Unsafe VPNs are a major security worry for many firms

(Image credit: Getty)

Unsafe Virtual Private Networks (VPN) are increasingly becoming a major concern for many organizations around the world, new research has found.

A report from Zscaler, found almost nine in ten (88%) were “deeply concerned” about potential breaches that come as a result of VPN vulnerabilities. These respondents were mostly concerned about phishing attacks (49%) and ransomware attacks (40%) as a result of regular business VPN usage.

Almost half of the polled organizations said they’d been targeted by crooks who were able to exploit a vulnerability in their VPN service of choice. Most of the time, the flaws included outdated protocols or data leaks. A fifth (20%) suffered at least one attack in the past 12 months, while a third (33%) suffered a ransomware attack on VPNs.

Supply chain attacks

There is also the threat of third-party vendors being exploited, resulting in a successful supply chain attack. Outside users, including contractors and vendors, have different security standards, and rarely offer proper visibility to their partners. Furthermore, managing external third-party access is an extremely complex problem, the researchers added.

> What is ZTNA 2.0 and how does it differ from ZTNA 1.0?

> 10 of the best resources online to master ZTNA

> Here the best ZTNA solutions right now

To tackle the issue, businesses are increasingly adopting a Zero Trust architecture. Zero Trust is a security model in which users and devices are never trusted by default and always need to verify their identity, even when connected to a permissioned network such as a corporate LAN. Adopting Zero Trust means establishing strong identity verification, validating device compliance before granting access, and ensuring least privilege access.

But businesses should be careful when choosing their Zero Trust partner, warns Deepen Desai, Global CISO and Head of Security Research, Zscaler. He’s made some serious allegations towards legacy firewall and VPN vendors, claiming these organizations “spin virtual VPNs in the cloud and claiming that it is Zero Trust, and they go the extra length to hide the word "VPN". Customers need to ask the right questions to make sure that they are not getting a false sense of security with these virtualized legacy offerings in the cloud. In order to safeguard against evolving ransomware attacks, it is critical for organizations to eliminate the use of VPNs, prioritize user-to-app segmentation, and implement an in-line contextual data loss prevention engine with full TLS inspection.”

These are the best endpoint protection services around

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.