Why is "Using 'virus' as a general term for all malware." a common mistake in Securing data on a network, including the internet?

Why it happens: Common informal usage. How to avoid it: Virus is ONE TYPE of malware (attaches to a file). Worm, ransomware, spyware, trojan are others. Use specific terms. Source: Edexcel 4IT1 examiner reports.

Why is "Believing a firewall alone is enough security." a common mistake in Securing data on a network, including the internet?

Why it happens: Marketing emphasises firewalls. How to avoid it: Firewalls block network traffic; they DON'T stop phishing, social engineering, or malware in legitimate downloads. Layered security is essential.

Why is "Recommending complex short passwords over long passphrases." a common mistake in Securing data on a network, including the internet?

Why it happens: Old advice. How to avoid it: LENGTH matters more than complexity. A 16-character random passphrase is stronger than an 8-character mix of symbols.

Why is "Recommending SMS-based MFA as the most secure option." a common mistake in Securing data on a network, including the internet?

Why it happens: SMS is common. How to avoid it: SMS is vulnerable to SIM-swap attacks. Authenticator apps (Google Authenticator, Authy) or hardware tokens (YubiKey) are more secure.

Why is "Saying 'encryption is too slow for everyday use'." a common mistake in Securing data on a network, including the internet?

Why it happens: Outdated belief. How to avoid it: Modern CPUs have hardware encryption acceleration. AES-256 adds <2% overhead in most cases. Always encrypt by default.

Why is "Treating storage and backup as the same." a common mistake in Securing data on a network, including the internet?

Why it happens: Both involve copying files. How to avoid it: Storage = primary working copy. Backup = separate copy for recovery. Storing files on a NAS isn't a backup — if the NAS fails, data is lost.

Why is "Assuming 'cloud storage = automatically secure'." a common mistake in Securing data on a network, including the internet?

Why it happens: Provider marketing. How to avoid it: Cloud storage CAN be very secure IF properly configured (encryption, access control, MFA). Default settings often leave data exposed.

ConnectivityPearson Edexcel IGCSE ICT 4IT1

Securing data on a network, including the internet

Q: Why is "Treating storage and backup as the same." a common mistake in Securing data on a network, including the internet?

Why it happens: Both involve copying files. How to avoid it: Storage = primary working copy. Backup = separate copy for recovery. Storing files on a NAS isn't a backup — if the NAS fails, data is lost.

Q: Why is "Assuming 'cloud storage = automatically secure'." a common mistake in Securing data on a network, including the internet?

Why it happens: Provider marketing. How to avoid it: Cloud storage CAN be very secure IF properly configured (encryption, access control, MFA). Default settings often leave data exposed.

Work through the notes, try the practice questions, then take the quiz. The report tells you exactly what to revise next.

PreviousNext

Learn this Topic

Start with the slides for the quick version, then go deeper with the full study notes.

Short Study Notes in the form of Slides

Read the notes first. If the method in a worked example clicks, you're ready for the questions.

Short Study Notes — Securing data on a network, including the internet

Start with these resources to cover the key concepts, then work through the practice questions.

Page 1 / 0

Detailed Notes

Full prose, callouts and a recap — built for A* mastery, not just a quick scan.

Take these study notes with you

Download a branded PDF — full prose, callouts, recap and memorise list for Securing data on a network, including the internet, ready to print or save offline.

Securing Data on a Network — Edexcel IGCSE ICT (4IT1) Detailed Notes

Threats (malware, phishing, hacking, DoS), defences (firewalls, antivirus, encryption, MFA, biometrics), and the principles of layered security (defence in depth).

What you’ll learn

Mapped to the Pearson Edexcel IGCSE 4IT1 syllabus (2026 onwards).

Identify the main types of network security threats.
Describe defences against each threat type.
Explain multi-factor authentication and its security benefits.
Apply encryption to data at rest and in transit.
Discuss password strength factors.
Recommend a layered security strategy for a network.

The threat landscape

Malware, phishing, hacking, DoS, insider risk.

Malware — malicious software. Subtypes:

Virus — attaches to a host file; spreads when the file is opened or shared.
Worm — self-replicating, spreads automatically over networks.
Ransomware — encrypts victim's files, demands payment.
Spyware — secretly collects data (keystrokes, screen captures).
Trojan — disguises itself as legitimate software.
Adware — displays unwanted ads, may track usage.

Phishing — social engineering via fake emails/messages/websites. Tricks users into revealing passwords or downloading malware. Variants:

Spear phishing — targeted at specific individual.
Whaling — targets senior executives.
Smishing — SMS phishing.
Vishing — voice phishing (phone calls).

Hacking / unauthorised access — exploiting software vulnerabilities or weak credentials to enter systems.

DoS / DDoS — overwhelming a server with traffic. Distributed DDoS uses many compromised devices (botnets).

Insider threats — disgruntled or careless employees. Often the largest risk.

Physical theft — laptops, USB drives, paper documents.

Misconfiguration — accidentally exposing data via wrong permissions.

Defences — layered security

No single defence is enough. Layer protections.

Defence in depth — multiple layers so a single breach doesn't expose everything:

1. Perimeter (network edge):

Firewall — filters incoming/outgoing traffic.
IDS/IPS — Intrusion Detection / Prevention System.
Web filter / content security.

2. Network:

Network segmentation (separate guest Wi-Fi, IoT, internal).
VPN for remote access.
WPA3 Wi-Fi encryption.

3. Endpoint (devices):

Antivirus / EDR (Endpoint Detection and Response).
Software-level firewall.
Device encryption (BitLocker, FileVault).
Patch management — keep OS and apps updated.
Mobile Device Management (MDM) for corporate phones.

4. Identity / authentication:

Strong passwords + password manager.
Multi-Factor Authentication (MFA).
Biometrics where appropriate.
Single Sign-On (SSO) with strong central auth.

5. Data:

Encryption at rest (storage) and in transit (HTTPS, TLS).
Access controls — least privilege principle.
Data Loss Prevention (DLP) tools.

6. Human:

Security awareness training.
Phishing simulations.
Clear policies (password, BYOD, acceptable use).

7. Recovery:

Regular backups (3-2-1 rule).
Incident response plan.
Disaster recovery testing.

Encryption — at rest and in transit

Two phases — protect storage and movement.

Encryption at rest — data is encrypted while stored.

Full-disk encryption (BitLocker, FileVault, LUKS).
Encrypted databases.
Encrypted cloud storage.
Protects against device theft.

Encryption in transit — data is encrypted while moving.

HTTPS / TLS for web traffic.
VPN for remote network access.
Encrypted email (S/MIME, PGP).
Wi-Fi encryption (WPA2/WPA3).
Protects against eavesdropping.

Modern standard: AES-256 (Advanced Encryption Standard, 256-bit key).

Used by governments, banks, military.
Practically unbreakable with current technology.
Hardware-accelerated on modern CPUs — negligible overhead.

Key management is the hard part:

If you lose the key, you lose the data forever.
If an attacker gets the key, encryption is useless.
Use hardware security modules (HSMs) for sensitive keys.
Password manager helps users keep strong, unique credentials.

Passwords and Multi-Factor Authentication

Long passphrases + MFA = strong identity defence.

Password strength:

LENGTH is the dominant factor.
12+ characters minimum; 16+ ideal.
Random or passphrase ('tractor-banana-elbow-purple').
Different password per service.
Use a password manager — humans can't remember many strong passwords.

Password attacks:

Brute force — try every combination.
Dictionary — try common words and patterns.
Credential stuffing — reuse leaked passwords from one site against another.
Phishing — trick user into revealing password.

MFA — three factor categories:

Something you KNOW — password, PIN.
Something you HAVE — phone, hardware token, smart card.
Something you ARE — fingerprint, face, iris, voice.

MFA combines AT LEAST TWO different categories.

MFA implementations:

Password + authenticator app (Google Authenticator, Authy).
Password + hardware token (YubiKey).
Biometric + PIN.
Smart card + password (corporate).

MFA blocks 99%+ of automated attacks. Even if password leaks, attacker can't log in without the second factor.

SMS-based MFA is vulnerable to SIM-swap attacks — use authenticator apps or hardware tokens for high-value accounts.

Backups — the last defence

If everything fails, backups restore the business.

Backups protect against:

Ransomware — restore unencrypted versions.
Hardware failure — disk crash.
Accidental deletion — recover lost files.
Disasters — fire, flood, theft destroying primary.

3-2-1 rule — industry standard:

3 copies of data.
2 different media types (e.g., HDD + cloud).
1 off-site copy.

Backup frequency:

Daily for most business data.
Hourly or continuous for transactional / critical systems.
Weekly minimum for personal/home users.

Test restores regularly — untested backups often fail when needed. At least quarterly for businesses.

Immutable backups — write-once, cannot be modified or deleted. Critical for ransomware defence.

Human factors — training, policy, culture

Most breaches start with human error.

Statistics: 80%+ of breaches involve human factors — phishing clicks, weak passwords, lost devices, accidental sharing.

Training topics:

How to spot phishing emails.
Password best practices.
Safe Wi-Fi use (avoid public; use VPN).
Device handling (lock when away, encrypt).
Reporting suspicious activity.

Policies:

Acceptable Use Policy.
Password policy.
BYOD (Bring Your Own Device) policy.
Data handling policy (sensitive data classification).
Incident response plan.

Culture:

Reward reporting suspicious activity, don't punish.
Run phishing simulations.
Make security easy (password managers, SSO, MFA).
Regular updates of training.

A well-trained workforce is the single highest-leverage security investment.

How it’s examined

Paper 1: Identify threats (4–6 marks); describe defences (4–6 marks); explain MFA (4–6 marks); discuss encryption (4–6 marks); recommend security for a scenario (8–10 marks).

Frequent stems: 'Name three types of malware…', 'Describe how a firewall protects…', 'Explain why MFA is more secure than a password…', 'Recommend security measures for [business]…'

Sources: Pearson Edexcel International GCSE in Information and Communication Technology (4IT1) Specification — Issue 3; Edexcel 4IT1 Examiner Reports (2022–2024). Last reviewed 2026-05-19.

Master this Topic

Worked examples, formulae, definitions and the mistakes examiners flag — everything you need to push from a pass to an A*.

Take this whole topic with you

Download a branded revision sheet — worked examples, formulae, definitions and common mistakes for Securing data on a network, including the internet, ready to print or save as PDF.

Step-by-step worked examples — Securing data on a network, including the internet

Step-by-step solutions to past-paper-style questions on securing data on a network, including the internet, written exactly the way a tutor would explain them at the board.

1Identify the type of security threat
Getting started• Edexcel 4IT1 style — short-answer (6 marks)• threats, AO1
Question
Identify the threat type: (a) Software that locks files and demands payment. (b) Fake emails tricking users into revealing passwords. (c) Self-replicating program that spreads between computers. (d) Overwhelming a server with traffic to crash it. (e) Software that secretly records keystrokes. (f) Unauthorised access to a network or device.
Step-by-step solution
1. Step 1
  Match each behaviour to the standard threat name.
Answer
(a) Ransomware.

(b) Phishing.

(c) Worm (or virus — virus typically attaches to a file).

(d) Denial of Service (DoS / DDoS) attack.

(e) Spyware / keylogger.

(f) Hacking / unauthorised access.
Examiner tip
Phishing tricks the USER. Hacking exploits the SYSTEM. Both end in unauthorised access but the route differs.
2Match the defence to the threat
Building confidence• Edexcel 4IT1 style — short-answer (5 marks)• defences, AO1, AO2
Question
State which defence is MOST effective against each threat: (a) Phishing emails. (b) Network-borne malware. (c) Unauthorised Wi-Fi access. (d) Eavesdropping on public Wi-Fi. (e) Lost or stolen laptop with sensitive data.
Step-by-step solution
1. Step 1
  Different threats need different defences.
Answer
(a) Staff training + email filtering — phishing tricks humans, so training is key.

(b) Antivirus + firewall — detect and block malware.

(c) WPA2/WPA3 encryption + strong Wi-Fi password.

(d) VPN + HTTPS — encrypts traffic over public Wi-Fi.

(e) Full-disk encryption + remote wipe + strong device passcode.
Examiner tip
Single-defence answers cap at half marks. Modern security is LAYERED — defence in depth.
3Rank these passwords by strength
Getting started• Edexcel 4IT1 style — short-answer (5 marks)• passwords, AO1, AO2
Question
Rank these passwords from WEAKEST to STRONGEST and explain why: (a) password (b) JohnSmith (c) j0hn $m1th2024 (d) tractor-banana-elbow-purple (e) X8#mPq2!vL9$
Step-by-step solution
1. Step 1
  Length, character variety, predictability.
Answer
Weakest to strongest:

(a) password — common dictionary word. Cracked instantly.

(b) JohnSmith — personal information, easily guessed.

(c) j0hn$m1th2024 — mixed chars but still predictable (date, name substitutions).

(d) tractor-banana-elbow-purple — long passphrase, harder to brute-force than (c).

(e) X8#mPq2!vL9$ — fully random mixed chars at 12 chars — strongest.

Modern recommendation: long passphrases (d) are easier to remember and very strong. Length beats complexity.
Examiner tip
Modern security advice: long, random passphrases > short complex passwords. 'tractor-banana-elbow-purple' is stronger than 'X8#m'.
4Calculate password cracking time
Higher• Edexcel 4IT1 style — calculation (5 marks)• password-strength, AO1, AO2, AO3
Question
A password uses lowercase + uppercase + digits (62 possible characters) and is 8 characters long. Assuming a cracker can try 1 billion passwords per second, calculate the worst-case time to crack.
Step-by-step solution
1. Step 1
  Combinations = character set ^ length. Time = combinations ÷ rate.
Answer
Total combinations = 62⁸ = 218,340,105,584,896 ≈ 2.2 × 10¹⁴.

Time = 2.2 × 10¹⁴ ÷ 10⁹ = 218,340 seconds = ~2.5 days.

Average (halfway) = ~1.25 days.

With 12 characters: 62¹² = 3.2 × 10²¹ → ~100,000 years.

With special characters (94 set), 12 chars: 94¹² = 4.7 × 10²³ → 15 million years.

LENGTH is the dominant factor in password strength.
Examiner tip
Even modest cracking rates (10⁹/sec) shred short passwords. 12+ characters is the modern minimum; passphrases of 16+ are ideal.
5Calculate maximum data loss between backups
Building confidence• Edexcel 4IT1 style — calculation (5 marks)• backup-frequency, AO1, AO2
Question
A business backs up data once per night at 2am. They average 50 transactions per hour during the working day (9am–5pm, 8 hours). Calculate (a) maximum transactions lost if a failure occurs at 4:59pm, (b) typical loss if failure is mid-day at 12:30pm.
Step-by-step solution
1. Step 1
  Time since last backup × transaction rate.
Answer
Last backup: 2am.

(a) Failure at 4:59pm: 8 working hours since start, so 50 × 8 = 400 transactions lost (worst case in a day).

(b) Failure at 12:30pm: 3.5 working hours = 50 × 3.5 = 175 transactions lost.

Mitigation:

More frequent backups (e.g., every 4 hours: max loss ~200 transactions).

Continuous replication / cloud-sync: max loss ~minutes.

Transaction log shipping: max loss ~zero.

Decisions depend on the BUSINESS VALUE of lost transactions vs cost of frequent backups.
Examiner tip
Backup frequency directly determines maximum data loss. Business-critical systems need near-zero-loss backups (continuous, log shipping).
6Estimate encryption performance overhead
Higher• Edexcel 4IT1 style — calculation (4 marks)• encryption-overhead, AO1, AO2
Question
AES-256 encryption adds ~10% CPU overhead. A file server processes 1 million requests/day, each taking 50 ms unencrypted CPU time. Calculate (a) total CPU time/day without encryption, (b) with encryption, (c) the daily extra CPU time.
Step-by-step solution
1. Step 1
  Multiply requests × time per request; apply overhead.
Answer
(a) Without encryption: 1,000,000 × 50 ms = 50,000,000 ms = 50,000 seconds = ~13.9 hours of CPU time.

(b) With 10% encryption overhead: 50,000 × 1.10 = 55,000 seconds = ~15.3 hours.

(c) Extra CPU time = 5,000 seconds = ~1.4 hours/day.

Modern CPUs have hardware AES acceleration → real overhead often <2%, making encryption negligible.
Examiner tip
Hardware encryption (AES-NI on modern CPUs) makes encryption almost free. The performance argument against encryption is outdated.
7Explain multi-factor authentication (MFA)
Higher• Edexcel 4IT1 style — explain (6 marks)• mfa, AO1, AO2, AO3
Question
Explain what multi-factor authentication is, the THREE factors it can use, and why it is more secure than a password alone.
Step-by-step solution
1. Step 1
  Define + factors + comparative security.
Answer
MFA requires the user to provide TWO OR MORE different types of proof before granting access.

The three categories of authentication factors:

Something you KNOW — password, PIN, security question.

Something you HAVE — phone, hardware token (YubiKey), smart card.

Something you ARE — fingerprint, face recognition, voice, iris scan (biometrics).

MFA combines at least two of these from DIFFERENT categories.

Common implementations:

Password + one-time code from authenticator app (Google Authenticator, Authy).

Password + SMS code to phone.

Fingerprint + PIN (banking apps).

Smart card + password (corporate).

Why MFA is more secure:

A password alone can be PHISHED, GUESSED or LEAKED.

A leaked password gives full access to the account.

WITH MFA, the attacker also needs the second factor — they'd need to physically possess your phone, or your fingerprint.

Even if password is leaked, the second factor blocks them.

Studies show MFA blocks 99%+ of automated attacks.

Trade-offs:

Slightly more friction at login.

Lost phone = lockout (mitigate with backup codes).

SMS-based MFA is vulnerable to SIM-swap attacks; app-based is better.
Examiner tip
A* answers: (1) define MFA, (2) list the THREE factor categories, (3) explain WHY it's more secure, (4) acknowledge trade-offs.
8Recommend security measures for an online business
Stretch• Edexcel 4IT1 style — extended (10 marks)• security-design, AO1, AO2, AO3
Question
An online retailer with 50 staff handles customer payment data. Recommend SIX security measures to protect their network and data.
Step-by-step solution
1. Step 1
  Cover all layers: network, device, user, data.
Answer
1. Firewall at network edge (next-generation firewall with IPS/IDS).

Blocks unauthorised inbound traffic.

Detects intrusion patterns and alerts.

2. Antivirus/EDR on all endpoints.

Detects and removes malware.

Endpoint Detection and Response (EDR) catches behaviour-based threats.

3. Encrypted communications (HTTPS / TLS) for customer transactions + VPN for staff remote access.

Prevents eavesdropping.

Customer data in transit is protected.

4. Multi-factor authentication (MFA) for all staff accounts.

Blocks 99%+ of credential-based attacks.

Essential for admin and payment-system access.

5. Strong password policy + password manager.

Long passphrases (12+ chars).

Different password per service.

Password manager provides usability.

6. Regular backups + offsite (cloud) copy.

Daily incremental + weekly full backup.

Cloud backup is critical for ransomware recovery.

Test restores monthly.

Additional measures candidates may mention:

PCI-DSS compliance (for payment cards).

Network segmentation (separate POS from office network).

Staff training on phishing.

Patch management — keep OS/software updated.

Logging + audit trails.

Incident response plan.

Penetration testing.

Conclusion: for an online retailer handling payments, security is layered AND continuous. No single measure is enough — defence-in-depth combines multiple controls.
Examiner tip
A* answers (1) name 5–6 distinct measures, (2) explain HOW each defends, (3) acknowledge that defence is LAYERED.
9Evaluate whether cloud storage is secure enough for sensitive data
Stretch• Edexcel 4IT1 style — extended (8 marks)• cloud-security, AO1, AO2, AO3
Question
A solicitor's firm is considering moving client documents (legal contracts, personal data) to cloud storage. Evaluate whether this is sufficiently secure.
Step-by-step solution
1. Step 1
  Balanced view: security benefits, risks, mitigations.
Answer
Security BENEFITS of reputable cloud storage:

Enterprise-grade security infrastructure. Cloud providers (Microsoft, Google, AWS) invest billions in security — far more than a small firm could afford. Multiple data centres, physical security, intrusion detection, redundancy.

Automatic encryption. Data encrypted in transit (TLS) AND at rest (AES-256). Even if storage media is stolen, data is unreadable.

Automatic backups + version history. Provider keeps multiple copies. Accidental deletion is recoverable.

Compliance certifications (ISO 27001, SOC 2). Independently audited.

Easier MFA + access control than self-hosted.

Security RISKS:

Vendor compromise — if the cloud provider is hacked, data could be exposed.

Misconfigured permissions — users accidentally share publicly.

Data sovereignty — where is data physically stored? GDPR / UK Data Protection Act may require EU/UK location.

Lock-in — extracting data later may be difficult.

Reliance on internet — outage means no document access.

Insider threats at the provider — employees with admin access.

Mitigations:

Choose a reputable, well-certified provider.

Verify data centre location matches legal requirements.

Enable encryption (often default, verify).

Apply strong access controls + MFA.

Audit shared links and permissions regularly.

Use end-to-end encrypted services for the most sensitive data.

Maintain local encrypted backups as a fallback.

Recommendation:

For a solicitor's firm, reputable cloud storage WITH proper configuration is generally MORE secure than self-hosted storage on an office server — provided:

Data is encrypted at rest.

Access uses MFA.

Provider is contractually compliant with UK GDPR.

Periodic audits verify security.

Conclusion: cloud storage is sufficiently secure for sensitive legal data IF properly configured. The challenge is configuration discipline, not the cloud's inherent security.
Examiner tip
A* answers (1) balance benefits AND risks, (2) propose specific MITIGATIONS, (3) give a reasoned recommendation. Pure 'cloud is good/bad' answers cap at 4/8.

Key Formulae — Securing data on a network, including the internet

The formulae you need to memorise for securing data on a network, including the internet on the Pearson Edexcel IGCSE 4IT1 paper, with every variable defined in plain English and a note on when to use it.

Password combinations
$Combinations = Character Set Size ^ Password Length$
When to use
Estimating brute-force resistance.
Example
62⁸ = 2.2 × 10¹⁴ combinations for 8-char alphanumeric.
Time to brute-force a password
$Time = Combinations ÷ Cracking Rate$
$Cracking Rate$
Passwords tested per second (varies by attacker)
When to use
Comparing password strength.
Example
2.2 × 10¹⁴ ÷ 10⁹/sec = 2.5 days.
Maximum data loss between backups
$Max Loss = (Time since last backup) × Transaction Rate$
When to use
Sizing backup frequency for data criticality.
Example
8 hours × 50 transactions/hour = 400 transactions max loss.

Key Definitions and Keywords — Securing data on a network, including the internet

Definitions to memorise and the exact keywords mark schemes credit for securing data on a network, including the internet answers — sharpened from recent examiner reports for the 2026 Pearson Edexcel IGCSE 4IT1 sitting.

Malware
Examiner keyword
Malicious software designed to harm or exploit a device — viruses, worms, ransomware, spyware, trojans.
Virus
Examiner keyword
Malware that attaches to a host file and spreads when the file is shared or executed.
Worm
Examiner keyword
Self-replicating malware that spreads automatically across networks without needing a host file.
Ransomware
Examiner keyword
Malware that encrypts the victim's files and demands payment for the decryption key.
Spyware
Examiner keyword
Malware that secretly collects information (keystrokes, screen captures, browsing) and sends it to attackers.
Phishing
Examiner keyword
A social-engineering attack using fake emails, messages or websites that trick users into revealing credentials or downloading malware.
Hacking
Examiner keyword
Unauthorised access to a computer system or network, typically exploiting software vulnerabilities.
DoS / DDoS attack
Examiner keyword
Denial of Service: overwhelming a server with traffic to make it crash or become unresponsive. Distributed DoS uses many devices simultaneously.
Firewall
Examiner keyword
Hardware or software that monitors and filters network traffic, blocking unauthorised connections based on rules.
Antivirus
Examiner keyword
Software that detects, blocks and removes malware. Modern versions use behaviour analysis (EDR) alongside signature databases.
Encryption
Examiner keyword
The process of converting data into an unreadable form using a key. Only those with the correct key can decrypt and read it.
MFA (Multi-Factor Authentication)
Examiner keyword
Authentication requiring TWO OR MORE different types of proof: something you know, something you have, or something you are.
Biometrics
Examiner keyword
Authentication using physical traits — fingerprint, face, iris, voice. Hard to replicate but not impossible.
WPA2 / WPA3
Examiner keyword
Wi-Fi Protected Access — the encryption standard for Wi-Fi networks. WPA3 is the most modern and secure.
VPN (for security)
An encrypted tunnel that protects data in transit over public networks, especially when working remotely.
HTTPS / TLS
Encrypted version of HTTP for secure web traffic. Padlock icon in browsers indicates HTTPS is active.
Backup
A copy of data stored separately, used to recover from loss. Should follow the 3-2-1 rule (3 copies, 2 media, 1 off-site).

Common Mistakes and Misconceptions — Securing data on a network, including the internet

The traps other students keep falling into on securing data on a network, including the internet questions — taken from recent Pearson Edexcel IGCSE 4IT1 examiner reports and mark schemes — and how to avoid them.

✕Using 'virus' as a general term for all malware.
Edexcel 4IT1 examiner reports.
Why it happens
Common informal usage.
How to avoid it
Virus is ONE TYPE of malware (attaches to a file). Worm, ransomware, spyware, trojan are others. Use specific terms.
✕Believing a firewall alone is enough security.
Why it happens
Marketing emphasises firewalls.
How to avoid it
Firewalls block network traffic; they DON'T stop phishing, social engineering, or malware in legitimate downloads. Layered security is essential.
✕Recommending complex short passwords over long passphrases.
Why it happens
Old advice.
How to avoid it
LENGTH matters more than complexity. A 16-character random passphrase is stronger than an 8-character mix of symbols.
✕Recommending SMS-based MFA as the most secure option.
Why it happens
SMS is common.
How to avoid it
SMS is vulnerable to SIM-swap attacks. Authenticator apps (Google Authenticator, Authy) or hardware tokens (YubiKey) are more secure.
✕Saying 'encryption is too slow for everyday use'.
Why it happens
Outdated belief.
How to avoid it
Modern CPUs have hardware encryption acceleration. AES-256 adds <2% overhead in most cases. Always encrypt by default.
✕Treating storage and backup as the same.
Why it happens
Both involve copying files.
How to avoid it
Storage = primary working copy. Backup = separate copy for recovery. Storing files on a NAS isn't a backup — if the NAS fails, data is lost.
✕Assuming 'cloud storage = automatically secure'.
Why it happens
Provider marketing.
How to avoid it
Cloud storage CAN be very secure IF properly configured (encryption, access control, MFA). Default settings often leave data exposed.

Practice questions

Exam-style questions with step-by-step worked solutions. Try one before checking the method.

Past paper style quiz

Get a report showing which sub-topics you've nailed and which ones still need work.

Securing data on a network, including the internet

Short Study Notes in the form of Slides

Short Study Notes — Securing data on a network, including the internet

Detailed Notes

What you’ll learn

How it’s examined

1Identify the type of security threat

2Match the defence to the threat

3Rank these passwords by strength

4Calculate password cracking time

5Calculate maximum data loss between backups

6Estimate encryption performance overhead

7Explain multi-factor authentication (MFA)

8Recommend security measures for an online business

9Evaluate whether cloud storage is secure enough for sensitive data

Password combinations

Time to brute-force a password

Maximum data loss between backups

Malware

Virus

Worm

Ransomware

Spyware

Phishing

Hacking

DoS / DDoS attack

Firewall

Antivirus

Encryption

MFA (Multi-Factor Authentication)

Biometrics

WPA2 / WPA3

VPN (for security)

HTTPS / TLS

Backup

✕Using 'virus' as a general term for all malware.

✕Believing a firewall alone is enough security.

✕Recommending complex short passwords over long passphrases.

✕Recommending SMS-based MFA as the most secure option.

✕Saying 'encryption is too slow for everyday use'.

✕Treating storage and backup as the same.

✕Assuming 'cloud storage = automatically secure'.

Practice questions

Past paper style quiz

Assess your understanding