We’re sorry, your browser appears to be outdated.
To see the content of this webpage correctly, please update to the latest version or install a new browser for free, such as Avast Secure Browser or Google Chrome.

Not sure which solution is right for your business?

Points of Entry: Cybersecurity Vulnerabilities in the Hybrid Workplace

Hackers are always looking for ways to gain access to business networks. This is often done through social engineering - tricking employees into inadvertently sharing private information and installing spyware, malware, and viruses.

As our original Point of Entry infographic shows, the traditional office has a range of entry points that could potentially be used to gain access to your business network. However, a lot has changed over the last five years. With a global shift towards hybrid working, catalyzed by the pandemic, what new vulnerabilities are being exposed?

To find out, we have looked at the three modern workplace environments – the traditional office, working from home, and working on the go – to identify the most common entry points for attacks in a modern, hybrid working environment.

  • Points of entry for the hybrid workforce

    Hackers are always looking for ways to gain access to business networks. This is particularly true now that hybrid working has become common. Many people are working at home or on the go in addition to the traditional office, dramatically increasing the size of the threat landscape for many companies.

    Find out how hybrid working is impacting the points of entry used by hackers and learn about the most common threats to your network.

  • BACK

    Traditional Office

    The traditional office has range of entry points that could potentially be used to gain access to your business network.

    From network vulnerabilities to weak passwords and social engineering, discover which entry points are commonly used to gain access to your business network.

    Click on the hotspots for more information about the threats.

  • BACK

    Working on the Go

    Working while on trains, planes and busses is a great way to stay connected and make use of the time when travelling long-distance. But are you aware of the risks this could be causing for your company’s data and network security?

    Using unencrypted Wifi services, Shadow IT and the physical security of devices could all have significant consequences if users are not aware of the threat.

    Click on the hotspots for more information about the threats.

  • BACK

    Working from Home

    As a result of the pandemic, working from home has become familiar to many office workers around the world. While there are personal benefits in terms of work-life balance, how has this change impacted the number of points of entry a business must protect?

    Risks include increased use of personal devices, reliance on online tools and the possibility of complacency leading to phishing attacks.

    Click on the hotspots for more information about the threats.

Bring your own device (BYOD)/Unsecured personal devices

The combination of remote working, and the increased need for online communication and file sharing, has seen the lines between business and personal devices become increasingly blurred. A common solution is to implement a Bring Your Own Device (BYOD) policy, which allows the use of personal devices, as long as they have sufficient security software and employees follow company policies around passwords and physical security.

BYOD unfortunately creates significant risks and usually does not comply with best practices, e.g., connecting to unsecured Wi-Fi or failing to install security patches, which can create vulnerabilities ripe for exploitation. These vulnerabilities may also create risks to your personal cybersecurity, as well as your workplace or business.

Staff (phishing/social engineering)

Regardless of where your staff is working from, human error remains a common cause of data breaches. For this reason, employees are one of the most targeted points of entry for an attack. The approach may come in the form of phishing or social engineering to trick users into clicking on a malicious link or sharing sensitive information.

The biggest danger here is that the individual will likely be unaware that they have been manipulated, giving the ransomware or other malware time to spread across the network.

Employees should be trained on identifying suspicious activity and how to report it quickly. Furthermore, they should only use devices that have business antivirus and anti-malware installed to scan for and prevent unauthorized app installations and other threats, to catch issues that may otherwise fall through the cracks.


Hackers see websites as a data-rich route into a business network. Once a target company’s website has been hacked, malware can be deployed, or data can be stolen and used for social engineering. While large sites are usually high-profile targets, smaller companies should not assume that their data isn’t valuable enough to be targeted.

Website attacks include Distributed Denial of Service (DDoS), which generates a flood of traffic to disrupt a site’s performance.

SQL Injection attacks insert malicious code into your website that can circumvent security and make it easier to steal data, including logins and payment details, and redirects users to a fake version of the site. With such a diversity of motives, protection is vital for your website. Alongside training and firewalls, strict access control policies should be in place to ensure that only those who actively require access can make changes. Penetration testing should be used to simulate a cyberattack, helping you to evaluate the network's security performance and identify vulnerabilities.

Internet of Things

The influx of smart devices into our daily lives has been dramatic. From voice assistants in speakers to printers, doorbells, cameras, and thermostats, their convenience is often prioritized over security. This can make Internet of Things (IoT) devices a target for attackers to spy on you. If one device gets hacked, it could allow cybercriminals to take control of other IoT devices connected to the same network.


Password security is a very common, and always recommended, practice for preventing a data breach. However, it is often undermined by complicated requirements. When employees are working, they want to log in quickly and work on their projects, instead of having to reset and change passwords that are difficult to remember. As a result, poor habits such as creating weak passwords (short, easy to remember), sharing passwords, and writing them down on paper are still prevalent.

Training will help to raise awareness, but in this case, practical solutions are needed to balance security with convenience.

Password managers are an excellent solution to the ‘too many passwords’ problem. The strength of passwords can be controlled, access can be shared safely, and new passwords can be automatically generated to speed up the sign-in process and keep accounts secure. Plus, the user only has to remember one password – that of the password manager itself.

Multi-factor authentication should be used alongside strong passwords wherever possible to verify the identity of the user through their device, location, or biometrics, in addition to their password.

Increased use of the cloud and online tools

Cloud storage and cloud-based tools offer many benefits for business users, particularly those with employees working remotely. Third-party cloud services, often known as software as a service (SaaS), provide software through an internet connection rather than having to be installed and maintained on-site. The benefits of this include access to higher levels of processing power, affordability, and remote access to software and tools.

However, any data that is stored outside of your secure network could be at risk of data breaches, or worse, a server attack. Introducing a third-party provider also brings with it a lack of control over their data usage and policies.

To protect your cloud-based data, multi-factor authentication and effective cloud security solutions, such as the Avast Business Hub, are essential.

Unsecured Wi-Fi

There are many risks when connecting to unsecured Wi-Fi. Without encryption, everything you do online can be viewed. This includes browsing history, login information, and data transfer. With this information, a hacker could steal sensitive data and gain access to business accounts. Identity theft is also likely, with your information being used for a social engineering attack on your colleagues.

Unsecured Wi-Fi is most commonly found at train stations, airports, and cafes labeled as ‘free Wi-Fi’ or ‘hotspots.’ This type of connection should only be used as a last resort and only for browsing – never for transactions or any sites that require a login.

Rather than using an unknown connection, users on-the-go should instead use their mobile phones and tablets for a secure connection.

Home Wi-Fi should also be carefully checked to ensure that the correct security settings are in place.

Unencrypted file sharing

In a hybrid work environment, the ability to directly share documents is essential for collaboration and productivity. But if files are sent without encryption, a data breach becomes a significant possibility.

While it is the IT department’s responsibility to ensure that the tools (e.g. firewalls) and processes in place are effective in securing files against emerging threats, individuals must also be proactive. Employees must follow security best practices, such as only using authorized security tools when sending and receiving files to prevent avoidable mistakes.

Find out more about data in transit encryption.

Shadow IT

Shadow IT refers to the security threat that occurs when unauthorized devices or software connect to the company network without the knowledge or permission of IT staff. It is a growing threat, as highlighted in our 2021 Mobile Workforce Report.

Shadow IT is often not deliberate, and can be as simple as an employee logging into work accounts on a personal device, or using unauthorized software and tools on a work laptop.

A lack of resources during the pandemic has helped to make Shadow IT more widespread, as some companies encouraged staff to use personal devices due to a lack of resources.

Whatever the reason, connections that are unknown to IT staff are increasing the attack surface of the network and creating additional entry points for hackers to exploit.


When reviewing network security, there are two broad aspects that need consideration. Physical network hardware is a common entry point for attacks in traditional office spaces. This includes routers, servers, and physical storage. These elements need a combination of physical security and software-based solutions to keep them secure.

The range of different types of network attack continues to grow - from ransomware and malware, to phishing, which could collect account information used for routers and other physical elements, and potentially hand the network’s access control over to the hacker.

The second type is software-based security for network traffic. This includes antivirus, server security, and firewalls. Implementing these measures and conducting regular backups will help to minimize the impact of a data breach or attack.

Another common concern is a man-in-the-middle attack, which can intercept communications for a long period without detection, putting even more secure information at risk of theft. For this reason, regularly patched network and server security software is vital for identifying attacks that don’t want to be found.

Physical security in public

Device security is not only about software. For those who are working while traveling, physical security is a significant security risk. The most common examples of this would be losing your phone or leaving a business laptop on a train.

Physical security also involves confidentiality, and this should be a significant consideration while using a device on the go. Maintain your security by not allowing other passengers to see your screen, and avoid talking loudly about business affairs and sensitive topics – both could provide information that could be utilized for spear phishing.

As a security entry point that is dependent on the individual user, training should be given to all staff about the security risks and expectations of working remotely.

What can be done to protect against a cyberattack or data breach?

Securing the network perimeter

While most businesses were forced to quickly accommodate remote working during the pandemic, the fundamentals of business security remain the same, regardless of an employee's location. While ‘the office’ is no longer restricted to a single, physical room or building, securing the network perimeter is still one of the most important steps your business can take to ensure that customer trust, revenue, and productivity are maintained, and that downtime in the event of a cyberattack is minimized.

Hybrid working is a challenge for businesses of all sizes, but the reasons why typically vary. A small company usually does not have the financial resources that their larger counterparts have access to, and they will also have fewer employees and devices to monitor and manage.

The key to success is education. Providing at least a minimum level of security training for staff alongside best practice will help staff to quickly flag suspicious activity and minimize avoidable threats. Avast’s Cybersecurity Basics Quiz is an excellent way to get an understanding of the level of security knowledge your team has and identify which aspects require additional training.

Protect your business with advanced antivirus

Protect your business from these point of entry threats and other complex cyberattacks, by using Avast Business cybersecurity solutions for your small business or home office.


Almost done!

Complete installation by clicking your downloaded file and following the instructions.

Initiating download...
Note: If your download did not start automatically, please click here.
Click this file to start installing Avast.