Are VPNs really secure?

March 20, 2021
What to consider before installing a VPN on employees’ devices

Many companies that supply their employees with devices for remote work typically make sure that virtual private networks (VPNs) are installed on them. Since the onset of the pandemic, more company-owned devices have been issued because a majority of employees are still working from home, increasing the need for VPNs. In fact, during the early stages of COVID-19, VPN usage increased 124% per week between March 8 and March 22 to ensure that sensitive company information remained secure among scattered workforces.

By using a VPN, users can access networks that might not be trustworthy and ensure that they are safely connected. Users can also be confident that their data is encrypted end to end and that their location remains unknown - especially when connecting to unsecured public networks in places such as coffee shops and hotels. With undisclosed locations, users can avoid regionally blocked services when they’re abroad, like streaming platforms and social media, and, more importantly, stay undetected by hackers who are looking for vulnerabilities and private information.

VPNs will also provide security for users’ data and the content they are viewing, along with their website traffic and activity. This means, for example, that if a user is looking at private company financial information while using a VPN, the activity and movement - along with the financial information itself - will not be tracked and there will be no record of visiting the website, thus preventing a hacker from spying and obtaining any sensitive information to exploit.

However, despite the benefits of these private networks, there has been a rise in VPN vulnerabilities, and hackers are taking advantage of this. According to the Zscaler 2021 VPN Risk Report, 94% of companies that were surveyed are aware that cybercriminals are increasingly targeting VPNs to gain access to network resources, yet 93% of them are still leveraging VPN services. What’s more, this report states that about 70% of these companies claimed that they increased their VPN services in some capacity during the pandemic, showing how valuable VPNs are and how important security is. However, VPNs are insufficient at protecting companies’ information if they are not managed properly. As more companies consider VPNs for their networks amid the continued work-from-home environment, what should decision-makers and IT managers consider to ensure that they are getting the best use out of VPNs and that the VPNs are working as intended?

Challenges with VPNs

While VPNs have proven to be beneficial, there is currently a lack of industry standards to abide by and of a reliable way to test these services before they’re released to the market. This increases the likelihood of vulnerabilities, which can lead to hacks and data exploitation. Additionally, VPNs have two main challenges when it comes to implementing and using them.

  1. Is the VPN connected? Some VPNs can be difficult to set up. Once the VPN is connected, it can sometimes disconnect without the employees knowing. Because of this, they also might not know when it happened or how long their information has been exposed, which can leave openings for hackers. This means that it is important that VPN services provide VPNs that can connect automatically to prevent unintentional disconnections from taking place.
  2. Is the VPN securing data as intended? Since there is a lack of visual cues, it is also challenging for employees to know if the VPN is working after it’s installed and connected, especially since, more often than not, the users don’t have a security background. In fact, testing has shown that there is a lack of, or incredibly weak, encryption in many VPN services, which shows that it is important to have standards in place to ensure strong end-to-end encryption.

Additionally, IT managers typically don’t take into consideration whether the smartphones and other networks that their employees are using and connecting to are secure. It’s likely that these connections don’t have a VPN on them, thus leaving an opening for hackers. For example, if an employee is using a mobile app for company-related expense tracking, hackers can tap into that information since the phone is not protected. They can then use this information to masquerade as the employee since the login credentials for the expenses app and employee database are likely the same. This means that it is important that companies consider the security of all the devices that employees are using, ensure that VPNs are properly installed on these devices, and provide best practices to keep data secure.

Choosing a VPN and Best Practices

There is an abundance of VPN options to choose from, but it’s hard to decipher which is the best choice due to a lack of transparency and concrete information from VPN providers. After companies have distributed devices, there are some best practices that employees should be encouraged to follow to ensure that their data remains safe.

  1. Location test: In order to check if a VPN is working, employees should use a “find my location” feature on their devices. This will provide the employee with a location, and if the location is accurate, it means that the VPN is not working since it should be able to shield a user’s true location.
  2. Avoid free VPNs: Free VPNs shouldn’t be considered for use. Though tempting, when a VPN, or any mobile app, is free, it is likely that the users’ data are being collected and sold to third parties, or the costs are paid through third-party advertising. Choosing the right VPN might mean paying for one but it will keep online data secure.

The Need for Security Standards in VPNs

While VPNs provide many benefits, there are also challenges that come from using a VPN. From uncertain connections and encryption to unclear information from VPN providers who have unknown names, it is difficult to determine which VPN is right for a company and its employees. This means that it is important that prominent technology companies consider entering the market to instill trust and confidence among users.

In order to successfully enter the VPN market, these companies should work alongside leading industry organizations that understand the risks and requirements needed to create a secure VPN. These organizations bring together major industry players and are working to create adoptable, global standards and testing, which require VPNs to have no universal passwords, standard cryptography, security by default, automatic connection when in use, end-to-end encryption, and regularly released updates and maintenance. By implementing these requirements on a global scale, industry organizations can help VPN providers and tech companies ensure that the VPNs work as intended and that companies and their employees are protected from any potential vulnerabilities.

As work from home is here to stay, more companies will be considering VPNs to protect critical and private information from hackers. While these solutions can show great benefits to organizations, they do still come with some security risks. VPNs should be carefully reviewed, selected and monitored closely by IT professionals to ensure the best possible outcome. However, the only way to guarantee that companies are secure is if testable, global standards are created by leading organizations and implemented across products. This will increase the transparency of the product's security among stakeholders and will allow companies to have peace of mind that their sensitive data and information are safe from the wrong hands.

About the author:
Brad Ree is the chief technology officer of ioXt. In this role, he leads ioXt’s security products supporting the ioXt Alliance. Brad holds over 25 patents and is former Security Advisor Chair for Zigbee. He has developed communication systems for AT&T, General Electric, and Arris. Before joining ioXt, Brad was vice president of IoT security at Verimatrix, where he led the development of blockchain solutions for ecosystem operators. He is highly versed in many IoT protocols and their associated security models.