Corporate VPNs security risks: not enough protection

The VPN technology alone is not secure enough to keep cyber criminals at bay.

Virtual Private Networks (VPNs) are the backbone of today's businesses, and represent a reliable and trusted way to store and access sensitive business data.

However, with so many employees working from home amidst the recent pandemic, sensitive corporate information is maintained, accessed, and shared outside of the office more frequently than ever before. This greatly increases the risk of data leak though opening doors for definite VPN security risks.

For this reason, it is now critical to set up systems that capture the metrics on the performance and availability of VPN services to make sure they are sealed tight and up-to-date.

Reducing the VPN security risks

An easy way to reduce the security risks of VPN is to use the multi-factor authentication (MFA). MFA requires a second source of user validation, tied to a certificate-based system - such as entering a key texted to a secure phone or using a pre-generated token. Adding multi-factor authentication to high-value online accounts is probably the prime security precaution an organization can take.

An even higher level of reducing the VPN security risks can be achieved by adding a geolocation feature which allows for monitoring data access and defining access limitations based on employee location. With geolocation analysis, organizations can monitor all the discrepancies between user location data received from GPS and IP address.

The best strategy

The best option to reduce the security risks of VPN and increase the corporate protection against cyber threats would be to combine VPN access policies with network segmentation policies. However, third-party access to an organization’s network can bring significant challenges. If the vendor happens to be penetrated, cyber criminals can abuse the VPN access to get to the vendor’s network and begin the recon and exfiltration work. Nevertheless, by implementing a modern remote access solution, organizations can monitor who has privileged access to the corporate’s network and how it is being used. Recording the activities through session monitoring reduces the VPN security risks, allowing organizations to identify who these privileged users are and estimate their IT permission levels.

VPNs and more

To minimize the security risks of VPN, third parties should only be granted access to the systems they need to perform their jobs successfully. Unfortunately this level of layered control cannot be done effectively through VPN alone. Corporates should look into the privileged access solutions, such as privileged access management (PAM). PAM allows organizations to give vendors access to their network without a VPN connection and enables IT staff to control, monitor and manage access to critical systems by privileged users, including third-party vendors. This allows organizations to see who their privileged administrators are and gives insight into how those accounts are used. By introducing the appropriate level of privileged access controls, PAM helps to reduce organization’s attack surface. It helps preventing the damage arising from external attacks as well as from negligence inside the organization.

The human factor

The first step in reducing VPN security risks and protecting company’s sensitive data is to make sure all employees know that data security is a priority. Believe it or not, some employees may assume that if they are not working directly with customer data or if they don’t operate at upper levels within the company hierarchy, they don’t need to worry about data security. Organizations cannot just assume that their employees already know about cyber security practices and their role in it.

No jeopardy to data security

It is both employer and employee responsibility to make sure that teleworkers are equipped with up-to- date infrastructure to support the latest data and security measures. Cyber criminals are looking for open WiFis and encryption that can be easily broken. If your employee’s router is older than their phone, it should be replaced.

People are able to self-manage securely when the right processes are in place. The work-from-home trend does not have to jeopardize data security. Once telecommuters are educated and cyber security procedures are implemented, we can all feel confident that our standard practices support the protection of sensitive business data.

VPN technology alone is not bringing enough security against cyber threats as human error is still the top cyber security risk for organizations. But in combination with employee education regarding cyber risks and additional VPN security layers, working from home may remain secure for corporates for years to come.

Lili Wagner-Andrianne - Business development manager, Comarch

Want to learn more?

Tell us about your business needs. We will find the perfect solution.