88% of companies are concerned about (un)secured VPNs

They fear phishing and ransomware attacks that could result from regular use of virtual private network technology.

Many see virtual private networks (VPNs) as a solution to the protection problems of hybrid working. But for that to hold, they must be used in the right way.

Zscaler’s VPN Risk Report highlights the concerns shared by IT and cyber security professionals about the security of their networks. As many as 88% of organisations are very concerned about potential breaches arising from vulnerabilities in these VPNs.

Half of respondents are concerned about phishing attacks, and two-fifths about ransomware that hijacks computers and encrypts data, as a result of regular use of virtual private network technology.

In fact, nearly half have already been targeted by cyberattackers who exploited issues such as outdated protocols and data leaks. Thirty-three percent fell victim to ransomware via a VPN in the last year.

In addition, 9 out of 10 point to the possibility of attackers exploiting third parties such as suppliers and contractors to gain access to their networks.

This explains why 92% recognise “the importance of adopting a Zero Trust architecture”, as Deepen Desai, Global CISO and head of security research at Zscaler, points out. Sixty-nine percent already plan to replace their current VPN strategies with a ZTNA (Zero Trust Network Access) philosophy.

“Many companies continue to use a VPN to provide remote access to employees and third parties, which unwittingly provides a huge attack opportunity for threat actors,” Desai notes.

“Legacy firewall and VPN vendors are offering virtual VPNs in the cloud claiming to be Zero Trust, and going to great lengths to hide the word ‘VPN’,” he continues.

“Customers need to know how to ask the right questions to ensure they are not creating a false sense of security with these virtualised legacy cloud offerings,” he adds.

“To protect against ever-changing ransomware attacks, it is critical that organisations eliminate the use of VPNs,” he explains, and that they “prioritise user-to-application segmentation and implement an inline contextual data loss prevention engine with comprehensive TLS inspection”.

Zero Trust means that users connect directly to the applications and resources they need, not to networks.

Beyond concerns about the risk posed by external users, companies are identifying experience issues. Seventy-two percent of users say they are dissatisfied with VPNs because of slow and unsecured connections.

Twenty-five percent are also frustrated by slow applications and 21 percent report having to deal with frequent connection interruptions.