Psychology can protect your employees against cyber attacks

Despite significant investments in cutting-edge cyber security systems, many businesses inadvertently neglect their most vulnerable asset – their employees.

It’s often not sophisticated hacking techniques that pose the most significant risk, but rather the everyday behaviours and thought patterns of individuals within the organisation.

Research consistently shows that humans can be easily manipulated into divulging confidential information by exploiting their cognitive biases and habits.

Let’s delve into why psychology is pivotal in cyber attacks and explore actionable strategies to prevent human error within your organisation.

Understanding the human element in cyber risks

According to Gov.uk, £4,590 is the average spend on cyber security for businesses in the UK, and for larger organisations, the average annual spend is as much as £387,000.

However, the bulk of this expenditure typically goes towards technological solutions like anti-malware and firewalls, with only about 10% allocated for cyber education.

This approach overlooks a critical aspect: nearly 90% of successful cyber attacks stem from human error rather than technical deficiencies.

Cybercriminals often exploit human psychology, finding it easier to manipulate individuals than to breach robust technical defences.

Recognising the significance of this human factor is essential for striking a balance between technological investments and providing adequate employee training and awareness.

At Bob’s Business, we emphasise addressing these vulnerabilities in our training programs to bolster overall business resilience against cyber threats.

Our research and solutions

In 2019, psychologist Sathpal Panesar joined Bob’s Business’ Technical Team through a Knowledge Transfer Partnership (KTP) project.

Sathpal’s efforts focused on developing the UK’s first evidence-based, psychologically-informed cybersecurity training program.

This research delved deep into the psychological aspects of cybersecurity, particularly understanding the human factors contributing to risky behaviours such as clicking on phishing emails.

The findings were not confined to theory; they were practically applied in simulated phishing campaigns to identify employee vulnerabilities and tailor behavioural responses.

In 2021, this KTP project received a ‘Very Good’ grade, a testament to its success despite the challenges posed by the global pandemic.

The training derived from Sathpal’s research enables employees to identify and mitigate risks associated with phishing, thereby protecting businesses from potentially costly cyber attacks.

Bob’s Business now employs behavioural analytics to develop customised training packages that significantly reduce the risk of employees falling victim to phishing attacks.

Practical strategies for defence

We provide practical strategies to defend your business against psychological cyber threats:

  • Understanding cognitive biases: Recognise and address cognitive biases among employees, such as misplaced trust in familiar emails or urgent requests.
  • Habit formation: Implement regular, repetitive training to cultivate security-conscious habits among your workforce.
  • Emotional awareness in decision-making: Provide training to help employees recognise and manage emotional responses to phishing attacks.
  • Scenario-based training: Engage employees with practical scenarios relevant to their daily tasks to enhance learning retention.
  • Continuous learning: Ensure training is regularly updated with the latest phishing techniques to keep employees informed.
  • Promoting open communication: Foster an environment where employees feel comfortable reporting potential threats and seeking advice.
  • Leadership involvement: Demonstrate leadership commitment to cybersecurity by actively participating in training and awareness programs.

How Bob’s Business can help your organisation

By understanding the human factor behind cyber vulnerabilities within your organisation, our eLearning programs are specifically tailored to address your organisation’s unique blind spots.

By integrating real-life scenarios and continuous updates, we equip your team with the skills and awareness needed to effectively defend against cyber threats, ensuring your organisation remains one step ahead.


Allen & Overy Data Breach Explained

In the legal sector, where confidentiality is essential, the cost of a data breach can be astronomical.

Crucially, while cybersecurity is often seen as a matter for IT teams, many of these breaches are not due to external threats, but human error within the firms.

According to the Information Commissioner’s Office in the period from Q3 2022 to Q2 2023, insiders were responsible for 60% of data breaches in the UK’s legal sector.

It’s a fact that many law firms are finding out in real-time, including Allen & Overy.

Join us as we unpack the details of a recent breach and discuss how you can protect your organisation against this kind of threat.

Allen & Overy breach explained

Allen & Overy, a prestigious Magic Circle law firm based in London, fell victim to a ransomware attack in November 2023 that targeted several storage servers, causing considerable disruption.

This attack coincided with a major financial milestone – their merger with Shearman & Sterling.

The LockBit ransomware group, known for its disruptive cyber activities, claimed responsibility for the attack.

They threatened to release sensitive data unless a ransom was paid by 28th November 2023.

Fortunately, the firm’s core systems remained intact, including document management and email services.

A growing concern in the legal sector

This cyber attack is yet another warning to the legal sector following the collapse of another law firm, The Ince Group, after a severe ransomware breach.

Indeed, despite strict cybersecurity measures being in place, the LockBit group was able to exploit vulnerabilities within the organisation, notably human error.

That’s why, at Bob’s Business, we emphasise a multi-pronged approach when it comes to protecting your organisation, focusing primarily on raising awareness among your team of what threats look like and how to mitigate them.

Insights from the National Cyber Security Centre show that law firms emerge as prime targets for cybercriminals due to the amount of confidential data they hold, presenting a lucrative opportunity for malicious actors to pursue financial gains through data breaches.

Phishing attacks could be your weak spot

Recent findings reveal that a staggering 79% of cyber-attacks are executed via phishing emails, posing a significant concern for law practices.

These deceptive emails often disguise themselves as legitimate requests for information or access, highlighting the importance of heightened vigilance among legal professionals.

The role of employees within law firms is pivotal in identifying, reporting, and responding to cyber threats.

What can you do to prevent these attacks?

Prioritising cybersecurity awareness and training programs is essential to foster a culture of cyber hygiene and ensure robust protection against evolving threats.

Tailoring these initiatives to resonate with employees’ emotional, behavioural, and cognitive aspects can drive meaningful education and instigate positive behavioural changes to bolster defences against cyber attacks.

During pivotal financial events such as mergers and acquisitions, the risk of cyber attacks escalates as cybercriminals exploit the transitional chaos to orchestrate ransomware attacks and extort firms for financial gain.

In response, law firms must remain vigilant and implement proactive measures to protect their financial data.

Recent incidents such as Allen & Overy’s data breach and the collapse of the Ince Group show why law firms must remain vigilant and proactive in their cyber defence strategies.

Adopting a comprehensive, multi-layered defence approach is paramount for safeguarding sensitive information in the digital age.

How Bob’s Business can help your organisation

At Bob’s Business, we understand the important role of human error in data breaches.

We offer specialised training and awareness programmes, putting employees at the centre of everything we do.

We are the industry-leading, “Most Trusted Cybersecurity Awareness Provider of 2023” that is helping businesses like yours to reduce the chances of being hit with data breaches through engaging, relatable training courses and simulations.

Ready to start protecting your organisation? View our range of courses today.

Free Course: Internet Safety

February 6 marks Safer Internet Day, and we’re supporting this vital global initiative by offering our Internet Safety eLearning course for free.

Our Internet Safety course teaches your staff how to identify risks like malware, phishing scams, and insecure websites so they can avoid online dangers.

With our Internet Safety course, your team will:

  • Recognise common cyber threats like malware downloads and phishing emails
  • Understand how to identify secure vs insecure websites
  • Learn safe practices for submitting sensitive data online
  • Know how to close suspicious pop-ups without engaging
  • Gain the knowledge to react appropriately to dangerous sites


Note: Our free internet safety course offer ends on May 1, 2024.

Get a free QR code phishing campaign

When was the last time you scanned a QR code? Did you know where it would take you, or whether it could be truly trusted?

It’s a gigantic threat to organisational cybersecurity, with QR codes now involved in 22% of all phishing attacks, a fact we revealed in our recent blog on the rising threat of QR code phishing attacks.

The good news is that we’re offering every organisation a free QR code phishing campaign* to test their staff’s vulnerability to this growing threat.

*Minimum 50 users to qualify, campaign is limited to one email.

Malvertising: Everything you need to know

As 2024 begins, we’re already facing fresh computer and data security challenges – primarily due to advancing AI technology.

It’s safe to say that cyber attacks are growing more innovative and more personal.

While some attack types, like phishing, are increasingly well known, there are other attack types which fly under the radar.

Malvertising is just one example of the latter. According to Techopedia.com, every day in 2023, there were 300,000 new malware cases; most were spread through emails and took an average of 49 days to notice.

But what do you need to know about malvertising? Let’s dig in.

What is Malvertising?

Malvertising is a compound word formed from ‘Malware’ (another composite word meaning ‘Malicious Software’) and ‘Advertising’.

Malvertising is the act of disguising malware within advertising, enticing users to click and interact so that their system is infected. Simply put, it uses advertising to get users to run malicious software.

Cybercriminals place malicious code or software within legitimate-looking adverts, often as a pop-up.

Once clicked, the software could do any number of things, none of which will benefit your business.

The real danger of malverts is that you do not even have to click one to be infected. A malicious ad can redirect the browser to an exploit kit that attacks unpatched browsers or plugins as the page loads (a drive-by download), so simply visiting the wrong site is enough.

How does Malvertising get approved?

Websites rarely sell their own ad space. They use third-party ad networks (ad servers) that distribute advertisers’ content across many sites in whatever way earns those sites the most money.

Getting an ad onto such a network can be as simple as signing up and submitting a creative.

Cybercriminals exploit this by initially submitting harmless and legitimate ads to gain the trust and services of the vendor.

Once the ad has been distributed, cybercriminals will switch out the legitimate content for a malvert.

After a few hours, the ad will be switched back, making it seem legitimate again.

Ad servers often have lax or automated vetting processes, making it very easy for cybercriminals to slip malverts through their systems without anyone knowing.
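The bait-and-switch described above defeats any vetting that happens only once, at submission. The check a network (or a publisher auditing its own pages) wants is continuous re-verification: record what was approved, then keep comparing the live creative and its click-through path against that record. The following is an added example written for this page, not code from the original post or from any ad network; the creative records and the "observed" snapshots are constructed test data, and a real scanner would fetch the live creative and follow its redirects at scan time (names such as Snapshot, Creative and rescan are this example’s own).

```python
"""Re-verify approved ad creatives rather than vetting them once.

Added example, not from the original post or from any ad network. The
creative records and the "observed" snapshots are constructed test data;
a real scanner would fetch the live creative and follow its click-through
redirects at scan time.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What the ad looked like at one point in time."""
    creative: bytes               # the served creative (image/HTML) as bytes
    click_chain: tuple[str, ...]  # hostnames visited when the ad is clicked, in order


@dataclass(frozen=True)
class Creative:
    ad_id: str
    approved: Snapshot              # recorded when the reviewer approved the ad
    declared_hosts: frozenset[str]  # landing hosts the advertiser declared at submission


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_creative(creative: Creative, observed: Snapshot) -> list[str]:
    """Compare a fresh snapshot with the approved one; an empty list means unchanged."""
    findings = []
    if fingerprint(observed.creative) != fingerprint(creative.approved.creative):
        findings.append("creative bytes differ from the approved version")
    if observed.click_chain != creative.approved.click_chain:
        findings.append("click-through redirect chain changed since approval")
    undeclared = [h for h in observed.click_chain if h not in creative.declared_hosts]
    if undeclared:
        findings.append(f"click path visits undeclared hosts: {undeclared}")
    return findings


def rescan(creatives: list[Creative], observed: dict[str, Snapshot]) -> dict[str, list[str]]:
    """Return {ad_id: findings} for every creative that no longer matches its approval.

    Unchanged creatives are omitted, so an empty dict means there is nothing to pull.
    """
    report = {}
    for c in creatives:
        findings = check_creative(c, observed[c.ad_id])
        if findings:
            report[c.ad_id] = findings
    return report


# --- constructed sample data -------------------------------------------------
HONEST_CHAIN = ("ads.adnetwork.example", "shop.advertiser.example")
APPROVED = Snapshot(creative=b"<img src=shoes.png>", click_chain=HONEST_CHAIN)

CREATIVES = [
    Creative("ad-001", APPROVED, frozenset(HONEST_CHAIN)),
    Creative("ad-002", APPROVED, frozenset(HONEST_CHAIN)),
]

# ad-001 is unchanged; ad-002 has been swapped: same first hop through the
# network, but the click now bounces via a traffic-distribution host to a
# payload server that was never declared.
OBSERVED = {
    "ad-001": APPROVED,
    "ad-002": Snapshot(
        creative=b"<img src=shoes.png onload=...>",
        click_chain=("ads.adnetwork.example", "tds.redirector.example", "payload.example"),
    ),
}

if __name__ == "__main__":
    for ad_id, findings in rescan(CREATIVES, OBSERVED).items():
        print(ad_id, "->", "; ".join(findings))
```

Note that a swap which keeps the creative bytes identical and only changes where the click lands is still caught by the chain and allowlist comparisons. Because the post describes the malvert being switched back after a few hours, a scheduled rescan can miss the window; comparing the click path on every served impression (from click telemetry) closes that gap.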

You might have come across a malvertising scam today without even realising it.

These cunning scams can appear on legitimate websites, including the BBC, often as display ad campaigns.

Do you recall any recent adverts you’ve seen alongside an article online?

It’s not to say they were all scams, but this highlights how these threats cleverly hide in plain sight.

Without awareness, a simple click out of curiosity could lead you into a trap!

How to spot Malvertising

Malverts often look legitimate, so spotting one can be tricky.

5 signs of malvertising

  1. Unexpected pop-ups: If you see pop-ups on a website where they usually don’t appear, be wary. Malvertising often uses pop-up ads to trick users into clicking on them.
  2. Ads that look out of place: Pay attention to ads that don’t fit the website’s usual style or content. An ad that looks odd or out of context might be a malvertisement.
  3. Offers that are too good to be true: Beware of ads that offer incredible deals or prizes. If an ad promises something that seems too good to be true, it probably is.
  4. Ads that prompt immediate action: Malvertising often tries to create a sense of urgency, like a limited-time offer or a warning about a virus on your device. If an ad urges you to act quickly, take a moment to think before you click.
  5. Poor ad quality: Look for signs of low quality in ads, such as misspellings, poor graphics, or awkward wording. Professional and legitimate ads usually have a high quality standard, so lower quality can be a red flag.

How can you protect your business from Malvertising scams?

Protecting your business from malvertising requires a mix of smart technology and raising employee awareness.

It’s not just about having the right tools; it’s also about creating a culture of security awareness within your organisation.

Implement Ad Blockers

Use ad blockers on your business’s devices. This can prevent many malverts from appearing, reducing the risk of accidental clicks.

Regularly update software

Ensure that all software, especially web browsers and operating systems, are updated. Cybercriminals often exploit vulnerabilities in outdated software.

Educate your employees

Make sure your staff are aware of the risks of malvertising. Regular training on cybersecurity best practices can be invaluable.

Use reliable security software

Invest in reputable antivirus and anti-malware software. This software can often detect and block malicious activity, including malvertising threats.

Back up your data

Regularly back up important business data. In the event of a malware attack, having backups can prevent data loss and facilitate a quicker recovery.

How Bob’s Business can help your organisation

At Bob’s Business, we help educate and empower your employees to spot cyber threats such as malvertising through our engaging eLearning modules, such as ‘Internet Safety’.

This module trains individuals and organisations in spotting malvertising online and offers practical tips to prevent falling victim to malverts.

Alongside this, we provide up-to-date insights, expert support, interactive learning tools, and customised solutions to ensure your business has the knowledge and resources to stay secure online.

Get in touch with us today to explore our cybersecurity training courses.

What is QR code phishing, and how can your business defend against it?

When it comes to phishing attacks, it’s worth staying alert to the latest threats.

Phishing attacks are the most common form of attack that businesses and organisations face; worse still, they’re constantly evolving to incorporate new technologies and psychological angles of attack.

The latest of those new technologies is QR codes, which rose to prominence during the pandemic and have since become a mainstay of modern life.

In this blog post, we’ll delve into what QR code phishing is, how it works, why it’s becoming a prominent threat, and, most importantly, how organisations can defend against it.

What is QR phishing?

We’ve all heard of QR codes, those square barcodes that have started appearing everywhere, from restaurant menus to bus stop advertisements.

But how often do you scan them without knowing exactly what they’ll do, and where they’ll take you?

Scammers have latched onto this and are putting QR codes in phishing emails, sending you and your team to fake websites that trick you into entering confidential data or unknowingly downloading malware onto your device.

What makes QR code attacks so dangerous?

QR code attacks pose a serious cybersecurity threat for several reasons. First, they exploit the convenience and ubiquity of QR codes, which most people scan without a second thought. This allows scammers to direct victims to malicious sites effortlessly.

Second, QR codes can direct users to websites that look identical to legitimate ones. Without carefully checking the URL, victims may not realise they’ve landed on a fake phishing site. This enables scammers to steal login credentials and sensitive data seamlessly.

Finally, QR code attacks can compromise devices and, from there, whole networks if malware is downloaded from a scanned code. A single infected device can become the foothold for further attacks.

Why do QR code attacks work?

QR code phishing succeeds because these attacks leverage both psychology and technology.

On the psychological side, QR codes feel harmless to most people. We’re conditioned to scan without thinking. Technologically, QR codes are simple for scammers to generate, allowing phishing sites and malware to be embedded effortlessly.

The ubiquity of QR codes also provides billions of targets. Attacks happen everywhere codes appear – emails, ads, social media posts, and physical locations. With QR codes growing in usage, the attack surface only expands.

Ultimately, combining technological and psychological techniques makes QR phishing alarmingly effective. People underestimate the danger while scammers exploit the system.

How can you spot QR code attacks?

QR codes in emails require extra scrutiny. Here are tips to detect phishing attempts without scanning the code:

  • Inspect the sender’s email address. Does it match the company it claims to be from? Watch for slight misspellings.
  • Check for poor grammar, spelling errors, or unfamiliar tones in the email text. This signals a likely phishing attempt.
  • Be suspicious of emails with a sense of urgency, threats, or other psychological manipulation to entice scanning.
  • Mouseover links without clicking to compare destinations to text. Mismatches often reveal malicious URLs.
  • Verify the email formatting. Low-quality images or layouts may indicate a phishing attempt.
  • Contact the sender directly if you suspect an email is fraudulent. Don’t use the contact info in the questionable email.

Of course, if you suspect an email is a phishing attempt, you should always report it to your IT team. If you need to know where a code points, decode it with a desktop QR reader or a scanner app that displays the URL without opening it, and then judge that URL as you would any other link. A QR code is simply a link hidden in an image, which is exactly why it slips past filters that only inspect text.
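Once a QR code has been decoded to a URL, the same checks the list above applies to email text can be automated on that URL before anyone opens it. The following is an added example written for this page, not Bob’s Business code; it assumes the QR image has already been decoded to a string by a scanner or the mail gateway, and the brand, shortener and keyword lists are illustrative assumptions that a real deployment would tune.

```python
"""Triage a URL decoded from a QR code before anyone opens it.

Added example, not from the original post or from Bob's Business. It assumes
the QR image has already been decoded to a URL string (by a desktop QR
reader or the mail gateway); the brand, shortener and keyword lists are
illustrative assumptions that a real deployment would tune.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: brands this organisation legitimately receives QR-code emails from.
TRUSTED_BRANDS = {"microsoft.com", "office.com", "docusign.com"}
# Assumption: a few well-known shorteners; they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
CREDENTIAL_WORDS = ("login", "signin", "verify", "password", "mfa", "account")
HARD_INDICATORS = ("lookalike", "IP literal", "punycode", "userinfo", "unusual scheme")


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for this demo; a real
    system would use the Public Suffix List (e.g. the tldextract package)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_url(url: str) -> list[str]:
    """Return the phishing indicators found in the URL; an empty list means none."""
    findings: list[str] = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme not in ("http", "https"):
        # javascript:, data:, intent: and friends have no business in a QR code
        findings.append(f"unusual scheme: {parsed.scheme or '(none)'}")
        return findings
    if parsed.scheme == "http":
        findings.append("plain http rather than https")
    if "@" in parsed.netloc:
        # https://microsoft.com@evil.example/ : the real host is after the '@'
        findings.append("userinfo '@' in URL; real host is after the @")

    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal, not a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (IDN homograph risk)")

    reg = registered_domain(host)
    if reg in SHORTENERS:
        findings.append(f"URL shortener {reg} hides the destination")

    # Brand name used as a label somewhere in the host while the registered
    # domain is something else, e.g. microsoft.com.login-verify.example
    for brand in TRUSTED_BRANDS:
        name = brand.split(".")[0]
        if reg != brand and re.search(rf"(^|[.-]){re.escape(name)}([.-]|$)", host):
            findings.append(f"lookalike: '{name}' in host but registered domain is {reg}")

    path_and_query = f"{parsed.path}?{parsed.query}".lower()
    if reg not in TRUSTED_BRANDS and any(w in path_and_query for w in CREDENTIAL_WORDS):
        findings.append("credential-harvest keywords on an untrusted domain")
    return findings


def verdict(url: str) -> str:
    """'allow' if nothing found, 'block' on any hard indicator, otherwise 'review'."""
    findings = triage_url(url)
    if not findings:
        return "allow"
    if any(h in f for f in findings for h in HARD_INDICATORS):
        return "block"
    return "review"


if __name__ == "__main__":
    # Constructed sample URLs, as a scanner might decode them from email QR codes.
    for sample in (
        "https://login.microsoft.com/common/oauth2/authorize",
        "https://microsoft.com.login-verify.example/mfa",
        "http://192.168.1.20/update",
        "https://bit.ly/3abcXYZ",
    ):
        print(verdict(sample), sample, triage_url(sample))
```

The lookalike test matches the brand name only as a whole label, so a legitimate sub-domain such as login.microsoft.com passes while microsoft.com.login-verify.example is blocked; a shortener on its own only earns a "review", because the destination is unknown rather than known-bad.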

The growing threat in 2024

The rise in QR code usage in phishing attacks has been astonishing, with 22% of all phishing attacks now including a QR code.

That number is not expected to fall in 2024, either.

With more businesses and individuals relying on QR codes for various transactions, the attack surface for cybercriminals broadens.

Awareness of this threat must be a top priority for organisations, as the potential for exploitation continues to rise.

Risks to organisations

The risks posed by QR code phishing are multifaceted – organisations may face data breaches, financial losses, and damage to their reputation.

Furthermore, compromised devices within the corporate network can serve as entry points for more extensive cyberattacks.

Educating employees about the potential dangers of QR code phishing is crucial in protecting your organisation’s cybersecurity defences.

Protecting against QR code phishing

Mitigating the risks associated with QR code phishing involves a combination of awareness, education, and technology.

At Bob’s Business, we make it our mission to give organisations the knowledge they need to combat the latest cyber threats. That’s why we’re among the first phishing simulation providers to launch QR code phishing templates for our clients.

Learn about our phishing simulation training here.

Ten actionable tips to keep your employees safe online

Have you ever considered how your business’s security relies on your employees’ online habits?

With organisations facing increasingly sophisticated cyber threats, it’s crucial to evaluate your team’s online behaviour and equip them with the essential knowledge and tools to stay safe online.

Let’s explore practical steps to enhance your team’s digital security.

The importance of employee safety online

The importance of protecting your employees online cannot be overstressed.

Each team member is a potential entry point for cyber threats, making their online safety crucial for protecting their personal information and your company’s data and reputation.

Implementing strong online safety measures minimises the risk of data breaches, financial loss, and the potential compromise of sensitive information.

Ten tips to keep your employees safe online

1. Adopt strong password policies

Emphasise the importance of strong, unique passwords for each account. Length matters more than enforced character mixes: encourage long passphrases (the NCSC suggests three random words) over short strings of symbols, and avoid single dictionary words, names, or anything guessable from social media.

Forcing password changes at fixed intervals is no longer recommended; the NCSC advises against routine expiry because it pushes people towards predictable variations of the same password. Instead, require a change when compromise is suspected, screen new passwords against lists of commonly used or breached ones, and share our essential password guide with your team!

2. Regular software updates

Stress the necessity of consistently updating all software, including antivirus programs.

Educate employees on how updates often include patches for security vulnerabilities, thus protecting against new cyber threats.

Set up automatic updates where possible to ensure continuous protection.

3. Implement phishing simulations

Deploy simulated phishing training to help employees recognise and report phishing attempts. Explain the common signs of phishing, such as unexpected requests for information or uncharacteristic emails from colleagues.

Regularly update training materials to cover the latest phishing tactics.

4. Secure Wi-Fi use

Advise employees on the risks of unsecured public Wi-Fi networks, particularly when handling sensitive work-related tasks.

Encourage using secure, private networks or a reliable Virtual Private Network (VPN) when working remotely to ensure data security.

5. Two-factor authentication (2FA)

Implement two-factor authentication for an additional security layer on sensitive accounts.

Explain to employees how 2FA works and its benefits in protecting their accounts from unauthorised access.

Regularly review and update the 2FA methods to maintain security effectiveness.

6. Limit access to sensitive data

Establish clear protocols to ensure only employees needing sensitive data access have it.

Regularly review access privileges and adjust them based on current job requirements.

This minimises unnecessary risk exposure and enhances data security.

7. Data encryption

Utilise encryption to protect sensitive data when transmitted and while at rest.

Educate employees on the importance of encryption in protecting data from interception or unauthorised access. Ensure encryption standards are in line with industry best practices.

8. Regular backups

Develop a routine for regular backups of critical data. Explain the significance of backups in preventing data loss in the event of a cyber-attack or system failure.

Ensure that backup procedures are tested and updated regularly for effectiveness.

9. Clear device policies

Formulate explicit policies for using personal devices for work-related tasks. Mandate security requirements such as using antivirus software and regular security updates.

Educate employees about the risks of using unsecured devices and the importance of adhering to these policies.

10. Incident response plan

Maintain a well-defined incident response plan and ensure all employees are familiar with it.

The plan should outline clear steps to be taken in the event of a suspected security breach, including who to contact and how to contain the incident.

Regular drills and updates of the plan are essential for preparedness.

How Bob’s Business can help your business

At Bob’s Business, we make cybersecurity education beautifully simple for hundreds of organisations.

Our product range is designed to give your team the knowledge they need to spot attacks, tailored to your business needs, ensuring that your team is well-prepared to tackle online threats.

Let us help you build a safer online environment for your team. Get in touch today to find out more!

Why your business needs cybersecurity training in 2024

As we enter 2024, businesses will face a range of sophisticated cyber threats, both old and new, that can compromise sensitive data, disrupt operations, and tarnish reputations.

It’s enough to make any manager’s head spin.

In light of these difficulties, investing in cybersecurity training for employees becomes not just a cautious choice but an essential strategy to protect organisational defences.

Join us as we explore this year’s challenges and how cybersecurity training can help your organisation combat these damaging threats.

Why every business needs cybersecurity awareness training in 2024

A new set of challenges:

Cloud technologies and the Internet of Things (IoT)

As businesses increasingly adopt cloud technologies and the Internet of Things (IoT) – think smart fridges and gadgets – the chances of cyber trouble increase.

Many IoT devices lack robust security measures, making them susceptible to hacking. The introduction of 5G technology further amplifies risks, enabling faster and more sophisticated attacks. To mitigate these dangers, organisations must prioritise strong security protocols, regular updates, and continuous monitoring.

Artificial Intelligence (AI)

In 2023, Artificial Intelligence (AI) became a game-changer, revolutionising industries and sparking conversations across the globe.

While its positives are undeniable, AI has brought about new vulnerabilities, enabling faster, more innovative cyber attacks on organisations.

As we step into 2024, cybercriminals are gearing up to elevate AI-led attacks, such as:

Ransomware attacks

The evolution of ransomware attacks over the last five years has been remarkable, with attacks growing more and more sophisticated, and that pattern is unlikely to change in 2024.

With AI tools enabling ransomware A/B testing at scale, cybercriminals are testing new tactics, such as double extortion and AI-driven attacks, making these threats more deceptive.

Phishing attacks

Phishing attacks are on the rise in 2024 and reaching new levels of sophistication. Tools like ChatGPT let attackers write fluent, convincing messages, so the typos and grammar errors that were once reliable red flags are disappearing, and detection has to rely on other signals such as the sender, the nature of the request and the link destination.

The human factor

The Human Factor – while technological advancements contribute to the digital landscape’s complexity, it’s crucial to recognise that humans play a pivotal role in cybersecurity.

Employees, often unintentionally, become channels for cyber threats through actions such as clicking on malicious links, falling victim to phishing schemes, or using weak passwords. Indeed, Government research has found 90% of breaches occur as a result of human error.

Cybersecurity training addresses this human factor by instilling awareness and best practices, empowering employees to become protectors of organisational data.

How can cybersecurity training protect your organisation from these threats?

Adaptability to emerging threats

Cyber threats are dynamic and ever-evolving.

A comprehensive cybersecurity training programme equips employees with the knowledge and skills to adapt to emerging threats.

Organisations can proactively defend against the latest cyber risks by staying ahead of the curve.

Protecting sensitive data

In an era where data is a valuable asset, protecting sensitive information is paramount.

Cybersecurity training educates employees on data protection best practices, reducing the likelihood of data breaches that can have severe consequences, both financially and in terms of reputation.

Mitigating ransomware risks

As discussed, ransomware attacks have become more sophisticated, often targeting organisations with the potential for significant financial gain or lax security procedures.

Cybersecurity training teaches employees to recognise and respond to ransomware threats, minimising the risk of falling victim to these malicious attacks.

Building the human firewall

Employees are the first line of defence against cyber threats.

Cybersecurity training reinforces the importance of attention and compliance to security protocols, effectively turning your employees into formidable human cyber heroes who can protect your organisation’s digital assets.

Choosing Bob’s Business as your cybersecurity training partner

Bob’s Business is the UK’s Most Trusted Cybersecurity Awareness Training provider, equipping organisations with the knowledge and skills needed to protect sensitive data.

  • Tailored learning solutions: We understand that every organisation is unique. Our eLearning modules are designed to cater to specific industry needs, ensuring that employees receive relevant and targeted cybersecurity training.
  • Engaging and interactive content: When training is boring, lessons don’t stick. Our gamified eLearning modules are crafted to be engaging, interactive, and memorable, ensuring employees retain crucial cybersecurity concepts and best practices.
  • Real-world scenarios: Our training goes beyond theoretical knowledge. We incorporate real-world scenarios and case studies, allowing employees to apply their cybersecurity skills in simulated environments and preparing them for the challenges they may face in the digital landscape.
  • Continuous updates: The cybersecurity landscape is dynamic, and so is our training content. We regularly update our modules to reflect the latest threats, technologies, and best practices, ensuring your employees stay ahead of potential risks.

In the face of escalating cyber threats in 2024, cybersecurity training is not just a precautionary measure; it’s imperative.

Empower your workforce with the knowledge and skills to prevent cyber threats and fortify your organisation’s defences today. Discover our range of affordable training solutions.

What you need to know from the ITRC’s ‘2023 Business Impact’ Report

2024 is here, and although the year is new; the cyber threats organisations face are not.

Now, a new report from the US-based Identity Theft Resource Center (ITRC) has confirmed that human error continues to be one of the leading causes of data breaches and cyberattacks for small businesses.

Based on a survey of over 500 small business owners and leaders, the report highlights the need for small businesses to focus on reducing insider threats through training and policies.

In this blog, we’ll share some of the key findings from the report and what small businesses across the world can do to reduce human error-related breaches.

Let’s get started!

Key findings from the ITRC Report:

  • In the past year, 73% of small businesses experienced a cyberattack or data breach.
  • Malicious insiders caused 30% of cyber incidents.
  • 21% of breaches were linked to remote workers.
  • 53% of small businesses had financial impacts over $250,000 (£197,000).
  • 85% of small business leaders feel prepared to respond to cyberattacks.

How small businesses can reduce human error in cybersecurity

While technical defences like antivirus and firewalls are important, they can only go so far.

With the ITRC’s report in mind, here are some tips for building a culture of awareness and reducing risky behaviour:

Implement robust security training

Regular security training is essential to ensure employees know how to spot phishing emails, create strong passwords, and follow safe browsing habits.

Stressing the importance of vigilance and the role each employee plays in protecting company data is key in building a positive security culture within your organisation.

Enforce strong password policies

Strong passwords are a fantastic way to prevent easily avoidable breaches. Require your employees to use passwords with a minimum of 12 characters, with upper and lowercase letters, numbers, and symbols.

Equally important is that each password your employees use is completely unique to each service. A password management tool is a great way to store those unique, complex passwords.
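The two rules above (12-plus characters drawn from all four character classes, and no password shared between services) can be checked mechanically, which is how a password manager's audit view or an onboarding script would enforce them. The following is an added example written for this post, not Bob's Business code; the service names and passwords in `SAMPLE` are constructed and the rule messages are my own wording.

```python
"""Password policy check illustrating the rules in the post above:
at least 12 characters, upper- and lowercase letters, digits and symbols,
and a different password for every service.  Added example, not Bob's
Business code; the services and passwords in SAMPLE are constructed."""
import hashlib
import string

MIN_LENGTH = 12


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    return failures


def find_reuse(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each reused password (identified by SHA-256 fingerprint) to the
    services that share it.  Comparing digests rather than plaintext mirrors
    how a password manager reports reuse without displaying the passwords."""
    by_digest: dict[str, list[str]] = {}
    for service, password in credentials.items():
        digest = hashlib.sha256(password.encode()).hexdigest()
        by_digest.setdefault(digest, []).append(service)
    return {d: s for d, s in by_digest.items() if len(s) > 1}


def audit(credentials: dict[str, str]) -> dict[str, dict]:
    """Per-service report: the policy failures plus a 'reused' flag."""
    reused = {svc for svcs in find_reuse(credentials).values() for svc in svcs}
    return {
        svc: {"failures": check_policy(pw), "reused": svc in reused}
        for svc, pw in credentials.items()
    }


SAMPLE = {  # constructed sample, not real credentials
    "email": "Summer2024!",          # 11 characters: too short
    "crm": "correct-horse-battery",  # long enough, but no uppercase or digit
    "vpn": "Tr0ub4dor&3-Xk9q",       # compliant on its own ...
    "payroll": "Tr0ub4dor&3-Xk9q",   # ... but reused here
}

if __name__ == "__main__":
    for svc, result in audit(SAMPLE).items():
        print(f"{svc:8} reused={result['reused']!s:5} failures={result['failures']}")
```

Running the block reports `email` as too short, `crm` as missing an uppercase letter and a digit, and flags `vpn` and `payroll` as sharing one password even though that password satisfies the complexity rules, which is the point of the second rule in the post.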

Limit access to sensitive data

Restrict access to confidential company data and customer information only to employees who need it for their job duties. This helps prevent insiders from intentionally or accidentally mishandling data.

Frequently back up critical data

Regular backups help minimise disruption from ransomware and accidental data loss due to human error. Test restores periodically to verify backups are working correctly.
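"Test restores periodically" is the step most often skipped, so here is what an automated restore test looks like in practice: take a hash manifest of the source at backup time, restore the archive into a scratch directory, and compare. This is an added example, not Bob's Business code; the files it backs up are constructed in a temporary directory so it runs anywhere.

```python
"""Backup-and-restore verification, illustrating the 'test restores
periodically' advice above.  Added example, not Bob's Business code;
the sample files are constructed in a temporary directory."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive the source tree and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return file_digests(source)


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and return the paths whose restored
    content is missing or differs from the manifest; an empty list means the
    backup is both restorable and intact."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                # The 'data' filter rejects archive members that would write
                # outside the target directory (Python 3.12+, backported).
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = file_digests(Path(scratch))
    return sorted(p for p, d in manifest.items() if restored.get(p) != d)


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed tree, verify a clean restore, then change a
    source file and show the verifier flagging the now-stale backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "sub").mkdir(parents=True)
        (src / "notes.txt").write_text("quarterly figures\n")   # constructed
        (src / "sub" / "cfg.ini").write_text("[x]\na=1\n")      # constructed
        archive = Path(work, "backup.tgz")
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)
        (src / "notes.txt").write_text("quarterly figures (revised)\n")
        stale = verify_restore(archive, file_digests(src))
    return clean, stale


if __name__ == "__main__":
    clean, stale = demo()
    print("mismatches after backup:", clean)
    print("mismatches after source changed:", stale)
```

The manifest is the important design choice: hashing at backup time and again after restore catches a corrupted archive, a failed extraction and a backup that simply no longer reflects the live data, which a plain "did the job exit 0" check does not.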

The ITRC report is a reminder that cybersecurity requires both technological defences and thoughtful policies around employee behaviour. Reducing human error through training and smart data hygiene practices is one of the most effective ways small businesses can improve their security posture.

At Bob’s Business, we make reducing human error simple for organisations of all sizes. Whether it’s our NCSC-certified short-form training, award-winning phishing simulations or affordable culture-change solutions, we’re your ultimate cyber training partner.

Click here to learn more about our products.

Using public WiFi safely: What you need to know

Have you ever found yourself visiting a client for a coffee and needing to connect to public WiFi?

It’s a common scenario, especially in our post-pandemic work-from-anywhere world. However, while free WiFi might feel like a friendly perk, it can be anything but when it’s deployed maliciously.

In this blog, we’re going to dive deep into the risks around public WiFi, how those networks are weaponised and what you can do to protect your – and your team’s – data when mobile working.

Let’s get started.

How do cybercriminals hack public WiFi?

Cybercriminals can easily position themselves between you and the router.

A hotspot that invites you to “connect straight to the connection point” may be a deceptive one: you unknowingly send your traffic to the criminals’ device, which relays it on to the real network while intercepting everything that flows between you and it. It’s important to be cautious of such tactics to prevent your personal information from being compromised.

Passwords, emails, bank details, security credentials, and access to organisations’ accounts and networks are all potentially at risk from connecting to a public WiFi hotspot.

Cybercriminals also commonly use unsecured WiFi to spread malware and ransomware. If file sharing is enabled on your device while it is on such a network, it becomes easy to infect and to distribute the malicious code.

Best practices for employees on public WiFi

VPN Usage:

Install and use a Virtual Private Network (VPN) when connecting to public WiFi.

A VPN encrypts all traffic leaving your device, so anyone between you and the VPN server, including the hotspot router, sees only encrypted data. This adds a layer of security that makes it much harder for cybercriminals on the same network to intercept sensitive information.

Website encryption:

Prioritise websites that use HTTPS (TLS, formerly SSL) encryption.

This ensures that the information exchanged between your device and the website is encrypted in transit. Look for “https://” in the website URL, especially when entering credentials or sensitive data.

Disable file sharing:

Turn off file-sharing settings when connected to public networks.

This minimises the risk of unauthorised access to your device and prevents the unintentional sharing of files with others on the same network.

Automatic WiFi connection:

Disable the automatic WiFi connection on your device.

Manually choose and connect to known and trusted networks. This prevents your device from automatically connecting to potentially unsafe networks without your consent.

Use antivirus and firewalls:

Ensure that your device has up-to-date antivirus software and a firewall activated.

These security measures provide continuous protection, scanning files as they are downloaded and blocking potential threats.

Be cautious:

Exercise caution when connecting to public WiFi networks.

Avoid accessing sensitive information, such as online banking or confidential work documents, when connected to unsecured networks.

By following these guidelines, employees can mitigate the risks associated with using public WiFi and contribute to maintaining a secure digital environment, even in situations where alternatives are limited.

What is Friendly Wifi?

Here at Bob’s Business, we support Friendly Wifi, the world’s first safe certification standard for public WiFi and the only symbol that shows that the WiFi service in use blocks indecent and inappropriate material.

Michael Davies, a representative of Friendly Wifi, said: “When using WiFi, most people don’t want to accidentally stumble across a site that shows images that could be offensive or just not pleasant to see, or be happily browsing and see someone close to them looking at such material – suddenly that comfortable and safe feeling disappears. For adults, this provides a nice environment but for our kids and teenagers who are increasingly using their phones, having this safety net is essential.”

“As parents and families, the last thing you want is for the material you would be uncomfortable with to be seen by your kids so look out for the Friendly WiFi symbol and encourage your teenagers to do the same. Seeing the symbol present will also provide peace of mind that the venue takes your online safety seriously and that it is no place for online predators.”

How to Stay Protected on Public WiFi

It’s essential to always have up-to-date, activated antivirus software and a firewall on your organisation’s devices.

These tools run continuously in the background, and antivirus should scan new files as they are downloaded. Be cautious about connecting to public WiFi at all when mobile working.

You can find more tips and training about working securely on the go in our Mobile Working course, part of our leading collection of cybersecurity courses.