Businesses are putting too great a reliance on VPNs to keep their organisations secure, according to managed service provider, Memset. A poorly managed VPN can expose an otherwise secure organisation to the unknown business and data security practices at the other end of the tunnel. This is of a special and growing issue among organisations’ supply chains, which have been shown to be the weak link in security, according to the most recent Government Cyber Governance Health Check report.
Thomas Owen, Head of Security at Memset commented:
“Site-to-site VPNs are often used to provide suppliers and third parties with reliable, encrypted access to otherwise locked-down portions of your internal network. This might be to enable support, or to allow the third party to interact with your data or systems. Acting in this mode, a VPN effectively connects one network to another by placing an encrypted wrapper around the traffic.
Acting similarly to a joining corridor between two independent buildings, the corridor may provide protection from the outside, but each party may now be sharing the contents, culture, personnel and practices of the other. In the same way a VPN can lead to sharing unintended traffic or access between two networks. Where one organisation has strong security controls and the other weak, this can provide an easy path for attackers into the soft underbelly of your digital estate. Not only can it lead to serious operational disruption, it can also cause significant financial and reputational damage.”
Many businesses, but especially SMEs, often deploy one or two ‘security’ controls and consider themselves to be secure enough. However, a ‘defence-in-depth’ approach, where multiple types and layers of controls overlap and support one-another is the only path to meaningful security in today’s world. It is highly likely that one or more secure elements of an organisation’s infrastructure will be breached. It is only when a combination of tightly interlocked measures is in place that attacks can be repelled.
VPNs have also been the recent target of Advanced Persistent Threat (APT) actors and the National Cyber Security Centre (NCSC) has published warning and advice to organisations on how to detect malicious activity, showing the growing vulnerability of this technology.
Owen continues: “VPNs are a relatively safe pipe, but without compensating controls you give up control of what flows through it. If an organisation has over-invested in ‘edge’ controls to ‘build a strong wall’, a VPN can also unwittingly cause all of these to be bypassed. Cyber security leads need to widen their circle of concern outside of their organisation and work with their compatriots through the supply chain to handle data security effectively. This is particularly important as under the new GDPR norms, data processors and controllers share liability. Therefore, businesses must think about the security of the supplier before sharing access or organisational data.”