Virtual Private Networks (VPNs) have long been used by businesses to give employees secure remote access to applications and data. And no doubt, the on-going COVID pandemic has dramatically escalated the need for businesses of all sizes. But in the rush to enable remote access, some businesses have fallen short in implementing strong security postures.
To keep digital assets secure, it’s critical to not only deploy the required security controls, but also educate your employees on the cybersecurity measures they need to take. It’s risky to assume the VPN will protect your business all on its own without end-users also doing the right things.
Cybercriminals Target VPN Vulnerabilities
Adding to the urgency—as more businesses started using VPNs in the past year—cybercriminals began to find and target more vulnerabilities in VPN networks. In many cases, they discovered the latest security updates and patches had not been applied. Malicious threat actors have also increased phishing emails targeting unsuspecting teleworkers to steal their usernames and passwords.
One vulnerability cybercriminals particularly look to take advantage of is the lack of multi-factor authentication (MFA) for remote VPN access. These networks are more susceptible to phishing attacks, and if there are a limited number of VPN connections, the threat actors who gain access may make it impossible for employees to connect to the network. This can include IT resources who are trying to shut-down the threat. As a result, critical business operations may suffer.
Quick Measures to Improve Your VPN Security Posture
The help you keep your VPN secure, there are several best-practices that your IT team and your end-users can put into play. Here’s a rundown of four that can be implemented fairly quickly and at a low cost:
- Control User Access—Implement policies that allow only company-issued devices to connect to the VPN and which require remote users to connect to the corporate network only through the VPN. These measures can be achieved by loading VPN profiles on corporate devices and by prohibiting the loading of profiles on personal devices.
- Keep Applying Software Updates and Security Patches—Outdated software can leave devices particularly vulnerable. You can overcome this by requiring end-users to connect to your VPN at least once per day to ensure their devices receive updates and patches. They should also shut down devices when not working and reboot so devices run a health check that looks for OS updates.
- Implement Security Strong Security Policies—These include multi-factor authentication and data encryption. Also enforce the use of strong passwords and limit privileges so end-users can access only the files and systems they need in their role. Another key policy is the use of split-tunneling, which disables functions that utilize local networks when a VPN is connected to corporate resources.
- Educate Employees—Inform your end-users to expect an increase in phishing when they work from home, and teach them the importance of avoiding suspicious links, web pages and attachments. If they receive something from someone they don’t know or an email that spoofs an internal user that looks suspicious, ask them to forward it to IT for investigation.
In addition to these measures, also be sure to give your IT security team the tools and resources they need to ramp up their efforts to review logs, detect attacks, respond to incidents, and recover operations. Your IT team should also test the limitations of your VPN to prepare for spikes in usage and to implement modifications, such as rate-limiting, so you can prioritize users that require higher bandwidths.
Taking these measures will pay off almost immediately. With a well-armed IT team and knowledgeable end-users, you will be much better positioned to defend your digital assets!
To learn more about implementing best-practices to secure your VPN, or for help in training your end-users to be diligent about attempted cybersecurity attacks, contact us today!
