Zscaler, Inc. has released the findings of its annual VPN Risk Report, conducted by Cybersecurity Insiders, which shows a growing number of VPN-specific security threats and a need for zero trust security architecture in enterprise-level organisations. The 2022 report surveyed over 350 IT professionals in North America at organisations with global workforces. Despite high awareness of VPN risks, remote work forced many companies to rely more heavily on legacy access methods during the pandemic. At the same time, cybercriminals continue to take advantage of long-standing security vulnerabilities and increased attacks on VPNs. This year’s Zscaler VPN Risk Report includes analysis of the state of the remote access environment, the most prevalent VPN risks, and the growth in adoption of zero trust.

Commenting on the release, Deepen Desai, Global CISO, Zscaler, said, “As evident in several high-profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity. Their architecture deficiencies provide an entry point to threat actors and offer them an opportunity to move laterally and steal data. To safeguard against the evolving threat landscape, organisations must use a zero trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimises the attack surface, and delivers full TLS inspection to prevent compromise and data loss.”

Zero trust secures remote access 

While more and more companies have employees returning to the office, 95 per cent of surveyed workplaces still rely on VPNs to support a combination of hybrid and distributed work environments that often span multiple geographies. In addition to remote employees, large organisations often extend network access to other external stakeholders, including customers, partners, and contractors. In many cases these users are connecting from untrusted devices on insecure networks, are granted far more freedom than necessary, and result in additional security risks. Unlike cumbersome, insecure VPNs, zero trust architecture improves organisational security posture without sacrificing the user experience. In addition, zero trust allows IT teams to keep the location of their network and applications secret, reducing the attack surface and threat of internet-based attacks.

Status quo falls behind as VPN risks continue to grow

The increase in the number of remote workers across industries has resulted in a sharp spike in cyberattacks that are tailor-made to target VPN users. As VPNs grant a greater degree of trust to users when compared to zero trust architecture, cybercriminals are more active in seeking to gain unauthorised access to network resources through exposed attack surfaces. According to the report, 44 per cent of cybersecurity professionals have witnessed an increase in exploits targeting their business VPNs in the last year, demonstrating the risks associated with this technology when deployed to support remote users.

Legacy network security architectures are pervasive and deeply entrenched in corporate data centers, making it difficult to challenge the status quo and adopt new architectures. So it should come as no great surprise that nearly all of the organisations surveyed continue to use VPNs despite knowing they are being targeted by ransomware and malware. Meanwhile, incumbent network security vendors have a vested interest in maintaining the remote access status quo. Organisations should be wary of legacy network access approaches that rely on cloud-based VPN, and examine vendors’ architectures to understand whether they will bring significant benefits in risk reduction and user experience. VPN technology carries the same fundamental shortcomings and risks in cloud virtual machines as it does on appliances, and should be avoided in favor of more modern approaches.

VPN alternatives gain traction

Ongoing risks from legacy VPNs have created a gradual shift towards zero trust security, which provides greater control and flexibility for effective remote access management. 78 per cent of organisations surveyed for the VPN risk report indicated that their future workforce will be hybrid, creating an ongoing need for this type of security infrastructure in the enterprise.

Since the shift to remote and hybrid work environments, 68 per cent of surveyed companies have indicated that they are accelerating their zero trust projects. Unlike VPNs, zero trust architecture treats all network communications as potentially hostile and requires tightening access using identity-based validation policies. This ensures IT and security teams can restrict users from off-limits applications and prevent malicious intruders from taking advantage of granted access to move laterally within the network. Zero trust security architecture also reduces network risk by eliminating the attack surface, masking activity from internet-based threats and connecting them directly to the applications and resources they need.