A new report from Zscaler shows that organizations are seriously concerned about their network security and attribute that concern to VPN-related risks.
The report emphasizes the need for businesses to review and revise their security posture. The urgency comes from the ever-escalating threat of online criminals who exploit VPN weaknesses to their advantage.
The report found that an overwhelming majority of those surveyed, 92%, acknowledge the crucial need to adopt a zero-trust model. Alarmingly, many organizations continue to use VPNs for remote access by employees and third-party vendors, inadvertently presenting an attractive attack surface to malicious actors. These insights were shared by Deepen Desai, Global CISO and Head of Security Research at Zscaler.
He added that conventional firewall and VPN providers have been promoting virtual VPNs as zero-trust solutions, even going to great lengths to avoid the term “VPN”. Clients must remain vigilant and ask the necessary questions to ensure they are not lulled into a false sense of security by these virtualized legacy offerings. To defend against evolving ransomware attacks, Desai underscores the importance of eliminating VPN usage, focusing on user-to-app segmentation, and employing an in-line contextual data loss prevention engine with full TLS inspection.
The Threat of Unsecure VPNs
Significantly, 88% of organizations voice deep worries about potential breaches due to VPN vulnerabilities. Their primary concerns revolve around potential phishing attacks (49%) and ransomware attacks (40%) stemming from regular VPN usage.
Approximately half of these organizations have found themselves targeted by online attackers who successfully exploited a VPN vulnerability such as outdated protocols or data leaks. Among these, one in five underwent an attack within the past year.
Ransomware in particular has become a formidable threat for organizations. Around a third of them succumbed to ransomware attacks on VPNs within the past year.
Legacy Networking Hazards
Despite extensive security measures, studies indicate that 90% of organizations remain deeply worried about third-party vendors, which attackers can exploit to indirectly gain backdoor access to their networks.
External users like contractors and vendors are seen as potential risks due to the varied security standards, lack of visibility into their network security practices, and the complexity of managing external third-party access.
Traditional networking and security architectures that manage access to internal applications by granting users direct access to the network are proving problematic. These methods inherently trust users who can confirm their credentials at the access point, which becomes an issue if those credentials are stolen.
A zero-trust strategy proposes that users connect only to the apps and resources they require, rather than to the network itself. User-to-application and application-to-application connections avert the risk of lateral movement and prevent infected devices from compromising other resources. Moreover, users and apps become invisible to the internet, hence undetectable or invulnerable to attacks.
Transition to Zero Trust
Beyond security concerns, 72% of users express dissatisfaction with their current VPN experience due to slow and unreliable connections. A noteworthy 25% are frustrated by slow application speeds, while 21% deal with recurrent connection disruptions.
Unreliable internet connectivity leads to subpar user experiences, resulting in frustration and decreased user engagement. Moreover, the complexity and inconvenience of authentication could lead to lost productivity, diminished revenue, and elevated risk of data loss from users attempting to circumvent inefficient VPN services.
Organizations are beginning to identify the issues caused by antiquated VPNs in both security and user experience, and are gravitating towards a Zero Trust architecture.
A compelling 92% see the significance of adopting a zero-trust approach to protect their assets and data, a 12% increase year-over-year. Around 69% are already in the planning stages to replace their existing VPN solutions with Zero Trust Network Access.
The report urges organizations to adopt a zero-trust architecture to effectively diminish the risks tied to VPN vulnerabilities and safeguard their sensitive data and applications from digital attacks.