Bring your own device (BYOD)/Unsecured personal devices

The combination of remote working, and the increased need for online communication and file sharing, has seen the lines between business and personal devices become increasingly blurred. A common solution is to implement a Bring Your Own Device (BYOD) policy, which allows the use of personal devices, as long as they have sufficient security software and employees follow company policies around passwords and physical security.

BYOD unfortunately creates significant risks and usually does not comply with best practices, e.g., connecting to unsecured Wi-Fi or failing to install security patches, which can create vulnerabilities ripe for exploitation. These vulnerabilities may also create risks to your personal cybersecurity, as well as your workplace or business.

Staff (phishing/social engineering)

Regardless of where your staff is working from, human error remains a common cause of data breaches. For this reason, employees are one of the most targeted points of entry for an attack. The approach may come in the form of phishing or social engineering to trick users into clicking on a malicious link or sharing sensitive information.

The biggest danger here is that the individual will likely be unaware that they have been manipulated, giving the ransomware or other malware time to spread across the network.

Employees should be trained on identifying suspicious activity and how to report it quickly. Furthermore, they should only use devices that have business antivirus and anti-malware installed to scan for and prevent unauthorized app installations and other threats, to catch issues that may otherwise fall through the cracks.

Websites

Hackers see websites as a data-rich route into a business network. Once a target company’s website has been hacked, malware can be deployed, or data can be stolen and used for social engineering. While large sites are usually high-profile targets, smaller companies should not assume that their data isn’t valuable enough to be targeted.

Website attacks include Distributed Denial of Service (DDoS), which generates a flood of traffic to disrupt a site’s performance.

SQL Injection attacks insert malicious code into your website that can circumvent security and make it easier to steal data, including logins and payment details, and redirects users to a fake version of the site. With such a diversity of motives, protection is vital for your website. Alongside training and firewalls, strict access control policies should be in place to ensure that only those who actively require access can make changes. Penetration testing should be used to simulate a cyberattack, helping you to evaluate the network's security performance and identify vulnerabilities.

Internet of Things

The influx of smart devices into our daily lives has been dramatic. From voice assistants in speakers to printers, doorbells, cameras, and thermostats, their convenience is often prioritized over security. This can make Internet of Things (IoT) devices a target for attackers to spy on you. If one device gets hacked, it could allow cybercriminals to take control of other IoT devices connected to the same network.

Passwords

Password security is a very common, and always recommended, practice for preventing a data breach. However, it is often undermined by complicated requirements. When employees are working, they want to log in quickly and work on their projects, instead of having to reset and change passwords that are difficult to remember. As a result, poor habits such as creating weak passwords (short, easy to remember), sharing passwords, and writing them down on paper are still prevalent.

Training will help to raise awareness, but in this case, practical solutions are needed to balance security with convenience.

Password managers are an excellent solution to the ‘too many passwords’ problem. The strength of passwords can be controlled, access can be shared safely, and new passwords can be automatically generated to speed up the sign-in process and keep accounts secure. Plus, the user only has to remember one password – that of the password manager itself.

Multi-factor authentication should be used alongside strong passwords wherever possible to verify the identity of the user through their device, location, or biometrics, in addition to their password.

Increased use of the cloud and online tools

Cloud storage and cloud-based tools offer many benefits for business users, particularly those with employees working remotely. Third-party cloud services, often known as software as a service (SaaS), provide software through an internet connection rather than having to be installed and maintained on-site. The benefits of this include access to higher levels of processing power, affordability, and remote access to software and tools.

However, any data that is stored outside of your secure network could be at risk of data breaches, or worse, a server attack. Introducing a third-party provider also brings with it a lack of control over their data usage and policies.

To protect your cloud-based data, multi-factor authentication and effective cloud security solutions, such as the Avast Business Hub, are essential.

Unsecured Wi-Fi

There are many risks when connecting to unsecured Wi-Fi. Without encryption, everything you do online can be viewed. This includes browsing history, login information, and data transfer. With this information, a hacker could steal sensitive data and gain access to business accounts. Identity theft is also likely, with your information being used for a social engineering attack on your colleagues.

Unsecured Wi-Fi is most commonly found at train stations, airports, and cafes labeled as ‘free Wi-Fi’ or ‘hotspots.’ This type of connection should only be used as a last resort and only for browsing – never for transactions or any sites that require a login.

Rather than using an unknown connection, users on-the-go should instead use their mobile phones and tablets for a secure connection.

Home Wi-Fi should also be carefully checked to ensure that the correct security settings are in place.

Unencrypted file sharing

In a hybrid work environment, the ability to directly share documents is essential for collaboration and productivity. But if files are sent without encryption, a data breach becomes a significant possibility.

While it is the IT department’s responsibility to ensure that the tools (e.g. firewalls) and processes in place are effective in securing files against emerging threats, individuals must also be proactive. Employees must follow security best practices, such as only using authorized security tools when sending and receiving files to prevent avoidable mistakes.

Find out more about data in transit encryption.

Shadow IT

Shadow IT refers to the security threat that occurs when unauthorized devices or software connect to the company network without the knowledge or permission of IT staff. It is a growing threat, as highlighted in our 2021 Mobile Workforce Report.

Shadow IT is often not deliberate, and can be as simple as an employee logging into work accounts on a personal device, or using unauthorized software and tools on a work laptop.

A lack of resources during the pandemic has helped to make Shadow IT more widespread, as some companies encouraged staff to use personal devices due to a lack of resources.

Whatever the reason, connections that are unknown to IT staff are increasing the attack surface of the network and creating additional entry points for hackers to exploit.

Network

When reviewing network security, there are two broad aspects that need consideration. Physical network hardware is a common entry point for attacks in traditional office spaces. This includes routers, servers, and physical storage. These elements need a combination of physical security and software-based solutions to keep them secure.

The range of different types of network attack continues to grow - from ransomware and malware, to phishing, which could collect account information used for routers and other physical elements, and potentially hand the network’s access control over to the hacker.

The second type is software-based security for network traffic. This includes antivirus, server security, and firewalls. Implementing these measures and conducting regular backups will help to minimize the impact of a data breach or attack.

Another common concern is a man-in-the-middle attack, which can intercept communications for a long period without detection, putting even more secure information at risk of theft. For this reason, regularly patched network and server security software is vital for identifying attacks that don’t want to be found.

Physical security in public

Device security is not only about software. For those who are working while traveling, physical security is a significant security risk. The most common examples of this would be losing your phone or leaving a business laptop on a train.

Physical security also involves confidentiality, and this should be a significant consideration while using a device on the go. Maintain your security by not allowing other passengers to see your screen, and avoid talking loudly about business affairs and sensitive topics – both could provide information that could be utilized for spear phishing.

As a security entry point that is dependent on the individual user, training should be given to all staff about the security risks and expectations of working remotely.

What can be done to protect against a cyberattack or data breach?

Securing the network perimeter

While most businesses were forced to quickly accommodate remote working during the pandemic, the fundamentals of business security remain the same, regardless of an employee's location. While ‘the office’ is no longer restricted to a single, physical room or building, securing the network perimeter is still one of the most important steps your business can take to ensure that customer trust, revenue, and productivity are maintained, and that downtime in the event of a cyberattack is minimized.

Hybrid working is a challenge for businesses of all sizes, but the reasons why typically vary. A small company usually does not have the financial resources that their larger counterparts have access to, and they will also have fewer employees and devices to monitor and manage.

The key to success is education. Providing at least a minimum level of security training for staff alongside best practice will help staff to quickly flag suspicious activity and minimize avoidable threats. Avast’s Cybersecurity Basics Quiz is an excellent way to get an understanding of the level of security knowledge your team has and identify which aspects require additional training.

Protect your business with advanced antivirus

Protect your business from these point of entry threats and other complex cyberattacks, by using Avast Business cybersecurity solutions for your small business or home office.