When it comes to protecting business data, mistakes happen – we’re only human! But the risk of human error is vastly increased when we lack a foundational understanding of cybersecurity. In the 10-question quiz below, we invite employees to test their basic knowledge of cybersecurity.
The results and article below provide a learning resource for staff and managers alike to discover more about online protection. We recommend that you bookmark this page and work through the information at your own pace.
Take the cybersecurity quiz
Business cybersecurity: What you need to know
Every staff member, every shared file, and every device poses a potential risk to your company. Business leaders who are not making cyber protection a top priority are increasing their chances of falling victim to a malicious attack, or losing data due to poor management.
So, what do managers and employees need to know about cybersecurity?
While the quiz above asks some basic questions about cybersecurity, there is plenty more to know and learn. Below, we explain some of the common attacks faced by businesses as well as the challenges business leaders must overcome when securing their digital assets.
Common types of attack
As cybersecurity solutions evolve, so too do the type of attacks threatening businesses. Knowing what the most common attacks are and how they work can help you to stay vigilant and embed data protection into company policy and culture.
Here are four common attacks on businesses:
Malware, or malicious software, gets access to your device without your knowledge to cause general mayhem: giving bad actors access to your files, using your device as a base to spread viruses across a network, generating revenue for the developer, stealing login details, and so on.
There are many types of malware, and we expect that even businesses with limited security knowledge will have heard of one of the most well-known: ransomware.
Ransomware is a type of malware that, once it has reached your files, encrypts them so that you can no longer open them. The cybercriminal then demands a ransom in exchange for the key that unlocks your data (and payment is no guarantee that the key will actually be delivered, or that the attacker has not also copied the data). Because the attacker's leverage is your loss of access, the most reliable defence is a regularly tested backup kept offline or otherwise out of reach of the malware.
Malware can enter your system in many ways, including through email or via a shared connection with a device that’s already infected. A Trojan is – as you may expect if you know the classic tale of subterfuge from Ancient Greece – malware disguised as legitimate software. You may think you are downloading a harmless app to your computer or mobile, while in fact, you are allowing a virus to access your device.
Most of the time, you won't notice malware until it has already done its damage; a device that is slower than usual or storage that fills up unexpectedly can be a symptom, but many infections show no symptoms at all. This is why anti-malware is an important part of business security: it can block known malicious software before it runs and flag suspicious behaviour early. No product catches everything, though, so keeping software patched and restricting what users can install matter just as much.
Learn more about the different types of malware, from spyware to botnets, in our guide.
Email attacks used to be fairly easy to spot: an email with poorly written language and an over-dramatic sense of urgency asking you to click a strange-looking link or send some money. They are now far more sophisticated, and phishing in particular is routinely used to steal information such as login credentials and credit card details.
Phishing emails, or phish, are sometimes referred to as spam, but they are not the same. Spam simply means unwanted email, or junk mail, and most well-known email providers are good at filtering out what they think you won't be interested in. Phishing emails, on the other hand, are messages crafted to look as if they come from a legitimate, trusted source, such as a bank or charity, in order to trick you into handing over credentials or payment details, or opening a malicious link or attachment.
Spearphishing is even sneakier. Attackers spend time researching a company or individual, identifying who they should imitate and who they should target for the best chance of success. For example, they might set up a lookalike email account in the CEO's name and ask an assistant to send bank login details or pay an urgent invoice. While phishing emails are sent en masse, spearphishing is highly targeted, which is why it pays to check who a message really came from: the actual sender address and domain, not just the display name.
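As an added example that is not part of the original article, the check below applies the three spearphishing tells described above to a message's From and Reply-To headers: an executive's display name on an address that is not theirs, a sender domain one or two characters away from the company's real domain, and a Reply-To that quietly redirects replies elsewhere. The company domain, the executive list and the sample headers are all constructed for this example.

```python
"""Flag spearphishing indicators in a message's From/Reply-To headers."""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Hypothetical company settings, assumed for this example only.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real address


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return warning strings for one message; an empty list means no flags."""
    warnings: List[str] = []
    name, addr = parseaddr(from_header)
    domain = _domain(addr)
    name_key = name.strip().lower()

    # 1. A known executive's name on an address that is not their real one.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        warnings.append(f"display name '{name}' does not match known address "
                        f"{EXECUTIVES[name_key]}")

    # 2. Sender domain a character or two away from the company's own domain.
    if domain and domain not in COMPANY_DOMAINS:
        for legit in COMPANY_DOMAINS:
            if 0 < levenshtein(domain, legit) <= 2:
                warnings.append(f"lookalike domain {domain} (resembles {legit})")

    # 3. Reply-To that silently routes replies to a different domain.
    if reply_to:
        r_domain = _domain(parseaddr(reply_to)[1])
        if r_domain and r_domain != domain:
            warnings.append(f"Reply-To domain {r_domain} differs from From domain {domain}")
    return warnings


# Constructed sample headers; none of these are real messages or senders.
SAMPLES: Dict[str, Tuple[str, Optional[str]]] = {
    "legit": ("Jane Doe <jane.doe@example.com>", None),
    "ceo_impersonation": ("Jane Doe <jane.doe@webmail-free.net>", None),
    "lookalike": ("IT Support <helpdesk@examp1e.com>", None),
    "reply_to_swap": ("Accounts <ap@example.com>", "Accounts <ap@example-invoices.co>"),
}


def scan_samples() -> Dict[str, List[str]]:
    return {label: assess_sender(frm, rt) for label, (frm, rt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, flags in scan_samples().items():
        print(f"{label}: {flags or 'ok'}")
```

A mail gateway would run the same checks on every inbound message and either tag the subject or quarantine it; the point for staff is that the display name is the one part of a message the attacker controls completely, so it is never enough on its own.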
Read our in-depth guide on types of phishing attacks and how to spot them.
The average employee may have heard the terms 'malware' or 'phishing', even if they don't know what they mean. But we're betting that not so many will have heard of SQL injection.
SQL, or 'Structured Query Language', is the language used to read and update databases. For example, if you want to find the local branch of a retailer, you might visit their website and type a location into a search box. The web application turns that search into an SQL query, runs it against the database on the web server, and returns the matching results.
In an SQL injection attack, the attacker takes advantage of a website whose code pastes user input straight into its SQL query text. By typing specially crafted input into the search box or a login form, a fragment of SQL rather than a plain city name, they make the database run their own SQL as part of the application's query. That lets them read, change or delete data they were never meant to reach and, in some configurations, run commands on the server itself. The standard fix is never to build queries by joining strings together and instead to use parameterized queries (prepared statements), so that user input is always treated as data and never as part of the query.
If you save logins, email addresses or any kind of personally identifiable data that’s accessible by your website, your customers and your business could be at risk. And if you enable any kind of transactions on your website, this could be extremely damaging.
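As an added example that is not from the original article, the following Python script builds the store-locator scenario described above in an in-memory SQLite database, then runs the same search two ways: a function that pastes the user's input into the query text, and one that binds it as a parameter. Two crafted inputs are tried against each; the table, rows and payloads are constructed for this example.

```python
"""SQL injection: a string-built query beside its parameterized fix (sqlite3)."""
import sqlite3
from typing import Dict, List, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory store-locator table filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE branches (city TEXT, address TEXT, manager_phone TEXT)")
    conn.executemany(
        "INSERT INTO branches VALUES (?, ?, ?)",
        [("Leeds", "1 High St", "0113-000-0001"),
         ("York", "2 Low St", "01904-000-0002"),
         ("Hull", "3 Dock Rd", "01482-000-0003")],
    )
    return conn


def find_branch_vulnerable(conn: sqlite3.Connection, city: str) -> List[Tuple]:
    """The bug: the user's input is pasted straight into the SQL text."""
    sql = f"SELECT city, address FROM branches WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def find_branch_safe(conn: sqlite3.Connection, city: str) -> List[Tuple]:
    """The fix: the value is bound as a parameter, so it can never become SQL syntax."""
    return conn.execute(
        "SELECT city, address FROM branches WHERE city = ?", (city,)
    ).fetchall()


# Two crafted "city" values. The first closes the quote and adds an always-true
# condition; the second bolts on a UNION to read a column the search never exposes.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT manager_phone, city FROM branches --"


def demo() -> Dict[str, List[Tuple]]:
    conn = build_db()
    return {
        "normal": find_branch_vulnerable(conn, "Leeds"),
        "tautology": find_branch_vulnerable(conn, TAUTOLOGY),
        "union_dump": find_branch_vulnerable(conn, UNION_DUMP),
        "safe_tautology": find_branch_safe(conn, TAUTOLOGY),
        "safe_union_dump": find_branch_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the vulnerable function the tautology returns every branch and the UNION payload returns the managers' phone numbers, a column the search was never meant to show. With the parameterized version both payloads are looked up literally as city names and return nothing. The same principle applies to any database and language: the query text is fixed by the developer, the values arrive separately.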
Read how your business should be securing its web servers and why.
Any action that you take on your device is a request that must be fulfilled; for example 'send this email', 'close this application', or 'open this link'. If you've ever had too many tabs open in your browser, you'll know how multiple requests slow down your device, and how frustrating that is when you're trying to meet a deadline or complete a report. This unresponsive state is what a denial of service (DoS) attack is trying to achieve, but on a bigger scale and against a server that other people depend on.
A basic DoS attack comes from a single source: a machine controlled by the attacker sends request after request to a target, typically a web server, until it can no longer respond to legitimate users. Because everything comes from one address, the target can usually recover by blocking or rate-limiting that address at the firewall until the flood stops.
DDoS, or Distributed Denial of Service, is a more advanced version that uses many compromised devices, rather than just one, to conduct the assault.
This is where malware comes in: once it infects a device it can spread to other computers and enrol each of them into a network the attacker controls. This network of infected devices is called a botnet, and it lets the perpetrator overwhelm a system with requests from thousands of points at once. So unlike a simple DoS, blocking a single source is no use; each bot may send only a modest amount of traffic, and the attack simply continues from the others. Defending against DDoS therefore depends on filtering and capacity upstream of your own servers, which is why many businesses rely on their hosting provider or a dedicated DDoS mitigation service.
DDoS attacks are most often aimed at enterprises, public authorities and financial institutions, but any business whose income depends on a website being reachable can be a target.
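As an added example, not part of the original article, the simulation below makes the DoS versus DDoS distinction above concrete. It implements the simplest per-source defence, a cap on how many requests one IP address may send in a time window, and runs two constructed traffic windows through it: the same 5,000 attack requests sent from one address, and spread across 250 bot addresses. The per-source limit, the server's capacity and all addresses are assumptions chosen for the example.

```python
"""Why blocking one source stops a DoS but not a DDoS: a per-source rate limiter."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Assumed numbers for this example: what one IP may send per window, and what
# the server can actually handle per window.
PER_SOURCE_LIMIT = 100
SERVER_CAPACITY = 1000


def filter_window(requests: List[str],
                  per_source_limit: int = PER_SOURCE_LIMIT) -> Tuple[List[str], Set[str]]:
    """Drop every further request from an IP once it exceeds the per-source limit.
    Returns (requests that reached the server, IPs that were blocked)."""
    seen: Counter = Counter()
    served: List[str] = []
    blocked: Set[str] = set()
    for src in requests:
        seen[src] += 1
        if seen[src] > per_source_limit:
            blocked.add(src)
            continue
        served.append(src)
    return served, blocked


def run_window(requests: List[str]) -> Dict[str, object]:
    """Apply the limiter and report whether what got through still overloads the server."""
    served, blocked = filter_window(requests)
    return {
        "served": len(served),
        "blocked": blocked,
        "overloaded": len(served) > SERVER_CAPACITY,
    }


def simulate() -> Dict[str, Dict[str, object]]:
    # Constructed traffic: 50 ordinary users sending 10 requests each (500 total).
    legit = [f"10.0.0.{i}" for i in range(1, 51)] * 10
    # DoS: one attacker address (documentation range) sends 5,000 requests on its own.
    dos = legit + ["203.0.113.9"] * 5000
    # DDoS: the same 5,000 requests spread over 250 bots, 20 each, all under the limit.
    ddos = legit + [f"198.51.100.{i}" for i in range(250)] * 20
    return {"dos": run_window(dos), "ddos": run_window(ddos)}


if __name__ == "__main__":
    for scenario, result in simulate().items():
        print(scenario, result)
```

In the DoS window the limiter blocks the single attacker and the server sees 600 requests, well within capacity. In the DDoS window no bot ever crosses the per-source limit, nothing is blocked, and 5,500 requests reach a server that can handle 1,000. That is why per-address blocking is the right tool for one noisy source and the wrong tool for a botnet.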
You can learn more about the current threat of DDoS attacks here.
What are the common challenges facing businesses?
There are many issues that businesses must tackle to ensure the advanced protection of their digital assets. While business leaders must understand these to draft policies and implement security measures, all staff should have a basic knowledge of why these issues are important.
Below are some of the main considerations for businesses, and what staff need to know about them.
The cloud has undoubtedly revolutionized workplace practices and supported the digital transformation for many businesses. Benefits include being able to access files online anywhere and anytime, enabling remote collaboration, and providing an easily scalable solution for growing businesses.
Cloud computing can be riskier than traditional computing because data is reachable from anywhere, by more users and more devices, so a single stolen password or over-shared folder can expose it. That opens up potential access points for cybercriminals, and it can also make data compliance harder to achieve.
Many security controls, such as patching, backups, access logging and multi-factor authentication, come built into cloud platforms, which is why SMBs can benefit from moving off traditional servers. However, the provider secures the platform while the customer remains responsible for who has access and how data is shared, so employees should understand the risks involved in seemingly simple actions such as sharing a file with new users or moving data between folders.
Read our article on data security issues in cloud computing.
Caution and common sense can only go so far when it comes to cybersecurity. It doesn't matter how careful you are about avoiding unsafe websites or blocking emails from unrecognized contacts: cybercriminals are clever and use multiple methods of attack to exploit your business, and human error is inevitable. As such, businesses must install antivirus software from a trusted supplier like Avast Business.
A reputable and effective antivirus solution will include features such as:
- a secure email gateway to block suspicious email traffic
- an advanced firewall to filter out untrusted network connections
- a data shredder to safely and permanently delete sensitive files
- a software update program to tackle vulnerabilities in applications.
This list is not exhaustive but gives you a flavor of what you should expect from your company’s cybersecurity solution. Importantly, free antivirus software and software designed for personal use should not be used in a business setting.
Learn more about why antivirus is essential for businesses.
A business's data is one of the most valuable assets it has. Nowadays, files are almost entirely managed online, and just as a business wouldn't leave the door to its physical file archive unlocked, so too must digital data be protected.
Data encryption is like locking a filing cabinet: a key is used to lock, or encrypt, the data, and only someone holding the right key can open it. With symmetric encryption that is the same key at both ends; with public-key encryption the sender locks with the recipient's public key and only the recipient's private key can unlock. Without the key, the data is unreadable. This matters for data in transit, that is, being sent or shared via email or moved to or within cloud-based storage, because it passes through networks the business does not control. It matters just as much for data at rest on laptops and phones, which are easily lost or stolen, so full-disk encryption on every device should be standard.
Discover how data in transit encryption works.
In cybersecurity, the term ‘attack surface’ refers to all the potential points of data breach and attack. The bigger a company's attack surface is, the harder it is to manage. For example, if a business has two employees, each with a laptop and a work mobile, and access to a single shared folder on a single server, then the attack surface is fairly small. Managers know who has access to which devices, and which data. However, if a business has hundreds, or even thousands of employees, with multiple servers, the attack surface is vast.
Endpoint protection works by securing each device and preventing attacks from spreading from a single point to the rest of the network. Modern endpoint protection solutions often combine antivirus with other tools that offer extra layers of security around sensitive files and programs, such as patch management, for a comprehensive solution.
As an employee, you should have access to a company policy on cybersecurity that explains what measures are in place, who is responsible for data protection, and what to do if an attack happens. This document helps to ensure a multi-layered approach, from password management to antivirus software, and sets out expectations of employees.
Data protection and compliance should be covered within the policy. There are various regulations around data handling and storage, that are usually specific to a region and/or industry. All employees have a duty to work to these standards.
Check out our cyber protection policy template.
We asked 2,000 employees from a range of industries in the US and UK to answer questions about cybersecurity. The results highlight the importance of putting your cybersecurity knowledge into context, for example, what are the specific challenges facing your industry?
Here are three examples of our findings:
1. Non-profit and social services
Our respondents, who were all office-based employees, voted on the top three most important aspects of cybersecurity: installing antivirus/anti-malware, installing firewalls, and using strong passwords. However, when breaking this down by industry, we can see that non-profit and social services chose a different top three: installing antivirus/anti-malware, training for staff, and using strong passwords.
None of these options are more or less important – they should all be part of a unified strategy – but it’s interesting to see differing perceptions. In this case, non-profits might place more emphasis on training due to smaller teams and tighter budgets meaning each staff member has broader responsibilities than in other industries.
2. Government and public sector
We discovered that people working in government and the public sector are more reliant on their IT department than employees in other industries. Governments will have huge teams dedicated to IT and online protection due to the sensitivity of the data being handled.
Also, 45% of the government and public workers we quizzed think that they would be held responsible for a data breach, more than in other industries. Together, these results suggest that government and public sector workers are more nervous about personal liability, and prefer to look to IT professionals to manage cybersecurity.
While IT professionals will have a much more in-depth knowledge of cybersecurity, awareness is important for all staff – each employee is part of the company’s defense against attacks and data breaches.
3. Manufacturing, shipping, and distribution
People working in manufacturing, shipping, and distribution are three times more likely than those in non-profit and social services to believe they can spot a cyberattack. They are also less likely than other industries to know that attacks can go undetected for long periods.
These findings show a particular need for staff in these industries to have better awareness of how cyberattacks work. If employees think they will know when a breach happens, there is a risk of complacency – a massive challenge in cybersecurity. While there are ways to spot an attack, such as a slow computer or unexplainably low storage, cybercrime is constantly evolving and cybercriminals are finding new ways to slip through defenses unnoticed.
Knowing this fact should make staff working within manufacturing, shipping, and distribution more aware of the benefits of multi-layered protection, from strong passwords to updating software.
Advanced business protection
If you’re a small business owner or an IT professional working in a large business, Avast Business can help you achieve peace of mind when it comes to securing your company’s digital assets. With 100% cloud-based layered endpoint protection and network security that’s easy to deploy and manage, our software provides the ideal solution for the modern workplace.