VPNs and the Pandemic
As the CEO of your company, you have dealt with a LOT of stuff over the last few years, most notably - in terms of your company, at least - a major shift to a Work-From-Home (WFH) model. According to the Bureau of Labor Statistics, WFH hours increased by 1000% from April to December of 2020. This created an enormous problem for businesses, particularly those who were unequipped to move to this kind of work model. What is interesting about this is that the WFH trend didn't really go away. Nearly thirteen percent of companies are still completely WFH, and nearly twenty-nine percent are some form of hybrid model. In other words, almost forty-one percent of companies still need a security infrastructure in place for remote work.
The most notable problem was connecting employees to office networks, while keeping data secure as it transfers between their home networks and the enterprise networks. The last thing you want is to begin transferring sensitive data outside of your network with no way to ensure its security.
It's no secret that data breaches have cost companies trillions of dollars just in the last ten years. A few examples include the 2013 Target breach, which cost the company nearly $300 million; the 2014 Sony hack, which cost the company around $35 million; and the 2019 Marriott breach, which cost the company more than $28 million. On average, data breaches in the US cost companies $9.5 million each year, with a global average cost of $4.35 million.
I don't want to presume, but if you're reading this article, you probably can't afford that, either in dollars OR reputation. Securing data transfers while your employees work from home is a necessity.
This left many decision-makers with a complicated choice: They could supply every employee with a company-issued device that would have company-approved security software. The cost for that would be astronomical, especially during a time of financial uncertainty. The obvious fix to that was to let employees use their own devices. However, this came with its own set of problems, because there was no way to ensure that an employee's personal device was secure.
In the late 1990s, a technology was developed that allowed end users (people on computers) to create a virtual "tunnel" through which data moving between two computers would be encrypted. Called the Point-to-Point Tunneling Protocol (PPTP), its original specification was published in 1999, and by the early 2000s, corporations were beginning to adopt this technology (if you want to read the actual specification, you can click here).
In terms of network security, this was a complete game-changer because it essentially created a private network within a company, allowing devices on that network to transfer data securely. As wi-fi developed, the technology entered the public consciousness, evolving into what would become known as a Virtual Private Network, or VPN. For many people, it became the go-to solution for public wi-fi (or as a way to circumvent internet censorship, but that is a different topic altogether).
Unfortunately for all of us, bad actors figure out ways around security. It's a common issue in cybersecurity, and is basically the same principle as an arms race: with each weapon or defense upgrade, someone comes along and develops a more powerful weapon. VPNs are no different, and this large shift to a WFH model revealed that. A study issued in 2022 reported a 44% increase in VPN attacks.
Now, if you're confused about this, you're not alone. For nearly a decade, VPNs have been touted as the solution to a secure internet. This is unfortunate, because it's due in part to misinformation from security professionals, but it's also due in part to simply misunderstanding how cyberattacks work because, as it so happens, VPNs face many of the same vulnerabilities that other networks face:
1) Phishing/credential theft - this common problem does not appear to be going away anytime soon. The basic idea is a bad actor either forces his way into your network, or he manages to steal credentials from an unwittingly helpful employee.
2) VPN hijacking - Just like a "regular" network can be breached and hijacked, so can virtual networks.
3) Man-in-the-Middle (MitM) - These happen when an unsavory character is able to intercept the traffic between your devices. It's one of the main reasons cybersecurity professionals tell you to never use public wi-fi: it's usually unencrypted and visible to anyone with the tools to access it.
There are others, but these three alone are pretty significant. The question, though, is: What do all these mean? They mean that someone can get into your network - even your VPN - through a variety of methods, and once in, can gain access to sensitive information such as user credentials and activity and security logs, can upload malware, and can basically cause a host of other problems.
However, this does not mean that all is hopeless; we need not descend into spirals of despair and darkness. There are solutions.
How to Prevent and Minimize Successful Attacks
Network Administration practices are key to helping prevent this. Recent studies have revealed that 48% of companies keep former employees on their database and network long after said employees have left the company, and roughly 20% of companies have experienced cyberattacks from former employees. As the CEO, one thing you can check is to make sure your CISO/Security team is removing former employees expediently.
Another strong practice is to require password complexity, routine password changes, and multi-factor authentication (MFA). While I cannot stress enough the importance of password complexity, your network admin should also be making sure that employees change their passwords every three months (or immediately if there is a known breach). Why is this important? Because passwords are surprisingly easy to crack, and once a username-password combination is discovered, it is usually sold very quickly on places like the dark web. It is actually this last part that makes MFA so important.
You can change your password regularly, and you can change it after an account has been hacked, but what do you do in that time between when it is hacked and when you discover the hack? How do you prevent the bad actor from logging into your account with your freshly-stolen credentials? Multi-factor authentication is a vital step in protecting accounts: the user is notified of a login attempt only after the username and password have been entered correctly, and the login cannot complete without an action on his or her part to confirm it, even when the attempt comes from a bad actor. Imagine you're sitting at lunch when you receive a text from your bank, giving you the requested security code needed to complete your login . . . a login you never initiated.
Now you know two things: the first, is that someone out there has your username and password, which means you'll need to log into your account to change that. The second is that whoever this is isn't getting your code (since it came to you), and can therefore not get into your account, even though he or she has the credentials.
Setting up MFA for users who need to get into your network is one of the best ways to prevent unauthorized access, especially from stolen credentials (MFA is, incidentally, one of the key components of Zero Trust Policy, something we'll get to in a little while). If your organization isn't using Multifactor Authentication, look into it.
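As an added illustration (my own example, not code from the article), here is the login flow described above in miniature: a correct password only triggers a code sent to the user's phone, the code is required to finish the login, and a code the user never asked for is treated as a sign the password has leaked. The user store, PBKDF2 hashing and the SMS stand-in are all constructed assumptions for the demo.

```python
import hashlib, hmac, secrets, time

# Constructed demo user store (assumed scheme): one user, password hashed with PBKDF2.
_SALT = b"demo-salt"
USERS = {"alice": {"pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
                   "phone": "+1-555-0100", "locked": False}}
PENDING = {}      # user -> (code, expiry) for an in-flight MFA challenge
ALERTS = []       # what the security team would see
CODE_TTL = 120    # seconds a delivered code stays valid

def _send_sms(phone, code):
    # Stand-in for an SMS/push gateway: the code goes only to the user's own device,
    # so someone who merely stole the password never sees it.
    return {"to": phone, "code": code}

def attempt_login(user, password):
    """Step 1: a correct password alone never grants access; it only starts a challenge."""
    rec = USERS.get(user)
    if rec is None or rec["locked"]:
        return "denied"
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(cand, rec["pw_hash"]):
        return "denied"
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = (code, time.time() + CODE_TTL)
    _send_sms(rec["phone"], code)
    return "challenge"          # caller must now supply the code from the user's phone

def complete_login(user, code):
    """Step 2: only whoever holds the phone can finish the login; one try per challenge."""
    pending = PENDING.pop(user, None)
    if pending is None or time.time() > pending[1]:
        return "denied"
    return "granted" if hmac.compare_digest(code, pending[0]) else "denied"

def report_unexpected_prompt(user):
    """The lunch scenario: the user got a code for a login they never started.
    Treat the password as stolen, cancel the pending challenge, lock until it is reset."""
    PENDING.pop(user, None)
    USERS[user]["locked"] = True
    ALERTS.append(f"{user}: credentials likely stolen; forcing password reset")
    return "locked"
```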
Software Updates
Software development can be tricky. Even some of the simplest programs have hundreds - thousands - of lines of code, and it's not only easy to overlook a bug, but bad actors scour lines of code and program interactions in order to find any type of vulnerability they can. Unfortunately, the smallest line of code can introduce a huge vulnerability. Fortunately, software developers know this, and they are constantly updating their products to patch and secure these vulnerabilities (Microsoft, for example, releases new versions of its software on the second Tuesday of every month, a day they lovingly call "Patch Tuesday"). Your security team needs to have a routine in place to update software on a regular basis.
Pentesting
We get it: pentests can be expensive. Depending on the pentest, the cost can range anywhere from $20,000 to $50,000. However, security teams have their hands full monitoring traffic and checking for active threats - hackers who are actually gaining access to your network - and potential threats - vulnerabilities that exist but aren't (currently) under attack. And while the best teams are going to be examining the network for vulnerabilities, a professional penetration test will help provide a comprehensive (and thorough) exam without the added distractions of day-to-day activities. In other words, a pentester's entire job is to examine the network for vulnerabilities. And while we won't go into the details of pentesting here, just know that this process is not only vital to the security of your network, but it is also a compliance requirement in many countries (for example, it is part of PCI-DSS compliance, which deals with entities that store and process card payments).
Employee Training
This is it. This is the big one. If you do nothing else (which we do not recommend), this is the one you really need to focus on. The largest threat to any enterprise is still the people. This isn't to say that people are a liability that need to be disposed of - far from it. But most people simply don't know about safe practices, and if they do know about the practices, they don't necessarily know the why behind them.
Training your employees on key concepts, such as not clicking on links or downloads in emails, can help cut your cyber risks dramatically. According to a 2021 Cisco report, 46% of attacks in the financial sector were directly attributed to phishing, 29% in health care, and 13% in the manufacturing industry. Teaching your employees about the techniques used - and how to avoid falling for them - can save your company a lot of money, time, and headaches.
Zero Trust
A (relatively) new solution in the cybersecurity world that may be used to help mitigate the risks of VPNs is something known as Zero Trust Architecture (ZTA). This starts from the premise that everyone seeking access to your network is a bad actor, and they have to prove their legitimacy in order to gain access. The entire approach is built on the idea that you should "never trust, always verify."
The traditional approach to cybersecurity is often depicted as a castle: your defense is the moat around the castle, but everyone within the castle is free to come and go, moving throughout the castle. This sounds good, but imagine a bad actor has managed to get into your network and now, because all the security is on the perimeter of the network, the bad actor can move laterally throughout your network. Zero Trust removes this risk by granting your security team control on a granular level, while also reducing the complexity of security. After all, having your employees confirm their access through MFA for every step of their job would slow down productivity. A well-constructed ZTA would keep your operations running smoothly, but would also protect them more thoroughly.
This kind of granular (which is just industry lingo for "tighter, more nuanced") control will help reduce the impact of security breaches that may occur. And while you still want to do everything in your power to keep bad actors out of your network, this added layer of defense is a much-needed tool in your security team's arsenal.
Takeaway
The big takeaway here is that VPNs are a necessary aspect of remote work, but they are not the end-all, be-all of security. You need a robust ("defense-in-depth," if you want to sound like a cybersecurity professional) approach to security. Updates, policies, and training are all vital to your company's security posture, as you may be aware, and these needs do not magically go away with the use of VPNs. If anything, they gain even more importance, as many are tempted to relax their stance on security with VPN usage. And with the emergence of Zero Trust Architecture, the face and scope of cybersecurity may change dramatically for both on-premises and remote work.
Running a company is difficult, and recent events have upended many of the comforts and habits we developed. The protocols and procedures we developed in response to that were good, but they also revealed some flaws that had gone unnoticed before this. We hope this guide has been helpful, but if you have any questions, please drop them below!