For years, firms that electronically handle private or otherwise sensitive documents have used a business VPN to protect from breach when employees were not in the office. The VPN, or virtual private network, creates a secure connection from the remote device (most likely a personal device) to the servers and/or computers physically sitting within the walls of the office. The level of security this set-up provided used to be sufficient for even the most sophisticated law firm or investment bank not even five years ago, however the COVID-19 pandemic has created a perfect storm of circumstances for those with nefarious intentions.
The main issue with Remote Access VPN is that they are just no longer capable of providing the security required to keep businesses safe. Cybersecurity threats have increased unabated, with a 148% increase in the month of March alone. Even before the pandemic hit, back in 2019 Gartner’s June analysis predicted that by 2023 60% of enterprises will phase out their Remote Access VPN in favor of Zero-Trust Network Access.
You may be asking yourself, “well if it was adequate before, what’s the problem?” There are a few reasons but one of the most obvious is just sheer opportunity. From a global perspective, the pandemic has initiated a permanent shift where more people are working from home and this has put an immense strain on networks that never needed to support so many people accessing their work stations from outside the office. That, coupled with the fact that cyberthreats have become more sophisticated, they have successfully exploited two core vulnerabilities with VPN; “End User” and “Gateway.”
Let us first look at VPN end user vulnerabilities. The mortal flaw of VPN is that it establishes too much trust between the remote device and the corporate network. When you look at this set up on the surface everything looks secure, but the trust between the two can be exploited quite easily. Even if a firm has in-office network security protocols that rival Fort Knox, when you allow remote workers to use personal devices to connect it will dramatically increase the risk because personal devices typically lack the same safeguards that are installed on company issued devices.
Threats like email phishing, data breach and malware attacks are more likely to succeed when an employee is away from the company network. Think about the analogy of the Trojan Horse from Homer’s Odyssey. Every time a personal device accesses a company network using a VPN, it is the equivalent of opening your doors to an outside attack.
The second core vulnerability is the VPN gateway. Like many other pieces of technology, VPNs need to be constantly updated, or patched, to improve security. Due to the nature of VPN it is exposed to virtually anyone with a computer and internet access, thus targeted more than most systems. As a result it is imperative that not only the VPN but also the actual device that establishes a VPN “tunnel” be updated more frequently, however those updates are installed much less frequently because of the needed down time. Because companies rely on their VPN to be available at all hours it makes those updates quite difficult and some go unpatched for months or even years, making a company more vulnerable to attacks.
There are many examples in recent memory to illustrate how VPN gateway vulnerabilities can be exploited but Travelex is one that really stands out. Travelex is one of the world’s leading foreign currency exchanges operating in 30 countries and services over 40 million customers every year. Because of an issue that had not been patched, the entire business came to a screeching halt for two full weeks. The attack cost over $30 million and on April 22 of this year, Travelex was up for sale.
The evidence paints a grim picture of the future but fortunately there are better solutions. Zero-trust network access does not create any trust between the remote devices and the company network. Authentication typically takes place in the cloud or away from the company network before even being granted access. These systems support any type of device (personal or company issued) to interact with the company network because the authentication takes place before any type of access is granted. On top of that, they are automatically updated to new threats.
For business leaders COVID-19 has forever changed the blueprint on how to build and protect a successful business, with remote work now being a core tenet. Many organizations that have been thrust into this new reality have never had to think about supporting their employees in a safe and secure environment, and the task can feel insurmountable.
Magic Desk has over 50 years of combined experience navigating these scenarios and we are always here to lend a hand. Contact us at https://magicdesk.io/contact-us/. We want to help!