In the past, traditional security solutions for a remote workforce have primarily come down to the use of a VPN. Business VPNs make it easy for employees to access the company’s network from anywhere. However, they may also expose the network to increased cyber security threats. So, how safe are business VPNs really?
What is a VPN and how does it work?
A Virtual Private Network (VPN) is a service that creates an encrypted connection from one network to another. It allows employees to easily access the organisation’s private network, data, and applications remotely and aims to ensure that web traffic containing proprietary information is not exposed to the public internet.
A VPN works by creating a virtual point-to-point connection and disguises data traffic online to protect it from external access.
Generally, there are two types of VPNs for business use:
- Remote access VPN
- Site-to-site VPN
A remote access VPN creates an encrypted tunnel between a user and a network, giving that user secure access to it.
A site-to-site VPN connects two or more networks, say branch offices and a head office. However, this solution doesn’t work outside the office branch, so it can’t be used for remote working.
In each instance, the VPN is part of a perimeter-based security philosophy whereby, as the name suggests, tools and devices are set up around the boundary of a network to keep it secure.
The obvious downside to relying entirely on this philosophy for security, however, is that once a bad actor breaches the perimeter, there are limited protections for the network, and a cyber criminal has all but unfettered access to the whole shebang.
How secure is a business VPN?
VPNs are far from entirely safe. They’re not designed to replace security safeguards like anti-virus software, and they should form part of a wider security posture.
In one study of IT professionals working at organisations that used a VPN for network access and/or security measures, almost 40% of respondents believed that their network had already been breached.
These same IT professionals also listed “security” as their main pain point in working with VPNs.
Of note, the study was conducted just before the pandemic hit. The pandemic put an extra strain on IT teams who needed a fast and effective back-up plan to accommodate the sudden shift to a predominantly remote workforce.
Today, remote and hybrid working has become the favoured mode for most workplaces.
However, this rapid growth in employees working from home combined with the increased use of cloud-based applications has meant that IT departments have had the difficult task of balancing performance and security.
As a result, cyber criminals are targeting these weaknesses by compromising usernames and passwords to access VPN services and by exploiting vulnerabilities in the VPN service itself. Organisations often don’t realise that they’re in danger and skip critical patches that help maintain security, compounding the risk further.
In another study conducted in 2021, 94% of the organisations surveyed reported that they knew their VPNs were vulnerable to cyberattacks and exploits, and 72% were concerned that their VPN may jeopardise their ability to keep their environment secure.
Yet many businesses still choose to take this path.
What’s the alternative to a business VPN?
Given the current landscape where remote or hybrid working has become the preferred environment, getting serious about securing remote users is critical to keeping any organisation’s network and data protected.
Cyber criminals aren’t letting up, and it is a fair prediction that targeted attacks on business VPNs aren’t going away anytime soon.
Many organisations are now looking to alternative solutions that move away from perimeter-based security architecture and towards a Zero Trust Network Access (ZTNA) and/or Zero Trust Architecture (ZTA) strategy.
Rather than barricading the boundary and hoping nothing gets through, as in a perimeter approach, a Zero Trust strategy requires content inspection before granting access to a company’s network and data.
Zero Trust’s granular-level control complements the cloud-based identity-driven approach to network access of a Secure Access Service Edge (SASE) security solution. These strategies are designed for cloud-native environments and therefore deliver the security needed to best weather an unpredictable future.
The path forward
A 2021 study showed that 72% of organisations are in the early stages of planning or have already adopted a Zero Trust approach to their security, with almost 60% stating that the focus on remote work has accelerated this as a high priority.
Business VPNs and perimeter-based security strategies may work for some businesses, but they’re not airtight. Zero Trust Network Access as part of a Secure Access Service Edge security solution is, by far, your strongest defence.