyber Essentials Course to Help You Prepare for Accreditation

With IASME set to take over sole responsibility of administering the Government’s Cyber Essentials scheme on April 1, we’ve cooked up a special offer for any organisation looking to achieve accreditation. That’s right, we’re offering our brand new Cyber Essentials course for free until April 1.

What is Cyber Essentials?

Cyber Essentials is a government accreditation scheme designed to highlight organisations which are proactive when it comes to cyber security and protecting their clients’ and customers’ data.

It is a mandatory requirement for suppliers bidding for certain central government contracts that involve handling personal information or providing ICT products and services, building trust and ensuring that data and information is handled in a safe and responsible manner.

Cyber Essentials chiefly aims to provide a clear statement of the basic controls all organisations should implement to protect themselves from common internet-based threats (the scheme’s five control areas are firewalls, secure configuration, user access control, malware protection and patch management) and offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.

Get Your Free Cyber Essentials Course

Our Cyber Essentials course is built from the ground-up to help you discover whether your organisation is ready to achieve certification. Built on the government’s guidelines, it takes you on a step by step journey to reveal whether you’re ready to take and achieve your accreditation.

Available for free until April 1 2020, it’s the ideal first step on your journey towards Cyber Essentials accreditation.

This course is no longer available as a free download.

Carefully Classified: Understanding Information Classification

Have you ever accidentally sent a group email that contained all the recipients’ addresses in the ‘CC’ field? While this can be an innocent mistake in a personal email, including others’ contact details in a professional email could constitute a data breach.

Information classification is vital in maintaining your organisation’s reputation and future, so we’ve created the following blog to help explain what it is, why it’s important, and how to do it.

What is Information Classification?

Information classification is a way of categorising sensitive information and controlling who is allowed to see it. It defines how confidential information should be handled and protected. For example, your organisation could have a number of classifications, including Public, Private or Restricted.

Your workplace policy should highlight the manner in which each classification is communicated. Remember, disclosing confidential information to unauthorised sources can lead to loss of productivity, customers, reputation and public trust, even if it’s accidental.

However, not all information requires the same protection.

What Should I Classify?

You should consult and familiarise yourself with your organisation’s policy regarding information classification as there may be specific practices you need to be aware of.

However, confidential information, which is not already publicly available, must not be divulged to anyone who is not authorised to access it. The format of this information will vary and therefore requires different methods of classification:

Physical Documents

  • All physical documents need to be classified.
  • Lock all physical documents that contain confidential information away when not in use.
  • When sending physical documents, remember to include a return address, mark the envelope ‘addressee only’ and do not include the classification level on it.

Digital Files

  • Digital files containing confidential information should be stored on access-controlled systems, encrypted at rest, and protected by strong passwords (with multi-factor authentication where available).
  • Employees should only be able to access information if they are authorised to.

Removable Data Storage Devices

  • Use encrypted removable media (a hardware-encrypted USB drive, or an encrypted container on the device) so that a lost drive does not give up its contents; a password on a folder alone is not enough.
  • Remember, they have a high risk of loss or theft due to their portability and should be locked away when not in use.

Emails

  • Email accounts should be protected by a strong, unique password and, wherever available, multi-factor authentication, to stop unauthorised individuals from accessing them. If you’re unsure what counts as a strong password, we have recently written about creating the perfect password.
  • The classification level should always be added to the subject line, and the message should be encrypted to ensure only the intended recipient sees its contents. Bear in mind that end-to-end email encryption such as S/MIME or PGP does not encrypt the subject line, so put nothing sensitive there beyond the label.
  • Remember to use the ‘CC’ and ‘BCC’ fields correctly. Including addresses in the Carbon Copy (CC) field means that every recipient can see those addresses, whereas Blind Carbon Copy (BCC) keeps them hidden. Use BCC for any group email to people who have not agreed to share their addresses with each other.
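The CC/BCC point above, and the warning at the start of this post about group emails with everyone in ‘CC’, are just as easy to get wrong in code as in a mail client. The example below is added here and is not the page’s own code: it builds a message with the classification label in the subject line, keeps Bcc recipients off the headers and on the SMTP envelope only, and includes the mistaken version alongside so the leak is visible. The addresses and labels are constructed placeholders.

```python
"""Build a classified email without leaking its recipient list.

Added example, not code from the original post.  Addresses below are
constructed placeholders in the reserved .example domain."""
from email.message import EmailMessage
from email.utils import getaddresses

# Labels taken from the classification scheme described above.
CLASSIFICATIONS = ("PUBLIC", "PRIVATE", "RESTRICTED")


def build_message(sender, subject, body, classification, to=(), cc=(), bcc=()):
    """Return (message, envelope_recipients).

    The classification label is prefixed to the subject.  Bcc addresses go
    only into the envelope list handed to the mail server; they are never
    written into a header, so nothing in the serialised message reveals them."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification {classification!r}")
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = f"[{classification}] {subject}"
    if to:
        msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)   # Cc is visible to everyone; use only when intended
    msg.set_content(body)
    envelope = list(to) + list(cc) + list(bcc)
    return msg, envelope


def build_message_unsafely(sender, subject, body, to, bcc):
    """The common mistake: Bcc written as a header.

    If this message is sent with SMTP.sendmail(sender, rcpts, msg.as_string()),
    every recipient receives the Bcc line and the 'hidden' list is exposed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Every address a recipient can read out of the message headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def leaked_addresses(msg, bcc):
    """Which of the Bcc addresses appear anywhere in the message as it would be sent."""
    raw = msg.as_string()
    return [addr for addr in bcc if addr in raw]


if __name__ == "__main__":
    safe, rcpts = build_message(
        "bob@corp.example", "Q2 figures", "Figures attached.", "RESTRICTED",
        to=["alice@corp.example"], bcc=["c1@partner.example", "c2@partner.example"])
    print(safe["Subject"], "->", rcpts, "leaked:", leaked_addresses(safe, rcpts[1:]))
    # To send for real: smtplib.SMTP(host).send_message(safe, to_addrs=rcpts)
```

Hand the `envelope` list to `smtplib.SMTP.send_message(msg, to_addrs=envelope)` rather than building a `Bcc` header; `send_message` does strip a `Bcc` header if one is present, but the lower-level `sendmail(..., msg.as_string())` does not, which is how the unsafe version leaks.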

Why Should I Classify?

Information breaches can have serious consequences for you and your organisation. Under the GDPR, your organisation could be given a fine of up to €20 million or 4% of its annual worldwide turnover, whichever is greater.

Remember, the GDPR applies to the personal data of individuals in the EU whatever their citizenship, and the UK Data Protection Act (2018) applies it in UK law, including the GDPR’s data protection principles.

On top of this, your organisation could suffer reputational damage from a data breach, meaning you could lose relationships with customers and clients due to damaged trust.

To learn more about our Carefully Classified course or any of our other award-winning cybersecurity awareness courses or services, get in touch or book a web demonstration.

Advance Fee Fraud: The Complete Guide

If someone offered you £5,000 in exchange for £50, would you do it? While you might spot the scam, hundreds of people are being caught out every day online, losing their hard-earned cash to cybercriminals.

In this blog post, we’ll be taking you through everything you need to know about advance fee frauds, including what it is and how to spot an attack before you fall victim.

What Is Advance Fee Fraud?

Advance fee fraud is a type of scam where a criminal pretends to be someone else and offers a large sum of money in exchange for a significantly smaller, one-time fee.

Fraudsters play on an array of emotions when attempting to steal your cash. They’ll often talk up an ‘incredible opportunity’, which will result in you being rewarded a large sum of money. In the same breath, the fraudster will tell you that the ‘incredible opportunity’ will soon expire, evoking a sense of urgency and making you act rashly.

It’s a saying as old as sin, but if it seems too good to be true, it probably is.

How Can You Spot an Attack?

Some scams will be easier to spot than others. If someone emails you claiming to be a foreign Prince in need of a loan to release his gold reserves, then you’ll probably figure out that something’s not right.

However, if a cybercriminal has done their research, it can be trickier. It all comes down to how advanced the attack is.

There are, however, some tell-tale signs that can help you detect these fraudsters straight away:

Unsolicited Communication

Generally, unsolicited communication is a common indicator of advance fee fraud, so you should always be suspicious of emails from people you do not know that arrive out of the blue.

However, if fraudsters do their research, they may pretend to be from an organisation you trust, offering a promotion you’re interested in. Remember, you should independently visit the organisation’s website or contact them directly to confirm any promotions you may have been sent.

Unbelievable Offers

Very few things in life are free, especially money. As nice as it might seem, no one is going to make you rich for nothing, and you should question anyone who is offering to.

Asking for Payment

If an email is asking for payment, then it’s very clear what the sender wants. Regardless of what they are offering, asking for payment is a strong indicator of advance fee fraud.

Illegitimate Links

If you receive an email that looks in any way suspicious, remember not to click on any links without first checking that they are real. You can hover your cursor over a link to reveal its destination before clicking. This is a good habit to get into generally, especially when using work accounts.
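The advice above, and the ‘hover over links’ tip in the phishing section earlier on this page, can be automated for the mail that reaches you. This is an added example, not code from the original post: it pulls every link out of an HTML email and flags three deceptions, visible text naming one site while the href goes to another, a trusted name placed before an ‘@’ so that the real host is hidden, and punycode (xn--) lookalike domains. The sample message is constructed and uses reserved .example hosts.

```python
"""Check where the links in an HTML email really point.

Added example, not code from the original post.  SAMPLE_EMAIL is a
constructed phishing message; every host in it is a reserved .example name."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or bare domain, or None if the text is not one."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname


def same_site(shown, actual):
    """True when the displayed host is the real host or one of its parents."""
    return shown == actual or actual.endswith("." + shown)


def check_links(html):
    """Return one finding per deceptive link: {'href', 'text', 'kind', 'detail'}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        actual = target.hostname or ""
        shown = host_of(text)
        if target.username is not None:
            # http://www.gov.uk@198.51.100.7/ connects to the IP; "www.gov.uk" is a username
            kind, detail = "userinfo", f"real host is {actual}, not {target.username}"
        elif any(label.startswith("xn--") for label in actual.split(".")):
            kind, detail = "punycode", f"{actual} is an internationalised name, check it carefully"
        elif shown and not same_site(shown, actual):
            kind, detail = "mismatch", f"text shows {shown} but the link goes to {actual}"
        else:
            continue
        findings.append({"href": href, "text": text, "kind": kind, "detail": detail})
    return findings


SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours unless you verify it now.</p>
<a href="http://www.mybank.example.login-check.example/verify">https://www.mybank.example/verify</a><br>
<a href="http://www.gov.uk@198.51.100.7/coronavirus">www.gov.uk/coronavirus</a><br>
<a href="https://www.gov.uk/coronavirus">gov.uk coronavirus guidance</a><br>
<a href="https://xn--mybnk-0ra.example/login">Click here to confirm</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(f"{finding['kind']:9} {finding['href']}\n          {finding['detail']}")
```

A link whose text is ordinary words (“Click here”) cannot be compared, so the checker only reports it when the destination itself looks wrong; for those, the hover check in the text above is still the right habit.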

Spelling and Grammar

Legitimate organisations tend to draft emails several times before sending them out, so spelling mistakes are a great way of detecting fraudsters. People receive so many emails each day that criminals bank on you not properly reading their messages. Take the time to carefully read your emails and be wary of mistakes.

Urgency

As previously mentioned, fraudsters will always imply that there is a time limit to their unbelievable offer. This is all part of their plan. They don’t want you to go away and think about the legitimacy of their offer. They just want you to act and send them your money as quickly as possible. Remember, any unsolicited communication that is trying to make you do something in a rush should not be trusted.

Backing up Data: Why Every Organisation is Under Threat

According to a 2017 Economist article, data has overtaken oil as the most valuable resource the world has to offer. It’s a startling claim, but not an untrue one.

In the modern age, virtually everything we do produces data. From the journeys we take every day to the websites we browse as we sit in front of the TV at night, everything is recorded in vast data sets, which are extremely valuable to the organisations that hold them.

Naturally, where there’s value, criminals will always attempt to cause damage. However, that’s not the only threat. Human error can result in massive data loss too so backing up data is absolutely essential.

In this blog post, we will take you through everything you need to know about backing up data, including what it is, why it is important, and how to do it.

What is a Data Backup?

A backup is simply a copy of your information that can be accessed in the event of the original information being lost or compromised. Think of it as a snapshot of your system, which you can go back to if something happens.

If you have Cloud storage on your phone, then you may already be familiar with how this works, and its benefits. For example, if you had an album of sentimental, baby photos on a phone that used Cloud storage, you would be able to access the photos online if you were to lose your phone.

Backing up your organisation’s data would enable the same protection from loss.

Why Backup Your Data?

Storing sensitive data without a backup is a bit like having a football team with no subs.

From a financial point of view, losing data can be catastrophic. This could be because customers no longer trust that you can protect their personal information, or because you have physically lost customer data and are unable to re-establish the relationships.

On top of all this, the Information Commissioner’s Office (ICO) can impose cut-throat fines for data protection non-compliance, which is the last thing you need after a data breach.

How to Backup Securely?

Bob’s Business has spent years helping organisations instil a cyber secure culture, including how to backup sensitive information. Below is a selection of Bob’s Top Tips, taken from our NCSC-accredited Cyber Security Awareness module, which boasts engagement rates of over 90%.

  • Your backup storage should be at an external site, so that if your primary site is compromised your backups are not. Keep at least one copy offline or on storage that cannot be overwritten, because ransomware that can reach a connected backup will encrypt that too.
  • Many Cloud-based storage systems offer an auto-save option, which saves work as it’s being done and lowers the risk of loss. Note that auto-save and file sync are not backups on their own: a file encrypted by ransomware syncs just as readily, so you also need version history or a separate daily backup policy for your staff.
  • Remember not to power off any device that is performing a backup, as this could result in the data not being saved correctly.
  • Use multiple backups in multiple locations to drastically reduce the risk of data loss, and test restoring from them regularly; a backup you have never restored is an assumption, not a safeguard.
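A backup you have never restored is a guess. The script below is an added example, not code from the original post or from Bob’s Business: it archives a directory, records a SHA-256 manifest, then restores into a scratch directory and compares every file, so corruption, a half-finished backup (the power-off case above) or tampering is caught before the day you actually need the copy. The files it backs up are constructed in a temporary directory; the label format and file layout are assumptions.

```python
"""Back up a directory, record a SHA-256 manifest, and prove it restores.

Added example, not code from the original post.  The data set it backs up is
constructed in a temporary directory; the backup label format is an assumption."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source, store, label):
    """Write <label>.tar.gz and only then <label>.manifest.json into store.

    Writing the manifest last means a run cut short (the device powered off
    mid-backup) leaves an archive with no manifest, which verify_backup refuses."""
    store = Path(store)
    store.mkdir(parents=True, exist_ok=True)
    archive = store / f"{label}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest = {"files": manifest_for(source), "archive_sha256": sha256_of(archive)}
    (store / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return archive


def verify_backup(store, label):
    """Restore into scratch space and compare every hash; an empty list means exact."""
    store = Path(store)
    archive, manifest_path = store / f"{label}.tar.gz", store / f"{label}.manifest.json"
    if not archive.exists() or not manifest_path.exists():
        return ["incomplete backup: archive or manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    if sha256_of(archive) != manifest["archive_sha256"]:
        return ["archive hash mismatch: corrupted or tampered with since it was taken"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # Python 3.12+: refuse unsafe paths
            except TypeError:
                tar.extractall(scratch)                  # older Python has no filter argument
        restored = manifest_for(scratch)
    expected = manifest["files"]
    problems = [f"missing after restore: {r}" for r in expected if r not in restored]
    problems += [f"content differs: {r}" for r, h in expected.items()
                 if r in restored and restored[r] != h]
    problems += [f"unexpected file: {r}" for r in restored if r not in expected]
    return problems


def demo():
    """Back up a constructed data set, verify it, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")  # constructed sample
        (src / "notes.txt").write_text("quarterly review\n")
        store = Path(work) / "backups"   # in practice an off-site or offline location
        archive = create_backup(src, store, "2020-04-01")
        clean = verify_backup(store, "2020-04-01")
        with open(archive, "r+b") as f:  # flip the final byte to simulate bit rot
            f.seek(-1, os.SEEK_END)
            last = f.read(1)[0]
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last ^ 0xFF]))
        damaged = verify_backup(store, "2020-04-01")
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup` on a schedule against the off-site copy, not only at creation time: the archive hash catches media failure and tampering, and the per-file comparison catches an archive that was complete but written from already-encrypted source files.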

To learn more about Cyber Security Awareness or any of our other innovative cyber security awareness eLearning courses, click here or get in touch.