Why a Common VPN Can Be a Small Business’s Weakest Link
At-Bay’s data shows that patching VPN gateways should be top of mind for any business
Virtual Private Networks (VPNs) are essential for modern business operations, connecting remote employees, branch offices, and other decentralized entities securely to the company’s central network. Today’s most popular VPN solutions boast a plethora of capabilities and often involve intricate software architectures, making them essential yet complex tools for maintaining day-to-day business connectivity.
VPNs are frequently targeted by cybercriminals due to their inherent need to be accessible via the public internet, making them visible and thus more susceptible to potential attacks. The complexity of VPN systems also means they have multiple points of potential failure; misconfigurations, substandard management, or neglected software updates can create exploitable openings in a network’s defenses.
Over the past year, there has been a notable uptick in attacks that have taken advantage of the vulnerabilities within these systems. These security flaws often include zero-day vulnerabilities—flaws previously unknown to vendors—which need urgent patching. Poor cyber-hygiene practices exacerbate these risks, making timely remediation crucial to preventing serious breaches.
From a vulnerability perspective, cybercriminals have plenty to choose from. According to MITRE’s Common Vulnerabilities and Exposures (CVE) Database, there have been 74 vulnerabilities related to VPNs disclosed as of October 2023, already surpassing the total found in 2022 (72), 2021 (52), and 2020 (54).
Furthermore, cybercriminals frequently take advantage of “self-managed VPNs,” a version of the technology that is implemented on-premises and maintained in-house by IT teams. Our data shows that businesses using self-managed VPNs face a considerably higher risk of a security incident than businesses that don’t use VPNs, or that use more secure cloud-hosted VPNs or other remote access technology.
This abundance of vulnerabilities in VPNs translates into increased risk in our claims data. When examining data from 2023, we found that companies that used common self-managed VPNs had a 2.25X higher probability of having a cyber claim than those that did not use them.
When measured for ransomware, companies that used self-managed VPNs had a 3.7X higher probability of having a claim than those that did not use a self-managed VPN.
To be clear, our claims data does not point to these products being directly responsible for every claim. While self-managed VPNs may not be the initial attack vector in particular incidents, companies using them have a much higher rate of attacks. This could be because of other on-premises systems, or because cybercriminals target these companies knowing that they have an old technology stack.
Our data shows that some of the most widely used self-managed VPNs on the market are actually some of the riskiest. Because these products are so widely used, they have become a frequent target through sheer volume, and we are not surprised to see them show up in a significant number of our claims.
When examining claims data, we found that organizations using the worst-performing self-managed VPNs (products from Cisco, Fortinet, and SonicWall) had a 1.4X higher probability of having a cyber claim than those that used other types of self-managed VPNs.
When measured for ransomware, organizations using these self-managed VPNs had a 2X higher probability of having a cyber claim than those that used other self-managed VPNs.
The cybersecurity industry at large is keenly aware of the issues these particular self-managed VPNs present. Each of these products has suffered from at least one “high” or “critical” vulnerability every year since 2021. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list has 20 VPN-related vulnerabilities. Fifteen of them are tied to Cisco, Fortinet, or SonicWall VPN products.
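One way to put the KEV list to work is to cross-check it against your own VPN gateways and rank what is still unpatched. The sketch below is an added example, not At-Bay's tooling: the inventory format and the outstanding_kev function are hypothetical, and the catalog entries are constructed placeholders that only follow the field layout of the KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the field layout of the KEV JSON feed; vendors,
# products and CVE IDs are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Example SSL VPN",
  "dueDate": "2023-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "product": "Example SSL VPN",
  "dueDate": "2023-09-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "product": "Example Remote Access",
  "dueDate": "2023-06-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0004", "vendorProject": "VendorC", "product": "Example VPN Client",
  "dueDate": "2023-11-30", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Hypothetical gateway inventory; "remediated" holds CVE IDs already patched.
INVENTORY = [
    {"host": "vpn-hq", "vendor": "VendorA", "product": "Example SSL VPN",
     "remediated": {"CVE-0000-0001"}},
    {"host": "vpn-branch", "vendor": "vendorb", "product": "example remote access",
     "remediated": set()},
    {"host": "vpn-lab", "vendor": "VendorC", "product": "Example VPN Client",
     "remediated": set()},
]

def outstanding_kev(inventory, kev, today):
    """Return unremediated KEV entries per gateway, most urgent first."""
    rows = []
    for dev in inventory:
        for vuln in kev["vulnerabilities"]:
            same_vendor = vuln["vendorProject"].lower() == dev["vendor"].lower()
            same_product = vuln["product"].lower() == dev["product"].lower()
            if not (same_vendor and same_product) or vuln["cveID"] in dev["remediated"]:
                continue
            due = date.fromisoformat(vuln["dueDate"])
            rows.append({
                "host": dev["host"],
                "cve": vuln["cveID"],
                "ransomware": vuln["knownRansomwareCampaignUse"] == "Known",
                "overdue_days": max((today - due).days, 0),
            })
    # Entries tied to ransomware campaigns first, then the longest overdue.
    rows.sort(key=lambda r: (not r["ransomware"], -r["overdue_days"]))
    return rows
```

The KEV feed carries no affected-version ranges, so a vendor and product match still has to be confirmed against the vendor advisory before a gateway is treated as exposed.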
If your network operations depend on a self-managed VPN, you need an action plan to protect your infrastructure. At-Bay’s Managed Security team recommends these guidelines to help improve your security posture if switching VPNs is not a possibility.
1. Keep Up With Updates and Patches
An outdated VPN is like an aging fortress wall — it might start developing cracks, and cracks can invite breaches. Ensuring that your VPN is always running on the latest version is a definitive step towards anchoring its security. Regular software updates not only bring enhanced features, but also patch any underlying vulnerabilities, providing more robust security. Ensure that automatic software updates are turned on to keep your remote access/VPN systems up to date and secure.
Additionally, make sure management login portals are not accessible via the public internet. If having an internet-facing login portal is necessary for business operations, it should be limited to specific IP addresses.
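The allow-list guidance above can be checked mechanically against an exported rule set. This is an added example rather than At-Bay's own code: the rule format, the "service" labels, and the MAX_HOSTS threshold are assumptions, and the sample policy is constructed from documentation address ranges.

```python
import ipaddress

# Constructed policy for illustration; the rule format is hypothetical and
# not any vendor's export format. "mgmt" marks the admin login portal.
SAMPLE_RULES = [
    {"name": "admin-https-any",  "service": "mgmt",   "sources": ["0.0.0.0/0"]},
    {"name": "admin-https-wide", "service": "mgmt",   "sources": ["198.51.100.0/24"]},
    {"name": "admin-ssh-office", "service": "mgmt",
     "sources": ["203.0.113.10/32", "203.0.113.11"]},
    {"name": "vpn-tunnel",       "service": "tunnel", "sources": ["0.0.0.0/0"]},
    {"name": "admin-v6-any",     "service": "mgmt",   "sources": ["::/0"]},
]

MAX_HOSTS = 16  # assumption: widest range still counted as "specific IP addresses"

def audit_management_rules(rules, max_hosts=MAX_HOSTS):
    """Return (rule name, reason) for management rules not limited to specific IPs."""
    findings = []
    for rule in rules:
        if rule["service"] != "mgmt":
            continue  # the tunnel endpoint itself has to stay reachable for users
        if not rule["sources"]:
            findings.append((rule["name"], "no source restriction"))
            continue
        for src in rule["sources"]:
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                findings.append((rule["name"], f"unparseable source {src!r}"))
                continue
            if net.prefixlen == 0:
                findings.append((rule["name"], f"open to the whole internet ({src})"))
            elif net.num_addresses > max_hosts:
                findings.append(
                    (rule["name"], f"range too broad ({src}, {net.num_addresses} addresses)"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_management_rules(SAMPLE_RULES):
        print(f"{name}: {reason}")
```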
Lastly, using end-of-life technology leaves systems vulnerable to new security threats. Without the protective measures that come from regular security updates, such as patches for newly discovered exploits, end-of-life systems become easy targets for cybercriminals. Furthermore, as end-of-life technologies are replaced by more modern and secure alternatives, the pool of expertise available to manage and secure these outdated systems dwindles, increasing operational risks and the potential cost of maintenance.
2. Add MFA to User Authentication
Using multi-factor authentication (MFA) on your VPN can make a world of difference. This should especially be used for administrative accounts, as cybercriminals often target these in the hopes of having the highest level of system access possible to carry out their attacks. Make MFA mandatory for all users and device administrators.
3. Leverage Outside Experts to Extend Your IT Team
Maintaining self-managed VPNs demands considerable effort, which can overwhelm organizations that lack the specialized in-house expertise required for consistent execution.
Moreover, IT teams, despite their proficiency, should not be presumed to have mastery over the intricacies of VPN management and security on top of their existing responsibilities.
An alternative can be leveraging a Managed Detection and Response (MDR) service that continuously monitors the company’s network for potential threats. An MDR team can proactively advise an organization on best practices for security policy enforcement and further secure the VPN gateways, freeing up resources that can be better deployed in support of the core business.
Small and medium-sized businesses add substantial cybersecurity risk when they operate a self-managed VPN. Our data strongly signals that self-managed VPNs are routinely exploited by cybercriminals, which can lead to catastrophic cybersecurity incidents and substantial financial losses. Businesses need to prioritize making their VPN secure and strongly consider relying on outside experts when their own skill set falls short.
At-Bay is dedicated to helping businesses bridge all of their security gaps through InsurSec, which blends insurance and security to drive fewer losses and improve cybersecurity outcomes. By sharing this data on VPNs, we hope businesses will be able to take a proactive approach to their remote access tools and stay in line with the best security practices.