Highlights:

  • Large organizations often give access to their networks to customers, partners, and contractors, in addition to remote employees.
  • Since VPNs give users more trust than Zero Trust architecture, cybercriminals are more likely to try to get unauthorized access to network resources through attack surfaces that are left open.

Zscaler, Inc, a leader in cloud security, just released the results of its annual VPN Risk Report that was carried out by Cybersecurity Insiders.

The report shows that there are more VPN-specific security threats and enterprise-level organizations need Zero Trust security architecture. The 2022 report surveyed more than 350 IT workers in North America who work for companies with global staff. Even though VPN risks are now known, remote work during the pandemic forced many companies to rely more on legacy access methods.

At the same time, cybercriminals continue to use security vulnerabilities that have been there for a long time and launch more attacks on VPNs. This year’s Zscaler VPN Risk Report looks at the state of the remote access environment, the most common VPN risks, and how Zero Trust is becoming more popular.

Deepen Desai, Global CISO of Zscaler, said, “As evident in several high-profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity. Their architecture deficiencies provide an entry point to threat actors and offer them an opportunity to move laterally and steal data.”

He added, “To safeguard against the evolving threat landscape, organizations must use a Zero Trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full TLS inspection to prevent compromise and data loss.”

Remote access is safer with zero trust

Even as more and more employees are returning to the office, 95 percent of workplaces surveyed reported using VPNs to support a mix of hybrid and distributed work environments that often span more than one country.

Apart from remote employees, large organizations often give network access to external stakeholders, including customers, partners, and contractors. Most of the time, these users connect from untrusted devices on insecure networks. They are given a lot more freedom than needed, which adds to the security risks. Unlike VPNs that are hard to use and not very safe, Zero Trust architecture improves an organization’s security without sacrificing the user experience.

Zero Trust also lets IT teams hide where their network and applications are. This makes internet-based attacks less likely and reduces the attack surface.

As VPN risks continue to grow, the status quo falls behind

A rise in the number of remote workforces has led to a spike in cyberattacks that precisely target VPN users. Since VPNs give users more trust than Zero Trust architecture, cybercriminals are more likely to try to get unauthorized access to network resources through attack surfaces that are left open. According to the report, 44 percent of cybersecurity professionals have seen an increase in exploits that target their business VPNs in the last year. This shows the risks associated with this technology when used to help remote users.

Legacy network security architectures are widespread and deeply rooted in corporate data centers, making it hard to challenge the status quo and adopt new architectures. So, it shouldn’t be surprising that almost all companies surveyed still use VPNs even though they know they are being targeted by ransomware and malware. Meanwhile, existing network security vendors have a reason to keep things as they are with remote access.

Organizations should be wary of legacy network access methods that rely on cloud-based VPNs and examine vendor architectures to see if they will bring significant benefits in terms of lowering risks and improving the user experience.

VPN technology has the same basic flaws and risks in the cloud as it does on appliances. It should be avoided in favor of more modern methods.

VPN alternatives are gaining popularity

Since legacy VPNs still pose risks, there has been a slow shift towards Zero Trust Security, which gives more control and flexibility to manage remote access. Around 78 percent of the companies surveyed for the VPN Risk Report said that their future workforces would be hybrid. This means that the enterprise will always need this kind of security infrastructure.

Since the shift to remote and hybrid work environments, 68 percent of the surveyed companies said they are speeding up their Zero Trust projects. On the other hand, Zero-Trust architecture treats all network communications as potentially hostile and needs tightened access using identity-based validation policies.

This ensures that IT and security teams can stop users from using apps that aren’t allowed and stop bad people from gaining access to move laterally through the network.

Zero Trust security architecture also lowers network risk by removing the attack surface, hiding activity from internet-based threats, and connecting them directly to the applications and resources they need.

Methodology

The 2022 Zscaler VPN report is based on the answers of 351 IT and cybersecurity professionals to a detailed online survey.

In June 2022, a survey was conducted to find out the latest VPN risk adoption trends, challenges, gaps, and solutions for businesses. The people who answered the survey ranged from technical executives to people who work in IT security.

Together, they represent a balanced cross-section of organizations of different sizes in North America that have workers worldwide.