What you need to know from Microsoft’s ‘Digital Defense Report 2023’

It’s Cybersecurity Awareness Month, and, as is tradition, Microsoft has released their Digital Defense Report. This year, they’re reporting on the period between July 2022 and June 2023, crunching the numbers and attempting to pin down an ever-changing threat landscape.

The report, across 131 pages, touches on the state of cybercrime, nation-state threats, the crucial cybersecurity challenges that all companies face and more.

In this blog, we’ll pull together some of the highlights and showcase some of the cybersecurity learnings that businesses need to know.

Let’s get started.

The key takeaways from Microsoft’s ‘Digital Defense Report 2023’

Good cyber hygiene is still the best defence against attacks

The report reveals that over 99% of successful cyberattacks could be prevented by following basic cyber hygiene practices.

Measures like enabling multi-factor authentication (MFA), applying zero trust principles, keeping systems patched and up-to-date, using endpoint detection and response solutions, and protecting data form a robust first line of defence for organisations of any size.

However, human error remains a primary enabler of cyberattacks.

Despite increasingly widespread security awareness training, phishing click rates have remained relatively stable.

This is largely down to the methods of training deployed by organisations. For example, the report found that video-based training only reduces phishing susceptibility by around 3% at best. More personalised, tailored training focused on actual behavioural change, like that offered by Bob’s Business, is required.

Sophisticated phishing attacks are surging

The report warns that adversary-in-the-middle (AiTM) phishing campaigns are surging dramatically. These attacks involve threat actors using reverse proxy servers to intercept and steal login credentials and session cookies, bypassing traditional protections.

Attackers are also refining social engineering by exploiting trusted third-party communications alongside sending specially crafted phishing messages based on reconnaissance of individual targets.

Ransomware is still a top threat

Ransomware continues to plague organisations, with human-operated ransomware attacks doubling over the past year.

These intrusions often exploit unpatched systems and unmanaged devices. The report observes attackers increasingly using remote monitoring tools to conceal activity and make attribution more difficult.

Business email compromise (BEC) attacks have also skyrocketed, reaching 156,000 daily attempts globally. Threat actors hijack communication threads and leverage cloud infrastructure to conduct more sophisticated invoice and payment fraud.

Nation-states prioritise cyber espionage

The report highlights a shift amongst nation-state groups away from high-volume destructive attacks towards stealthy cyber espionage campaigns.

Key targets include critical infrastructure organisations and policymakers, alongside governments and governmental bodies.

State-sponsored groups are exploiting vulnerabilities faster, enhancing cloud operations, and increasingly using custom malware and “living off the land” techniques to hide activity.

How you can build organisational resilience

Facing this complex threat landscape, the report emphasises the importance of cyber awareness training and building organisational resilience through measures like:

  • Prioritising cyber hygiene and zero trust principles
  • Providing personalised, skills-focused security training
  • Leveraging emerging technologies like AI to analyse threats and automate response
  • Implementing robust identity management and phishing-resistant MFA
  • Ensuring devices and systems are kept fully patched and up-to-date

In short, Microsoft asserts that organisations that take a strategic, resilience-focused approach to cybersecurity are best positioned to protect themselves against both commoditised attacks and sophisticated, targeted threats.

At Bob’s Business, we’ve helped millions of employees to take responsibility for their organisations’ cybersecurity through effective, engaging and entertaining training.

With over 70 interactive and gamified courses, we give your team the knowledge they need to spot and stop attacks, and to build good cyber hygiene.

Ready to learn more? Discover our range of solutions or chat with a member of our team.

Why online training is the most cost-effective way to train your staff

In business, success hinges on the delicate balance between income and expenses, and when it comes to expenses, there are few more debated than that of employee training.

In the current financial climate, it’s more important than ever to make employee training as cost-effective as possible whilst still retaining the same effectiveness.

However, traditional training methods can come with hefty costs, including travel expenses, facility rentals, and printing materials.

That is where online training steps in. It’s a cost-effective solution that not only reduces training expenses but also upskills your workforce.

Since the Covid-19 pandemic, the eLearning industry has seen exponential growth, with demand increasing by up to 400%. Ongoing changes in technology have changed how we learn. According to a recent study, an eLearning solution can save businesses up to 66% on training costs.

As one of the original online providers of cybersecurity courses for organisations, we’re uniquely qualified to explain why online training is the most cost-effective way to train your staff and why you should choose it over traditional training approaches.

Let’s get started.

Why is online training so cost-effective?

Employee time

In traditional training settings, employees often need to take significant time away from their regular work, including travel time, attending classes, and waiting for scheduled sessions to start.

This time away can result in productivity losses and additional expenses that businesses may not have accounted for. Online training, however, reduces these time-consuming factors.

Employees can access training materials from their desks, allowing them to learn at their own pace and during hours that suit them and the company.

This flexibility minimises downtime, maximises productivity, and ensures that important tasks are not delayed due to training requirements!

According to a Brandon-Hall Study, eLearning typically requires 40% to 60% less employee time than learning the same material in a traditional classroom setting.

With online training, businesses can capitalise on the hours that would have otherwise been spent on travel and idle waiting, making it a cost-effective solution for organisations of all sizes.

Travel costs

Travel expenses can quickly add up. Sending employees to off-site training locations often involves:

  • Train tickets
  • Hotel accommodation
  • Meal expenses
  • Transportation to and from the training venue

These costs can take a big chunk out of a company’s budget.

A study found that 85% of every pound spent on classroom training is spent delivering it, for example, on instructor time and travel.

Online training eliminates the need for these expenses. Employees can access training materials from their desks, their homes or even during their journey into work!

The location of training becomes irrelevant. This not only saves on travel costs but also provides a more convenient and comfortable learning environment for employees.

With online training, travel costs are removed, making it a smart financial choice for organisations.

Scalability

Scalability is a key advantage of online training for large, growing, and/or remote businesses.

Online platforms can cater to a larger number of learners without the costs associated with gathering employees in a single location.

This online scalability guarantees consistent training across multiple locations, whether multiple offices or remote workers, without the need for several training sessions in different places – pretty great, huh?

This cost-effective approach ensures that training can effectively scale with the organisation’s growth and changing needs.

Facility costs

In-person training often requires hiring a venue. The expenses don’t stop there: they can include set-up costs, equipment hire, and the venue may even charge for the use of its own staff.

These logistics can be time-consuming and costly.

If, for example, the booking of a room is £300 for the day and you need 5 training sessions, that’s £1,500 spent on the venue.

That’s before any training has even started.

Online training eliminates the need for physical facilities altogether. Employees can access training materials from their own desks or devices.

This streamlined approach not only saves money but also removes the hassle of coordinating venue logistics.

By choosing online training, businesses can allocate their funds to more essential areas of employee development, making it a sensible financial decision.

Learning material costs

Think about it – when you enter a traditional training session, what is often handed out first? A notebook and pen, right?

Imagine providing this for multiple employees in numerous training sessions – those seemingly small costs start to add up.

And let’s not forget about all the other printed materials that often end up misplaced, forgotten, or simply tossed aside once the session ends – a waste of money and resources.

Now, contrast that with online training. Online learning materials are neatly organised on online platforms accessible to all employees whenever they need them.

As well as this, any tweaks or updates to the content can be made in just a few clicks; no costly reprints needed.

This means employees always have easy access to the most up-to-date learning materials.

It’s a cost-effective choice that makes sense for businesses of all sizes.

New employees

Immediate online training for new employees is cost-effective due to its proactive approach to cybersecurity. Waiting for scheduled in-person sessions can leave new hires vulnerable, seen as potential weak links in security.

By providing instant online access to cybersecurity training, businesses can reduce their threat level.

Employees are immediately educated about security essentials, potential threats, protective measures, and reporting procedures.

This can enhance a company’s cybersecurity posture and minimise the potential costly consequences of successful attacks.

It is a wise investment in protecting your company from increasingly clever cyber threats, ultimately saving time associated with breaches and downtime.

Continuous learning

Online training offers the flexibility to adapt quickly. A training session can be created and delivered instantly online when a new threat emerges.
This ensures that employees stay up-to-date with the latest cybersecurity practices and aware of emerging threats.

By embracing continuous learning through online training, businesses can maintain a strong defence against increasing cyberattacks and reduce the potentially costly consequences of a successful attack.

As employers adopt online learning to develop their workforce, they are estimated to bring in 26% more revenue.

Online training is the new proactive and cost-effective approach to cybersecurity!

Flexible training

Online training provides a flexible approach tailored to your business’s specific requirements.

You have the freedom to customise the training content to meet the specific cyber needs of your employees or the internal policies.

Online platforms offer the opportunity to establish social forums, enabling employees to share their experiences, including raising awareness about recent phishing emails they’ve received.

This creates a strong cybersecurity culture within your organisation.

This adaptability ensures that your training aligns precisely with your business objectives, making it a valuable and cost-effective resource.

It empowers your employees to learn and grow in a manner that best benefits your organisation’s success.

Need more reasons to choose online training?

More reasons to choose online learning:

  • Gamification: Training is most effective when employees are motivated. Online training games can tap into natural competitiveness, which makes learning enjoyable.
  • Accessible to all: Online training is available to everyone, regardless of location, language, health or situational challenges.
  • The greener option: Studies show online courses use 90% less energy and emit 85% less CO2 per student compared to traditional in-person courses.
  • Time efficiency: Corporate eLearning typically requires 40–60% less time from employees than traditional classroom instruction.

If you’ve gotten this far, we assume you’re coming around to online learning as the most effective way to train your employees.

We agree. That’s why our training is 100% eLearning and hosted on our innovative in-house LMS. With over 15 years of experience, we’re here to help make your training beautifully simple. Discover our wide range of courses and get started today.

Bob’s Business announces CyberLearn, our innovative in-house LMS

At Bob’s Business, we’re always striving to deliver outstanding training experiences to our customers. It’s been our goal since we were founded in 2007, and it’s as true in 2023 as it was all those years ago.

Now, in what marks the sounding of the starting gun for our next phase of business evolution, we’re delighted to announce that our in-house Learning Management System’s full launch is complete.

That’s right – CyberLearn is live for all.

Developed in conjunction with Can Studios, CyberLearn is a customised version of their Training Post learning management system, tailored to our unique needs. This offers a host of benefits for organisations, including:

Tailored Learning Experience: With CyberLearn, we introduce a new era of personalised learning experiences. The platform’s versatile architecture allows for bespoke features and functionalities, ensuring that businesses receive training solutions tailored to their unique requirements.

Agile Development: Empowered by CyberLearn, we’re accelerating the pace of feature development and deployment. This agility translates to faster response times to customer needs and rapidly integrating new, value-driven features into the platform.

Scalability and Flexibility: CyberLearn has been architected to seamlessly scale with the evolving needs of businesses. The platform accommodates growth from small enterprises to large corporations while maintaining optimal performance and user experience.

Robust Data Security: By leveraging CyberLearn, we control data security measures completely. This ensures the utmost protection of organisational information, fostering an environment of trust and confidence.

“Our transition to CyberLearn is a testament to our dedication to innovation and customer-centric focus. This milestone reflects our commitment to equipping businesses with a dynamic learning platform that adapts to their needs and helps build positive cultures,” remarked Melanie Oldham, OBE, CEO at Bob’s Business.

“We are thrilled to collaborate with Bob’s Business in this endeavour. The specialised version of our Training Post LMS speaks to the flexibility and robustness of our platform. By joining forces, we are elevating the e-learning experience for Bob’s Business’s clients and showcasing the adaptability and power of Training Post,” commented Paul Hilton, CEO of Can Studios.

Ready to learn more about our Learning Management System? Contact a team member and discover how it can level-up your organisation’s training.

This month in data breaches: September edition

September has left the building, but while the kids are (finally!) back in school, for many businesses, the headaches have only just begun.

We speak, of course, about cybersecurity breaches. In this blog, we’ll look into how even the most security-conscious individuals and organisations can fall victim to cyberattacks – alongside sharing how your company can stay protected against similar threats.

Let’s get started.

September’s biggest data breaches

Topgolf Callaway

American sports equipment manufacturing giant Topgolf Callaway faced a significant data breach last month, putting the sensitive data of over a million customers at risk.

The company promptly emailed customers, explaining that a third party had breached their systems and accessed data, including names, shipping addresses, email addresses, phone numbers, order histories, passwords, and answers to security questions.

Fortunately, payment information remained secure and was not compromised in the breach.

This breach is particularly concerning because it also exposed data from affiliated brands under the Topgolf Callaway umbrella.

All affected customers were required to reset their passwords as a precautionary measure.

The identity of the party responsible for this breach remains unknown. However, the stolen data poses a serious threat, as it can be exploited for identity theft and phishing attacks.

This serves as a reminder of the necessity of a response plan.

By immediately informing those affected and enforcing a password reset, you can lessen the impact of an incident and heighten everyone’s awareness against potential follow-up attacks, such as a phishing email.

Digital ID and The Greater Manchester Police

Thousands of Greater Manchester police officers and staff have had their personal details compromised. This attack is linked to a third-party supplier, Digital ID, responsible for identity cards and lanyards for UK organisations.

The breach involved the theft of officers’ warrant card information, including names, ranks, photos, and serial numbers, through a ransomware attack.

While financial data remains secure, there are concerns regarding the safety of undercover officers and ongoing investigations.

The National Crime Agency (NCA) is actively investigating the Digital ID breach. Greater Manchester Police is working closely with the Information Commissioner’s Office (ICO), which will conduct its own enquiry.

This incident emphasises the risks of outsourcing sensitive data to third parties and highlights the pressing need for ongoing vigilance, especially in law enforcement and public safety organisations.

Pizza Hut Australia

Pizza Hut Australia also fell victim to a cyber-attack in September, exposing customer information and order details.

The breach came to light in early September, prompting immediate action from the company.

Phil Reed, the CEO of Pizza Hut Australia, informed customers via email about the incident. He stated that an ‘unauthorised third party’ had accessed some of the company’s data.

In response, Pizza Hut took swift action to secure its systems, engaged forensic and cybersecurity experts, and initiated an investigation to determine the extent of the breach.

The compromised data includes customer details and online order information, such as names, delivery addresses, email addresses, and contact numbers.

For registered accounts, encrypted credit card numbers and passwords were also accessed.

Approximately 193,000 customers were impacted and received guidance on avoiding potential future scams.

This incident highlights the importance of working with cybersecurity experts to minimise the impact of data breaches.

By collaborating with cybersecurity professionals, organisations can improve their overall security measures and decrease the likelihood of such incidents occurring in the first place.

What your organisation can learn from September’s data breaches

September’s data breaches stress a crucial lesson: cyber threats affect all.

Here are valuable lessons your organisation can take from these incidents to improve your cybersecurity systems.

  1. No one is exempt: Cyber threats spare no one. Regardless of the size or industry of your organisation, it’s important to remain alert to attacks. Regular assessments can help identify vulnerabilities and weaknesses before attackers do.
  2. Effective response planning: Developing and regularly updating an incident response plan is crucial. It enables swift and effective action during a breach to mitigate its impact.
  3. Third-party risk management: If your organisation relies on third-party suppliers like Digital ID, ensure they adhere to robust cybersecurity standards. Protecting your data is a shared responsibility.
  4. Education and awareness are key: Educate your employees on essential cybersecurity practices, including phishing awareness, password security, and defence against social engineering tactics.
  5. Invest in training: Invest in cybersecurity training for your employees. A well-informed employee is a critical defence against cyber threats.

How can Bob’s Business help you avoid cyber breaches

At Bob’s Business, we offer affordable awareness training solutions designed to give employees the knowledge they need to protect their data and their organisation.


As part of our dedication to supporting organisations in strengthening their cybersecurity, we’ve created a free Cybersecurity Awareness Month Pack for your organisation.

This resource pack is designed to help you improve your security and reduce the risk of cyberattacks. Click here to get your free pack.

Cybersecurity Awareness Month 2023 at Bob’s Business

October is Cybersecurity Awareness Month, and this year is particularly special as we mark the 20th anniversary.

Since 2003, the National Cyber Security Alliance has teamed up with the government and private industries to increase cybersecurity awareness in a bid to help users prevent cyber attacks.

This year’s theme is “Secure Our World”, as it aims to promote cybersecurity tips and best practices that are not restricted to October but can be followed throughout the year.

In this blog, we’ll take a closer look at some of the significant data breaches from the past year, and review the NCSA’s recommended best practices for cybersecurity going forward.

Let’s get into it!

What can we learn from the last 12 months of data breaches?

Northern Ireland Police (PSNI)

In August, a monumental data breach occurred when sensitive information of nearly 10,000 PSNI staff was exposed online for three hours.

This breach highlighted the importance of ongoing employee training and awareness initiatives, especially in large organisations where attacks can have a long tail and substantial impact.

MOVEit

June 2023 witnessed a widespread data breach affecting over 100 organisations. The Clop ransomware gang was responsible for the breach.

This incident has reminded us of how important it is to implement strong cybersecurity measures. This includes proactive security measures, keeping your security up to date, and having an incident response and reporting plan to respond to incidents like this.

NHS

During the year, thousands of NHS patients’ data leaked due to a phishing attack.

The attacker accessed an employee’s email account containing confidential patient information, highlighting the risks of phishing.

This stressed the importance of thorough employee training and regular security policy reviews.

Pepsi

In February, Pepsi experienced a data breach from a malware attack on its payroll systems.

This breach exposed employee data, including names and social security numbers, stressing the need for continuous software monitoring and updates.

These 2023 data breaches provide a reminder of the significance of cybersecurity awareness and the best practices to follow to protect sensitive information.

Four key practices for year-round cybersecurity

Create strong passwords and use a password manager

We have all encountered a friend or colleague with a password that ends in the infamous “123.”

These kinds of passwords, while easy to remember, are also the first ones potential hackers might guess.

It’s no secret that they provide little protection.

Three tips to strengthen your password security:

  1. Use three random words: Picking three unconnected, random and memorable words will ensure your password is easy to recall but hard to crack.
  2. Mix in numbers and symbols: By incorporating a combination of numbers and symbols, you significantly increase the complexity of your password.
  3. Never use the same password twice: It’s a golden rule of password security – never reuse passwords across different accounts.

However, remembering unique and complex passwords for every service can be tricky, which is why using a secure password manager is recommended.

A password manager can safely store all your passwords with the only requirement of remembering one password.

Turn on Multi-Factor Authentication

Multi-Factor authentication (MFA) is like an extra lock for your digital doors, available to all and strongly recommended. If someone somehow guesses your password, MFA acts as a second line of defence.

Even with your password, they can’t access your information without your active involvement. Users should set up MFA in a way that requires a secondary code sent to another device when a password is entered.

This extra step helps to verify your identity.

Recognise and report phishing

Phishing attacks are a growing problem and have evolved significantly over the last 20 years, becoming increasingly sophisticated.

This Cyber Awareness Month aims to educate users on how to spot and report phishing attacks before any consequences occur.

Telltale signs of phishing:

  • Urgent or alarming language
  • Requests for personal and financial information
  • Poorly written or misspelt messages
  • Incorrect email addresses, domain names, or links (e.g., “facbook.com”)
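The last telltale sign, a link whose domain is almost but not quite the real one, is the one a script can check mechanically. The following is an added example, not code from the original post or from Bob’s Business: it compares the domain of each link in a message against a small constructed allow-list of genuine domains, flags near-miss spellings such as “facbook.com” by edit distance, and also catches the related trick of using a genuine brand domain as a subdomain of an unrelated host. The allow-list, the sample email text and the distance threshold are all assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list for this example; a real deployment would use the
# organisation's own list of brands and suppliers it actually receives mail from.
KNOWN_DOMAINS = {"facebook.com", "microsoft.com", "paypal.com"}

# Matches http(s) URLs and bare "something.tld" domains in free text.
URL_RE = re.compile(r"https?://[^\s<>\"')]+|\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Crude 'brand.tld' extraction: the last two labels of the hostname.
    Assumption for the example: multi-part suffixes such as co.uk are not handled."""
    labels = hostname(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_link(url: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return (verdict, matched_known_domain).
    'known'     exact match to an allow-listed domain
    'embedded'  a known domain used as a subdomain of an unrelated host
    'lookalike' near-miss spelling of a known domain (e.g. 'facbook.com')
    'unknown'   anything else (not necessarily safe, just not a known brand)"""
    host = hostname(url)
    reg = registrable_domain(url)
    if reg in KNOWN_DOMAINS:
        return "known", reg
    for known in KNOWN_DOMAINS:
        # brand appears as a leading/inner label: facebook.com.login-example.net
        if host.startswith(known + ".") or ("." + known + ".") in host:
            return "embedded", known
    closest = min(KNOWN_DOMAINS, key=lambda k: levenshtein(reg, k))
    if 0 < levenshtein(reg, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def flag_links(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Every link in the text that is not an exact match to a known domain."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        verdict, known = classify_link(url)
        if verdict != "known":
            results.append((url, verdict, known))
    return results


# Constructed sample message (not a real phishing email) showing the two tricks.
SAMPLE_EMAIL = """Urgent: your account will be suspended. Verify now at http://facbook.com/secure
or via https://facebook.com.login-example.net/verify . Questions? https://www.facebook.com/help"""

if __name__ == "__main__":
    for url, verdict, known in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}  (resembles {known})")
```

On the sample message the script reports the “facbook.com” link as a lookalike of facebook.com and the “facebook.com.login-example.net” link as an embedded brand, while leaving the genuine www.facebook.com link alone. The edit-distance threshold is deliberately low; raising it catches more typosquats but also produces more false positives on short, unrelated domains, so it is a tuning knob rather than a fixed rule.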

Reporting protocols:

  1. If you suspect phishing, report it to protect yourself and others.
  2. When in doubt, forward the message to your security team.
  3. Don’t reply, click on attachments, or follow any links, including “unsubscribe” links.

By following these simple steps, you can play a crucial role in staying safe from phishing attempts and keeping your information secure.

Update your software

Although that “new update available – click now” button might sometimes seem inconvenient, skipping these updates can leave you open to attacks.

Updates fix problems and patch security holes, denying hackers easy access.

  • Check for notifications: Keep an eye on notifications from your devices and applications, and manually check for updates in web browsers and antivirus software.
  • Act promptly: When software updates pop up, especially the important ones, don’t delay. Install them right away.
  • Turn on automatic updates: Protect your data further by turning on automatic updates. Your devices will handle updates as soon as they’re available.

How can Bob’s Business help you this cybersecurity month and beyond?

At Bob’s Business, we know that raising employee awareness is a year-round process!

That’s why we offer uniquely engaging training courses to enhance your security and truly effective phishing simulations for organisations of all sizes.

In addition, this Cybersecurity Awareness Month, we have created a free Cybersecurity Awareness Month Pack, especially for your organisation.

This pack will provide you with the resources to enhance your security, including checklists, email templates, and password guides! Interact with the bot below 👇

Free Cybersecurity Awareness Month pack

It’s Cybersecurity Awareness Month, and we’re thrilled to announce the release of our Free Cybersecurity Awareness Month Pack! 🎉

This pack will equip you and your team with resources to enhance your cybersecurity awareness throughout October and beyond. Here’s what you’ll find in the pack:

  • Cybersecurity Awareness Quick Wins Checklist: A handy guide to quickly bolster your cybersecurity defences with actionable tips and best practices.
  • Cybersecurity Awareness Month Desktop Wallpaper: Keep the importance of cybersecurity at the forefront of your mind with a stylish desktop wallpaper.
  • Email Footer Promoting Good Cyber Health: Easily add an email footer to your communications, spreading awareness about cybersecurity best practices.
  • Reusable Blog on the Importance of Reporting: Give your team a heightened understanding of the importance of reporting with a blog to use on your website or via email.
  • Four Email Templates for Your Team: Effortlessly communicate the importance of cybersecurity to your team with our pre-designed email templates, discussing common social engineering techniques.
  • Guides on Passwords, Onboarding, Phishing, and Remarkable Realities: Dive deep into crucial aspects of cybersecurity with our comprehensive yet approachable guides.

Ready to get started? Interact with the bot below to gain instant access now! 👇

What is social engineering?

When most people think of cyber threats, they picture complex coding and hackers exploiting software vulnerabilities.

However, one massive threat is often overlooked and misunderstood – social engineering.

But, what exactly is a social engineering attack?

Picture a scenario where hackers don’t rely on cracking complex codes.

Instead, they employ a different strategy: charm and familiarity. They convince users to hand over sensitive information willingly.

It’s a clever but simple tactic that can severely impact a company.

To shed light on this underestimated cyber threat, we will uncover further insights into how this attack occurs and how to prevent it from affecting your company.

Let’s get into it!

What is a social engineering attack?

Social engineering is like hacking the human mind.

Instead of targeting software or hardware, attackers manipulate human emotions, trust, and vulnerability to achieve their goals.

They exploit human traits such as curiosity, obedience, and the willingness to assist others. By posing as trusted contacts, they can extract sensitive information without the user realising they’re compromising the company’s security.

Methods of social engineering

Phishing

One of the most widespread social engineering techniques is phishing. Attackers send deceptive emails or messages that appear to come from trusted sources, aiming to persuade victims into revealing sensitive information like passwords or financial details.

For example, a user might receive an email that appears genuine from their bank, asking them to verify their account information by clicking a link.

Pretexting

In pretexting, the attacker constructs a fictional scenario to gain personal information. They may impersonate a co-worker to gain trust.

For instance, a pretexting scammer might pose as an employee and request the payroll department to update their banking details, claiming it’s necessary to receive their salary.

Baiting

Baiting involves tempting victims with enticing offers or items, such as free software downloads or free vouchers.

These tempting rewards come with a catch – malware or malicious software. Once downloaded, it can compromise the system’s security.

Tailgating

Also known as piggybacking, this technique involves gaining physical access by following an authorised person into a secure building or area.

This attack can be as simple as exploiting a person’s natural inclination to be courteous by holding a door open. This can allow an attacker to enter an area, steal information, or insert malicious media into a computer.

Vishing (voice phishing)

Vishing employs phone calls to trick individuals into disclosing sensitive information, like debit card numbers or login credentials.

Attackers frequently impersonate trusted entities such as banks or government agencies. Victims might feel pressured to share information due to fear or a sense of urgency.

How social engineers gain access to sensitive data

  1. Social media
    Social engineers closely study their targets’ social media profiles, gathering personal information that can aid in password guessing. This also assists them in creating a deceptive persona that appears trustworthy, leveraging this familiarity to manipulate victims.
  2. Building rapport
    Hackers may engage in seemingly harmless conversations over an extended period, gradually building trust and rapport with their targets. This can make the victim more likely to share sensitive information.
  3. Targeting the weakest link
    Social engineers frequently concentrate on individuals seen as the most vulnerable, such as new employees or those with limited cybersecurity knowledge.

Real-life case: Caesars Entertainment

To truly understand the severity of social engineering attacks, let’s look at a real-world example involving one of the giants in the hospitality and casino industry – Caesars Entertainment.

Caesars Entertainment disclosed a social engineering attack in September 2023.

Hackers managed to compromise the personal data of a significant number of loyalty programme customers. The breach stemmed from a social engineering attack on an outsourced IT support vendor, not on Caesars’ own staff.

The attackers, although unidentified, are believed to be part of a relatively inexperienced and young hacking group suspected to have bases in the UK and USA.

Rachel Tobac, CEO of SocialProof Security, an expert in social engineering prevention, highlighted a concerning trend: many organisations predominantly focus on defending against email-based threats, leaving them ill-prepared to counteract phone-based attackers effectively.

This highlights the pressing need for heightened awareness revolving around social engineering attacks.

How to prevent social engineering attacks

Prioritise employee awareness

Your employees are the first defence against social engineering attacks. Educate them about the various methods social engineers employ – stressing the importance of vigilance and scepticism.

Create a culture of cybersecurity awareness where employees actively identify and report suspicious activity.

Verify calls and emails

Train your employees to verify the authenticity of calls and emails, especially those requesting sensitive information or urgent actions.

Encourage them to rely on trusted contact information from official company sources, rather than solely trusting information provided in the communication.

Implement two-factor authentication (2FA)

Utilise 2FA wherever possible to add an additional layer of security. It protects accounts and systems even if a password is phished or leaked, with one caveat worth knowing: adversary-in-the-middle phishing kits can relay a one-time code or a push approval to the real site in real time, so for your most exposed accounts prefer phishing-resistant methods (FIDO2 security keys or passkeys), which only work on the genuine site.

Conduct regular training

Schedule regular training sessions and simulations to evaluate your employees’ ability to recognise and respond to social engineering attempts.

These exercises help strengthen cybersecurity awareness and readiness.

Establish reporting protocols

Create clear and user-friendly protocols for reporting suspicious activities or potential security breaches.

Ensure that employees are well-informed about how and where to report such incidents, with the assurance that their concerns will be taken seriously.

Secure physical access

Implement physical security measures to prevent unauthorised access to sensitive areas within your organisation. This includes the use of access controls, keycards, and CCTV.

Stay informed

Stay up-to-date with the latest social engineering tactics and trends. Being aware of evolving methods is essential for staying protected against these attacks.

How Bob’s Business can help

At Bob’s Business, we understand the importance of raising employee awareness through ongoing training.

We offer tailored courses to enhance your company’s security, covering everything from employee training on social engineering attacks to simulated phishing exercises.

With our expertise, you can empower your team to defend against these threats, strengthening your cybersecurity.

Click here to learn more about our range of social engineering and cybersecurity courses for your team.

Back to school: protecting students, staff, and data in education

The new school year is about to kick off, and with it, a buzz of excitement among students and staff for new beginnings and opportunities.

However, this period also brings an elevated risk of cyber threats.

According to UK government statistics, the education sector ranks as the country’s second most targeted sector for cybercrime.

In this blog, we will explore the importance of cybersecurity in education and provide insights to assist educational institutions in practising secure cybersecurity measures – especially during this heightened period of cyber threats.

What cyber risks will students encounter?

Phishing

New email addresses and unfamiliar sources:

Phishing emails pose a more significant concern as the school year begins.

Here’s why: at the start of the year, there is an influx of new students and staff, resulting in numerous new names and email addresses being added to the system.

This can make it challenging to distinguish trusted sources from unfamiliar ones.
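Both this passage and the earlier advice to verify emails against trusted contact information come down to one check: is the sender’s domain actually one of ours, or a lookalike? The Python below is an added example, not code from the original post or from Bob’s Business. It assumes a small trusted-domain list, a hand-picked substitution table of characters attackers swap, and an Authentication-Results header stamped by your own mail gateway; all of these are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for the example: domains this organisation treats as its own or as
# known partners. In practice this list comes from your directory or mail gateway.
TRUSTED_DOMAINS = {"example-college.ac.uk", "example-bank.co.uk"}

# Substitutions attackers use to build lookalike domains (assumption: a small
# hand-picked table, not a full Unicode confusables list). Multi-character pairs
# run first so 'rn' becomes 'm' before '1' becomes 'l'.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"), ("7", "t")]


def canonical(domain):
    """Lower-case, strip accents and apply the substitution table so that
    'examp1e-college.ac.uk' and 'example-college.ac.uk' compare equal."""
    domain = unicodedata.normalize("NFKD", domain.strip().lower())
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    for lookalike, real in SUBSTITUTIONS:
        domain = domain.replace(lookalike, real)
    return domain


def levenshtein(a, b):
    """Edit distance; a small distance between two different domains is a lookalike."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def sender_domain(from_header):
    """Domain of the address in a From: header. The display name is ignored on
    purpose: 'Payroll Team <x@attacker.example>' is the classic pretext."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(from_header, auth_results=""):
    """Return 'trusted', 'unauthenticated', 'lookalike' or 'unfamiliar'.

    auth_results is the Authentication-Results header stamped by your own mail
    gateway. A trusted domain whose message did not pass DMARC is reported as
    unauthenticated, because that is what a spoofed internal email looks like."""
    domain = sender_domain(from_header)
    if not domain:
        return "unfamiliar"
    # Exact match or a genuine subdomain (mail.example-college.ac.uk).
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted" if "dmarc=pass" in auth_results.lower() else "unauthenticated"
    if any(ord(c) > 127 for c in domain):
        return "lookalike"   # non-ASCII label, while every trusted domain is ASCII
    canon = canonical(domain)
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain:            # example-bank.co.uk.secure-login.example
            return "lookalike"
        if canon == canonical(trusted) or levenshtein(canon, trusted) <= 2:
            return "lookalike"
    return "unfamiliar"


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ("IT Helpdesk <helpdesk@example-college.ac.uk>",
         "mx.example; dmarc=pass header.from=example-college.ac.uk"),
        ("IT Helpdesk <helpdesk@example-college.ac.uk>",
         "mx.example; dmarc=fail header.from=example-college.ac.uk"),
        ("Payroll <payroll@examp1e-college.ac.uk>", ""),
        ("alerts@example-bank.co.uk.secure-login.example", ""),
        ("newsletter@some-vendor.example", ""),
    ]
    for header, auth in samples:
        print(f"{classify_sender(header, auth):15} {header}")
```

The trusted set is checked before the lookalike logic so that a genuine domain failing DMARC is reported as unauthenticated rather than trusted; that is the bucket a spoofed “from the IT team” email lands in, and it is the case the onboarding-season phish relies on.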

Communication patterns and onboarding:

Many new users may not yet be familiar with the typical communication patterns within the educational institution.

This lack of familiarity makes it harder to tell safe emails from potentially malicious ones. Cyber attackers take advantage of this by sending phishing emails such as “Click here to set up your new account”.

Attackers assume that amid all these unfamiliar emails, users will be less suspicious and believe it to be part of the onboarding process.

Concerning urgency and information overload:

Another significant issue arises from the surge of important messages at the beginning of the school year.

These messages may include crucial information like new deadlines, enrolment details, and administrative announcements.

Phishing emails often create a sense of urgency, claiming immediate action is required to avoid consequences.

Users are more likely to act hastily without scrutinising the email’s authenticity.

System updates

Devices that sit switched off over the summer holiday miss the updates released while they were idle, and central maintenance windows are often deferred until staff return.

Those updates may not be fully applied until the new academic year is under way, leaving vulnerabilities that already have a fix available open for cybercriminals to exploit.

Weak password security

As the new year starts after a prolonged break, many individuals might not have logged into their accounts for an extended period of time.

Consequently, they might struggle to remember their passwords, leading to a surge in password reset requests.

Additionally, some individuals may opt for easily guessable passwords in a hurry, unknowingly compromising security.

Lack of cybersecurity education

The start of the school year introduces new students and staff, many of whom have not yet received proper cybersecurity education or have forgotten essential security measures over the break.

This knowledge gap can make them vulnerable to phishing attacks, malware, and other online threats.

The risks associated with poor security in education

Data breaches and privacy violations

Phishing attacks, weak password security, and a lack of cybersecurity education can lead to data breaches within educational institutions.

If cybercriminals successfully attack systems, they can gain access to sensitive student and staff data, including personal information, financial records, and academic records.

Such breaches compromise individual privacy and expose the institution to legal liabilities, reputational damage, and financial losses.

Disruption of academic activities

Vulnerabilities left open by delayed updates can disrupt academic activities: a successful attack can take down the critical systems and resources that support teaching, learning, and administrative functions.

These disruptions can result in a general loss of productivity, negatively impacting the overall educational experience.

A drain on resources

Addressing the aftermath of cyberattacks, including data breaches and system compromises, often requires significant resources.

Compromised institutions must work to recover and restore compromised systems, which can be time-consuming and expensive.

These unexpected costs can strain the budget of educational institutions, diverting funds from other essential educational initiatives.

How to protect your institution

Cybersecurity training and awareness programmes:

Implement regular and mandatory cybersecurity training and awareness programmes for all students and staff members.

These programmes should cover topics such as identifying phishing emails, creating strong and unique passwords, recognising common cyber threats, and understanding the importance of data security.

Through education, institutions empower individuals to play an active role in cybersecurity defence.

Multi-factor authentication (MFA):

Enforce multi-factor authentication (MFA) across all institutional accounts and systems. MFA adds an extra layer of security by requiring users to provide two or more forms of verification before granting access.

This protects accounts from unauthorised access even if a password is compromised. Where accounts are exposed to adversary-in-the-middle phishing, prefer phishing-resistant methods such as FIDO2 security keys or passkeys over codes sent by SMS.
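The 2FA recommendation in the social engineering post above and the MFA advice here rely on the same mechanism at the account end: a second factor the attacker does not hold. Below is an added example, not code from the original post or from Bob’s Business, of how a server verifies a time-based one-time password (TOTP, RFC 6238) in Python, including the clock-drift window and the replay protection that implementations often forget. The shared secret used is the RFC test key, constructed for the example; real secrets must be generated randomly per user.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the number of `step`-second
    intervals elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded):
    """Authenticator apps exchange secrets as base32 (the otpauth:// URI format)."""
    clean = encoded.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


class TotpVerifier:
    """Server-side state for one user: the shared secret, the acceptance window
    for clock drift, and the last counter accepted so that a captured code cannot
    be replayed inside its window."""

    def __init__(self, secret, window=1, step=30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1

    def check(self, code, at=None):
        """Accept `code` if it matches the current interval or one within `window`
        intervals either side, and that interval has not already been used."""
        at = int(time.time()) if at is None else at
        now = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue                       # already consumed: replay attempt
            # compare_digest keeps the comparison constant-time.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test key, constructed for the example; generate real secrets
    # randomly per user and store them encrypted at rest.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)                                   # "287082" per the RFC vectors
    print("first use:", verifier.check(code, 59))             # True
    print("replay:   ", verifier.check(code, 59))             # False
    print("drift:    ", verifier.check(totp(secret, 60), 89)) # True: interval 2 is within the window
```

The code also makes the caveat visible: the server only checks that six digits match, so a code typed into an adversary-in-the-middle phishing page and relayed within the same 30-second step verifies fine. TOTP defeats password reuse and leaks, not real-time relay; phishing-resistant factors (FIDO2 security keys, passkeys) bind the response to the genuine site’s origin.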

Regular system updates and patch management:

Establish a robust system for regularly updating and patching all software, applications, and systems within the institution’s network.

Ensure that critical security patches are applied promptly to address known vulnerabilities. This proactive approach reduces the risk of cyberattacks targeting outdated or unpatched software.

Additionally, schedule routine updates for periods of reduced activity, such as overnight or when devices are not in use, to minimise disruption to academic activities, but never let that scheduling delay a critical security patch.

How Bob’s Business can help your educational institution

At Bob’s Business, we provide engaging eLearning cybersecurity training that helps to protect educational sector organisations like the University of Northampton and DMAT Schools.

Our training empowers every team member to recognise and effectively respond to cyber threats, protecting your organisation from the 90% of breaches attributed to human error.

Our training modules are conveniently designed in bite-sized portions, ensuring interactivity and easy integration into your busy schedule.

Eager to learn more? Explore our selection of cybersecurity awareness training products by clicking here.

Five crucial lessons from breached businesses

Cyber breaches are relentless and pose ongoing challenges for organisations to protect their data.

The reality is that no organisation, regardless of size or industry, is immune to the potential consequences of a data breach (we hate to be the ones to tell you!).

In this blog, we will focus on learning from real-life examples of businesses that navigated and recovered from cyber breaches.

Examining their experiences gives us insights into practical strategies for enhancing resilience and security.

Let’s get into it!

Activision

In early December 2022, Activision, a prominent video game maker, fell victim to a data breach.

Hackers compromised an employee through SMS phishing, gaining unauthorised access to the company’s internal systems.

Activision stated that no sensitive employee data, game code, or player data was accessed. An analysis of the leaked data by ‘Insider Gaming’, a video game publication, nevertheless reported that it included employee details such as full names, email addresses, phone numbers, salaries, and work locations.

The phished employee’s Slack account provided the entry point: the attackers used it to send malicious links to other employees in an attempt to widen their access.

The breach therefore came down to human error, an employee clicking a malicious link in an SMS phishing text.

Upon discovering the breach, Activision’s dedicated information security team swiftly initiated countermeasures to address the SMS phishing attempt and rectify the situation.

Activision’s rapid response and comprehensive investigation effectively curtailed the breach’s impact.

This incident shows the importance of addressing human error and rapidly securing sensitive information.

It serves as a reminder that continuous cybersecurity training and vigilant practices are essential within organisations to avoid similar breaches.

Cathay Pacific

In October 2018, Cathay Pacific, the Hong Kong-headquartered airline, disclosed a security breach that dated back to October 2014 and had gone undetected for years.

Hackers had gained unauthorised access to its systems and compromised sensitive passenger data, including personal information like names, contact details, and passport information.

The attackers used malware to harvest credentials and reach administrative systems, affecting 9.4 million passengers worldwide.

The UK Information Commissioner’s Office (ICO) investigation found a catalogue of basic failings rather than a sophisticated attack: backup files that were not password protected, unpatched internet-facing servers, operating systems no longer supported by their developer, and inadequate anti-virus protection.

In response to this breach, Cathay Pacific undertook a series of comprehensive measures to enhance their cybersecurity.

These measures included a dedicated focus on data governance, network security protocols, stringent access controls, comprehensive cybersecurity education programs for employees, and an advanced incident response framework.

Cathay Pacific also acknowledged the ongoing need to invest in evolving IT security systems due to the continuously escalating landscape of cyber threats.

As a consequence of this breach, the UK Information Commissioner’s Office (ICO) imposed a fine of £500,000.

This incident prompted the company to reiterate its commitment to collaborating with authorities and emphasise its dedication to protecting personal data.

This case highlights the crucial significance of proactive cybersecurity measures and the persistent drive for continuous enhancements to mitigate evolving cyber threats effectively.

Marriott Hotel & Resorts

In January 2020, Marriott Hotels & Resorts suffered a significant security breach: attackers used the login credentials of two employees at a franchise property to access an application used to provide guest services.

Those compromised credentials gave unauthorised access to the records of up to 5.2 million guests.

The records contained personal data such as contact information, gender, birth dates, loyalty account details, and stay preferences; Marriott said it had no reason to believe that passwords, payment card details or passport information were involved.

Marriott’s security team identified the activity at the end of February 2020 and stopped it; the access is believed to have started in mid-January.

The £18.4 million fine that the UK Information Commissioner’s Office (ICO) imposed on Marriott in October 2020 related to a separate, earlier breach of the Starwood guest reservation database (2014 to 2018), for which the ICO had initially issued a notice of intent to fine £99.2 million.

The hotel chain contacted affected guests through emails, established a dedicated website, and introduced a call centre to assist guests.

These resources included a step-by-step guide to respond to the breach and details about enrolling in a personal information monitoring service for those affected.

A spokesperson from Marriott stated “Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems.”

The lesson is that a single set of stolen employee credentials can expose millions of records unless access is protected by multi-factor authentication and monitored for unusual activity.

How you can protect your business from cyber attacks

  1. Implement strong password policies:
    Require long, unique passwords, screen them against lists of passwords known to have been breached, and do not force routine periodic changes, which NCSC guidance advises against because it pushes people towards predictable variations. Add multi-factor authentication for an extra layer of security.
  2. Regular employee training:
    Educate your employees about the latest cyber threats, phishing scams, and best practices for identifying and reporting suspicious activities.
  3. Update software and systems:
    Keep all software, applications, and systems updated with the latest security patches. Outdated software can be vulnerable to known exploits.
  4. Network security measures:
    Employ firewalls, intrusion detection systems, and encryption protocols to safeguard your network and data from unauthorised access.
  5. Data backups and recovery plans:
    Regularly back up your critical data to secure locations. Develop a robust data recovery plan to ensure business continuity in case of a cyber attack.

By adopting these proactive measures, your organisation can significantly reduce the risk of falling victim to cyber-attacks and protect sensitive information from potential breaches.

How Bob’s Business can help you

At Bob’s Business, we understand human error’s vital role in cyber attacks and the critical importance of protecting your organisation against potential breaches.

Our comprehensive cybersecurity awareness training empowers your employees with the knowledge and skills they need to become the first line of defence against cyber attacks.

Get in touch with us today to learn how Bob’s Business can partner with your organisation to enhance cybersecurity awareness and ensure a safer digital environment for your business.

This month in data breaches: August edition

The kids might be on their break, but cybercriminals and scammers haven’t slowed down, with August witnessing multiple notable data breaches with widespread implications for organisations like yours.

Let’s take a closer look at the causes of these breaches, the promptness of their handling, and explore potential strategies that could have averted these data breaches.

August’s biggest data breaches

Northern Ireland Police

On the 8th of August, the Police Service of Northern Ireland (PSNI) suffered a data breach, exposing sensitive information.

For around three hours, the names, ranks, grades, work locations, and departments of nearly 10,000 PSNI officers and staff were publicly available.

The breach stemmed from human error: a spreadsheet attached to a Freedom of Information response contained a hidden tab holding the full staff list. It has been deemed “monumental”, given the elevated terror threat level in the region.

The fallout from this breach is profound, directly impacting thousands of officers’ safety.

PSNI Assistant Chief Constable Chris Todd has confirmed steps have been identified to avoid similar errors from happening again.

John Edwards, the Information Commissioner at the ICO, emphasised that this incident’s gravity lies in demonstrating the substantial consequences that minor human errors can trigger.

This serves as a reminder of the importance of implementing robust measures for protecting personal data, especially in sensitive contexts.

The ICO is actively investigating the situation, collaborating with the PSNI to gauge the extent of data accessed during the exposure and devise effective mitigation strategies.

This event highlights the importance of ongoing, comprehensive personnel training to minimise the risk of human errors that can trigger such incidents.
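The PSNI data escaped because a spreadsheet released in response to a Freedom of Information request contained a hidden tab that the reviewer never saw on screen. A pre-release check that anyone can run against a .xlsx file is the obvious control, and is the kind of step a “never again” plan should include. The Python below is an added example, not code from the original post, from the PSNI or from Bob’s Business; it reads the workbook’s XML parts directly with the standard library, and the sample workbook it builds is a constructed minimal stand-in containing only the parts the check reads, not a complete .xlsx that Excel would open.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by xl/workbook.xml and xl/worksheets/sheetN.xml.
SPREADSHEETML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": SPREADSHEETML}


def hidden_sheets(xlsx_bytes):
    """Names of worksheets whose state is 'hidden' or 'veryHidden'. A veryHidden
    sheet does not even appear in Excel's Unhide dialog."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
    return [sheet.get("name")
            for sheet in root.findall("m:sheets/m:sheet", NS)
            if sheet.get("state") in ("hidden", "veryHidden")]


def hidden_rows_and_columns(xlsx_bytes):
    """Per worksheet part: (hidden row count, hidden column-range count)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            rows = len(root.findall(".//m:sheetData/m:row[@hidden='1']", NS))
            cols = len(root.findall(".//m:cols/m:col[@hidden='1']", NS))
            result[name] = (rows, cols)
    return result


def safe_to_release(xlsx_bytes):
    """True only if nothing in the workbook is hidden from the person who reviewed it."""
    if hidden_sheets(xlsx_bytes):
        return False
    return all(rows == 0 and cols == 0
               for rows, cols in hidden_rows_and_columns(xlsx_bytes).values())


def build_sample_workbook(with_hidden):
    """Constructed minimal workbook: only the XML parts this check reads. The
    element names and attributes are the real SpreadsheetML ones."""
    sheets = '<sheet name="Summary" sheetId="1"/>'
    if with_hidden:
        sheets += '<sheet name="Staff list" sheetId="2" state="hidden"/>'
    workbook = f'<workbook xmlns="{SPREADSHEETML}"><sheets>{sheets}</sheets></workbook>'

    cols = '<cols><col min="4" max="4" width="0" hidden="1"/></cols>' if with_hidden else ""
    rows = '<row r="1"><c r="A1" t="inlineStr"><is><t>Rank</t></is></c></row>'
    if with_hidden:
        rows += '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Constable</t></is></c></row>'
    worksheet = f'<worksheet xmlns="{SPREADSHEETML}">{cols}<sheetData>{rows}</sheetData></worksheet>'

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", worksheet)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_workbook(False)),
                        ("with hidden content", build_sample_workbook(True))):
        print(label, "-> hidden sheets:", hidden_sheets(data),
              "hidden rows/cols:", hidden_rows_and_columns(data),
              "safe to release:", safe_to_release(data))
```

For a real release process, pair a check like this with exporting the reviewed sheet to CSV or PDF, so the file that leaves the organisation physically cannot carry a tab nobody looked at.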

The Electoral Commission

The Electoral Commission recently admitted to a security breach that began in August 2021, was only identified in October 2022, and came to public attention ten months after that, in August 2023.

The breach, attributed to a hostile cyber attack, went unnoticed for over a year and exposed the electoral registers, containing the names and addresses of around 40 million voters registered between 2014 and 2022.

The breach’s origin, whether connected to a hostile state or a criminal cyber gang, remains uncertain.

Notably, private safety-related information and overseas voter addresses were untouched. The National Crime Agency is now prioritising efforts to bolster the electoral system’s cyber resilience.

This incident underlines the vulnerability of large, centrally held personal datasets such as the electoral register.

The breach’s prolonged invisibility highlights the necessity for secure monitoring and management practices.

It serves as a reminder that comprehensive cybersecurity measures are paramount for protecting against breaches and data compromises.

Discord.io

Discord.io, an online service facilitating customised links for Discord channels, has fallen victim to a data breach affecting an estimated 760,000 users.

Sensitive details, including passwords, usernames, Discord IDs, and billing addresses, are believed to have been exposed.

The third-party service has now shut down as a result. The breach was discovered when data was offered for sale by a Discord user on a hacking forum.

The exposure of billing addresses is relevant only to those who purchased before the service adopted Stripe.

While the compromised passwords were stored as hashes rather than in plain text, hashes can still be cracked offline, so users who reused the same password elsewhere are advised to change it on every other platform where it was used.

This incident underscores the importance of robust cybersecurity practices and the need to ensure password uniqueness to minimise risks stemming from breaches.

For guidance on creating the perfect password, click to read our comprehensive guide.

What can your organisation learn from these breaches?

By understanding the underlying causes of these breaches and implementing preventive measures, organisations can significantly mitigate their exposure to such risks.

  1. Prioritise ongoing personnel training to minimise the risk of human errors.
  2. Maintain consistent security monitoring and management practices.
  3. Ensure password uniqueness to minimise risks stemming from breaches.
  4. Implement robust cybersecurity measures such as firewalls, intrusion detection systems, and encryption protocols.
  5. Develop a comprehensive incident response plan and conduct drills for effective breach mitigation.
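Point 3 here and point 1 of the previous post’s list (“Implement strong password policies”) both come down to checking a chosen password against known breaches without ever sending the password anywhere. The Python below is an added example, not code from the original post or from Bob’s Business; it implements the k-anonymity range lookup used by services such as Have I Been Pwned’s Pwned Passwords, with the remote service replaced by a constructed in-memory stand-in so the example runs offline. The breached-password list and its counts are made up for the example.

```python
import hashlib

# Constructed for the example: a tiny stand-in for a breached-password corpus,
# mapping each breached password to how many times it has been seen in breaches.
_BREACHED = {
    "password": 9_000_000,
    "Password1": 120_000,
    "Welcome1!": 45_000,
    "summer2023": 3_100,
}


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix):
    """Stand-in for GET /range/{prefix}: every breached hash that starts with the
    5-character prefix, returned as 'REMAINING35CHARS:COUNT' lines. Constructed so
    the example runs offline; a real client fetches this text over HTTPS."""
    lines = []
    for password, count in _BREACHED.items():
        digest = _sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, range_lookup=fake_range_lookup):
    """k-anonymity check. Only the first five hex characters of SHA-1(password)
    leave the client; the remaining 35 are matched locally, so the service never
    learns which password (or even which full hash) was being checked."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, username="", min_length=12, range_lookup=fake_range_lookup):
    """Reasons to reject a proposed password; an empty list means acceptable.

    Deliberately no composition rules and no expiry: NCSC and NIST guidance is that
    length plus a breach blocklist beats forced complexity and periodic rotation."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"appears in known breaches ({seen:,} times)")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("password", "alice"), ("alice-summer2023", "alice"),
                     ("correct horse battery staple", "alice")]:
        print(f"{pw!r}: {evaluate_password(pw, user) or 'acceptable'}")
```

Because `breach_count` takes the lookup as a parameter, the same function runs unchanged against the real service: pass in a function that performs the HTTPS GET for the prefix and returns the response body. Nothing else about the password leaves your system.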

How Bob’s Business can help protect your organisation

As cyber threats intensify, ensuring that your employees receive effective cybersecurity training is more critical than ever.

As the UK’s Most Trusted Cybersecurity Awareness Training Provider, we offer your organisation engaging and interactive eLearning modules perfectly created to empower your employees with the expertise to secure your organisation.

Get in touch today to learn more about how we can help protect your organisation.