During Cybersecurity Awareness Month, SecurID will highlight insights and best practices to help all businesses and users do their part to protect themselves, secure remote work, and “#BeCyberSmart.”
Like most business processes, cybersecurity tends to exist on a pretty broad spectrum. For every organization that’s deploying more mature techniques like zero trust security or risk-based authentication, there are plenty that leverage traditional defense in depth approaches for their network security postures.
Providing secure remote network access by creating a virtual private network (VPN) is one of the quickest methods to provide business users with access as if they are in the office. As such, it should come as no great surprise that VPN use surged as a result of the pandemic. For many businesses just starting off on their cybersecurity journeys, VPNs represented a quick, effective and immediate way to secure hybrid work and continue operations:
- A January survey found that roughly 70% of cybersecurity professionals reported increasing their VPN capacity during the pandemic—and that roughly 35% had more than doubled their VPN capacity because of the pandemic.
- TechBullion called 2020 a “breakout year for business VPNs,” noting one study which reported that “global demand for VPNs had jumped 41% in the second half of March, and continued at 22% above pre-pandemic levels.
- In India, VPN use grew seven times over the first half of 2021. India recorded more than 348 million VPN installs in the first half of the year, representing 671% in growth compared with 2020.
That’s remarkable growth and an important first step for many businesses trying to secure hybrid work—but it’s only a first step. Because VPNs are only as good as the authentication used to access them. And in far too many cases, businesses are asking their users to access VPN using only a password to sign-in.
Given that they provide access into a business’ corporate network, VPNs can create a major vulnerability. Simply put, the risk exposure of this one entry point can be far too high—and that exposure becomes even more pronounced when an organization only relies on passwords to manage access. That risk can also be exacerbated by third-parties requesting intermittent access.
Another way of putting it: using a password to secure a VPN is like building a steel bank vault and setting the combination lock to 0-0-0. The walls might be strong, but just about anyone can stroll right in.
And in far too many cases, that’s exactly what happens.
Don’t use passwords to secure VPN
Passwords are expensive and insecure. The National Cybersecurity and Infrastructure Agency recently added single-form authentication to its list of “Bad Practices,” calling the use of passwords and usernames an “exceptionally risky cybersecurity practice.”
As a result, it’s no surprise that there have been several high-profile instances when password-protected VPNs failed to keep out cybercriminals.
One of the most memorable failures is Colonial Pipeline. According to Bloomberg, hackers breached the company’s networks through a VPN account that was a) no longer actively in use and b) not protected by MFA.
But as other recent stories have revealed, many organizations are still using passwords to ‘secure’ their VPNs.
The high costs of passwords
It’s not that passwords are particularly bad at securing VPNs—it’s that they’re bad at securing everything.
Passwords are hard for legitimate users to manage and easy for hackers to guess. They’re the #1 attack vector for bad guys—the 2020 Verizon Data Breach Investigations Report found that more than 80% of hacking-related breaches involved either brute force or the use of lost or stolen credentials.
Just last week, ZD Net reported that cybersecurity researchers “detected 55 billion new attempts at brute-force attacks between May and August 2021 alone—more than double the 27 billion attacks detected between January and April.”
Passwords are also expensive: for bigger enterprises, nearly 50 percent of IT help desk costs go to password resets. That can add up to more than $1 million in staffing.
Passwords have tremendous costs—both as security liabilities and to a business’s bottom line.
Take the next step in securing your hybrid workforce
If you’ve invested in a VPN to provide secure network access for your hybrid workforce, you’ve taken an important first step in protecting your team, assets and IP.
But there are other important steps that organizations must take to protect themselves, including using multi-factor authentication (MFA). MFA is a fundamental part of any organization’s cybersecurity stance—recently, President Biden signed an executive order directing public agencies to implement MFA. That advice was borne out by Fortinet’s recent advisory regarding an SSL-VPN vulnerability, in which the company cautioned organizations to “treat all credentials as potentially compromised” and “implement multi-factor authentication, which will help mitigate the abuse of any compromised credentials, both now and in the future.”
Other steps businesses can take to secure remote workers include minimizing hackers’ favorite vulnerability by deploying passwordless authentication and using risk-based authentication to create step-up authentication for critical assets.
Each of these steps builds on the next. And as businesses continue maturing their security practices, they can build toward zero trust principles by enforcing least privilege and always verifying access requests.
Regardless of where you are on your journey, identity is key. Knowing who your users are, what they should have access to and how you’re going to authenticate them is essential to any successful cybersecurity program.