The future of passwords

Passwords – we love to hate them.

Although they’re part and parcel with virtually every device and service we interact with, they’ve never evolved beyond their status as a nuisance.

The good news? The future of passwords is likely to be passwordless! Sounds like a dream come true, doesn’t it? It’s closer than you might think.

Needless to say, the passwordless future is not a new concept. Tech giants like Google and Microsoft have been working on password alternatives for years, and now the fruits of their labour are starting to be realised.

But what does a passwordless future actually look like? And how soon can we expect it to become a reality? In this blog, we’ll sketch out the passwordless future. But first, why are companies looking to kill the password?

Why are companies pushing to end the era of the password?

Passwords are something of a necessary evil: our accounts need to be secured in order to protect our data, but the process of creating secure passwords and then memorising them is frustrating, to say the least. Especially when the average person has 100 of them to remember!

The issues go further than the volume of passwords, however. The fact is that the most common passwords in use are shockingly simple, easy to guess and insecure. And, of course, once a password is acquired by a criminal through guesswork, phishing or otherwise, it can be freely shared.

In theory, by replacing passwords with alternative solutions, you can mitigate these problems, ensuring secure accounts for everyone and an end to the memory games we’re currently playing. So, what are some of these solutions? Let’s take a look.

Passwordless solutions

Biometric authentication

There’s a good chance you’re already familiar with biometric authentication. Biometrics use unique physical characteristics, such as fingerprints or facial recognition, to identify users.

This method is becoming increasingly common in smartphones and laptops, and it’s considered secure enough for online accounts and even bank transactions.

Biometric authentication is convenient and secure, as it is difficult (though not impossible) to replicate someone’s physical characteristics.

However, there are concerns about privacy and the storage of biometric data, as well as issues around ease of use in poor conditions, such as when you are wearing gloves or covering your face.

Single sign-on

Single Sign-on (SSO) is a popular solution for managing passwords and authentication across multiple accounts. SSO allows users to log in once using one set of credentials and then access multiple accounts and applications without entering their login information again.

You’ve probably encountered Single Sign-on before, as it’s now a common option when logging in or signing up for new accounts and services. These will generally let you log in with your Google, Microsoft, Facebook or other major accounts.

This not only saves time and reduces the hassle of managing multiple passwords, but it can also improve security by reducing the risk of weak or easily guessable passwords. With SSO, you only need one secure and distinct password.

Universal keys

Universal keys are a less common, albeit promising, solution for managing authentication across multiple accounts. A universal key is a single device or piece of software that can be used to access multiple accounts and applications.

Similar to SSO, universal keys eliminate the need for multiple passwords, but they take it a step further by providing an additional layer of security. Universal keys use public-key cryptography, meaning each key has a unique identifier that a server verifies.

This makes them highly secure and difficult to hack. However, if your physical key is lost or stolen, you’re at risk of losing access to all of your accounts.

When will passwordless authentication become the norm?

The truth is that it’s already happening. Many companies are already using passwordless solutions, and it’s likely that more will follow suit in the coming years. Microsoft, for example, is aiming to make Windows passwordless by 2025, and Google has been pushing passwordless authentication through its Advanced Protection Program.

But despite these advances, passwords are still widely used and will be for the foreseeable future.

This is partly because not everyone has access to the latest technology, and partly because some people simply prefer the familiarity of passwords.

It’s also important to note that passwordless solutions are not foolproof and can still be vulnerable to certain types of attacks.

So, what can we do to improve password security in the meantime?

Here are a few tips:

  1. Use a unique password for each account: This reduces the risk of multiple accounts being compromised if one password is stolen.
  2. Use a password manager to generate and store strong passwords: This makes managing multiple passwords easier and ensures they are secure.
  3. Enable two-factor authentication wherever possible: This provides an extra layer of security and makes it more difficult for hackers to access your accounts.
  4. Beware of phishing attacks: Phishing scams are a common way for hackers to steal passwords. They involve sending emails or messages that appear to be from a legitimate source but are actually fake. These messages often ask for sensitive information, such as passwords or credit card numbers. Always be cautious when clicking on links or downloading attachments, and never give out personal information unless you are sure it is safe to do so.
  5. Keep your software up to date: This includes your operating system, web browser, and any apps or programs you use. Updates often include security patches that address vulnerabilities and help keep your devices and accounts secure.
  6. Consider using a virtual private network (VPN) when connecting to public Wi-Fi networks: This helps to protect your internet traffic from prying eyes and can prevent hackers from intercepting your passwords and other sensitive information.

The future of passwords is passwordless, but we’re not there yet. Biometric authentication, universal keys, and SSO are just a few of the solutions that are already available, but it will take time for these solutions to reach total adoption – and to surmount concerns around privacy and security.

In the meantime, it’s on each and every one of us to take steps to improve password security by using strong and unique passwords, enabling two-factor authentication, and being vigilant against phishing scams.

By doing so, we can help protect ourselves and our sensitive information in the digital age.

Ready to start training your team to protect your business against the threats of today and tomorrow? Discover cybersecurity awareness training that engages, entertains and informs your staff.

This month in data breaches: March edition

Where there’s data, there will be criminals looking to steal and profit from it.

Data breaches are an almost-constant threat in today’s digital world, with cybercriminals finding new ways to infiltrate systems and steal sensitive information from companies and individuals.

As we approach the end of Q1, we’re looking at four major data breaches that occurred in March.

Let’s delve into what happened, why it happened, and what companies are doing to prevent similar breaches in the future.

Latitude

Latitude Financial, a financial services company in Australia and New Zealand, experienced a data breach that resulted in the theft of 14 million customer records.

The breach occurred when a third-party supplier’s IT system was compromised, providing access to Latitude’s data. The stolen data included sensitive information such as names, addresses, dates of birth, and credit card details.

This incident highlights the importance of managing third-party risks and ensuring that vendors maintain robust cybersecurity measures to protect sensitive data.

To prevent similar breaches in the future, Latitude is taking several steps, including enhancing its cybersecurity measures, reviewing its third-party supplier management protocols, and implementing additional monitoring and detection tools.

Ferrari

Ferrari suffered a data breach in March due to a vulnerability in one of their software systems. Cybercriminals exploited this vulnerability to gain unauthorised access to Ferrari’s systems and steal confidential data, including customer information and company secrets.

“We regret to inform you of a cyber incident at Ferrari, where a threat actor was able to access a limited number of systems in our IT environment,” Ferrari CEO Benedetto Vigna said in a letter sent to affected customers.

This attack emphasises the need to safeguard sensitive data from malicious actors.

To prevent a similar breach in the future, Ferrari is implementing multi-factor authentication, encryption, and monitoring tools to detect and respond to any suspicious activity.

They are also conducting regular vulnerability assessments and security audits to identify and address potential weaknesses in their IT infrastructure. Ferrari said that after receiving the ransom demand, the amount of which remains unknown, it started an investigation with a third-party cybersecurity company.

OpenAI

OpenAI, a leading artificial intelligence research organisation, experienced a data breach that resulted in the unauthorised disclosure of sensitive information.

The breach occurred due to an employee’s mistake, where they accidentally posted confidential company information on a public GitHub repository.

The information included personal project plans and internal communications. This highlights the importance of implementing strict data handling policies and providing regular security training to employees to prevent human error.

To prevent similar breaches in the future, OpenAI is implementing additional security controls and conducting a comprehensive review of its data handling policies.

They are also increasing their focus on employee training to ensure that all staff members understand the importance of protecting sensitive data and the measures they can take to prevent data breaches.

Chick-fil-A

Chick-fil-A confirmed a data breach that impacted customers at certain restaurants in the United States.

The breach occurred when a third-party vendor managing Chick-fil-A’s gift card and app system was hacked, exposing sensitive customer information such as names, mailing addresses, and balances.

Like Latitude, this attack highlights the importance of managing third-party risks and ensuring vendors maintain robust cybersecurity measures to protect sensitive data.

Chick-fil-A has now implemented additional security controls and is comprehensively reviewing its third-party supplier management protocols. It also advised affected customers to monitor their accounts for unauthorised activity and offered free credit monitoring services.

What can we learn from these breaches?

If it wasn’t clear, data breaches can have severe consequences for organisations and individuals alike, including financial loss and damage to reputation.

Companies must prioritise cybersecurity and take proactive measures to protect their customers’ sensitive data from mistakes that could be easily avoided.

This includes:

  • Implementing robust cybersecurity measures
  • Conducting regular vulnerability assessments and security audits
  • Managing third-party risks
  • Providing regular security training to employees
  • Enforcing strict data handling policies

By taking these measures, your organisation can help prevent data breaches and maintain the trust of your customers.

How Bob’s Business can help protect your organisation

Given the rise in frequency and complexity of cyber threats, it’s increasingly important to give employees in an organisation the appropriate training and awareness of cybersecurity measures.

Winners of “Most Trusted Cybersecurity Training Provider 2023”, we offer engaging short-form eLearning modules designed to educate and train employees on the most effective cybersecurity practices to avoid human error.

If you want to learn more about our products and how we can help protect your organisation against data breaches, don’t hesitate to contact us today.

The psychology of phishing

Even if you think you know nothing about cybersecurity, you’ll certainly have encountered phishing before.

It’s the most common type of attack, with more than 3.4 billion phishing emails sent daily globally. That’s around 1% of all emails.

The reason why is simple: they can be devastatingly effective. Typically posing as a legitimate source, they trick unsuspecting users into giving away their private information like passwords, bank details and credentials.

While the technical aspects of phishing attacks are important, the psychological tactics that make them successful are arguably the most important of all.

In this blog, we’ll pull back the curtain on the psychology of phishing and reveal why it’s so effective.

What psychological tactics do phishing attacks use?

Trust-building

First and foremost, it’s essential to understand that phishing attacks exploit our human nature. We are wired to trust and seek connections with others, which is precisely what cybercriminals take advantage of.

They prey on our innate desires to be helpful, cooperative, and friendly.

They may create an urgent situation that requires immediate action, such as threatening to lock us out of our accounts or promising a fantastic reward.

They may even impersonate someone we know, like a colleague or a friend, to create a false sense of familiarity and trust.

Reciprocity

Another psychological tactic that cybercriminals use is the principle of reciprocity. We tend to feel obligated to return a favour when someone has done something for us.

For example, a message claiming to be from your email provider, warning you that it has noticed suspicious activity, or from your local gym or children’s sports club, saying you haven’t updated your emergency contacts for a while. It might seem like someone doing something for you, but in reality, it’s to convince you to do something for them.

Need & greed

We’ve all received emails and messages offering great discounts and special offers. Cybercriminals know this and mask many of their attacks behind such offers. In many cases, this could be a gift or a prize; we are so thrilled by the offer we don’t think to stop and check if it’s legitimate.

An offer may seem too good to be true, but it’s often hard to resist the temptation of getting something for nothing.

Authority

The principle of authority is also an effective tool for cybercriminals. We are conditioned to follow and obey authority figures, such as our bosses or government officials.

Cybercriminals may impersonate a person of authority, like a bank executive or an IT administrator, to create a sense of urgency and pressure us into giving up our information.

Social proof

Cybercriminals also use the principle of social proof to make their attacks more convincing. Social proof refers to the tendency to follow the crowd and do what others do.

Cybercriminals may use social proof by sending out fake messages that appear to be from a reputable source, such as a well-known company or a government agency.

By using the brand recognition of a trusted name, cybercriminals can create a false sense of security and convince us to take action.

Scarcity & urgency

Scarcity refers to the idea that people tend to place a higher value on things that are rare or in limited supply.

Cybercriminals may use scarcity by creating a sense of urgency, such as claiming that a limited-time offer is about to expire or that only a few items are left in stock. Cybercriminals can pressure us into taking action without thinking things through by making us feel like we may miss out on something valuable.

Human error

In addition to these psychological tactics, cybercriminals also rely on human error. They know that people are busy and often distracted, so they send out messages that are designed to look like legitimate emails or websites.

They may use subtle variations in domain names or logos that are slightly different from the real ones. Cybercriminals can trick even the most diligent person into falling for their scams using these tactics.

So, what can we do to protect ourselves from phishing attacks?

The first step is to be aware of cybercriminals’ tactics, such as those mentioned above.

By understanding the psychological principles behind these attacks, we can be more vigilant and less likely to fall for them:

  • Be wary of messages that ask for personal information, especially if they come from an unknown source.
  • Double-check the sender’s email address or contact the company to verify the message is legitimate.
  • Keep software up to date and use strong passwords. Cybercriminals may exploit vulnerabilities in your software to gain access to your systems or try to guess your passwords. By keeping software updated and using unique and complex passwords, you can reduce the risk of these attacks being successful.
  • Use two-factor authentication (2FA). 2FA adds an extra layer of security by requiring a second form of authentication, such as a code sent to your phone, alongside your password. This makes it much more difficult for cybercriminals to access accounts, even if they do manage to obtain passwords.
  • Always be cautious when clicking on links or downloading attachments, especially if they are unexpected or come from an unknown source. Cybercriminals often use these tactics to deliver malware or gain access to your systems. By hovering over links to see where they lead or scanning attachments with antivirus software, you can reduce the risk of falling for these traps.

The psychology of phishing can be complex, but by understanding the tactics that cybercriminals use, we can better protect ourselves and our businesses from these attacks.

By being aware of our innate desire to trust and connect with others as well as principles like reciprocity, authority, social proof, and scarcity, we can be more vigilant and less likely to fall for these scams.

How Bob’s Business can help protect your organisation

Protecting ourselves from phishing attacks is crucial in today’s digital world, and that’s where Bob’s Business comes in.

At Bob’s Business, we understand the importance of cybersecurity and offer unique, engaging online training to empower everyone in your team to identify and respond to phishing attacks, protecting your business from the 90% of breaches that occur due to human error.

Our innovative and award-winning simulated phishing training is the best way to reduce your risk of a team member falling victim to a phishing attack. How? By sending specially tailored phishing emails that utilise the methods laid out above, and directing those that click towards our engaging and effective training.

Take action now to protect your business and your customers from cyber threats. Click here to learn more about Bob’s Phishing and start reducing your risk today with Bob’s Business.

What you need to know about the LastPass incident

Let’s be perfectly honest: nobody likes passwords. It’s the primary reason why the most commonly used passwords are as simple as they come – many of us feel as though we’ve got better things to do than memorise dozens (if not hundreds) of unique and secure passwords.

That’s why 30% of internet users utilise password managers to store their passwords and remove the need for password memorisation.

However, there’s only one constant in cybersecurity: technology can’t save us.

The recent LastPass incident is a prime example of why technologies must be paired with strong cybersecurity foundations. So, join us as we share what happened in the breach, what we can learn, how to create strong passwords and promote cybersecurity awareness training for employees.

What happened in the LastPass data breach?

LastPass is, by far, the most popular password management tool in the world. Commanding more than 21% of the market, its pitch is simple: one secure location for all of your passwords across every device.

However, in August 2022, the company announced that it had suffered a data breach, indicating that it was a minor and contained incident. What has followed has been a slow-moving disaster. Here’s the timeline of events so far:

  • August 23, 2022: LastPass informs customers that they’ve detected “some unusual activity” within the “development environment”. An initial investigation discovered no evidence of an unauthorised party accessing customer data or password vaults. The breach occurred when cybercriminals accessed a compromised developer account and stole sections of the source code.
  • September 15, 2022: LastPass says its security team has detected a cybercriminal inside its development system. This individual had four days’ worth of access, but the company claimed they’d contained the activity. The company again stressed that the development section is separate from the production environment, and therefore no customer accounts were accessed.
  • November 30, 2022: LastPass first admits that customer data was compromised due to the August breach. CEO Karim Toubba said “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. We are working diligently to understand the scope of the incident and identify what specific information has been accessed.”
  • December 22, 2022: Shortly before Christmas, LastPass detailed the breach further, adding that customer data was “significantly compromised” after an unknown threat actor copied a cloud-based backup of the customer vault data. LastPass insists, however, that this data cannot be accessed without “a unique encryption key derived from each user’s master password”.
  • March 1, 2023: LastPass informs customers that they “completed an exhaustive investigation and have not seen any threat actor activity since October 26”. However, they stress that this is an ongoing investigation and remain on a high level of alert.

While LastPass quickly responded to the incident and has maintained regular updates since, resetting the passwords of affected accounts and prompting all users to update their master passwords, it’s an eye-opening incident.

The LastPass breach highlights that even password managers, which are supposed to be the ultimate defence mechanism against password-related cyber attacks, can’t protect your data completely.
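The timeline above rests on one claim: a copied vault backup is useless without a key derived from the user’s master password. The following is an added example of how such a scheme is built, not LastPass’s code, and the page does not state LastPass’s actual parameters. It stretches the master password with PBKDF2-HMAC-SHA256 into an encryption key and a MAC key, encrypts the vault, then authenticates it so a wrong password (or a tampered blob) is rejected outright. The vault entries, iteration count and salt are constructed; the stream cipher is an HMAC counter-mode keystream standing in for AES, because the standard library has no AES, so the shape of the scheme is the point rather than the cipher choice.

```python
"""Master-password vault: PBKDF2 key derivation plus encrypt-then-MAC (added example).

Not LastPass's implementation. ITERATIONS, the sample entries and the keystream
construction are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

ITERATIONS = 600_000  # constructed default; raise it as hardware gets faster


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> tuple:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key.

    The iteration count is what makes each guess at the master password expensive
    for whoever holds a stolen backup.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   iterations, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a real cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, entries: dict, iterations: int = ITERATIONS) -> dict:
    """Encrypt the entries under the master password and attach an authentication tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None when the password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Verify before decrypting: a wrong key yields a wrong MAC key, so the tag fails.
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed sample vault.
    blob = seal_vault("correct horse battery staple", {"bank": "hunter2", "email": "s3cret!"})
    print("right password:", open_vault("correct horse battery staple", blob))
    print("wrong password:", open_vault("password", blob))
```

What the example makes visible is the other half of the story: the ciphertext, salt and iteration count all sit in the stolen blob, so the only secret left is the master password. A short or reused master password, or a low iteration count, is exactly what turns a copied backup from an inconvenience into an exposure, which is why the advice that follows about strong, unique passwords applies to the master password above all.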

What can we learn from the breach?

The LastPass data breach serves as a valuable lesson for individuals and organisations on the importance of taking cybersecurity seriously. Here are some key lessons we can learn from this incident:

Password managers are not invulnerable

Password managers are useful for generating and storing strong passwords but are not immune to attacks. This breach demonstrates that a single compromised password can lead to multiple account breaches. In this case, the compromised developer account meant that the threat actors could gain access to everything they needed.

Therefore, it is essential to implement additional security measures and monitor password manager accounts regularly.

Multi-factor authentication is a must

Multi-factor authentication adds an extra layer of security by requiring users to provide additional information, such as a fingerprint or code sent to their mobile device, in addition to a password. Implementing multi-factor authentication can make it much harder for hackers to gain access to user accounts.

Security awareness training is crucial

Cybersecurity is not just an IT issue; it is a business issue that requires the involvement of all employees. Cybersecurity awareness training for employees can help to prevent human error that can lead to a breach. Educating employees on identifying and preventing cyber attacks can go a long way in improving an organisation’s overall security.

Regularly review and update security policies

Cyber threats are constantly evolving, and organisations need to regularly review and update their security policies to ensure they are up-to-date and effective in mitigating the latest threats.

Why you shouldn’t rely on technology to protect your passwords

The LastPass incident is a prime example of why we should not rely solely on technology to protect our passwords. While password managers are an excellent tool for generating and storing strong passwords, they can also become a single point of failure.

If a hacker gains access to a password manager account, they can potentially access all of the user’s accounts that are stored in the password manager.

Furthermore, no system is entirely secure. A determined and skilled hacker can bypass even the most advanced security measures.

Therefore, it’s important for all of us to equip ourselves with the knowledge of how to create strong passwords and promote cybersecurity awareness training for employees.

How to create a strong password

Creating a strong password is one of the most effective ways to protect your online accounts. Here are some tips on how to create a strong password:

  1. Use a combination of letters, numbers, and symbols: A password with a random combination of these elements is much harder to crack than one with only letters or numbers.
  2. Make it long: The longer the password, the harder it is to crack. Aim for a password that is at least 12 characters long.
  3. Avoid common words and phrases: Hackers use automated tools that can quickly guess common words and phrases. Therefore, avoid using words like “password,” “123456,” or “qwerty.”
  4. Use a unique password for each account: Using the same password for multiple accounts is a huge security risk. If one account is compromised, all other accounts that use the same password are also at risk.
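The four tips above can be applied by a small tool rather than by memory. The following is an added example, not code from the original post: it generates passwords from the operating system’s CSPRNG via Python’s `secrets` module, checks a candidate against the length, character-class and common-word rules, and reports any password that is reused across accounts. The denylist and the sample vault are constructed; a real checker would consult a full breached-password list.

```python
"""Generate, check and audit passwords against the four tips (added example).

COMMON_PASSWORDS and the sample vault are constructed for illustration.
"""
import secrets
import string

# Constructed denylist; real tools use breached-password corpora of many millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "password1"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(pw: str, min_length: int = 12) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"too short: {len(pw)} < {min_length}")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw from the CSPRNG until a candidate satisfies every rule in check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reuse(vault: dict) -> list:
    """Given {account: password}, return groups of accounts that share one password."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    print("problems with 'password':", check_password("password"))
    print("generated:", generate_password())
    # Constructed sample vault with one reused password.
    print("reused across:", find_reuse({"bank": "Tr0ub4dor&3x!", "email": "Tr0ub4dor&3x!", "shop": "x7$Lq9!pWz2#rT"}))
```

Random generation is the honest way to meet tip 1; people asked to invent a “random” mix of letters, numbers and symbols tend to produce predictable patterns, which is why a password manager (tip 2 in the earlier post) should be doing this job.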

How can Bob’s Business help your organisation?

At Bob’s Business, we know that cybersecurity training is essential to protect your organisation. That’s why we offer engaging and tailored online cybersecurity training to empower all team members to recognise and respond to cyber threats, protecting your organisation from the 90% of breaches caused by human error.

Our training is designed to be bite-sized, interactive, and easily integrated into your busy schedule. Additionally, our engaging content ensures that your team stays motivated and focused throughout the training process.

Act now to protect your organisation and customers from cyber threats by exploring our comprehensive range of cybersecurity awareness training products. Click here to start reducing your risk today.

How can GDPR training help protect your company?

It’s been hard to avoid hearing horror stories from those companies which have fallen foul of the EU’s GDPR rulings since their implementation almost five years ago, in May 2018.

Still, for most organisations, the thought of becoming GDPR compliant is daunting – the full text is an incredible 261 pages long, after all. It can lead to organisations simply hoping they’ll never be exposed.

But whilst GDPR might seem slightly confusing at first blush, the regulations are quite easy to grasp, provided you have the right training.

With significant fines a reality, educating your staff on how to deal with and manage data is imperative. As such, it’s important not to gloss over it and to ensure that your staff get all of the knowledge, information, and guidance they might need to operate in a GDPR-compliant manner.

What is GDPR?

GDPR stands for General Data Protection Regulation and is legislation that controls and oversees the collection and processing of personal data.

The sweeping changes were introduced in May 2018 and have made data processing a far stricter area. Indeed, the fines are substantial if an organisation breaks the new rules. The current punishments outlined fall into two administrative tiers, with fines banded in two brackets:

  • Up to €10m (£9m), or 2% of annual global turnover, whichever is greater;
  • Up to €20m (£18.1m), or 4% of annual global turnover, whichever is greater.

With fines as daunting as these, it’s easy to see why so many companies are now ensuring that they handle data very carefully and only use it for the reasons it was given.

Why is GDPR training important?

By now, it should be clear why GDPR training is vital: it only takes one unwitting mistake to end up being slapped with one of the eye-watering, potentially business-crushing fines outlined above. 

Avoiding mistakes begins with training your staff to understand their roles and responsibilities within GDPR. 

What are the benefits of GDPR training?

Avoid penalties and fines

As we’ve already mentioned, one of the most significant benefits of GDPR training is avoiding penalties and fines. By understanding the regulations and guidelines, employees can ensure they comply with the latest GDPR compliance rulings, reducing the risk of breaches and the accompanying financial consequences.

Improve your company’s reputation

Data protection has become a key concern for consumers, and they are more likely to trust companies that take their personal data seriously. By investing in GDPR training, your company can improve its reputation and build customer trust.

Increase staff awareness

By training your staff in GDPR, you increase their awareness of data protection, privacy, and security issues. This will help them identify potential data security risks and threats, which can be mitigated or avoided altogether.

Boost employee confidence

GDPR training can also boost your employees’ confidence in their roles and responsibilities. By providing clear guidance and information, staff will feel empowered to make decisions and take appropriate action, which can increase productivity and overall job satisfaction.

Secure contracts

GDPR compliance is mandatory for all businesses that process personal data, and many contracts demand GDPR compliance from suppliers, so staying up-to-date with the latest guidelines and regulations is essential. Investing in GDPR training ensures your company stays ahead of competitors and complies with the latest data protection legislation.

Protect against cyber threats

Cyber threats and data breaches are becoming increasingly common, and GDPR training can help your staff to identify and respond to these threats effectively. By understanding the importance of data protection and how to prevent cyber attacks, your business can safeguard sensitive information and protect against potential financial losses.

With GDPR training courses from Bob’s Business, your staff can better understand their roles and responsibilities within GDPR – without any confusing jargon getting in the way.

These courses are designed to break down the expectations and responsibilities of your staff whilst improving awareness of GDPR and the personal accountability that comes with it.

Furthermore, Bob’s Business courses also show measurable changes in your company’s culture. The reporting and management aspects of the course are simplified too, so you don’t have to worry about fighting your way through different statistics to show the effectiveness of the course!

Whether you’re in the public or private sector, every business is under pressure when it comes to GDPR.

With huge impacts on both your company’s reputation and resources at stake, it’s never been more important to invest in GDPR training to ensure that the entire workforce understands the basics of the latest GDPR compliance rulings.


Why you need to protect your organisation from smishing attacks

Have you ever received a text message from a bank or a company asking you to verify your personal information or account details?

If you have, you might have been a target of smishing, a type of phishing attack that uses text messages to trick you into divulging sensitive information.

Smishing is a growing threat to businesses, and organisations need to be aware of this type of attack and take steps to protect themselves.

What is smishing?

Smishing is a social engineering attack where an attacker sends a text message that appears to be from a legitimate source, such as a bank or a company, asking the recipient to click on a link or provide personal information.

The link usually leads to a fake website that looks like the real one, and once the victim enters their information, the attacker can use it to steal their identity or commit other types of fraud.

These attacks have grown sharply over the last 12 months, with 2022 seeing a record number of smishing attempts and around half of mobile phone owners worldwide seeing an attack every quarter.

What are smishing simulations?

Smishing is a severe threat to businesses, as it can result in data breaches, financial loss, and damage to reputation.

As a result, many organisations are turning to smishing simulations to test their employees’ awareness of this type of attack and to train them to recognise and respond appropriately to smishing attempts.

Smishing simulations, like phishing simulations, are designed to mimic real-life attacks and are typically conducted using a software platform that sends simulated attacks to employees’ mobile phones.

The messages are designed to look like real smishing messages and contain links that lead to fake websites or ask the recipient to provide personal information.

By conducting smishing simulations, businesses can identify weaknesses in their security systems and train their employees to recognise and respond appropriately to smishing attempts.

For example, employees can be taught to check the sender’s phone number and the full website address before tapping any link or entering any information, and to remember that a genuine bank or IT department will never ask for a password or a one-time code by text.
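The two checks above can be automated for a first-pass triage, for instance by a help desk that receives forwarded texts. The following is an added example, not code from this post or from any training platform; the organisation, its domains, its SMS sender IDs and the sample messages are all constructed for illustration.

```python
"""
Added example, not code from the Bob's Business post: a small triage check
for an incoming text message, applying the two rules above (is the sender
known, and where does the link really go?). The organisation, its domains,
its sender IDs and the sample messages are all constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical organisation: the web domains and SMS sender IDs it really uses.
LEGIT_DOMAINS = {"example-bank.co.uk", "example-bank.com"}
LEGIT_SENDERS = {"EXAMPLEBANK", "+441234567890"}

# Second-level public suffixes handled by registrable_domain (small fixed list;
# a production tool would use the full Public Suffix List).
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>'\"]+", re.IGNORECASE)
URGENCY_WORDS = ("suspended", "verify", "immediately", "within 24 hours",
                 "unusual activity", "reset your")
# Digits commonly substituted for letters in lookalike names (examp1e, g00gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def extract_hosts(text: str) -> list[str]:
    """Return the hostnames of every URL found in the message text."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        if url.lower().startswith("www."):
            url = "http://" + url
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def registrable_domain(host: str) -> str:
    """The part of the host the attacker actually had to register:
    'example-bank.co.uk.secure-login-check.com' -> 'secure-login-check.com'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_brand(host: str) -> bool:
    """True if the organisation's name appears anywhere in the host after
    folding common digit-for-letter substitutions."""
    folded = host.translate(HOMOGLYPHS)
    return any(d.split(".")[0] in folded for d in LEGIT_DOMAINS)


def assess(sender: str, text: str) -> tuple[str, list[str]]:
    """Classify one message as 'ok' or 'suspicious' and list the reasons."""
    reasons = []
    for host in extract_hosts(text):
        if registrable_domain(host) in LEGIT_DOMAINS:
            continue  # the link really lands on the organisation's own domain
        if looks_like_brand(host) or "xn--" in host:
            reasons.append(f"lookalike domain: {host} (really {registrable_domain(host)})")
        else:
            reasons.append(f"link to unknown domain: {host}")
    if sender not in LEGIT_SENDERS:
        reasons.append(f"unrecognised sender: {sender}")
    if any(w in text.lower() for w in URGENCY_WORDS):
        reasons.append("urgency or threat language")
    link_problem = any(r.startswith(("lookalike", "link to")) for r in reasons)
    verdict = "suspicious" if link_problem or len(reasons) >= 2 else "ok"
    return verdict, reasons


# Constructed sample messages (the +44 7700 900xxx range is reserved for fiction).
SAMPLES = [
    ("EXAMPLEBANK", "Your statement is ready at https://www.example-bank.co.uk/statements"),
    ("+447700900123", "Example Bank: unusual activity detected. Verify immediately at "
                      "https://example-bank.co.uk.secure-login-check.com/verify"),
    ("+447700900456", "Hi, it's IT. Please reset your 2FA token within 24 hours at "
                      "http://examp1e-bank.com/2fa"),
]


def triage_all() -> list[tuple[str, str, list[str]]]:
    """Run every sample through assess(); handy for a quick demo."""
    return [(sender, *assess(sender, text)) for sender, text in SAMPLES]


if __name__ == "__main__":
    for sender, verdict, reasons in triage_all():
        print(f"{sender:>15}  {verdict:<10} {'; '.join(reasons) or 'no findings'}")
```

The point of registrable_domain is that what the eye reads first ("example-bank.co.uk") is not what matters; the attacker only had to register the rightmost part, and that is the part to compare against the allowlist. The homoglyph folding is deliberately crude: it catches the common digit swaps, not every Unicode trick, which is why unknown domains are flagged as well rather than only lookalikes.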

Example case: Coinbase attack

Coinbase, a major cryptocurrency exchange, experienced a smishing attack targeting its employees this year. The attackers sent text messages to multiple Coinbase employees, pretending to be from the company’s IT department, requesting that the employees reset their two-factor authentication (2FA) tokens.

The messages included a link leading to a fake website resembling Coinbase’s legitimate 2FA page. When the employees entered their login credentials on the fake website, the attackers could steal their usernames, passwords, and 2FA tokens.

Fortunately, Coinbase quickly identified the attack and took measures to prevent further damage.

The company notified all affected employees and reset their 2FA tokens. Coinbase also launched an internal investigation to determine the scope of the attack and identify any further vulnerabilities in their security systems.

Other steps your organisation can take to protect itself from smishing attacks

In addition to smishing simulations, there are other steps that businesses can take to protect themselves from smishing attacks. These include:

  • Implementing multi-factor authentication (MFA): MFA adds an extra layer of security by requiring a second form of authentication, such as a fingerprint or a code sent to the phone, in addition to the password. Note, however, that a one-time code typed into a fake page can be relayed to the real site within its validity window, which is exactly what the attackers in the Coinbase case were after. Where possible, use phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine website and cannot be replayed from a lookalike page.
  • Use mobile security and web-filtering software: These can detect known malicious links and block them before the page loads, although they will not catch every newly registered lookalike domain, so they complement rather than replace staff awareness.
  • Educating employees: It’s important to educate employees about the risks of smishing and to provide them with training on recognising and responding appropriately to smishing attempts, including a simple rule that no IT, HR or finance request arriving by text is acted on until it has been confirmed through a known channel.
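
The difference between a one-time code and a phishing-resistant credential is easiest to see in code. The block below is an added example, not code from this post and not anything from Coinbase’s systems. Part 1 implements TOTP as specified in RFC 6238 and shows that a code entered on a fake page still works when the attacker forwards it. Part 2 is a deliberately simplified stand-in for an origin-bound credential such as FIDO2/WebAuthn (it uses a shared HMAC key rather than a real public-key signature) to show why the same relay fails. All secrets, origins and clock values are constructed.

```python
"""
Added example, not code from the Bob's Business post and not Coinbase's
systems: a model of the two authentication designs discussed above. Part 1
implements TOTP exactly as in RFC 6238 and shows that a code typed into a
fake page still works when the attacker forwards it. Part 2 is a deliberately
simplified stand-in for an origin-bound credential such as FIDO2/WebAuthn
(a shared HMAC key is used instead of a real public-key signature) to show
why the same relay fails there. Secrets, origins and clock values are
constructed for illustration.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


# --- Part 1: one-time codes (TOTP, RFC 6238; HOTP core from RFC 4226) ---------
def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the 30-second step containing unix_time (HMAC-SHA1, 6 digits)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The genuine site's check: current step plus one step either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP_SECONDS), submitted)
               for d in (-1, 0, 1))


def relay_totp_attack(secret: bytes, clock: int) -> bool:
    """Victim types the code from their authenticator app into the fake page;
    the attacker submits the same code to the real site a few seconds later."""
    code_typed_on_fake_page = totp(secret, clock)
    return server_accepts_totp(secret, code_typed_on_fake_page, clock + 5)


# --- Part 2: origin-bound challenge (simplified model of WebAuthn) -------------
def sign_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Authenticator side: the browser, not the user, supplies the origin, and it is
    mixed into what gets signed, so a login started on a fake page is stamped with
    the fake page's origin."""
    return hmac.new(device_key, challenge + b"|" + browser_origin.encode(),
                    hashlib.sha256).digest()


def server_verifies_assertion(device_key: bytes, challenge: bytes,
                              assertion: bytes, expected_origin: str) -> bool:
    """Genuine site's check: recompute over the challenge it issued and its own origin."""
    expected = hmac.new(device_key, challenge + b"|" + expected_origin.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relay_origin_bound_attack(device_key: bytes) -> bool:
    """Same relay as in Part 1, against the origin-bound design."""
    real_origin = "https://login.example.com"                     # constructed
    fake_origin = "https://login.example.com.account-check.net"   # constructed lookalike
    challenge = b"constructed-challenge-000001"   # issued by the real site, relayed by attacker
    assertion = sign_assertion(device_key, challenge, fake_origin)   # victim is on the fake page
    return server_verifies_assertion(device_key, challenge, assertion, real_origin)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"       # RFC 6238 test-vector secret
    print("TOTP relay accepted by real site:", relay_totp_attack(otp_secret, 1_700_000_000))
    print("Origin-bound relay accepted:     ", relay_origin_bound_attack(b"constructed-device-key"))
```

Nothing in Part 1 is broken: the code is correct and the server’s drift tolerance is standard. The weakness is that the code carries no information about where it was typed, so the real site cannot tell a relayed code from a genuine one. In Part 2 the origin is supplied by the browser and mixed into the signed data, so an assertion produced on the lookalike page is only ever valid for the lookalike page. Real WebAuthn achieves this with a per-site key pair and the origin inside the signed client data; the shared-key HMAC here is only to keep the example short.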

In conclusion, smishing is a growing threat to businesses, and organisations need to take steps to protect themselves from this type of attack.

Smishing simulations are an effective way to train employees to recognise and respond appropriately to smishing attempts.

By conducting regular smishing simulations, businesses can identify weaknesses in their security systems and train their employees to be more cautious when receiving text messages that ask for personal information.

Remember, it only takes one employee to fall for a smishing attack for an entire organisation to be compromised.

How Bob’s Business can help your organisation

At Bob’s Business, we understand the importance of cybersecurity for all industries, including protecting against smishing attacks.

That’s why we offer unique and engaging online cybersecurity training designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Our training is bite-sized, interactive, and easily fits your busy schedule. Plus, it’s engaging, ensuring your team stays motivated and focused throughout the process.

Take action now to protect your business and your customers from cyber threats. Click here to discover our range of cybersecurity awareness training products and start reducing your risk today.

This month in data breaches: February edition

Data breaches are an ever-present threat to organisations. Despite advances in cybersecurity measures, the number of reported data breaches continues to rise yearly.

So far, 2023 has continued the pattern. As the calendar flipped to February, several data breaches were reported, including those affecting the NHS, Reddit, Arnold Clark, and Pepsi.

Let’s take a closer look at these data breaches and highlight how human error may have contributed to each incident.

NHS

Last month, news broke that thousands of NHS patients had their personal data leaked in a data breach.

The breach was caused by a phishing attack where an attacker accessed an employee’s email account containing confidential patient information.

The data stolen included patient names, addresses, phone numbers, medical information, as well as diagnoses and treatment details. The attacker then used this information to launch a spear-phishing attack on other NHS employees.

The NHS has confirmed that the breach affected thousands of patients and says it is taking steps to prevent further attacks.

This breach highlights the need for strong cybersecurity measures, including training for contractors and employees working with sensitive data. It also highlights the importance of regularly reviewing security policies and procedures to minimise the risk of such errors.

Reddit

In another incident, social media giant Reddit suffered a data breach in February 2023 that exposed users’ personal data, including email addresses and passwords.

The breach originated with a third-party vendor that had access to Reddit’s systems: the attacker gained access to the vendor’s environment using a compromised login.

Reddit quickly detected the breach and immediately reset affected users’ passwords and notified them of the breach.

As with many breaches, the Reddit breach shows just how dangerous a compromised login can be. Alongside maintaining strong vendor management practices and conducting regular security audits, all employees should be trained to build strong, unique passwords for every account.

Arnold Clark

Last month, Arnold Clark, the UK’s largest car dealership, suffered a data breach that exposed customer data.

The cause was a misconfigured server: a database was left exposed online without adequate access controls, allowing unauthorised access to the records of over 2 million customers, including names, addresses and vehicle registration details.

It was discovered by a security researcher who notified Arnold Clark of the vulnerability. Arnold Clark immediately secured the database and notified affected customers.

No financial information was exposed, but the incident shows the importance of properly securing and monitoring databases. Curious to know more? Read our latest blog about cybersecurity risks in the automotive sector!

Pepsi

In another incident reported in February 2023, Pepsi Bottling Ventures (PBV), which bottles and distributes Pepsi products, suffered a data breach that exposed employee information.

The breach was caused by a malware attack that targeted PBV’s payroll systems. The attacker gained access to employee data, including names, social security numbers, and payroll information.

PBV quickly detected the breach and took immediate action to prevent further damage. This highlights the importance of maintaining up-to-date malware protection and monitoring payroll systems for unusual activity.

What can you learn from these breaches?

The four data breaches reported in February 2023 highlight the ongoing importance of maintaining robust security practices in the face of persistent cyber threats.

Organisations must take steps to prevent data breaches by implementing effective security measures, regularly conducting security audits, and training employees to detect and avoid potential attacks.

As technology continues to evolve, the threat of data breaches will continue to grow, making it essential for organisations to remain vigilant and proactive in protecting their sensitive data.

How Bob’s Business can help protect your organisation

With the increasing frequency and sophistication of cyber threats, it’s essential to have proper training and awareness around cybersecurity for all employees in an organisation.

Bob’s Business is an award-winning training provider that offers engaging and interactive e-learning modules, helping organisations of all sizes educate and train their employees on cybersecurity best practices. Get in touch today to find out more about how we can help protect your organisation from the devastating impact of a data breach.

Free Guide: The Ultimate Guide to Cybersecurity Onboarding

Are you ready to revolutionise your company’s onboarding process and instil a culture of cybersecurity from day one? Look no further than our free guide, “The Ultimate Guide to Cybersecurity Onboarding.”

Designed specifically for companies welcoming new staff, this comprehensive resource outlines the importance of cultivating positive cybersecurity behaviours early on and provides invaluable strategies for achieving that.

In today’s digital landscape, where threats lurk around every corner, instilling a security-conscious mindset is crucial. By incorporating cybersecurity principles into your onboarding program, you lay a solid foundation for your employees to navigate the intricate world of digital security confidently.

In this free guide, you’ll learn:

  • Why cybersecurity is an onboarding essential
  • How to embed cybersecurity in your onboarding
  • Ten ‘quick cybersecurity wins’ for your new team member
  • … and more!


Free Guide: Remarkable Realities: Cybersecurity Edition

Think cybersecurity is dull? Think again!

Join us as we dive into some of the weird, wonderful and amazing facts from across the world of cybersecurity. We’ll share some of the barely believable realities surrounding us and show you (and your team!) how they relate to your personal and organisational cybersecurity.

In this free guide, you’ll learn:

  • How a fish tank hacked a casino
  • Why millennials are the most likely to fall victim to an attack
  • The history of the first-ever virus
  • … and more!


What are the cyber risks in the automotive industry?

The automotive industry is, at once, both at the forefront of technological innovation and wedded to old ways of working.

There has been a tremendous transformation over recent years, with rapid advancements in technology bringing about connected cars, electric vehicles, and autonomous driving.

However, as an industry, many classic ways of working are still in place – leaving the sector particularly vulnerable to cyber-attacks.

As such, one of the biggest risks facing the automotive industry today is cybersecurity.

Cybercriminals are increasingly targeting the industry, taking advantage of the high staff turnover, large amounts of data collected, and high-value assets.

In this blog, we will explore the cyber risks in the automotive industry, why the sector needs a solid cybersecurity programme, and how your automotive organisation can protect itself.

Let’s dive in.

Why is the automotive industry so at risk?

Collection of sensitive data

As previously mentioned, the automotive industry collects significant sensitive data from its customers, including personal and financial information. This makes it an attractive target for cybercriminals who seek to steal and sell this information on the dark web or use it for identity theft.

For example, car manufacturers collect customer data such as name, address, phone number, credit card details, and personal health information. Dealerships, leasing companies, and rental firms collect driver’s licence information, insurance data, and credit card details – in many cases, these are maintained in databases with shared passwords.

Additionally, cars have become more connected, with many new vehicles equipped with advanced infotainment systems, GPS trackers, and other technology vulnerable to cyberattacks. Such valuable data is a highly attractive target if not properly protected at every level.

Rapidly evolving technology

The automotive industry is constantly evolving, with new technologies being introduced regularly. However, this can also make it difficult for organisations to keep up with the latest security measures and stay protected against new cyber threats.

Connected vehicles

The automotive industry deals with high-value assets such as cars, which can be targeted by cybercriminals seeking to steal or damage them. In addition, connected cars with advanced technology can be remotely hacked, potentially risking lives.

High staff turnover

The automotive industry – particularly customer-facing roles, such as those in dealerships – often experiences high staff turnover, leaving organisations vulnerable to cyber attacks due to lost knowledge and experience.

Additionally, when a leaver’s accounts are not disabled promptly, company devices are not recovered, and shared passwords the person knew are not changed, cybercriminals (or the former employee) have an easy route to sensitive data or systems.

Why does the automotive sector need a cybersecurity programme in place?

As we’ve established, it’s clear that the automotive industry is a high-risk sector for cyber attacks, given the sensitive data it collects, the rapidly evolving technology it uses, the high-value assets it deals with, and the high staff turnover rates it experiences.

Therefore, every automotive sector organisation needs a robust cybersecurity programme in place to protect itself from these threats. Here are some reasons why:

  • Protection of sensitive data: A cybersecurity programme can help protect sensitive data such as customer information and financial records. Organisations can prevent unauthorised access, theft, or misuse of sensitive data by implementing proper security measures such as firewalls, encryption, and access controls.
  • Minimisation of cyber attacks: A cybersecurity programme can help detect and mitigate cyber attacks, minimising the impact of a potential breach. Organisations can identify and address vulnerabilities in their systems by conducting regular vulnerability assessments and penetration testing, before attackers can exploit them.
  • Compliance with regulations: The automotive industry is subject to various data privacy and security regulations, such as the General Data Protection Regulation (GDPR); a cybersecurity programme can help organisations comply with these regulations, avoiding costly fines and legal penalties.
  • Protection of reputation: A cyber attack can damage an organisation’s reputation, erode customer trust, and lead to a loss of business. By implementing a cybersecurity programme, organisations can demonstrate their commitment to protecting customer data and maintaining a secure online presence, enhancing their reputation in the market.
  • Prevention of financial loss: Cyber attacks can lead to financial losses for organisations, including the cost of investigating and remediating the attack, legal fees, and compensation for affected customers. A cybersecurity programme can help prevent these losses by reducing the risk of a successful attack and minimising the damage in case of a breach, and the controls it puts in place are increasingly a condition of obtaining cyber insurance cover.

The Arnold Clark data breach

UK car dealership Arnold Clark suffered a data breach in December 2022, which led to the company bringing its systems offline, including dealerships and third-party connections. The company has confirmed that specific customer details had been compromised in the breach, including names, contact details, dates of birth, vehicle details, ID documents, National Insurance numbers, and bank account details.

The incident highlighted the importance of protecting customer data in the automotive industry, which collects sensitive, personally identifiable information that threat actors target.

Companies in the automotive industry must implement suitable methods to guard sensitive data, such as data-centric security like format-preserving encryption.

Small or medium-sized organisations are just as vulnerable to large-scale attacks on their data. A smart, data-centric security strategy is critical to mitigating the devastating consequences of such attacks.

Arnold Clark has warned its customers of potential phishing attacks as it continues investigating the breach.

This attack against Arnold Clark is not the first one targeting the automotive industry. General Motors suffered a credential-stuffing attack in May 2022, and Holdcroft Motor Group was presented with a ransom demand after hackers stole two years’ worth of data.

How can your automotive organisation protect itself?

There are several steps your automotive organisation can take to protect itself from cyber risks:

  • Prioritise cybersecurity training for all employees: From top-level executives to entry-level staff, ensure that they understand the importance of cybersecurity and their role in protecting the organisation. Cybersecurity awareness training should include awareness of common cyber threats, such as phishing attacks and malware, and best practices for password management, data protection, and incident response.
  • Implement a strong password policy: A strong password policy can help prevent unauthorised access to sensitive information. Passwords should be long, unique to each account and kept in a password manager; require a change when there is reason to believe a password has been compromised rather than on a fixed schedule, since forced regular rotation encourages predictable variations and is no longer recommended by the NCSC. Read our blog on creating strong passwords here.
  • Use multi-factor authentication (MFA): MFA provides an additional layer of security by requiring users to provide two or more forms of authentication, such as a password and a fingerprint or facial recognition scan. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys for staff with access to customer data, since SMS and app-generated codes can be captured by the same phishing pages used to steal passwords.
  • Limit access to sensitive information: Access to sensitive information should be limited to only those who require it to perform their job functions. This can help prevent accidental or intentional data breaches.
  • Regularly update software: Apply security patches promptly across servers, workstations and dealership systems so that attackers cannot exploit vulnerabilities that are already public and being scanned for.
  • Implement data encryption: Data encryption can help protect sensitive information from unauthorised access.
  • Have a cybersecurity incident response plan: A cybersecurity incident response plan should be in place in case of a cyber attack. This can help mitigate the damage and minimise downtime.

How can Bob’s Business help your automotive organisation reduce its cyber risk?

At Bob’s Business, we understand the importance of cybersecurity for all industries, including the automotive sector.

That’s why we offer unique and engaging online cybersecurity training designed to empower everyone in your team to identify and respond to cyber threats, protecting your business from the 90% of breaches that occur due to human error.

Our training is bite-sized, interactive, and easily fits your busy schedule. Plus, it’s engaging, ensuring your team stays motivated and focused throughout the process.

With over 14 years of experience deploying cybersecurity training and policy compliance solutions across various automotive sector organisations, including Motability, FixAuto and SMH Fleets, Bob’s Business is uniquely positioned to help you stop cyber attacks.

Take action now to protect your business and your customers from cyber threats. Click here to discover our range of cybersecurity awareness training products and start reducing your risk today.