The transition to remote working arrangements in 2020 saw a surge in the use of Virtual Private Networks (VPNs), including by many first-time users. Although instrumental to the way many of us are now working, there are a number of security risks in their use that need to be managed to optimise their benefits.
What is a VPN?
VPNs are a useful tool for supporting remote working because they allow employees to securely access company networks and resources over the internet.
As explained by CISCO, a VPN is an encrypted connection over the internet from a device (such as a phone or a laptop) back to, for example, a corporate network, designed to prevent an unwanted third party from 'eavesdropping' on the traffic. The encryption scrambles data as it passes through the internet so that it can’t be eavesdropped on, which is particularly beneficial when using shared, open, and less trustworthy public Wi-Fi networks in places like shopping centres, airports and hotels.
Although VPNs are a popular business tool, some people also use VPNs on their personal, non-work-related devices due to their security and privacy benefits. For example, many websites collect information about their visitors, including the visitor’s unique IP address. However, when using a VPN, that IP address becomes invisible and is replaced instead by the VPN’s IP address, making it difficult for websites to track a visitor’s browsing history or location.
Optimising a VPN’s security
VPNs enhance privacy and offer employees a solution for remotely accessing their organisation’s resources. However, there are a number of associated security and performance considerations.
- VPNs are not immune to security vulnerabilities and need to be kept up-to-date just like other applications to ensure a door to your corporate network is not left ajar for a motivated hacker.
- Your VPN login credentials can be phished from you or your employees and then used by a cybercriminal to access your network, raid your corporate and customer data and perform other malicious activities.
- Not all advertised VPNs are reputable and trustworthy – during 2020, there were reports of opportunistic scammers creating fake VPNs designed to steal your sensitive information rather than protect it. Similarly, some VPN services are sub-par when it comes to privacy and security, which could leave your data at risk. Even though your activities are obfuscated from the wider internet, they are still visible to your VPN provider who could be logging and collecting your data and selling it on to a third party.
- VPNs can impede and slow down the performance of your internet connection, particularly impacting bandwidth-hogging activities such as video streaming.
In 2019 and 2020, a series of critical security flaws were discovered in VPN platforms offered by several major providers. Threat researchers have reported multiple instances of hackers actively exploiting these vulnerabilities. While security patches were issued, some customers were slow to implement them and so remained vulnerable longer than necessary.
You can optimise the security of your VPN by employing a few protective strategies:
- Check the legitimacy and reputation of a VPN product, as you would with any other security product, to ensure you’re not unwittingly being scammed or buying something sub-standard.
- Enable multifactor authentication (MFA) for VPN accounts where available, to create an additional barrier for an unauthorised party armed with login credentials.
- Apply software updates to your operating systems and applications, including your VPN, as soon as they become available.
- Train your people on how to recognise and report social engineering activity, including phishing.
- Reconfigure on-premises infrastructure to optimise the VPN experience for your employees.
Want to know more?
Read the Australian government's guidance on using virtual private networks.