Perfect Passwords: Bob’s Business Ultimate Guide

How to create the perfect password

Passwords are like pants. You shouldn’t leave them out where people can see them and you shouldn’t hand them out to strangers!

Your password is often the only thing blocking a whole tidal wave of mischief and headaches (both for you personally, and the company you work for), so it might be a shock for you to learn that guessing a password is much, much easier than you might think.

Password security is an integral part of securing your organisation. Information created, used, stored or transmitted by your organisation is valuable, both internally and externally, which is why the passwords that protect this confidential information should be well thought out, secure and never shared with others.

One common way that online accounts are breached is through password spraying, whereby a short list of very common passwords is tried against a large number of accounts.

These attacks succeed because in any large set of users there will almost certainly be some who use very common passwords, and a spray can slip under the radar of protective monitoring that looks at each account in isolation: every account sees only one or two failed logins, so no per-account lockout or alert fires.
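The difference between per-account and cross-account monitoring described above, as an added example (not code from Bob's Business): it runs both rules over a handful of constructed authentication log lines. The log format `<timestamp> <OK|FAIL> user=<name> src=<ip>` is an assumption made for the example; the account names and addresses are constructed.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not Bob's Business code. The log format
"<ISO timestamp> <OK|FAIL> user=<name> src=<ip>" is an assumption made for
this example; real systems log differently but carry the same fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a single guess against many accounts
# (a spray) and succeeds against one; a second source hammers one account.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 FAIL user=frank src=203.0.113.7
2024-03-01T09:00:07 OK user=grace src=203.0.113.7
2024-03-01T09:30:00 FAIL user=alice src=198.51.100.4
2024-03-01T09:30:05 FAIL user=alice src=198.51.100.4
2024-03-01T09:30:09 OK user=alice src=198.51.100.4
"""


def parse(text):
    """Turn log text into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def per_account_alerts(events, threshold=5):
    """The per-account rule: flag any account with >= threshold failures."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        if result == "FAIL":
            fails[user] += 1
    return sorted(user for user, n in fails.items() if n >= threshold)


def spray_alerts(events, window=timedelta(minutes=10), min_accounts=5):
    """The cross-account rule: flag a source that fails against
    >= min_accounts distinct accounts inside one time window."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = len(users)
                break
    return alerts


def compromised_accounts(events, sprayers):
    """Accounts that a spraying source then logged into successfully:
    these are the ones to reset and investigate first."""
    return sorted({user for _, result, user, src in events
                   if result == "OK" and src in sprayers})


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("per-account alerts:", per_account_alerts(events))  # []
    print("spray sources:", spray_alerts(events))  # {'203.0.113.7': 6}
    print("accounts to reset:",
          compromised_accounts(events, spray_alerts(events)))  # ['grace']
```

The per-account rule never fires on the sample because no single account reaches five failures, while grouping failures by source shows one address failing against six accounts in a minute, and the one account it then logged into is the place to start the reset.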

To understand how much of a problem this is, the National Cyber Security Centre recently conducted a research study which allowed participating organisations to assess how vulnerable they would be to a password spraying attack.

From the study, they found that 75% of the participants’ organisations had accounts with passwords that featured in the top 1,000 most common passwords and 87% had accounts with passwords that featured in the top 10,000.

What’s the best way to create a strong password?

When choosing a password, the bare minimum you should be considering is that it’s a mixture of 8 or more upper and lower case letters, numbers, and symbols. You should also consider choosing at least 3 random dictionary words that are easy to remember or even using a secure password manager.

You can check to see how secure your password is at https://howsecureismypassword.net/ based around current guidelines.

We also recommend not updating your password by simply changing a number. This does NOT make it harder for cyber criminals to guess your password, particularly if it has been hacked before.

One of the worst, and sadly the most common, password habits we see is people reusing passwords. You should also avoid using the same passwords at home and at work.
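The rules above (eight or more mixed-class characters or three random words, no common passwords, no number-only changes, no reuse) as an added password-acceptance check, not code from Bob's Business. `COMMON_PASSWORDS` is a tiny constructed stand-in for the top-10,000 list referred to earlier, and the rule codes are names chosen for this example.

```python
"""Password acceptance check implementing the rules from this guide.

Added example, not Bob's Business code. COMMON_PASSWORDS is a tiny
constructed stand-in for the top-10,000 list the NCSC study refers to.
"""
import re
import string

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "summer2023"}
SYMBOLS = set(string.punctuation)


def has_all_classes(pw):
    """Upper case, lower case, a digit and a symbol all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def word_count(pw):
    """Count runs of three or more letters, i.e. the 'three random words' style."""
    return len([w for w in re.split(r"[^A-Za-z]+", pw) if len(w) >= 3])


def digits_removed(pw):
    """Normalise so that 'Summer2023!' and 'Summer2024!' compare equal."""
    return re.sub(r"\d", "", pw).lower()


def check_password(new, previous=()):
    """Return the list of rule codes the candidate breaks; [] means accepted.

    Codes: 'common'             - in the common-password list, with or
                                  without trailing digits
           'weak'               - neither 8+ mixed-class characters nor
                                  3+ words
           'reused'             - identical to an earlier password
           'digits-only-change' - an earlier password with only digits altered
    """
    reasons = []
    lowered = new.lower()
    if (lowered in COMMON_PASSWORDS
            or re.sub(r"\d+$", "", lowered) in COMMON_PASSWORDS):
        reasons.append("common")
    if not ((len(new) >= 8 and has_all_classes(new)) or word_count(new) >= 3):
        reasons.append("weak")
    for old in previous:
        if new == old:
            reasons.append("reused")
        elif digits_removed(new) == digits_removed(old):
            reasons.append("digits-only-change")
    return reasons


if __name__ == "__main__":
    print(check_password("Password1"))  # ['common', 'weak']
    print(check_password("correct horse battery staple"))  # []
    print(check_password("Summer2024!", previous=["Summer2023!"]))  # ['digits-only-change']
```

Note that the common-list check strips trailing digits before looking up, so `Welcome1` is caught by the entry `welcome`; a real deployment would load the full list and keep it current.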

You should also set up additional security steps such as two-factor authentication (2FA). This puts you well on your way to securing your accounts from data breaches and attacks, because it provides an extra barrier if your password is stolen: unless cyber criminals have both your password and the 2FA access token, they cannot get into your accounts.

You can educate your staff on how to create the Perfect Password by enrolling them on our dedicated Perfect Passwords course, just one of our cybersecurity awareness courses.

Fileless Malware: Everything you Need to Know

We have always been told that the most effective way to protect ourselves online is to install some form of antivirus software, but this does not always track the data that’s leaving your organisation’s network and devices.

Although it is nothing new, fileless malware is extremely powerful and can have many detrimental effects if you fall victim to it.

Not many people know how it works, and with McAfee warning that fileless malware is a growing trend, the risks of being affected by one of these attacks are only going to rise. So, what is fileless malware?

What is fileless malware?

In most cases, traditional malware can be detected through a signature that your antivirus software will recognise. Your chosen antivirus software will have a bank of signatures that have been collected over the years which will be called upon every time it needs to scan a file.

Fileless malware has no file for those signatures to match, so it bypasses even the most thorough antivirus software, which is why it is important to train your workforce to look out for the signs of a cyber attack.

In this blog, we’ll explore the topic of fileless malware, how it works, and the best practices for preventing it from affecting you, or anybody else in your organisation.

How Does Fileless Malware Work?

So if the malware that has infected your machine isn’t even attached to a file, how can it work?

Instead of installing software on your machine, it piggybacks on legitimate software that is already installed and uses it against you.

How can fileless malware get into your computer in the first place? Well, it has a very sly way of infecting your machine, which would catch out a lot of people who aren’t vigilant.

It usually starts with a spam email in which the user is tricked into clicking a link to a web page that infects the user's computer.

The most commonly exploited entry point is the Flash plugin in your browser. As Flash is a trusted piece of software, your antivirus won't flag it as malicious, and the real virus enters the user's system unchecked.

What Kind of Damage Can Fileless Malware Do?

Fileless malware is as harmful as almost any piece of traditional malware: it can steal sensitive information, lock down your computer, and hijack your computer to execute any function.

If a cyber criminal has gone through all the effort to gain full control over your systems, what would be one of the most valuable things to them? Your databases!

You will have databases which store user accounts, personal information, passwords and other company secrets. This is a goldmine for cyber criminals, as they could sell this information onto others who will use the information to commit identity theft.

They don't always steal and sell information straight away; some choose to harvest further credentials long after the fileless malware has worked its way onto your machine. With this access, cyber criminals can obtain login credentials for email accounts, which can then be used to create phishing emails.

Users are more inclined to click on links and follow instructions from someone they know, such as their boss or the CEO, whose details are available on websites like LinkedIn. This means that as well as gaining company data, attackers can harvest personal information from employees, which lines their pockets nicely long after the initial attack.

Luckily, software exists in the field of cyber security that helps to identify patterns or behaviours in systems, software or code that may be the telltale signs of fileless malware.

What is SIEM and How Does It Work?

Security Information and Event Management (SIEM) services are behaviour detection systems that provide real-time analysis of any script run by a computer or device.

As IT departments and company networks have to run their own scripts, there can be a fine line between a legitimate script and a malicious one.

This is where behavioural detection systems come in: they analyse what incoming scripts want to do and sort the malicious from the legitimate.

Behavioural detection automatically narrows down what could be thousands of suspicious logs to just a handful of potential threats, which makes them manageable. Behavioural detection software can be very costly, as the technology borders on artificial intelligence: there are almost infinitely many variations that the program has to scan and classify as scripts run.

If the attack uses fileless malware, the cyber criminals will want to steal data to sell on for profit. A handy way to tell whether a computer has been infected with fileless malware is therefore for the IT department to monitor outbound logs for suspicious data transfers, as attackers will want to send the data back home.
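The outbound monitoring suggested above, as an added example (not Bob's Business code): it totals the bytes each internal host sends to addresses outside the organisation's own ranges and flags any host whose volume is far above its usual daily baseline. The flow-record format `<timestamp> src=<ip> dst=<ip> bytes=<n>`, the internal network list and the baseline figures are assumptions made for this example, and the sample records are constructed.

```python
"""Outbound-volume check over constructed flow records.

Added example, not Bob's Business code. The record format
"<ISO timestamp> src=<ip> dst=<ip> bytes=<n>", the internal ranges and the
per-host daily baselines are assumptions made for this example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: 10.0.0.12 pushes about 1.7 GB to one external address
# overnight; 10.0.0.31 shows ordinary daytime web traffic.
FLOWS = """\
2024-03-01T02:10:00 src=10.0.0.12 dst=10.0.0.5 bytes=120000
2024-03-01T02:12:00 src=10.0.0.12 dst=203.0.113.50 bytes=850000000
2024-03-01T02:15:00 src=10.0.0.12 dst=203.0.113.50 bytes=910000000
2024-03-01T09:00:00 src=10.0.0.31 dst=198.51.100.20 bytes=4500000
2024-03-01T09:05:00 src=10.0.0.31 dst=198.51.100.21 bytes=3200000
"""

# Assumed address ranges that belong to the organisation itself.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed "usual" outbound bytes per host per day, learned from earlier days.
BASELINE_BYTES_PER_DAY = {"10.0.0.12": 50_000_000, "10.0.0.31": 40_000_000}


def is_internal(ip):
    """True if the address sits inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flows(text):
    """Turn flow text into (src, dst, bytes) tuples; the timestamp is
    dropped because this check is purely volume-based."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _, src, dst, nbytes = line.split()
        flows.append((src.split("=", 1)[1], dst.split("=", 1)[1],
                      int(nbytes.split("=", 1)[1])))
    return flows


def external_outbound(flows):
    """Bytes sent by each host to each destination outside the organisation.
    Internal-to-internal traffic is ignored: it is not leaving the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if not is_internal(dst):
            totals[src][dst] += nbytes
    return totals


def flag_exfil(flows, baseline, factor=5):
    """Hosts whose external outbound volume exceeds factor x their baseline.
    Returns (host, total_bytes, busiest_destination) tuples, largest first."""
    flagged = []
    for host, per_dst in external_outbound(flows).items():
        total = sum(per_dst.values())
        if total > factor * baseline.get(host, 0):
            busiest = max(per_dst, key=per_dst.get)
            flagged.append((host, total, busiest))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for host, total, dst in flag_exfil(parse_flows(FLOWS), BASELINE_BYTES_PER_DAY):
        print(f"{host} sent {total:,} bytes externally, mostly to {dst}")
    # 10.0.0.12 sent 1,760,000,000 bytes externally, mostly to 203.0.113.50
```

A host with no baseline entry is compared against zero and so is always flagged, which is deliberate: a machine that has never sent data out before and suddenly does is exactly what this check is for.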

How Can I Stop a Fileless Malware Attack?

So how do you actually stop a fileless malware attack? Given that fileless malware carries no signature, doesn't install software and doesn't create a physical file, you may think it is impossible to detect.

While it is difficult to recover from a fileless malware attack, it is not impossible to prevent one. The best way to stop one of these attacks is to learn how to prevent attackers from gaining access to your organisation's network.

Training your workforce to be vigilant to the ways that fileless malware can infect their networks, how it can be transferred through email, and how to spot the signs of a malicious email will go a long way in the fight to keep your organisation secure.

These breaches can happen to anyone and cyber criminals will blanket target your employees because they know that they only need one person to make a mistake to let them in.

Here are some key tips from our Virus Vigilance course to help you spot and prevent fileless malware from getting into your computer.

  • Delete emails from unknown sources and log any attempts in line with your company policy.
  • Contact your IT department immediately if you suspect that your computer has been infected with a virus.
  • Only download software and open attachments from trustworthy and reputable sources.
  • Invest in good virus protection software and ensure it is updated regularly.
  • Watch out for deletion or unexpected appearance of files, slowing down of computer operations, and unexpected or unpredictable behaviour of your systems as these can all be characteristics of a virus attack.

You could invest in costly software or you could train your staff to help mitigate these kinds of attacks happening in the first place – because prevention is better than cure! If you’re interested in engaging training that teaches a wide range of cyber essentials to your staff, book a web demonstration with us to find out how our cyber security training courses can help your organisation.

Malvertising: Everything you Need to Know

Here at Bob’s Business, we have noticed an increase in the amount of Malvertising cyber attacks as of late. Unfortunately, it is not common knowledge what malvertising is or how it can negatively affect organisations or individuals who fall into the trap. Below are some key pieces of information that will help give you a better understanding of malvertising.

What is Malvertising?

Malvertising is the act of placing harmful code into adverts which you often see when browsing the web. Criminals will place a small undetectable amount of code into an advert which means that when the advert loads, your computer or device will automatically download the malicious code.

The code in the advert essentially opens the door to your computer and can download additional files which usually contain much more harmful, malicious pieces of malware.

One of the programs that can be downloaded onto your machine is called a Keylogger, which records every letter you press on your keyboard. Keyloggers on your machine will wait until you enter login credentials for a website and steal them.

Who does Malvertising target?

Malvertising can target anyone but can be specifically targeted towards certain groups of people. Criminals may plant their malicious adverts on a website that covers golfing news – which subsequently means that their ideal target is golfers.

However, you may have to dig deeper into why that specific golfing site was chosen. Could it be because doctors or very high earners (CEOs) play golf and are more likely to visit the site? Or just because it's a popular site and the security is pretty lacklustre? It may not always be obvious at first, but it can still affect anyone.

What to do if you fall victim to Malvertising?

Just as with normal malware, your online account and bank login details can be harvested.

If you think you’ve fallen victim to Malvertising, it would be advisable to download anti-virus software to scan your PC to clear any potential malicious software.

If you logged into your email account at any point, ensure that it is the first password you change as otherwise hackers may still have access to that account.

It is our strong recommendation that you also change the passwords for any accounts that you may have accessed, including your online banking account. It will also be beneficial to add two-factor authentication onto those accounts.

How to avoid falling victim to Malvertising?

Adding an adblocker to your browser can prevent the threat malvertising poses. An adblocker does exactly what the name says: it blocks all adverts on websites. If no adverts are displayed, the code hidden in them never runs, so it cannot download programs that infect your machine.

In addition, ensure that your browser and its plugins are kept up to date; updates often contain crucial security patches that can stop the malware from reaching your machine.

Make sure to have an up to date antivirus program installed on your computer system or device. Malvertising acts just like normal malware and can be detected then removed by any good antivirus program.

However, these should not be the only line of defence for your organisation as users still need to be aware of cyber threats like these, and organisations should not have to solely rely on software to save the day.

One recommendation from us is to have a robust training system implemented to make users aware of how to spot and protect against malware, prevention is better than a cure.

Our Cyber Security Awareness Training courses teach employees how to avoid malware, what to do in the event of a potential attack and what impact malware can have on your organisation.

If you’re interested in finding out about our cyber security training, click here for more information.

Bob’s Business Undergoes a Brand Refresh

Bob’s Business has enjoyed every moment of over a decade of helping organisations to become more cyber secure, and we’ve loved building the relationships we have over many coffees, many phone calls and many emails. Our friendly, human and professional approach to cyber security training will never change, but our image is.

Meet our new brand image

We are thrilled to announce we are smartening up our image with a refreshed brand to suit the organisation. We are still the same knowledgeable team here to help guide you through the right training solutions to suit your organisation.

Bob’s Business has always used a unique approach to get key information across by teaching organisation employees how to stay cyber secure using relatable office based scenarios featuring a colourful cast of animated characters.

Our cyber security training has effectively engaged and changed the security behaviours of hundreds of thousands of users and hundreds of organisations across the country and beyond. We have loved being able to help both individuals and businesses to feel more secure online, and we will continue to do so under our new look.

This rebrand was conducted to help us showcase our broader training and product portfolio, also demonstrating our ability to cater our training to many different industries, disciplines, audiences and organisations.

Bob’s Business has used a unique method of engaging and communicating cyber security training to help employees across hundreds of organisations avoid becoming victims of cyber attacks. The new brand can be seen on our website, where we also have our latest cyber security awareness, GDPR, and compliance training courses.

The new website features an easily navigable layout and a mobile-friendly design to help visitors get the vital information they need as smoothly as possible. As well as a clean and crisp design, the new Bob’s Business website supports a live chat service so users can get in touch with the company’s responsive team with any urgent enquiries.

Bob’s Business will continue posting regular cyber security blogs containing all sorts of handy tips and analysis of the latest industry news and trends, with new monthly themes and series that cover the common FAQs of cyber security.

Founder and CEO of Bob’s Business, Melanie Oldham said: “We’ve worked hard over the last few months to modernise the Bob’s Business brand to make it reflect us more accurately and show that our courses can help organisations in any industry develop a more security conscious workforce.

When we would talk to industry decision makers about our courses, a lot of them thought that our image was too quirky for them. So with this rebrand, we’ve toned that down to make us more appealing to a broader market while still staying true to our values.

We placed a lot of importance on making the visitor journey on our new website as streamlined as possible and made it easy for users to get all the information they need about our courses.

“Our mission is to provide memorable and engaging educational content that bridges the gap between IT and end users, and produces positive long-term behavioural change for our clients.”

Over the past 10 years Bob’s Business has grown, and through our fantastic portfolio of products, amazing clients and our continued mission to change cyber security cultures we needed an identity that reflects not only our evolution but how we want to connect and communicate for the future.

While we still operate with the same established values, making informative, entertaining and jargon-free training to positively change employee behaviour, we will bring our products and services together under a brand ethos that successfully communicates the fundamental character and spirit of our organisation.

We are ready for the next chapter at Bob’s Business, our brand refresh is the start of numerous exciting projects underway at Bob’s HQ and we can’t wait to share… watch this space.

GDPR: 3 Months On

This week at Bob’s Business, we take a look at what the Internet looks like three months on from the introduction of the much anticipated General Data Protection Regulation (GDPR) that came into effect in late May 2018.

GDPR’s effect: three months in

The regulation caused huge ripples across the world with many organisations preparing for it months before the regulation came into effect. Some predicted that the regulation would ‘break the internet’. Of course, as everyone knows, the internet imploded, everyone communicates by pre-agreed pigeon mail and no one dares to turn on their devices anymore.

The truth is the GDPR legislation has done none of that, but it has taken Europe and Britain a leap ahead of the rest of the world when it comes to personal data protection, privacy, transparency and accountability.

What was supposed to happen?

The GDPR was intended to bring a new, unprecedented level of data transparency and awareness to both data handlers and data owners and for every cry about GDPR deadline emails – consumers know more about their personal data rights than ever before.

Organisations are more accountable and our society will benefit massively from opening up the opportunity to counterbalance the information economy in a way that benefits organisations and consumers ethically and responsibly.

How can a business become GDPR compliant?

Here at Bob’s Business, we have been busy supplying all the latest training and information on the regulation through our short, informative GDPR eLearning courses that offer our signature sense of humour through office-based scenarios, which trains your staff to understand how GDPR affects their day-to-day jobs and what role they play to make the organisation compliant.

We have over a decade of experience developing an understanding of how learners take in information and guidance around cyber security training. We have used this knowledge to produce a collection of courses that cover all the key points of GDPR in a way that won’t bore your employees to death or waste precious hours at work.

Our courses, learning portals and policy management systems have become an accessible and robust resource for organisations who want to combat this new challenge in a way that helps them become more proactive, secure and profitable. GDPR isn’t the death sentence it was prophesied to be, so what’s next?

We know it can be hard work to stay on top of the workload sometimes, and life can get busy, so if you’re looking to host your GDPR training in-house we can provide a fully bespoke service supplying the entire GDPR eLearning catalogue in your organisation’s branding and cater the content to your organisation.

If you are looking for advice on how to arm your employees with more ways to protect your organisations data, consider getting in touch with our team to discuss our cyber security courses and engagement packages.

Our friendly staff are here to talk you through the different GDPR training we have available and advise you on the best packages to suit your needs.

6 Ways to Promote Effective IT Security in the Workplace

One of the biggest challenges facing Chief Information Security Officers and IT Directors can be getting their workforce behind the idea of working in a cyber secure culture. This quick guide will help you drive the key points home and protect your organisation from cyber threats.

IT security is often thought of as a boring subject. This can cause your staff to switch off when it comes to essential cyber security practices, and leaves your organisation vulnerable to security risks that are easily preventable.

The majority of your workforce may fall into the trap of thinking that cyber security doesn’t affect them – when in reality, they couldn’t be more wrong. Cyber criminals see staff as the weakest part of an organisation’s defence because of their tendency to make mistakes. The “Take Five To Stop Fraud” campaign revealed that only 9% of Britons can spot something fraudulent.

Why should I be promoting a secure work culture?

The answer to this question may seem obvious to anyone working in IT or cyber security – it’s one that we hear a lot when speaking to organisations. There are a variety of organisations and individuals that believe they will not fall victim to a cyber security attack.

People with this mindset should ask themselves “What would the consequences be if our organisation was subject to a major security breach?”

At surface level, the breach could result in money or sensitive data being stolen from the organisation. You can attribute a value to stolen money, but any sensitive or client information can be priceless. Cyber criminals will target sensitive data such as financial information, client contracts and employee usernames and passwords in order to either ransom back to the organisation or to leak the information to competitors.

Those are just the financial implications of being unprepared for a cyber attack. Other repercussions can include severe reputational damage to an organisation, which can have an effect on customer trust and buying confidence, resulting in an impact on profits.

In mid-June 2018 Dixons-Carphone, one of Europe’s largest consumer electronics retailers who operate the likes of Currys, PC World and KNOWHOW, admitted a huge data breach involving 5.9 million payment cards and 1.2 million personal data records.

Although no fraudulent activity has been reported, this breach massively undermined the reputation of Dixons-Carphone and the company reported that profits plunged 24%.

Organisations, no matter how big or small, are not immune to outside threats and the consequences of not being prepared for them.

What’s the best way to engage employees with cyber security?

So the next question you need to ask is, what steps can you take to start promoting IT security in the workplace. Here are 6 things that you can do to create a cyber secure workplace:

  1. Implement staff training that covers the whole spectrum of cyber security focussing on engaging end-users
  2. Encourage a culture change by getting employees to talk about cyber security regularly by using bitesized training courses
  3. Establish a clear process for your employees to follow when reporting security breaches, and reinforce it by integrating your policies into your staff training
  4. Apply your training initiative over an extended period of time to ensure that information security is at the forefront of your workforce’s minds and make them feel comfortable about reporting breaches rather than distancing themselves from them.
  5. Use additional materials around the office to support your cyber security training campaign. For example, displaying posters or desk calendars that feature security tips from the information security campaign that you’re running
  6. Include your workforce in discussions of cyber security; they might know somebody who has been affected by cyber crime, and this could help hammer home the message that employees should apply the same vigilance in the workplace

If you are looking for cyber security training that integrates with your internal policies, find out more about our Cyber Security Awareness Training eLearning course.

Why Employees Should Have Cyber Security Awareness Training

Times are changing. Gone are the days when our only security concern was making sure that our doors and windows were locked. Through the rise in technology and the growth of online activity, the manner in which we now work has been redefined, putting not only our personal data at risk, but business data in jeopardy too.

We often cling to the belief that a cyber attack would never happen to us, assuming that we won't be targeted and that, if we were, we would be too tech-savvy to be caught out. 20 years ago we would agree that being the victim of a cyber attack was highly unlikely, yet in today's cyber society, barely a day goes by without a cyber-related incident hitting the news headlines.

Cyber security is now going mainstream, but the problem that we face is keeping it in the mindset of our workforce on a daily basis. Make sure your organisation isn’t featured on the next double page spread of a newspaper – for the wrong reasons!

Let’s look at some Cyber Security trends:

  • Cyber crime damage costs to hit £4.35 trillion annually by 2021.
  • The majority of businesses (67%) have spent money on their cyber security, which is higher among medium firms (87%) and large firms (91%).
  • £4,590 is the average annual investment spent on cybersecurity.
  • More than 4,000 ransomware attacks have occurred every day since the beginning of 2016
  • 7 out of 10 organisations admit their security risk increased significantly in 2017.

What is the purpose and goals of Cyber Security Training?

There is often a misconception when it comes to cybersecurity, claiming that if the right technology is in place, then the people using it shouldn’t be an issue. It’s all well and good having the latest antivirus protection software installed, but one wrong click from an employee and before you know it your organisation can come crashing down. The importance of providing information security awareness training cannot be emphasised enough.

With 46% of businesses experiencing a cyber breach in the last 12 months, it is no surprise that cyber security training is not only in ever greater demand from organisations, but increasingly necessary.

It is estimated that almost 90% of data breaches are caused through human error, with social engineering exploits only set to magnify. With more and more employees now connected to the internet, and relying on IT to go about their jobs, this has provided cybercriminals with limitless opportunities to exploit the vulnerable, especially targeting those who have very little understanding and awareness on the issue.

The goal of a training programme should not simply be to ensure your employees are aware of security threats. Training goals should focus on the bigger picture, working towards creating an information security working culture within your organisation, and ensuring employees can be trusted as the frontline defence mechanism to counter any incoming cyber attacks.

Training helps break down the ever growing communication barrier that now exists between IT/compliance and end users, protecting business critical information, as well as reducing the down time caused by the effects of a cyber attack.

Moreover, when organisations are seeking to gain ISO27001 certification from Accredited Registrars, staff training is often one of the requirements that the Information Security Management standard will require as part of its regulation.

What are the most common cyber security myths?

“Training is a costly procedure that will eat into my employees' time.” This is often the case for traditional classroom-type training days, but eLearning is a cost-effective and flexible solution that minimises staff downtime and enables users to complete their training at their leisure.

“I won’t be targeted.” This is simply not true. Anybody can be a target; from an individual, to a large organisation, to a charity! An attacker can have a number of motives, some less obvious than others. For example, a cyber criminal who isn’t interested in money won’t necessarily target a large corporation with plenty of cash. Other motives for a breach can include theft of data, reputational damage, or simply to cause general malice.

“Technology’s got it covered.” As we have noted already, having the latest protection software installed on your devices in no way guarantees that you won't fall victim to a cyber attack. One wrong click from an end user is all it takes to leave your information security in the lurch, putting both you and your organisation at risk.

Who’s responsible for cybersecurity?

By reading this blog, you have shown an interest in cybersecurity and may be feeling that the responsibility is on your shoulders. But who is responsible for it all?

In a recent study, a mere 29% of businesses had board members with responsibility for cyber security. This simply isn't good enough. By not educating or training your workforce on cybersecurity and the issues it presents, you are effectively throwing your employees under the bus; it is only a matter of time before they fall victim to a vicious cyber attack, which will consequently come back to bite YOU.

It’s easy to play the blame game. It was employee X from the sales department who opened the dodgy email that lost all of our data, therefore he’s the one in the firing line. But this shouldn’t be the case!

There is a difference between responsibility and accountability: responsibility can be shared, whereas being accountable for something means you must answer for it. This applies to cybersecurity. It is everyone's responsibility to handle information securely and in a controlled manner, but not everybody is accountable. Whether it is the CEO, Managing Director or Data Officer, it is critical that somebody within your organisation takes accountability for information security.

eLearning is engaged learning

We get it. Cybersecurity is a dry and dull topic that we all wish could be swept under the carpet! So just how do we engage our workforce on a topic that they have no interest in?

The way we learn and absorb information has evolved. The persistent development in technology now means learning in front of a screen is becoming more and more popular, as it provides learners with increased interactivity, accessibility and convenience.

Why is eLearning effective?

  • Engaging animations

Delivering training through animated modules helps make key behaviours and learning points memorable. Scenarios that users can relate to improve information retention, supported by jargon-free, easy-to-understand content and bite-sized modules.

  • Accessible and flexible

eLearning is available 24/7. This allows users to complete modules whenever and wherever it is convenient, and ensures that they are learning in a comfortable environment. If an employee is ill, in a meeting, or is simply busy, eLearning ensures no employee will miss out on the training.

  • Consistency

Using eLearning ensures that each and every user is provided with exactly the same training, delivered through consistent communications. This ensures the entire organisation is aligned, with a shared understanding and awareness of information security within their working environment.

  • Cost and time efficient

According to a recent study, eLearning requires 40-60% less time than classroom training. Being able to deliver training internally at the user’s desktop spares them from having to travel halfway around the country to receive it. This saves not only employee work time, but also expenses such as accommodation and travel.

  • Improves engagement

We would all agree that there are times when you’ve sat in a classroom and found yourself daydreaming, staring at a blank wall. eLearning is a breath of fresh air compared to mundane traditional learning, with our modules in particular achieving engagement figures upwards of 80%.

  • Visible results, instant compliance

Through eLearning, users can instantly be tested on their understanding upon completing their training. Likewise, feedback is available immediately, meaning users aren’t having to wait weeks or even months to find out if they need to redo or undergo further training.

How we can help

At Bob’s Business, we are focused on providing organisations with the solution to creating secure workplace cultures. Through our eLearning modules we aim to provide users with a fun and engaging learning path, taking away the stress and apathy that typical traditional learning can present.

With all this in mind, get in touch today to find out more about how our services and solutions can help your organisation.

Why You Should Be Phishing Your Own Employees

By understanding the way users behave and approaching training exercises from an employee perspective, rather than an organisational one, you will revolutionise your security strategies.

Today, email is the number one delivery method for ransomware and other malware. A study in 2015 by Intel Security shockingly revealed that 97% of people around the world are unable to identify a sophisticated phishing email.

What is Phishing?

Phishing is the act of sending emails pretending to be from reputable companies in order to coax individuals into giving out sensitive information, such as passwords and bank details. The criminal practice of phishing dates back to 1996, stemming from hackers who broke into America On-Line (AOL) accounts by scamming passwords from unsuspecting users.

Cyber criminals view people as the weakest link in an organisation’s defence, as they’re prone to making simple mistakes that compromise security. To prevent breaches, it is essential that you employ effective techniques to strengthen the human element of your cyber security defences and nullify these internal and external threats.

Internal threats can be either accidental (unintentionally sending confidential information to the wrong colleague) or deliberate (a disgruntled employee intent on stealing confidential data).

External threats can include the delivery of malware, such as trojans, viruses and ransomware, through phishing emails to an organisation, as well as accidents caused by events beyond an organisation’s control.

At Bob’s Business, we deliver a comprehensive phishing simulation service to help you combat the ever-increasing threat of phishing emails. Education is at the heart of a phishing simulation: it aims to provide employees with a well-rounded knowledge of the topic and to introduce simple, yet practical changes to their daily routines both in and outside of work.

What’s the best way to train employees against phishing threats?

It’s important to understand what makes employees tick when it comes to training and how you can avoid the common pitfalls when rolling out training.

These can include complications such as tedious course content, organisations considering learning to be too time-consuming, or employees simply having no desire to learn.

This can make it difficult for you to implement training strategies to develop employee capabilities and understanding. Likewise, it is important that you set out clear objectives for training campaigns and ensure that all involved are aware of the process and its benefits.

Some training providers simply send out mock phishing emails to the workforce without telling them about the training campaign. Employees can perceive this in the wrong way, creating an “us vs them” attitude: they misunderstand the motivations for the training and believe that they are being tested and scrutinised behind their backs.

This misconception can create a long-term division between employees and the organisation, resulting in trust and communication issues.

Our CEO, Melanie Oldham, advises that simulated phishing campaigns should be run in a transparent manner so that management and employees are on the same wavelength. Prior to the training, employees should be walked through the process, highlighting how the approach will benefit all involved. Communication creates trust: by pointing out to employees that the campaign is designed to educate them on the dangers of phishing rather than to punish them, you build a trust relationship with each and every employee.

As well as clear communication, Melanie encourages using gamification techniques in a simulated phishing campaign so that employees have the chance to earn rewards; this gives them a greater incentive to apply themselves to the training.

Initial simulated phishing emails enable you to identify any weak points within your human firewall, whereby those who fall victim to the original phishing emails are redirected to a phishing eLearning module. The training allows users to understand how phishing emails are sent, the objectives and goals of phishing emails, and how best to avoid being caught out by them.

Our OSPA award-winning phishing simulation service, referred to as ‘Think Before You Click’, uses the same process. After using the service, some organisations experienced a reduction in click rates on phishing emails of over 75%, considerably reducing the vulnerability of sensitive data within those organisations.

‘Think Before You Click’ has received positive feedback from both the organisations and its end users. For one client, 22,370 staff completed the animated learning module, which received an approval rate of 80% (with 52% of staff giving an approval score of 100%) despite it not being mandatory. This demonstrates that this approach is beneficial, educational and positive for both the organisation and the employee.

Phishing employees in a controlled environment carries a multitude of benefits. The campaigns reveal vulnerabilities, show where training resources should be dedicated and ensure that employees are equipped with the information they need for dealing with internal and external threats.

Your workforce is the human firewall protecting your organisation. Testing it for weaknesses and helping to build strong and secure foundations is an essential part of ensuring that security is airtight.

You must ask yourself: would you rather an employee be caught out by a controlled training exercise, or fall hook, line, and sinker for a real phishing scam?

Click here to find out more about our award-winning phishing simulation service and how it can help you improve the human firewall in your organisation.

The Bob’s Business Infosecurity Europe Review

Infosecurity Europe is one of the biggest global cyber security conferences and every year the event comes to London for its annual celebration of the best that the cyber security and technology sector has to offer. Bob’s Business made its 7th appearance at the prestigious cyber security event which is hosted at Olympia London over the course of 3 days.

The event brought many established industry leaders and decision-makers to the nation’s capital and we were privileged to meet both old and new friends during our time hosting our stand, conducting live demonstrations and providing in-depth advice about our cyber security and GDPR training modules.

Bob’s Business at Infosec 2018

Ross Black, Business Development Manager at Bob’s Business, said: “This was my first time attending Infosecurity Europe and I was extremely impressed with what the show had to offer”.

“Having started in January this was my first experience of Infosec. It was great to meet lots of cyber security and IT professionals and discuss how we can help them build a more security-conscious workforce through our engaging and vibrant cyber security and GDPR eLearning courses.”

This year, Bob’s Business decided to provide the opportunity for visitors to win a fantastic range of prizes using their intellect and skill. The Bob’s Business booth ran a ‘Crack the Safe’ competition providing visitors the chance to crack the combination for the safe in an attempt to win a selection of amazing prizes worth over £1000, including the latest technology such as Amazon Echo Dots, Virtoba virtual reality headsets and Lego London sets. Across the 3 days we had over 30 winners who were successful in cracking the safe and winning a stack of prizes.

The Bob’s Business Rebrand

We also launched the Bob’s Business rebrand at Infosecurity 2018 to reveal our new look to the cyber security industry. The new look received fantastic praise with many commenting about the brand new modern look that appeals to clients old and new. This rebrand is being done to help the business achieve its aim of being both professional and quirky, a trait it values as helping it stand out in today’s market.

Infosecurity Strategy Workshops

On day 2 of the exhibition Bob’s Business took centre stage, as our CEO, Melanie Oldham, hosted a presentation in the Strategy Talks section, providing an insightful and impactful talk on positive ways for Chief Security Officers and Senior Technical Officers to train their employees to become more aware of phishing emails and attacks, utilising the Bob’s Business ‘Think Before You Click’ phishing simulations.

Melanie took the audience through examples of successful phishing simulations and training that Bob’s Business have provided and the positive impacts they have had on organisations, with some campaigns seeing up to a 75% reduction in click rates on phishing emails.

This can substantially reduce an organisation’s chances of being successfully targeted through high-risk individuals, as individuals learn from their own mistakes very quickly and begin to understand the consequences of engaging with phishing emails. If you’re interested in finding out more about our phishing simulations and training, you can find out more about the Bob’s Business ‘Think Before You Click’ program here.

How to Run Successful Phishing Awareness Training

After the presentation, Melanie commented: “It’s great to have had the opportunity to speak at such a great event. Being able to share my knowledge, experience and passion for cyber security with so many people is a real pleasure.”

“This year’s Infosecurity Europe has been a massive success for Bob’s Business. We had lots of people visit our stand who were very interested in our cyber security and GDPR courses.”

“It was also really exciting to unveil our new look to visitors, many of who really liked our refreshed modern branding.”

Melanie’s presentation provided 5 key takeaway points on how to run a successful phishing awareness campaign in a way that will help your organisation learn and conduct themselves appropriately when engaging with suspected phishing campaigns.

  • Keep the training simple
  • Human issues need to be addressed with humanity
  • Don’t underestimate the significance of compassion
  • Encourage open, honest and transparent communications
  • Break down barriers to build trust

After the success of this year’s Infosecurity Europe conference we’re already looking forward to next year’s event and we hope to see you there too!