As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk
Virtual Private Network (VPN) services have emerged as essential tools for modern businesses in recent years, and doubly so since they helped save the day for many of them amid the pandemic-fueled, pell-mell rush to remote work in 2020. By creating an encrypted tunnel for corporate data traveling between company networks and employee devices, VPNs help secure sensitive information without compromising employee productivity or crippling companies’ mission-critical operations. As many organizations have since settled into a hybrid workplace model that mixes in-office and on-the-go work, remote access VPNs have remained a staple in their network connectivity and security toolkits.
On the other hand, VPNs have also come under increasing scrutiny due to a surge in security vulnerabilities and exploits targeting them, sometimes even before patches are rolled out. Since VPNs potentially represent the keys to the corporate kingdom, their appeal to nation-state actors and cybercriminals alike is undeniable. Adversaries are dedicating substantial resources to scouring for weak points in corporate software stacks, which exerts further pressure on organizations and underscores the importance of robust risk mitigation practices.
In an era where the mass exploitation of security loopholes, large-scale supply-chain attacks, and other breaches of corporate defenses are increasingly common, concerns are mounting not only about the ability of VPNs to help safeguard corporate data against bad actors, but also about this software itself being yet another source of cyber-risk.
This raises the question: could business VPNs be a liability that increases your organization’s attack surface?
Keys to the kingdom
A VPN routes the user’s traffic through an encrypted tunnel that safeguards the data against prying eyes. The main raison d’être of a business VPN is to create a private connection over a public network, namely the internet. In so doing, it gives a geographically dispersed workforce access to internal networks as if they were sitting at their office desks, essentially making their devices part of the corporate network.