The massive work-from-home movement exposes cybersecurity weaknesses when protecting remote workers. While attackers have short term opportunities to pounce on any organization struggling to secure their remote workers, the schemers are playing the long game by focusing on those organizations that make perfect targets. Hospitals and other health care providers are ideal targets for ransomware as they adopt telemedicine because they have life-or-death urgency in getting back up and running quickly.[i] We can no longer assume that work is a place; it’s what we do whenever and wherever we are.
VPNs are considered an essential security technology. They provide privacy, yet we need to examine them for security, scalability, and usability. Are they still worthy of continuing as the backbone of today’s secure business communications?
Security researchers and attackers continue to discover vulnerabilities in VPNs and how to exploit them. Hackers attack VPNs because they know their weaknesses. VPNs are designed to encrypt communications and extend the enterprise network to your remote location. However, VPNs do not prevent attacks from ransomware, phishing, malware, and weaponized documents from succeeding in compromising the remote user. A remote user connecting over VPN to a website with a drive-by download in place will still be compromised.[ii]
VPNs do not stop attacks that were in progress before employees went remote. “Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” explained Lari Huttunen, Senior Analyst at Arctic Security. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”[iii]
Scalability is a critical success factor when employees have to go remote and work from home. IT typically size VPNs to support 10% of the employees, but now 100% require a VPN connection. Employees can find themselves adopting the mantra “the early bird gets the worm” after starting work only to find no VPN connections are left. Facing a looming work deadline while waiting for a VPN connection to free up tempts employees to go rogue and bypass their VPN.
Usability is an essential concern for remote employees. Once they can get a VPN connection, many have experiences where VPNs introduce latency. The end-user has no idea understanding that the slow speed may be due to a hub-and-spoke model which backhauls traffic to HQ or the VPN client chooses the wrong server location. When residential internet becomes business internet, VPNs can drop unexpectedly or take circuitous routes. It’s no surprise that only 5% of internet users in the USA and 25% globally use a VPN.
If VPNs are not a panacea for securing remote workers, can IT Security teams count on employees having a corporate device? Unfortunately, there may not be a budget or availability to provide a managed device for every employee. In other cases, employees become used to grabbing an unmanaged device when their corporate device isn’t handy. Unmanaged devices come with limits, starting with minimal security layers. Antivirus and host firewall on the device are necessary but not sufficient for secure remote access. And who knows if they are connecting to a Wi-Fi router which may still have the default password? Installing additional software to encrypt the data and monitor the device may not be possible.
There’s no going back; remote work is here to stay. If you’re still fighting VPNs and unmanaged devices with your remote employees, learn about how to make business continuity simple and effective by downloading this infographic.