4 Security Threats VPNs Cannot Block
Virtual private networks (VPNs) have been a staple in the management and security of IT networks across the world. While cyberattacks and the proliferation of malware continue to grow in commonality, VPNs coupled with other security tools have helped provide secure environments for both businesses and consumers.
As standards shift and new advancements in technology are developed, additional threats arise and provide new challenges. One such change is the recent shift to remote work which has brought a new set of problems for IT professionals to face. While conventional security methods focused on perimeter security, remote work has added additional security issues that surmount the protection VPNs offer.
Remote work introduces new and unregulated devices to previously well-protected networks. Rather than using closely monitored PCs within a controlled environment, employees are now bringing their own devices into the mix. Even if employees are given specific “work” laptops, they are most likely utilizing a public or personal Wi-Fi network to conduct work. This can expose a typically well-regulated and protected enterprise network to a whole new set of threats and attacks.
In this article, we explore 4 common threats that cannot be solved by the limited functionality of VPNs, along with the appropriate steps needed to mitigate them.
1. Spyware
VPNs do a great job at protecting and encrypting information sent between networks, however, they do not protect against malware or eavesdropping programs on devices. Data is a highly coveted and valuable asset to a wide variety of companies, including those with questionable motives. This has led to many programs and apps having built-in functions to collect and send personal data off to be sold or used.
VPNs can help hide IP addresses, but the data collection industry has evolved beyond them. Using things such as unique audience identifiers, cookies, and browser fingerprints, data can still be collected and stored in data management platforms (DMPs). DMPs allow companies to track and maintain a database of user preferences, personal information, and history based on individual profiles beyond just an IP address.
Combating the massive issue of privacy invasion is a daunting task to take on. Laws are still being made and changed to better protect the privacy of internet users. Here are a few ways organizations can take to better secure their data and protect themselves from tracking.
- Implement DNS Encryption and/or use a filtered DNS service
- Implement blocking of tracking at the network layer (ie UTM firewall)
- Block application layer tracking such as cookies and browser fingerprints
- Limit the ability of users to install untrusted browser extensions using group policies
Another great method for thwarting spyware is using an enterprise anti-spyware solution which includes centralized management to allow installs on devices across the company network. These solutions will block the execution of spyware and prevent it from installing in the first place.
2. Worms
Worms have been around for quite a while and are an extremely difficult malware to get rid of. Worms have the ability to replicate and affect connected devices, which is one of the primary reasons why they are so difficult to remove. Since VPNs focus on encrypting traffic and providing a secure connection, they do not exert much control over what can come and go within that connection. This allows the worm to freely move about the network despite the use of a VPN.
While VPNs might not be the solution to combating worm-like malware, there are plenty of options in the form of anti-virus and anti-malware software. These can provide preventative measures as well as resources to remove existing malware from devices. Another more in-depth solution is to utilize a Software Defined Perimeter (SDP) to protect enterprise-level networks through micro-segmentation and controlled access. This solution is much more intricate than installing an anti-virus, it can provide network security to a much greater extent.
3. Phishing
Phishing is a type of cybercrime designed to steal personal information like passwords, credit card numbers, and more. It can come in a wide variety of forms and cybercriminals are constantly designing more intricate scams to fool unsuspecting victims. In the 2020 Cyber Security Breaches Survey, it was reported that 48% of businesses had experienced a security breach or attack within the last 12 months and 86% of those were due to phishing attempts.
With the high value placed on personal data, cybercriminals are willing to go above and beyond to design elaborate schemes to trick people into giving out their personal information. These types of scams can range from fake websites made to look and act like a legitimate one (including a very similar URL) to a fake email from a coworker or manager.
VPNs have a difficult time protecting from phishing attempts because it is highly reliant on the individual using the device. The cyberattack can start off as a simple email with a link to a malicious website or malware-infected attachment. That is why one of the most important ways to combat phishing is educating staff on what to look for. While a good firewall and filter will help clear out some phishing attempts, it only takes one to get through to cause disaster.
4. Device Vulnerabilities
Operating systems and software come with inherent flaws no matter how much testing is done prior to release. Cybercriminals look to take advantage of these flaws within the programming to gain access to the device and the valuable personal data on it. As these holes are discovered, security patches and updates are released to fix the problem and prevent any future exploitation.
Because these are flaws built directly into the operating system or software (including some VPNs), a VPN cannot do much to prevent these types of attacks. Organizations looking to protect against these vulnerabilities need to ensure all devices connected to their network are up to date and running the latest version of software.
Fully Secure Remote Work Environment
While VPNs provide a good solution for securing remote connections, they fall short on several security threats. By following the tips above, business organizations will be one step closer to ensuring a secure remote working environment.
Business organizations also need to implement additional passive and active security layers to ensure maximum security. This is where experienced IT security experts such as Outsource IT can help. Contact an Outsource IT account manager to learn more about our Business IT Security services.