Virtual private networks have been a central part of digital security for most organizations. However, some organizations are questioning the effectiveness of VPNs when considering the work from home environment we are in.
The pandemic has caused many businesses to quickly shift how they operate. Cybercriminals are analyzing these changes and looking for points of vulnerability. One area they are keying in on is employees who are working from home.
The reason work from home employees are vulnerable is because they are accustomed to being in an office environment where they are protected from many cybersecurity concerns. Now that they are working from home, some employees are not cognizant of the steps they need to take to protect their devices and the information stored therein.
The Reasons for the Growing Concern with VPNs
VPNs became popular in the work environment because they were sold as a way to prevent outside access to an organization’s corporate network. They also allow customers to bypass content blocks on local networks.
However, the increasing number of people working from home has caused experts to question the security validity of VPNs from now on. There has even been an argument that, like popular technologies of old, VPNs are a technology that should be retired from the corporate environment. With the unfamiliar work from home environment, many of you may see VPNs as an aging and vulnerable technology.
A push is being made by some to replace VPNs with a software-defined perimeter driven approach. This approach would reduce the access that individual users have to information, an application, or a product. This minimizes the attack surface, making a secure network easier to defend.
Ludovic Rembert from Privacy Canada created a 2020 VPN report showing that there are several security recommendations that are offered for configuring a VPN and making sure that the VPN provides the highest level of security. One of the key features of his report was the growing popularity of TLS based encryption of traditional L2TP or IPSec which provides a more robust end to end encryption practice while offering additional protection against MITM attacks. While some of these suggestions are practical within an office setting, they are not always enforceable with work from home employees.
The bottom line is that an employer cannot directly control their employees’ home network. Besides the home network challenge, remote workers may be using equipment that has not been configured or supplied by the company’s IT department, which further complicates the situation.
With or without a VPN, if a family computer is being used to connect to an office network, anything that is on the computer, be it malware or viruses, can reach the office. Therefore, many argue that a stronger approach to cyber security is needed.
Educate Remote Employees to Take Cyber Security Seriously
If an organization’s employees are not properly trained on cyber security, they will pose a risk. Once employees understand the importance of cyber security and they have the tools to keep their equipment and their network safe, most people can self-manage.
Many employees who are now required to use a VPN do not completely understand how it works. This opens them up to vulnerabilities, especially to tailored phishing attacks designed to capitalize on the coronavirus pandemic.
Educating remote workers is not a one and done nothing. It is a continual process. Some organizations have routinely provided cyber security training and share with their work from home employee’s information about cyber breaches that have affected other enterprises. The goal is to inundate work from home employees with the right amount of information so that they are aware of the impact their actions can have on the company while simultaneously avoiding sending so much information that work from home employees see it as background noise.
Organizations have the responsibility to periodically examine the logs of their VPN authentications. Although this is a monotonous task, it allows them to ensure that only authorized users have access to their VPN.
Reasons Why Remote Workers Should Use VPNs
There are powerful voices advocating for the use of VPNs and their effectiveness. Much depends on remote workers adhering to their company’s IT policies. If a remote worker uses a VPN, their company laptop, and other software in the same way they would if they were working in their office, they can work in a secure manner.
VPNs provided by employers allow employees to work with confidence. When properly used, VPNs encrypt connections, so the connections cannot be sniffed. Passwords and other sensitive information is safe. For all the security a properly configured VPN provides, it should not be the only tool used by an organization to protect their remote workers.
If VPNs Are Used, Employers Should Take Steps to Improve Basic VPN Infrastructure
Since there are more people working from home than ever before, employers may need to improve the basic VPN infrastructure in their organization. This could mean increasing network bandwidth for VPN servers, deploying additional VPN servers, and taking a proactive approach to VPN server management and security.
Increasing the network bandwidth for an organization’s VPN servers might mean making sure that there are enough pathways between the Internet and each VPN server and that they have enough bandwidth.
An organization may need to use additional VPN servers. This improves VPN availability, especially if servers are deployed in strategic locations based on the location of employees. Load-balancing can help an organization’s VPN infrastructure to be more flexible and resilient. This will send users to the best server available based on their location and the demand being put on the servers at the time.
Organizations should also maintain their servers in optimal condition. They should be fully patched. This minimizes the chances of compromise and gets rid of flaws in the VPN software that could negatively impact server performance. Distributed denial of service protection measures should also be used so that VPN servers and the networks they are connected to are not overwhelmed by distributed denial of service attacks.
If your organization requires your employees to frequently handle sensitive information while working from home, you need to take concrete steps to minimize the risk of that data being compromised. This could include having a separate VPN for users who need to access sensitive information and limiting access to this information to company issued devices. Multi factor authentication should be required for VPN users, especially those who are handling sensitive information.
The work from home environment has changed the way organizations view cyber security. It will be interesting to watch and see the role that VPNs will play as the work from home environment continues to exist.