Cybersecurity Tip: Beware of Using a VPN

Beware of Using a VPN

71% of Canadian organizations have reported experiencing at least one cyber attack that impacted operations in some way.

You’ve seen the headlines. Data breaches here, phishing attacks there. It seems we’re always hearing about some company or organization that’s been the unwilling victim of a hacker’s latest conquest (CRA credential-stuffing attack, anyone?).

As an IT professional, your ultimate goal is to naturally avoid headlines such as these at all costs.

Yet, depending on your role within IT (i.e. whether you work for or provide services to an organization), you’ve most likely seen some close calls. Perhaps you’ve even been on the other end of an eleventh hour cybersecurity hack that you had to resolve.

But here’s the thing; how, in 2020, are companies still so vulnerable to attack?

More importantly, how do companies become better at leveraging IT within their organizations to protect their systems, their people (i.e. staff, clients, customers), and their reputations? To answer these questions and provide us with the ultimate IT insider’s perspective, we called on two experts: Enzo Logozzo of 365 iT SOLUTIONS and Sean Jennings of CIM Solutions.

 

Together, we’ve put together 3 ways organizations can identify any cybersecurity gaps and be more secure going forward. 

We’ll be sharing one tip a week for the month of October, which is Cybersecurity Awareness Month

 


Tip #1:  Beware of using a VPN

When COVID hit, many companies didn’t have secure methods in place to accommodate staff for remote access. Since the seismic shift from ‘work office’ to ‘home office’ happened so quickly, a number of businesses opted to set up their staff through a VPN.

But here’s the thing, an improperly configured VPN can be a significant security risk.

Sean Jennings of CIM Solutions explains why:  “The issue with employees using a VPN when working from home is that it opens up the office network to attack from their home network. This is because the person working from home isn’t using their computer or internet strictly for work purposes. They’re probably streaming movies in the evenings and on weekends. The kids are downloading games, music, and who knows what else. Everyone in the household is clicking on dozens, even hundreds of links. And all are completely oblivious to the fact they’ve most likely clicked on something that has opened the door to a hacker. If that’s the case, you can bet any home computer is infected with some kind of malware or hacking tool.”

This is where remote staff unwittingly set the stage for a horizontal/lateral attack.

According to Sean, that’s because most computers have reduced security and firewall policies when connected on a trusted (i.e. ‘home’) network. The moment a home-worker connects to the VPN, they’ve just provided wide-open access for anyone to slide right behind the firewall, using Joe or Jane’s computer as the gateway. Nothing gets filtered. Nothing gets blocked. Cybercriminals can just spend the entire day hacking corporate computers and servers to their heart’s content. All while intercepting any company data flowing in between.

 

Our IT insider’s tip for improving security when using a VPN:

Equip staff with a dedicated work computer/laptop:  This way the IT department can ensure the device meets proper company specs/protocols (which includes having the right security software).

Possible caveat: Even a dedicated work computer with strong antivirus software is not impenetrable to horizontal attacks (if a remote employee is connecting that device to the office using their home Internet).

Possible solution (no cost): Add a level of security by configuring/locking down the VPN to only allow network traffic (over the VPN). If the VPN connection is unavailable, outbound network traffic is blocked—decreasing the chances of infiltration by a would-be hacker.

Possible solution (low cost): There are now corporate firewalls that can be easily plugged into the work-from-home (internet) connection. These devices act as an independent network, encrypting all information going back to the corporate network (through the household VPN), providing an increased level of security.

Possible solution (high cost): Having a unique ‘work’ Internet connection installed into the employee’s home with a corporate-managed firewall connected to it is the ultimate level of security. This will keep the work-from-home computer completely separate (which equals zero exposure to possible hacks and attacks from/through the home network).