Is VPN enough to secure your organisation from hackers?
The coronavirus pandemic has forced thousands of companies to make leaps in their digital transformation journey. Before, businesses and public sector agencies were already challenged by remote access, bring your own device (BYOD) and cloud adoption. Now, the coronavirus has raised the stakes.
Teleworking, or remote working, is putting great strain on remote access systems. It is likely that you have experienced slow connections, website crashes, or sketchy videoconferences. However, not many are aware of the risks that come with using Virtual Private Networks (VPNs) — a tool that grants administration privileges to those who require access to the system, including employees and vendors.
Before the pandemic, risks posed by third-party access were already one of the core cybersecurity challenges of our time. Many organisations are now relying even more heavily on IT service providers to help them adapt to the new normal. Additionally, these IT service providers, who have been used to retrieving data directly from onsite servers, have to adapt their work processes overnight to accommodate remote working. This can affect the security of both their own operations and the client systems they service.
Amid the crisis, some companies have been able to provide employees with computers that are closely managed and locked down. But for many, the ability to do that was limited. Some enterprises and public sector organisations simply can’t afford the cost of issuing a corporate computer for every employee who works outside the office. This leads to employees having to rely on their own personal computers while telecommuting, which poses huge BYOD-associated security risks, such as those caused by cheap firewalls and an absence of restrictions via whitelisting, in addition to remote access risks. It certainly doesn’t help matters when many organisations are using a mixture of unsecured and outdated remote access tools to connect employees to their corporate network.
Third-party risk & VPNs
The vendor (or third party) attack vector has been well documented since Target’s 2013 credit card data breach. That breach was infamously perpetrated by an attacker who gained initial access to the network via a third-party vendor’s VPN account used for monitoring heating, ventilation and air conditioning (HVAC) equipment in Target stores. Interest in vendor access security risk has exploded since then. The 2019 Privileged Access Threat Report disclosed that, on average, organisations have 182 vendors logging into their systems every week. A Ponemon Institute survey revealed that 59 per cent of companies experienced a breach due to third parties in 2018. Now is the time for organisations to improve their ability to manage third-party risks.
One of the most common tools for remote access — the VPN — is unfit for the purpose of managing privileged vendor remote administration of business systems, whether as part of a staff augmentation use case or for troubleshooting purposes. Among its security deficiencies, the VPN:
- Creates a full tunnel of access, potentially leaving core systems with no inherent resistance to a compromised edge device or account;
- Punches big holes in the network segmentation model; and
- Lacks privileged access management (PAM) features.
What’s the solution?
With an increase in cyber-attacks against remote workers during Covid-19, it is imperative for organisations to secure end-users’ machines, and prevent malware and ransomware from being introduced into the corporate environment.
The resulting increase in demand for cybersecurity services has stretched service desk teams thin. Even with more work and fewer resources, the teams must still address the risk created by remote users who are more likely to self-provision tools and applications, which may inadvertently introduce malware or ransomware into the network.
And at the root of this problem is a common security headache — administrative rights. Users either have no administrative rights and can’t do anything at all, or have full administrative rights and too much control.
Your employees need to connect only to systems and applications needed for their field of work. Your IT service desk needs to support employees in their homes around the world. Your third-party vendors and contractors need to continue performing critical tasks on your network. And each of these needs has to be met securely — without maxing out your infrastructure and VPN. It certainly seems too hard to achieve, but it’s not.
IT services company BeyondTrust offers a solution for this by combining secure remote access with least privilege. This way, you can enable your remote employees, support staff, and third-party vendors to connect securely to the endpoints and systems they need without requiring a VPN, allowing your workforce to be productive without introducing security risks or straining your network. Using this combination of secure remote access with least privilege, employees working from home should be able to connect back to their desktop or workstations at the office from any modern browser, and support staff can see and control remote computers and devices. The BeyondTrust Privileged Access Management platform also allows your support staff to access the camera of a remote employee’s mobile device to assist in setting up hardware and peripheral devices. Every connection should be centrally managed, permission-based, and recorded for security compliance.
In addition to maximising the use of a remote access tool with all the security features you need, enforcing least privilege will help you to secure those endpoints by elevating privileges only at the application level and whitelisting applications to protect against malware.
These times of unprecedented disruptions can create increased risk. There are ways you can support your remote workforce and third-party vendors without compromising security.
To learn more about how to protect remote endpoints from attacks and malware, download this quick guide: Enable & Secure Your Remote Workforce.