A new survey of several hundred cybersecurity professionals reveals that nearly two-thirds of their organizations are considering alternatives to virtual private network (VPN) infrastructure for providing remote access because of the technology’s vulnerability to sophisticated cyberattacks. At the same time, the vast majority of those organizations are moving to adopt zero trust security architectures to improve security.
Those are some of the top-line findings from the 2022 VPN Risk Report compiled by Cybersecurity Insiders and published on September 26 by cloud security provider Zscaler.
Organizations have used VPN architecture for many years to give employees secure remote access, and many relied on it heavily during the coronavirus pandemic to facilitate rapid and sustained shifts to telework.
“However, using VPN for remote access puts those organizations at significant risk, as traditional VPN architectures often trust too readily and excessively,” the Zscaler report says.
“Bad actors can exploit the VPN attack surface to infiltrate the network and launch ransomware, phishing attacks, denial of service, and other means of exfiltrating critical business data.”
Some of the primary findings from the survey of 351 cybersecurity professionals illustrate an increased awareness of VPN vulnerability to attacks and the continued shift to zero trust architectures. Those include:
- 44 percent of organizations saw an increase in exploits targeting their VPN since moving toward greater remote work;
- 65 percent of organizations are considering adopting VPN alternatives;
- 80 percent are in the process of adopting zero trust architectures this year;
- 68 percent say their focus on remote work accelerated the priority of zero trust projects in 2022, up from 59 percent in 2021; and
- 78 percent of organizations are concerned about ransomware attacks.
“As evident in several high profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity,” commented Deepen Desai, Global CISO at Zscaler.
“To safeguard against the evolving threat landscape, organizations must use a Zero Trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full TLS inspection to prevent compromise and data loss,” he said.
According to Zscaler, 95 percent of the surveyed organizations continue to rely on VPNs to support a combination of hybrid and distributed work. The adoption of zero trust security architectures, however, “improves organizational security posture without sacrificing the user experience,” and “allows IT teams to keep the location of their network and applications secret, reducing the attack surface and threat of internet-based attacks.”