What you need to know from the Cyber Security Breaches Survey 2024

Every year, the Department for Science, Innovation and Technology (DSIT), in partnership with the Home Office, releases the findings from its annual Cyber Security Breaches Survey, with the results invariably informing cybersecurity discussion for the 12 months that follow.

This year, 2,000 UK businesses, 1,004 UK registered charities and 430 education institutions were consulted from 7 September 2023 to 19 January 2024. All of this is to say that when it comes to cybersecurity in the UK, there are no more authoritative sources from which to draw.

We’ve reviewed the 2024 survey numbers, pulled out some of the most notable findings, and separated them into categories for your reading pleasure. In this blog, we’ll be sharing those findings. Let’s get started.

Prevalence of cyber breaches and attacks:

  • Half of businesses (50%) and around a third of charities (32%) reported experiencing some form of cyber security breach or attack in the last 12 months. This was much higher for medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).

Types of breaches and attacks:

  • The most common type of breach or attack was phishing (84% of businesses and 83% of charities). To a much lesser extent, this was followed by others impersonating organisations in emails or online (35% of businesses and 37% of charities) and then viruses or other malware (17% of businesses and 14% of charities).

Costs of breaches and attacks:

  • Among those identifying any breaches or attacks, the survey estimates the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460.

Cyber hygiene measures:

  • There have been slight increases in the deployment of cyber hygiene measures among businesses compared to 2023, such as using up-to-date malware protection (up from 76% to 83%), restricting admin rights (up from 67% to 73%), network firewalls (up from 66% to 75%) and agreed processes for phishing emails (up from 48% to 54%).

Risk management and supply chains:

  • 31% of businesses and 26% of charities had undertaken cyber security risk assessments in the last year, rising to 63% of medium businesses and 72% of large businesses.
  • 33% of businesses and 23% of charities deployed security monitoring tools, rising to 63% of medium businesses and 71% of large businesses.
  • 43% of businesses and 34% of charities reported being insured against cyber security risks, rising to 62% of medium businesses and 54% of large businesses.
  • 11% of businesses and 9% of charities said they review the risks posed by their immediate suppliers, with this being more common for medium businesses (28%) and large businesses (48%).

Board engagement and corporate governance:

  • 75% of businesses and more than six in 10 charities (63%) reported that cyber security is a high priority for their senior management. This proportion is higher among larger businesses (93% of medium businesses and 98% of large businesses, vs. 75% overall) and high-income charities (93% of those with income of £500,000 or more, vs. 63% overall).
  • Three in ten businesses and charities (both 30%) have board members or trustees explicitly responsible for cyber security as part of their job role, rising to 51% of medium businesses and 63% of large businesses.
  • 58% of medium businesses, 66% of large businesses, and 47% of high-income charities have a formal cyber security strategy.

Seeking external information and guidance:

  • Four in ten businesses (41%) and charities (39%) reported seeking information or guidance on cyber security from outside their organisation in the past year.
  • 39% of businesses and 32% of charities have taken action on 5 or more of the 10 Steps to Cyber Security, rising to 80% of medium businesses and 91% of large businesses.
  • 12% of businesses and 11% of charities are aware of the Cyber Essentials scheme, with awareness being higher among medium businesses (43%) and large businesses (59%).

Incident response:

  • 22% of businesses and 14% of charities have formal incident response plans in place, rising to 55% of medium businesses and 73% of large businesses.
  • 34% of businesses and 37% of charities reported their most disruptive breach to someone outside their organisation.

Cyber crime:

  • The survey estimates that 22% of businesses and 14% of charities have experienced cyber crime in the last 12 months, rising to 45% of medium businesses, 58% of large businesses and 37% of high-income charities.
  • 3% of businesses and 1% of charities have been victims of fraud as a result of cybercrime, with the proportion being higher among large businesses (7%).
  • The survey estimates that UK businesses have experienced approximately 7.78 million cyber crimes of all types and approximately 116,000 non-phishing cyber crimes in the last 12 months. For UK charities, the estimate is approximately 924,000 cyber crimes of all types.

Sector differences in prioritisation:

  • Businesses in the information and communications (65% say it is a “very” high priority), finance and insurance (61% say it is a “very” high priority), and health, social care and social work (62% say it is a “very” high priority) sectors tend to treat cyber security as a higher priority than others.
  • Unlike previous years, food and hospitality businesses now regard cyber security as a higher priority than businesses overall (72% vs. 75% of businesses overall).
  • Businesses in the agriculture sector tend to regard cyber security as a lower priority than those in other sectors (59% say it is a high priority, vs. 75% of businesses overall).

Regional differences in prioritisation:

  • In 2023, businesses in the South East tended to prioritise cyber security higher than the average UK business (80% said it is a high priority, vs. 71% overall).
  • In 2024, the region with the highest prioritisation on cyber security compared to total businesses is the North West (83% said it is a high priority, vs. 75% overall).

Roku data breach explained: Everything you need to know

Roku, a well-known streaming service offering access to platforms such as Netflix and Disney Plus, recently reported its second breach of 2024.

With two breaches occurring within just four months, questions are beginning to rise about the company’s security measures and reputation.

Let’s explore how such a major player in the streaming industry continues to struggle with its cybersecurity.

Let’s take a look inside…

On March 8th, Roku reported a cyberattack that affected around 15,000 users, and a month later on April 12th, a second incident was reported where 576,000 additional accounts were affected.

It was through the investigation and close monitoring that the second incident was discovered.

Among the affected accounts, approximately 400 fell victim to hacker activity. Unauthorised purchases on the streaming service were made, although no sensitive information was compromised.

Roku promptly addressed the issue by issuing refunds to the hacked accounts.

According to Roku, both attacks employed a technique known as credential stuffing, using stolen login credentials to gain unauthorised access to user accounts.

Roku stated ‘It’s possible third-party sources provided the login information’.

Additionally, the company highlighted the role of poor password hygiene among users, which could have contributed to the breaches.

In response to the breaches, Roku has implemented a forced password reset for all users, irrespective of whether they were directly affected. Since then, Roku has also made two-factor authentication mandatory for all accounts.

What role did human error play in this breach?

This breach highlights the vulnerability stemming from human negligence towards cybersecurity.

The technique used, called credential stuffing, thrives on exploiting weak password practices overlooked by many users.

By reusing passwords or choosing weak ones, users inadvertently made it easier for attackers.

Users need to take ownership of their own cybersecurity, especially when trusting large companies that are assumed to have strong security.

This incident shows that even big corporations can fall victim to cyber threats, emphasising the collective responsibility of everyone in strengthening cyber defences.

What is credential stuffing?

Credential stuffing is a type of cyberattack where hackers use stolen usernames and passwords from one source and try them on multiple websites or services.

It’s like trying a key that you stole from one door on many different doors, hoping it will unlock some of them.

This technique relies on the fact that many people reuse the same passwords for different accounts, making it easier for hackers to gain unauthorised access.

It’s a sneaky way for cybercriminals to break into accounts and potentially access sensitive information or carry out fraudulent activities.
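To make that pattern concrete from the defender’s side, here is an added example (not code from the original post, from Roku or from Bob’s Business) that scans a constructed sample of login-audit lines for the signature just described: one source cycling through many different usernames, nearly all failing, with an occasional success marking an account whose reused password happened to match. The log format, the thresholds and the sample lines are assumptions made for this example.

```python
"""Spotting credential stuffing in an authentication log (added example).

Not code from the original post, from Roku or from Bob's Business. The
log format, thresholds and sample lines are assumptions constructed for
this example. The pattern looked for: one source attempting many
*different* usernames in a short time, nearly all failing, where a rare
success marks an account whose reused password happened to match.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 sprays eight usernames and gets into one account (carol);
# 198.51.100.20 is a real user mistyping their own password twice.
SAMPLE_LOG = """\
2024-04-12T10:00:01Z 203.0.113.7 alice FAIL
2024-04-12T10:00:02Z 203.0.113.7 bob FAIL
2024-04-12T10:00:02Z 203.0.113.7 carol OK
2024-04-12T10:00:03Z 203.0.113.7 dave FAIL
2024-04-12T10:00:03Z 203.0.113.7 erin FAIL
2024-04-12T10:00:04Z 203.0.113.7 frank FAIL
2024-04-12T10:00:04Z 203.0.113.7 grace FAIL
2024-04-12T10:00:05Z 203.0.113.7 heidi FAIL
2024-04-12T10:01:10Z 198.51.100.20 dave FAIL
2024-04-12T10:01:25Z 198.51.100.20 dave FAIL
2024-04-12T10:01:40Z 198.51.100.20 dave OK
2024-04-12T10:02:00Z 192.0.2.5 erin OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK"


def analyse(log_text, min_users=5, min_fail_ratio=0.8, window_seconds=600):
    """Return {source_ip: summary} for sources matching the stuffing pattern.

    A legitimate user who forgets a password fails against ONE username;
    a stuffing run fails against MANY, so distinct usernames per source is
    the key signal, with the failure ratio and time span as supporting ones.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "ok": 0,
                                  "hits": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = per_ip[ip]
        s["users"].add(user)
        if ok:
            s["ok"] += 1
            s["hits"].add(user)      # account the source actually got into
        else:
            s["fails"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    alerts = {}
    for ip, s in per_ip.items():
        attempts = s["fails"] + s["ok"]
        fail_ratio = s["fails"] / attempts
        span = (s["last"] - s["first"]).total_seconds()
        if (len(s["users"]) >= min_users
                and fail_ratio >= min_fail_ratio
                and span <= window_seconds):
            alerts[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": attempts,
                "fail_ratio": fail_ratio,
                "compromised_accounts": sorted(s["hits"]),
            }
    return alerts


def accounts_to_reset(alerts):
    """Accounts that authenticated from a flagged source: candidates for a
    forced password reset and a notification to the account owner."""
    return sorted({u for a in alerts.values() for u in a["compromised_accounts"]})


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for ip, summary in found.items():
        print(ip, summary)
    print("reset:", accounts_to_reset(found))
```

The thresholds are illustrative and would be tuned per environment. A production detector would evaluate a sliding window rather than the whole file, and would also watch the reverse view (one username hit from many sources), because attempts are often spread across many addresses to stay under per-source limits.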

Strong password practices your organisation can implement to prevent credential stuffing

One of the most effective ways to mitigate the risk of breaches, such as the recent incidents experienced by Roku, is by enhancing password practices.

Here are some essential steps to take to strengthen password security:

  • Create unique and complex passwords for each online account. Avoid common phrases, predictable patterns, or easily guessable information such as birthdays or pet names.
  • Utilise passwords that are at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters. Longer, more complex passwords are more difficult for attackers to crack.
  • Never use the same password across multiple accounts. Reusing passwords significantly increases the risk of credential stuffing attacks, as compromised credentials from one platform can be leveraged to access others.
  • Use reputable password managers to securely store and generate strong, unique passwords for each account. Password managers alleviate the burden of remembering multiple passwords while enhancing security.
  • Remember to regularly update passwords, ideally every three to six months, to reduce the likelihood of unauthorised access due to compromised credentials.
  • Enable two-factor authentication wherever possible. 2FA provides an additional layer of security by requiring users to verify their identity through a second method, such as a one-time code sent to their mobile device.
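The rules in that list can be enforced at the point where a password is set. The following is an added example, not code from the original post or from any product named on this page: it checks a candidate password against the length, character-class and predictability rules above, against a small constructed stand-in for a compromised-password list, and against the account’s own password history (stored as salted PBKDF2 hashes) so that a “new” password cannot be a recycled old one. The function names, the hash parameters and the sample data are assumptions made for the example.

```python
"""Password-setting checks for the practices listed above (added example).

Not code from the original post or from any product named on this page.
The compromised-password set, the password-history entries and the hash
parameters are assumptions constructed for the example; a deployment
would use a breached-password feed and its own account store.
"""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached-password list.
COMPROMISED = {"Password123!", "Welcome2024!", "Summer2023!!"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, returned as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a hash produced by hash_password()."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


def has_sequence(password, run=4):
    """True if `run` consecutive characters step up or down by one
    (abcd, 4321) or form a run along a keyboard row (qwer, asdf)."""
    lowered = password.lower()
    codes = [ord(c) for c in lowered]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        if {b - a for a, b in zip(window, window[1:])} in ({1}, {-1}):
            return True
        if any(lowered[i:i + run] in row for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(password, username, history_hashes, compromised=COMPROMISED):
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        problems.append("missing one of: lowercase, uppercase, digit, symbol")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times in a row")
    if has_sequence(password):
        problems.append("contains a sequential run (e.g. 1234, abcd, qwer)")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains a year (birthdays are guessable)")
    if password in compromised:
        problems.append("appears in a known-compromised list")
    if any(verify_password(password, h) for h in history_hashes):
        problems.append("reused from this account's password history")
    return problems


if __name__ == "__main__":
    # Constructed history: the account's previous password, stored hashed.
    history = [hash_password("OldWinter2023!#")]
    for candidate in ("Password123!", "OldWinter2023!#", "Tr0ub4dor&3x!Xy"):
        print(candidate, "->", check_password(candidate, "alice", history) or "OK")
```

Storing the history as salted, iterated hashes means the checker can reject a recycled password without ever keeping old passwords in the clear, and the constant-time comparison avoids leaking how close a guess came.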

How Bob’s Business can help your organisation

At Bob’s Business, we understand the importance of strong cybersecurity measures in protecting your organisation against breaches.

Our comprehensive cyber courses are tailored to provide organisations with the knowledge and tools needed to mitigate cyber risks effectively.

Through engaging and informative training modules, we educate users on the importance of strong password practices, the dangers of credential-stuffing attacks, and the implementation of two-factor authentication.

Our platform equips users with practical skills to identify and respond to potential threats, fostering a culture of cybersecurity awareness and resilience within your organisation. Explore our range of courses here.

Why HR’s role in cyber risk management is growing

Many businesses make the mistake of thinking that cyberattacks only target bigger, higher-profile companies, simply because those stories garner news coverage.

The reality? Small businesses are the most at risk of attack.

Hackers look to take advantage of the smaller IT and training budgets to find vulnerabilities that can be used for financial gain.

This blog explores the increasing role of HR in cyber risk management in creating a stronger defence for organisations.

The role of HR in cybersecurity

While IT provides expertise in deploying technical security controls, such as antivirus and antimalware software, firewalls, and SSL certificates, HR is the expert in policies and people.

One of the biggest risks to an organisation’s cybersecurity is employee errors, both accidental mistakes and intended data security breaches.

A university study found that employee mistakes cause 88% of data breach incidents.

Therefore, HR has a significant role to play in developing a culture of employees who are cyber risk-averse and display the required behaviours to help keep the organisation protected from cyberattacks.

Why the role is growing

Historically, protecting IT systems was seen as a problem for the IT department, and HR would have minimal involvement in cyber risk management.

However, more organisations are realising that HR has a crucial role in helping them establish strong cyber risk management processes.

How HR can help develop a culture of cyber security

While IT teams diligently defend against digital threats, HR plays a vital role in ensuring the entire company is equipped to minimise errors and enhance cyber resilience.

By promoting a positive cyber culture, HR lightens the load on IT, reducing breaches, costs, and downtime.

  • Awareness and education: HR can drive cybersecurity awareness by conducting comprehensive training and providing access to webinars, ensuring all employees understand its importance.
  • Learning and adaptation: HR can facilitate regular workshops and upskilling opportunities in cybersecurity, enabling employees to adapt to evolving threats effectively.
  • Overcoming challenges: HR can address resistance to change by fostering open communication and transparency about cybersecurity, ensuring alignment with organisational objectives.

Read more here about how leaders can create a strong cybersecurity culture.

How HR can develop a high-quality cybersecurity risk management framework

Policies

HR should ensure that comprehensive company policies, such as those related to information security, social media use, and cybersecurity, are in place.

Although the IT team will have the main responsibility for writing policies that sit within their domain, HR should have a policy management process to ensure that policies are kept up to date and are easily accessed by employees – for example, published on the company intranet site.

Setting data and access controls

Another area HR can support cybersecurity in is by ensuring that access levels are appropriate.

Access to systems and data should be restricted so that only those who genuinely need data for their job responsibilities can access it (the principle of least privilege).

Background checks

Internal fraud is a problem that can lead to data breaches and HR can implement strict screening processes when recruiting, such as background checks and references.

This can help to detect candidates who represent a higher risk to the organisation.

Training and regulatory compliance

HR is responsible for regulatory compliance, including mandatory training.

Traditional regulatory compliance training is not always effective for organisations seeking to increase employee knowledge and develop a culture of high cybersecurity awareness.

Remember, almost 90% of breaches start with simple human error!

Incident response planning

HR has a vital role in maintaining incident response plans. Working closely with IT and other departments, HR selects suitable individuals for key roles within the incident response team.

HR also oversees their actions to ensure they fulfil their duties effectively during incidents. This careful oversight ensures the response team is prepared to handle cybersecurity incidents as they occur.

How Bob’s Business can help your organisation

Bob’s Business is committed to ensuring not only the effectiveness of your IT defences but also the readiness of your employees.

We work closely with your HR team to identify organisational vulnerabilities and provide tailored courses that can be delivered to employees.

By leveraging our expertise and innovative approach, we empower organisations to navigate the complexities of cybersecurity with confidence.

With Bob’s Business by your side, you can effectively minimise errors, reduce breaches, and mitigate the impact of cyber incidents on your business operations.

The state of cybersecurity, Q1 2024 edition.

Q1 of 2024 is already behind us, and while the weather might be improving, the cybersecurity threat landscape certainly is not.

Rapidly advancing AI, evolving scams, and higher-than-usual staff turnover in many organisations have created a perfect storm for cybercriminals, resulting in major breaches and increased vulnerabilities.

At Bob’s Business, we partner with several companies to support organisations through those challenges, develop their security posture, and promote positive outcomes in all forms of cybersecurity challenges.

While we’re the experts on all things cybersecurity education, we’re proud of our partnerships, and so we’re opening the floor to just a handful of our trusted partners for their thoughts on The State of Cybersecurity. Let’s get to meet our panellists:

Meet the panellists


Simon Nicholls, UK VP of Sales at Keepnet Labs

Simon Nicholls is the UK VP of Sales at Keepnet Labs, a company transforming cybersecurity by prioritising the human element through a holistic platform that integrates cutting-edge technology, behavioural psychology, and nudge theory. Simon joined the business as the first VP of Sales and is helping to scale the EMEA operation from the ground up.


Rowan Sinclair, Founder & CEO at Nayaka Security

Rowan Sinclair is the founder and CEO of Nayaka Security, a next-gen security specialist that helps SMEs navigate the wild and wonderful landscape of cybersecurity. With a handpicked suite of leading cybersecurity tools and a focus on education and awareness, Nayaka Security empowers clients to proactively protect their digital assets, forging a secure future for businesses in the digital age.


Karl Greenfield, CEO at Pentest Cyber

Karl Greenfield has been involved in cybersecurity since the 1980s and has led many successful teams and task forces globally, most recently as CEO of Pentest Cyber Ltd; specialising in the provision of Cyber Essentials Plus and high-end penetration testing services, with a focus on providing “result-driven” objective testing services beyond “auto-scans” to a discerning international audience.


We asked them a series of questions about the state of the industry and what they think the future holds for cybersecurity.

What notable cybersecurity threats have emerged or evolved so far in 2024?


Simon: In a similar trend analysis to the Allianz Risk Barometer, we have seen the largest emerging risk in 2024 as mobile devices. Specifically, in this area, there has been an astronomical rise in attacks targeting employees’ MFA. Over a period of 90 days, Okta’s network logged approximately 113 million attacks targeting MFA. Email security is a well-developed space in cyber, but mobile device security has fallen behind, meaning it is the go-to attack vector for many hackers in 2024.


Rowan: Automated social engineering incorporating LLM (Large Language Models) via LinkedIn / Teams / Slack. However, traditional click-a-link phishing is still prevalent, with users consistently falling prey. In my inbox, in particular, I’ve noticed DocuSign, payroll, and faux-supplier phishing attempts.


Karl: The prevalence of AI-augmented techniques in everything including cybersecurity attack and defence can no longer be ignored. The persistence with which the commodity attacks can now be deployed means that any momentary drop in defences for e.g. patching or reconfiguration that would previously be well covered by “good luck alone” can now be enough to result in compromise.

What innovative approaches or strategies are being used to improve cybersecurity awareness and promote a security-conscious culture within organisations?


Simon: Behavioural-based learning is a key element of a solid human risk management strategy in 2024. A blanket approach to improving cybersecurity awareness isn’t sufficient. Our clients are specifically interested in tracking user behaviour across all known attack vectors and training the users that need it most with targeted and tailored training to their knowledge gaps.


Rowan: As the average staff age decreases (or we get older), shorter, bitesize content is important to trap attention spans. On-the-spot training with email security solutions like Tessian or Egress has also helped increase security awareness.


Karl: Blending several approaches together as a bespoke “force multiplier”. PTC’s “Cyber-Capability-As-A-Service” combines pen-testing with managed accreditation. Cyber Essentials Plus is a favourite since NCSC reported 50% uptake increase in a year. Add the need to build, maintain and monitor cybersecurity culture tailored to each environment. We use Bob’s Business’ strengths to convey subjects clearly, to the largest audience. Key to our needs is the integral automation of admin tasks, scheduling and deployment of learning opportunities against organisational deadlines.


How can organisations better prepare and adapt to the evolving cybersecurity landscape?


Simon: Knowledge is preparation. Immersing yourself in the new advancements in cybersecurity will help keep companies 1 step ahead. Attending well-respected events and a select number of webinars/round tables with topics that align with the overall security strategy is the best way to keep abreast of these developments in the most time-efficient way.


Rowan: Constant surveillance such as automated pen-testing solutions, rigorous IDAM, advanced inbound and outbound email security, and, of course, a fully managed user awareness training so IT teams don’t drop the ball on creating a security awareness culture.


Karl: Start by deploying basic defences such as those inherent in gaining “Cyber Essentials Plus”. “Work up” bespoke to your situation, either by your own organisation’s design or in consultation with an expert such as PTC. Remember no two networks are the same so you must tailor your approach to your unique circumstances. One size, and very rarely, one product seldom “fits all”.


What cybersecurity trends and challenges do you anticipate for the remainder of 2024 and beyond?


Simon: Consolidation is a real trend amongst CISOs. With more security tools than ever on the market, CISOs have the challenge of building a robust toolkit for their security teams without the need for them to log in to multiple different platforms every day to do their job effectively. Identifying top-class consolidated solutions to help resolve this issue and reduce overall security spend will be a challenge and trend this year.


Rowan: As a trend, more security for Kubernetes-based businesses and an increased number of solutions incorporating quantum-resistant algorithms. On the challenge side, security continues to be ROI deficient at an SME level meaning continued difficulty demonstrating its value to senior management until ultimately the organisation is hit by a data breach.


Karl: AI will continue to change things in ways that we can only presently imagine. High-skilled, experienced personnel will remain essential and will become even more scarcely available when needed. New geopolitical developments will continue as a vector for “baddies” to seek to exploit us. The good news is that by taking a structured and measured approach to deploying basic defences, we can continue to protect ourselves effectively.

Partner with Bob’s Business

Eight in ten businesses say that cybersecurity is a high priority for their management boards. Bob’s Business offers a range of solutions designed to reduce their risk of breaches by up to 74%.

With generous compensation, hands-on support and unique differentiation in the market, we’re the best choice for companies looking for a trusted partner within the cybersecurity education space.

Learn more and book in time for a partnership chat here.

The seven video conferencing mistakes you can’t afford to make

When was the last time you stepped out of the office for a face-to-face meeting?

With the rise of online meetings, chances are it’s becoming a rare occurrence.

The perks of not commuting, seamless long-distance communication, and more have made virtual meetings the go-to choice.

But, amidst the convenience, it’s crucial not to overlook the security risks.

As we navigate through the rise of webinars, online meetings, and virtual hangouts, it’s vital to ensure we’re following best practices to keep cyber threats at bay.

The seven video chat mistakes that you simply can’t afford to make

Leaving your microphone on

Let’s start with a classic – leaving the microphone on.

Of course, we all know that video conferencing often takes place within the home, where a myriad of distractions can create the need for off-mic moments.

The problem is that pesky microphone recording every word you say.

It’s a privacy nightmare, and without a little awareness, you might find yourself caught out saying something you regret.

This could include conversations around you that contain sensitive information such as GDPR-related discussions or the exchange of passwords, posing a significant privacy and cybersecurity risk to the organisation.

The fix for this one is simple, just remember to turn off your microphone when you’re not speaking!

Sharing your screen with valuable information on it

One of the biggest advantages that video conferencing brings to the business world is the ability to quickly and easily share what’s on our screens with everyone else.

In a world where the majority of our work is done on computer screens, it’s a real positive.

However, it’s more than just the work we do on our screens. Everything from curious Google searches to tabs with classified information is visible if it’s on screen when you share with your workmates, creating a potentially awkward situation.

Some platforms allow you to share only ‘one tab’ or ‘one window’ at a time.

This feature allows you to selectively choose what content is visible to others, adding an extra layer of security to your virtual meetings.

You should always check your screen carefully before you share it with your team – you’ll be glad you did!

Sharing photographs of your meetings online

One trend that has led to security risks within online meetings is sharing pictures of video calls.

Popular video conferencing solutions like Zoom require a meeting ID number to join—one that’s visible on screen—and sharing pictures of that meeting means that anyone with a supported device can dial into your call.

With so many vital, highly confidential meetings being held worldwide, it’s crucial that your private information is kept that way—no matter how proud you are of your meeting—so keep your meeting pictures off social media.

Do you remember when Boris Johnson shared an image of the first virtual cabinet meeting back in 2020, exposing the meeting ID and cabinet members’ usernames? It was a huge breach of government security, and one that caused real headaches for Government security officials.

Not warning your cohabitors that you’re on a call

We’re all in this together and, for many of us, that means family and cohabitors spending our time under the same roof. It’s a tricky situation, but one that we have no choice but to handle.

If you don’t have a dedicated office space where you can focus solely on your work, it’s crucial that you let the people you’re sharing a space with know that you’re going to be on a call.

We’ve seen plenty of widely shared incidents of unwitting people wandering into compromising situations on camera, so take the time to ask for a little privacy.

Missing end-to-end encryption

It’s important to consider encryption when choosing video meeting platforms.

Without end-to-end encryption, there’s a risk that cyber hackers could intercept sensitive information exchanged during meetings.

Look for video meeting platforms that offer encryption features to protect your data in transit, making it harder for unauthorised parties to access.

Failing to update software

Keeping your video conferencing software up to date is essential for maintaining security.

Neglecting software updates leaves your system vulnerable to cyber threats. After all, there’s a reason why that update was pushed live.

Make sure to regularly update your software to patch security vulnerabilities and strengthen your defences against potential attacks.

Implementing automated update mechanisms can simplify this process and ensure that your video meeting stays secure against growing cybersecurity threats.

Not securing your call

You’d make sure the door was shut before holding a private meeting, wouldn’t you?

Therefore, it goes without saying that you should lock your video call to stop individuals from joining without permission.

Whether you’re using Google Hangouts, Zoom, Skype, or any other video conferencing tool, you’ll find a range of security features that ensure only those who are invited can access the call.

Take the time to review and adjust default settings, such as enabling password protection and waiting rooms, to enhance the security of your virtual meetings.

How Bob’s Business can help you

With the rise of virtual meetings, ensuring the security of your online interactions is crucial.

Our tailored cybersecurity training equips you with the knowledge and skills needed to navigate virtual meetings – and all things cyber – safely.

Our courses cover all aspects of secure online communication, from understanding the risks of leaving your microphone on to securing your calls with password protection.

With practical guidance on adjusting default settings and implementing encryption features, we empower you to confidently navigate virtual meetings and mitigate potential threats.

Our innovative online cybersecurity awareness courses are designed to offer real, actionable advice in fun, short and unique animations.

Vans data breach explained: Everything you need to know

Imagine the sinking feeling of a critical system failure right before a major product launch.

Now imagine having to communicate to millions of customers that their records were exposed in a data breach.

That’s the harsh reality Vans’ parent company, VF Corporation, faced in December 2023.

This breach is a stark reminder for CISOs and CEOs: even industry giants are vulnerable.

While details remain under investigation, the incident highlights the ever-present threat of cyberattacks and the crucial role strong cybersecurity plays in protecting your organisation’s reputation and customer trust.

Let’s dig into the details and explore how your organisation can avoid the same fate.

A look inside the Vans data breach

In December 2023, VF Corporation, Vans’ parent company, fell victim to a cyber-attack.

While the initial details were murky, a later filing with the US Securities and Exchange Commission confirmed the hackers’ haul: an astounding 35.5 million customers’ personal data.

Here’s what we know so far:

While the exact cause remains under investigation, VF Corp. suggests unauthorised actors gained access to their systems.

Thankfully, financial information like credit card details seems to be safe.

However, the stolen data reportedly includes names, email addresses, phone numbers, billing and shipping addresses, and, potentially, purchase history.

The aftermath: Vans emailed customers in March 2024 to inform them of the breach and potential risks associated with compromised data.

They also offered guidance on how to avoid phishing scams that might capitalise on the situation.

From clicks to consequences: Why this matters

Vans’ data breach serves as a stark reminder of the ever-present threat of cybercrime. But beyond the initial shock, it raises crucial questions:

  • Human error or sophisticated attack?: While details are limited, the incident highlights the vulnerability of even established companies to human error. Remember, even a single unprotected email can be a gateway to a massive data leak.
  • Beyond financial loss: The repercussions of a data breach extend far beyond monetary compensation. Breaches erode customer trust, a vital asset in today’s competitive retail landscape.
  • A wake-up call for all: This incident isn’t just about Vans. It’s a cautionary tale for every company entrusted with customer data. Strong cybersecurity practices are no longer a luxury; they’re a necessity.

How to avoid a similar fate

The good news is that businesses can take proactive steps to minimise the risk of data breaches. Here are some key strategies:

  • Educate your employees: Regular cybersecurity training empowers employees to identify phishing attempts, handle sensitive data responsibly, and adhere to company security policies.
  • Embrace awareness: Don’t let cybersecurity training become a one-time event. Regular awareness programs ensure employees stay updated on the latest threats and best practices.
  • Passwords matter: To add an extra layer of security, enforce strong password policies, including mandatory changes and multi-factor authentication.
  • Encryption is key: Encrypt sensitive data at rest and in transit to minimise the damage if a breach occurs.
  • Control who sees what: Implement access controls, granting access to sensitive data only to those who absolutely need it.
  • Prepare for the worst: Develop a comprehensive incident response plan outlining steps to take in case of a breach. This includes communication protocols and measures to mitigate the impact.
  • Security audits: Conduct regular security audits to identify vulnerabilities before hackers do.
  • Security is everyone’s job: Foster a culture of security within your organisation. When employees understand the importance of data protection and feel comfortable reporting potential security incidents, everyone wins.

How Bob’s Business can help protect your organisation

The Vans data breach is a cautionary tale. It highlights the importance of robust cybersecurity practices and the devastating consequences of even a single misstep.

By prioritising employee training, implementing strong data security measures, and fostering a culture of security awareness, businesses can take control of their data destiny and protect the trust of their customers.

Remember, in the age of cybercrime, prevention is always better than cure.

Here at Bob’s Business, we’re here to help you stop data breaches before they land you in a precarious situation.

From employee training and phishing awareness programs to security audits and incident response planning, we offer a comprehensive toolkit to safeguard your customer data.

Click here to learn more about our cyber solutions.

How to create a proactive incident response plan

Have you ever heard the saying, “Fail to prepare, prepare to fail”?

It is especially relevant in cybersecurity practices.

With AI enabling scammers and hackers to create more sophisticated attacks at scale, being prepared for the worst-case scenario is vital for business success.

While taking steps to prevent attacks is vital, having a strong incident response plan is just as important. It’s like having a safety net – it can minimise the impact of a cyber incident and save you time and money.

Keep reading to learn how to create a strong response plan to keep your organisation safe.

What is a response plan?

Defining the phrase

A response plan is a structured framework outlining the steps to be taken in the event of a cybersecurity incident.

An incident response plan offers a clear approach to:

  • Identifying the issue
  • Containing the breach
  • Mitigating the attack
  • Recovering from security incidents
  • Preventing future incidents

It outlines the roles and responsibilities of the individuals or teams involved in the response, establishes communication channels, and defines escalation paths.

The benefits of a response plan

Stronger cybersecurity resilience

Being proactive means preparing for potential cyber threats in advance. By doing so, businesses can identify vulnerabilities, set up defences, and establish response strategies.

This makes them more resilient against cyber-attacks.

Secured business continuity

With a proactive plan in place, businesses can ensure that essential services continue uninterrupted even during cyber incidents.

This minimises downtime, protects data integrity, and maintains customer trust, keeping operations running smoothly.

Savings on costs

Investing in proactive measures can save businesses money in the long run.

By addressing security issues early, companies can avoid expensive consequences such as data breaches, legal fines, and damage control.

Regular security checks and employee training also help prevent incidents, reducing financial losses.

Reputational protection

A well-executed response plan defends against financial losses and shields a business’s reputation.

Clear and prompt communication during and after an incident shows professionalism and accountability. This builds trust with customers and partners, enhancing the business’s image and loyalty.

Faster recovery

With a response plan ready to go, businesses can respond quickly and efficiently to cyber incidents. This enables faster recovery times and reduces the overall impact on operations.

A step-by-step response plan

Step 1: Establish an incident response team

Designate individuals responsible for responding to cybersecurity incidents. Clearly define their roles and responsibilities.

Step 2: Communication

Create a clear communication strategy for reporting incidents internally and externally. Ensure prompt internal communication to halt the breach, followed by updates to stakeholders once the risk is contained.

Step 3: Incident identification criteria

Define clear criteria for identifying security breaches based on their severity and impact on the organisation.

Step 4: Containment

Develop a plan for containing the breach, including monitoring systems and analysing affected areas to determine the extent of the breach and the containment measures required.

Step 5: Investigation and analysis

Conduct a thorough investigation and analysis of the incident to determine its cause and impact. Identify vulnerabilities and weaknesses in systems or processes that contributed to the breach.

Step 6: Mitigation and recovery

Implement strategies to mitigate the impact of the incident and recover affected systems and data. Prioritise critical systems and services to minimise downtime and disruption to business operations.

Step 7: Security experts

Consider contacting pre-arranged external experts who can offer additional guidance in resolving the incident. Ensure these experts have access to the resources and support they need to address the situation effectively.

Step 8: Enhance security measures

Take steps to enhance security measures based on lessons learned from the incident. This may include implementing additional safeguards, updating security policies, or improving security controls.

Step 9: Training, improvement, and awareness

Conduct training sessions to improve incident response capabilities and raise awareness of cybersecurity risks among employees.

Continuously review and update training programmes to address emerging threats and vulnerabilities.

How Bob’s Business can help your organisation

At Bob’s Business, we’re dedicated to ensuring your organisation is prepared for any cybersecurity incident.

Through a comprehensive review of your current cybersecurity measures, we identify vulnerabilities and tailor training specifically for your business’s blind spots.

Our courses are built on two principles—behavioural science and psychology—to deliver truly exceptional results to organisations of all sizes in the public and private sectors.

Ready to build your cybersecurity culture? Discover our range of cybersecurity awareness training solutions.

What is cyber insurance?

In an ideal cyber world, a company would achieve foolproof cybersecurity, ensuring hackers fail every time.

In practice, though, human error is inevitable, and cyber insurance can be a valuable asset for many organisations to protect against it.

As cyber-attacks become more sophisticated, the risks they pose also increase.

These attacks aren’t mere inconveniences, either. Indeed, they can result in significant financial loss, reputational harm, and legal liabilities.

Accordingly, many businesses purchase cyber insurance to help reduce the strain caused by a cyber-attack and enable them to bounce back from a breach.

But what is cyber insurance, and how could it benefit your organisation? Join us as we explore the topic.

Understanding cyber insurance

Cyber insurance is a specialised form of insurance designed to provide financial protection against losses resulting from cyber-related incidents.

Its purpose is to help businesses mitigate the financial impact of cyber-attacks and data breaches by covering various expenses and liabilities associated with such events.

These policies typically offer several types of coverage tailored to address different aspects of cyber risk management:

  • Data breach response: This helps cover the costs of responding to a data breach, such as investigating what happened, notifying affected customers, and managing the fallout to protect reputations.
  • Business interruption: If a cyber attack disrupts business operations and causes a loss of income, this coverage can help make up for that lost revenue and cover any extra expenses needed to get back on track.
  • Liability: This protects a business from legal claims and expenses if it is sued because of a cyber incident, such as a customer’s data being compromised through negligence.
  • Cyber extortion: If cybercriminals demand a ransom to release data or systems, this coverage can help resolve the situation, including covering the ransom payment if needed.
  • Cybercrime: This covers losses from various cyber crimes, such as fraudulent transactions or scams that target your business.

Assess your business’s cyber risk profile

Understanding your business’s digital risks is key. Review your cyber risk profile closely to identify potential threats and weaknesses.

Just like checking for leaks in a roof before a storm, assessing your cyber risk profile helps you prepare for cyber trouble by choosing the right type of insurance.

Consider the cyber threats that could affect your business, such as data breaches or scams. Then, think about how these threats could harm your operations and finances.

For example, a data breach could lead to a loss of customer trust and expensive legal bills. The right insurance can help to mitigate these consequences.

If you’re unsure where to start, insurance companies can help identify your vulnerabilities and tailor a cyber insurance policy to fit your needs.

Evaluating the limitations and benefits

Recognising that cyber insurance policies often come with limitations and exclusions is important. These can vary, but common ones include things such as acts of war or intentional acts by employees.

It’s crucial to be aware of these limitations as they can affect the adequacy of your coverage.

Despite these limitations, cyber insurance provides significant benefits. It offers financial protection against unforeseen cyber incidents, which can save your business from large costs.

For example, it can cover expenses related to data breach response, business interruption, and legal liabilities.

By understanding both the benefits and potential limitations, you can make an informed decision about whether cyber insurance is the right choice for your business.

How to integrate cyber insurance into cybersecurity processes

Tailored coverage

Work closely with your insurance provider to tailor a cyber insurance policy that aligns with your business’s unique risk profile.

Ensure that the policy provides adequate coverage for potential cyber incidents, including data breaches, business interruptions, and legal liabilities.

Incident response planning

Develop a strong incident response plan that outlines the steps to take in the event of a cyber incident.

This plan should include procedures for initiating insurance claims and utilising coverage effectively to mitigate financial losses and restore normal business operations.

Employee training and awareness

While cyber insurance acts as a safety net, cybersecurity awareness training remains a vital part of any cybersecurity strategy. Indeed, many insurers require employees to undergo regular cybersecurity awareness training as part of their agreement.

Educate your employees about the importance of cybersecurity best practices and the role they play in protecting the business from cyber threats.

Regular policy review

Review your cyber insurance policy regularly to ensure that it remains up-to-date with your changing business needs and cyber threats.

Update your policy as necessary to address any new risks or vulnerabilities.

By incorporating these strategies into your cybersecurity processes, you can effectively integrate cyber insurance into your overall risk management strategy.

At Bob’s Business, we are committed to helping organisations strengthen their defences against cyber attacks. That’s why we’re an Aviva Specialist Partner, offering Aviva customers our award-winning, industry-leading cybersecurity awareness & education products at a discounted rate.

We offer tailored solutions to address your cybersecurity challenges and blind spots with gamified eLearning that your employees actually enjoy!

Explore our range of courses here.

The psychology of authority in phishing (and how to stop it)

You’ve heard the warnings: don’t click suspicious links, be wary of urgent emails, and never share your password.

Yet, even the most tech-savvy individuals fall victim to phishing scams. Why?

It’s because phishers don’t just rely on technical trickery; they exploit a powerful human instinct: our inherent trust in authority.

Imagine receiving an email from your CEO or bank demanding immediate action.

The pressure mounts and you might find yourself clicking a link or opening an attachment without thoroughly scrutinising it.

Our vulnerability to authority and time pressure is what phishers leverage to steal sensitive information and wreak havoc on organisations.

Phishing attacks are the most common cyber threat, costing businesses an estimated $23 billion globally in 2023.

But why are these seemingly obvious scams so successful? The answer lies in a powerful psychological phenomenon: the allure of authority.

This blog delves into the psychology behind phishing and the allure of authority. We’ll explore real-world examples, examine the impact of these attacks, and ultimately discuss why cybersecurity awareness training is crucial for every organisation.

Let’s dig into it.

Everything you need to know about authority in phishing

The allure of authority

Phishers don’t just throw random titles around. They meticulously craft their emails to mimic trusted sources, often impersonating:

  • Banks and financial institutions: “Your account has been flagged for suspicious activity. Click here to verify your details.”
  • IT departments: “Important system update required. Click the link to avoid disruptions.”
  • Government agencies: “Urgent tax notification. Download the attached document for further details.”

Phishers exploit a cognitive bias called the “asymmetry of power” by masquerading as entities we’re conditioned to trust.

We tend to perceive those in authority as having superior knowledge and expertise, making us more likely to comply with their requests, even if presented in an unusual manner.

This exploitation of trust isn’t a new idea. In the infamous 1961 Milgram experiment, psychologist Stanley Milgram demonstrated how readily individuals comply with authority figures, even when instructed to administer supposedly harmful shocks to another person.

This experiment highlights the power of authority and its potential to override our moral compass in certain situations.

Furthermore, phishers leverage the power of social influence.

Humans are inherently social creatures, and seeing others succumb to authority figures (even a fabricated one in an email) can increase our own susceptibility.

Imagine receiving an email seemingly from your CEO or manager, urging immediate action. It’s easy to see how even the most vigilant individuals might fall prey to such tactics.

The urgency factor

Phishing emails often employ urgency tactics to heighten the sense of fear and immediacy.

Phrases like “urgent action required,” “account suspension risk,” or “limited-time offer” create a sense of time pressure, bypassing our rational thinking and pushing us to click the malicious link or open the attachment.

This tactic exploits our natural mental shortcuts, where readily available information (like the urgency mentioned in the email) is more persuasive than seeking out additional evidence.

When authority and urgency combine

In a meta-analysis of Bob’s Phishing campaigns, we found that when phishing emails appear to come from an internal source and threaten a danger, like those outlined above, click rates can reach 94%.

It’s an astonishing reminder that no matter how aware of phishing threats we believe ourselves to be, the right combination of elements can bypass our internal defences.

Why cybersecurity awareness training is your ally

While the tactics may seem simple, the consequences of falling victim to a phishing attack can be devastating.

Data breaches, financial losses, and reputational damage are just some of the potential repercussions.

This is where cybersecurity awareness training steps in as your organisation’s shield against these threats.

Here’s how training empowers your employees:

  • Demystifying the tactics: Training equips employees with the knowledge to identify the red flags in phishing attempts. They learn to recognise suspicious sender addresses, generic greetings, poor grammar, and illogical urgency.
  • Empowering critical thinking: Training goes beyond just identifying red flags. It encourages employees to question everything, verify information with official sources, and avoid clicking suspicious links or opening attachments.
  • Building a culture of security: By creating a cybersecurity awareness culture within your organisation, you foster open communication, allowing employees to report suspicious emails and seek clarification when unsure. This collaborative approach strengthens your overall defence against cyber threats.
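As an added example, not code from Bob’s Business or the original post, the Python heuristic below scores a message against exactly the cues this post lists: an authority title in the display name that does not match the organisation’s own domain, urgency phrases, threat language, generic greetings and a demanded click or download. The internal domain and the sample messages are constructed; the authority-plus-urgency pairing from “When authority and urgency combine” is what pushes a message to the highest rating.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# The organisation's own email domains (constructed example value).
INTERNAL_DOMAINS = {"example.co.uk"}

# Cue lists drawn from the post: urgency, threat and authority language.
URGENCY_PHRASES = (
    "urgent action required", "immediate action", "limited-time offer",
    "account suspension", "within 24 hours", "act now",
)
THREAT_PHRASES = (
    "flagged for suspicious activity", "avoid disruptions",
    "will be suspended", "legal action", "tax notification",
)
# Titles phishers borrow from the authority figures the post describes.
AUTHORITY_TITLES = (
    "ceo", "chief executive", "it department", "it support", "helpdesk",
    "banking", "your bank", "hmrc", "finance director",
)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
ACTION_PATTERNS = (
    r"click (here|the link)", r"download the attached",
    r"verify your (details|account)",
)


@dataclass
class PhishingAssessment:
    flags: list = field(default_factory=list)
    score: int = 0
    risk: str = "low"


def sender_domain(from_header: str) -> str:
    """Domain part of the real address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_email(from_header: str, subject: str, body: str) -> PhishingAssessment:
    """Rate a message 'low', 'medium' or 'high' from the post's red flags.

    A spoofed authority (authority title in the display name, address on an
    external domain) combined with urgency or a threat is rated 'high'
    outright; everything else is rated from the summed score.
    """
    text = f"{subject}\n{body}".lower()
    name = parseaddr(from_header)[0].lower()
    domain = sender_domain(from_header)
    a = PhishingAssessment()

    claims_authority = any(t in name for t in AUTHORITY_TITLES)
    spoofed_authority = claims_authority and domain not in INTERNAL_DOMAINS
    if spoofed_authority:
        a.flags.append("authority display name with external sender domain")
        a.score += 3
    elif claims_authority:
        # A genuine internal sender still counts as a weak cue only.
        a.flags.append("authority display name")
        a.score += 1

    urgent = any(p in text for p in URGENCY_PHRASES)
    threat = any(p in text for p in THREAT_PHRASES)
    if urgent:
        a.flags.append("urgency language")
        a.score += 2
    if threat:
        a.flags.append("threat of harm")
        a.score += 2
    if any(g in text for g in GENERIC_GREETINGS):
        a.flags.append("generic greeting")
        a.score += 1
    if any(re.search(p, text) for p in ACTION_PATTERNS):
        a.flags.append("demands a click or download")
        a.score += 1

    if spoofed_authority and (urgent or threat):
        a.risk = "high"
    elif a.score >= 4:
        a.risk = "medium"
    return a


# Constructed sample messages mirroring the post's examples.
SAMPLES = {
    "it-update": ('"IT Department" <helpdesk@example-support.net>',
                  "Important system update required",
                  "Urgent action required: click the link to avoid disruptions."),
    "bank-alert": ('"Online Banking" <alerts@bank-secure-login.com>',
                   "Your account has been flagged for suspicious activity",
                   "Dear customer, click here to verify your details."),
    "real-ceo": ('"Jane Doe, CEO" <jane.doe@example.co.uk>',
                 "Urgent action required: board pack",
                 "Hi all, please review the attached by Friday."),
    "lunch": ('"Anna Smith" <anna.smith@example.co.uk>',
              "Lunch on Friday?", "Hi Tom, are you free for lunch on Friday?"),
}


def triage(samples: dict) -> dict:
    """Map each sample label to its risk rating."""
    return {label: assess_email(*msg).risk for label, msg in samples.items()}


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        result = assess_email(*msg)
        print(f"{label:<11} {result.risk:<6} score={result.score} {result.flags}")
```

Note that the genuine CEO message is rated low even though it uses urgent wording, because the sender domain is the organisation's own; the heuristic flags impersonation, not urgency on its own.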

Remember, cybersecurity is a shared responsibility.

It’s not just about the latest technology; it’s about empowering your workforce to be the first line of defence.

By investing in cybersecurity awareness training, you equip your employees with the knowledge and skills to navigate the ever-evolving digital landscape safely.

Understanding the psychology behind phishing tactics, particularly the allure of authority and urgency, is crucial for proactively protecting your organisation.

By prioritising cybersecurity awareness training, you empower your employees to become active participants in keeping your valuable data and systems secure. Want to learn about our cybersecurity solutions that will actually engage your employees? Click here to find out more.

Meet the women shaping the cybersecurity industry

Whilst the demand for cybersecurity expertise has never been so high amongst organisations, there remains a significant skills shortage within the industry.

Indeed, according to UK Government research, 50% of all UK businesses have a basic cybersecurity skills gap, and 33% have an advanced skills gap. It’s a situation that makes the relative rarity of women in cybersecurity all the more confusing.

Just 24% of all cybersecurity employees worldwide are women, a dramatic increase from the 11% in 2017, but still far from parity.

While progress is being made, we still have a long way to go regarding improving diversity in our sector.

In this blog, we’re chatting with female role models in the sector leading the way for a change. Let’s get started.

Meet the panelists


Melanie Oldham OBE, Founder and CEO of Bob’s Business

Melanie’s journey began back in 2007 when she was tasked with supporting the IT team at the Mid Yorkshire Chamber of Commerce to develop a method of translating cybersecurity into a format that staff would easily understand.

16 years later, Melanie has become a leading voice and respected force in the infosec sphere, dedicating herself to raising cybersecurity awareness within organisations and breaking down the barriers between IT teams and their staff. In the 2022 New Year’s Honours List, Melanie was awarded an OBE for Services to Cybersecurity.


Carolyn McKenna, Head of Security Demand, Capability & Awareness at Smart DCC

Carolyn is the Head of Security Demand, Capability & Awareness at Smart DCC – the company that has designed, built, and now manages the technology infrastructure that underpins the smart meter roll-out for Great Britain.

With a background in Information Security compliance, as well as Business Continuity Management Systems, she worked in the telecoms sector for over 25 years, before moving over to Smart DCC and the energy sector in 2018.


Anya Bridges, Junior Project Manager, Bob’s Business

Anya joined Bob’s Business in September 2020, aged just 16, as a Cybersecurity Apprentice keen to discover a sector firmly on the rise.

Since then, she’s enjoyed her own remarkable rise through the ranks, receiving promotions to Cybersecurity Technician and, most recently, Project Manager. The latter is a role she’s also undertaken at the Yorkshire Cyber Security Cluster (YCSC), before graduating to the Steering Committee.

Along the way, she’s received awards and PRINCE2 qualifications.


Cathryn O’Shea, Online Security and Support Manager at Cornerstones Education

When Cathryn graduated from the University of Huddersfield in 2014 with a degree in music, she had no idea what she wanted to do with her career.

She took an office administration job at Cornerstones Education, which was just about to launch its first online platform for schools. Cathryn helped populate the platform with content and users and built an effective customer journey.

The big challenge came when schools started asking security-based questions about their system, especially with the introduction of the GDPR, so Cathryn and the team decided to go all out and implement ISO 27001 across the business.


Caroline Kaye, MD and Principal Consultant at CRK Consulting Limited

Caroline is a mum of two, running her own consultancy business, CRK Consulting Limited, delivering ISO 27001, ISO 9001 and GDPR to businesses across the UK.

Educated to a degree level in IT and working in numerous IT roles, cybersecurity seemed a natural way forward for Caroline. The first opportunity to implement an Information Security Management System came when she worked for an IT company, and ISO 27001 certification was required to secure a large contract.

Fast-forward to today, and 2024 marks the 10th anniversary of Caroline running her own business. In that time she has worked across multiple industries such as manufacturing, software development, education and training, market research and finance, and has never looked back.


We asked them a series of questions about their achievements, the state of the industry and what they think the future holds for women in cybersecurity.

What are your greatest achievements within the cybersecurity industry?


Melanie: “Helping IT & compliance teams break through the communication barriers that exist between them and end users. Getting everyone to understand the benefits of adopting good cybersecurity practices and how a subject that creates so much resistance can really be made simple.”

“Organically growing a project that was a passion into an award-winning, internationally recognised business that provides employment and stability to a diverse, hugely talented team of individuals.”


Carolyn: “I think my greatest achievement to date is creating Smart DCC’s first intake of Degree Apprentices. We partner with Manchester Met University on their Digital & Technology Solutions Degree Apprenticeship, with four fantastic colleagues now in their final year of the course – following Cybersecurity or Data Analytics pathways. It’s such a privilege to be involved in shaping early careers.”


Anya: “As a young woman in tech, my achievements in cybersecurity include receiving the Special Recognition Award for Cyber Apprentice of the Year in 2023 and leading on impactful processes and projects for the business.”


Cathryn: “When Cornerstones planned to implement ISO 27001 in January 2018, I was promoted to Online Security and Support Manager, given the standard, and given four months until the certification audit to get things in place.”

“With the help of my fantastic team, Cornerstones are now fully certified, and is successfully monitoring and maintaining their Information Security Management System.”


Caroline: “When my clients have that light bulb moment when it all falls into place and makes sense, this gives me a warm fuzzy feeling inside knowing that I can walk away from the company and they no longer need my services. They have the skills and confidence to manage their own systems and risks. That’s a job well done.”

What advice would you give to women seeking a career in cybersecurity?


Melanie: “I think it’s essential to acknowledge bad things are going to happen, but what’s important is how quickly you dust yourself off and rise to the challenge. Accepting this has helped me develop a resilience that keeps me going when curve balls come bounding in and knock me off my feet!”

“It’s tough when your kids say ‘Mummy I hate your work, I want you to stay with me today!’ But it makes me smile when they say ‘My mum teaches people to stay safe and not be silly online’. Knowing that I am helping secure their future makes it all worth it and I have made it my personal mission to make the online world a safer place.”


Carolyn: “For girls still in school I would encourage them to step outside of what might be seen in their families or culture as traditional roles. My own daughter is 23, and works in Security Architecture at Fujitsu, having completed a Cyber Degree Apprenticeship herself.
Diversity in Security is paramount – if we all come from the same kind of background, we will all think in the same way. We need gender diversity, neurodiversity, cultural diversity and so much more in security to ensure we truly are ‘covering all bases’ regarding our ways of thinking, security controls and designs.”

“Get involved in initiatives such as Cyber First Girls Competition run by the National Cyber Security Centre, look for summer school events for cybersecurity run by companies and universities and don’t be afraid to step out of your comfort zone!”


Anya: “For women entering cybersecurity, my advice is to build a strong foundation of connections, engage in continuous learning, network actively, showcase your skills online, and most importantly have confidence in yourself.”


Cathryn: “It’s an exciting time to join the industry as the world of technology is evolving rapidly so it’s never straightforward! There’s a wealth of information, networks and support so you’re never alone.”

“I landed in this role completely out of my depth and I’m learning something new every day. Make friends, network, and don’t be afraid to challenge people and speak out.”


Caroline: “Go for it, find what area of cybersecurity best suits you, technical or governance for example, seek new challenges and opportunities, and accept that you will make mistakes, this is the best way to learn. Lean on other experts in the area, the people I have come across in this industry are so helpful and willing to share knowledge. Don’t be afraid to ask for help.”

“There are so many ways of learning; information and contacts are at your fingertips. Don’t be a know-it-all, sit back, listen to people’s opinions, and if you don’t agree, be constructive and work together – no one knows everything.”


What is it like to be a successful woman in an industry predominantly made up of men?


Melanie: “Initially, I found it quite awkward but now love the fact that I am able to inspire and energise an audience of IT professionals, that historically I was intimidated by. Knowing they really appreciate and respect my views and experiences is fantastic.”


Carolyn: “Whilst the industry is still predominantly male, I am definitely seeing more women these days, which is fantastic news. When I joined Smart DCC six years ago, I was the first and only female for over a year, with very few female applicants coming through – now 36% of our Senior & Wider Leadership Team is female!”

“I see many inspiring women at industry events now who have created their own successful cyber businesses, so the balance is slowly getting there. It is important to work in an environment where diversity and inclusion are evident so that you feel comfortable having your voice heard.”


Anya: “Being a woman in a male-dominated industry involves inspiring others, advocating for diversity, and navigating challenges with resilience. Despite occasional obstacles, the experience has been so fulfilling. I have been very fortunate to have a great team around me, and my male colleagues have consistently provided support and encouragement whenever I’ve needed it.”


Cathryn: “Rewarding! I’m in a unique position in that I work very closely alongside other successful women in the industry who have brought a wealth of experience to help us navigate the world of cybersecurity. Despite the challenges we’ve faced along the way, the rewards have definitely been worth the effort.”

“Outside of the workplace I conduct and play in both brass and concert bands, and I have come up against similar challenges because of my age and gender. It has given me the confidence to stand my ground as my career in the cybersecurity industry progresses.”


Caroline: “Liberating. One of my line managers (male) told me that I would never be a success after having children and choosing to work part-time; from that point he constantly ‘kept me in my place’ and told me that I wasn’t good enough. Looking back, I realise he was threatened by my skills and knowledge, eventually making me stronger and more determined. Since running my own business, I don’t see or have experienced any gender inequalities, or even notice anymore that I’m the only female in the room, as my presence and input is valued, based on my experiences and knowledge gained over the years.”

“When I do take a step back and reflect, it makes me proud that I can run a successful business in a male-dominated environment, what a great message and role model for my daughter – my aim has been achieved.”