Cybercrime has surged since the outbreak of the COVID-19 pandemic and the subsequent global shift to hybrid work, with global cybercrime costs predicted to grow by 15 percent per year over the next five years, reaching $10.5 trillion annually by 2025.
To protect their employees and avoid potentially costly cybersecurity incidents, many organizations are strengthening their digital defenses by investing in virtual private networks, or VPNs for short.
But do VPNs actually protect employees from today’s cybercriminals, or are they just an unnecessary expense? To answer this question, let’s start by explaining how they work.
What Is a VPN and What Does It Do?
A virtual private network (VPN) is essentially a tunnel between a client device and a remote VPN server. All data that goes through this tunnel is encrypted and thus protected from third parties.
The VPN server may additionally extend the connection to the public internet, allowing the client to hide their true IP address behind the IP address of the server when browsing the web, downloading files, or streaming audio and video content.
VPNs are typically divided into two main categories:
- Personal: VPN services that belong in this category are aimed at users who want to improve their online privacy and access geo-restricted content, among other things.
- Business: Often set up by businesses themselves, VPN services in this category are intended to securely connect remote employees to a specific company network, allowing them to access sensitive internal resources.
In other words, personal VPN services are meant to protect end-users, while business VPN services are meant to protect businesses—the technology is the same, but the goals are different.
Employees who don’t understand this important distinction sometimes use their business VPN service to access inappropriate content, only to be surprised when the IT department sends them a warning with a list of visited websites.
Indeed, the VPN service provider can always see all traffic that goes through its servers, making it paramount to select someone who is trustworthy when using a third-party VPN service.
Which Threats Can a VPN Stop?
VPNs protect their users by encrypting their data and hiding their true IP addresses. As such, they are very effective when it comes to stopping the following two threats:
- Man-in-the-middle (MITM) attacks: As the name suggests, MITM attacks involve an adversary acting as a middle man between the client and the server. Employees may encounter this attack when connecting to public Wi-Fi hotspots, not all of which are as legitimate as they seem to be. Without the encryption provided by a VPN, a MITM attack can allow the attacker to steal sensitive data, including passwords, while it’s traveling from point A to point B.
- Distributed denial-of-service (DDoS): Just like a burglar can’t steal your priced possession if they don’t know where you live, a hacker can’t perform many targeted attacks, such as distributed denial-of-service attacks, if they don’t know your real IP address because it’s hidden behind the IP address of the VPN server. That said, DDoS attacks against individuals (many of which don’t even have a static IP address) are quite rare.
The ability to effectively stop MITM attacks alone makes a VPN a must-have tool for organizations with remote employees.
What Are the Limitations of a VPN?
As useful as a VPN can be, it can also create a false sense of security unless its users are educated about its limitations. Here are some commonly encountered threats a VPN can’t protect against:
- Malware: A VPN doesn’t act as a content filter, so it won’t prevent employees from clicking on malicious links and opening infected attachments. When used to connect to a specific company network, a VPN can make it possible for the malware to spread to other devices connected to the same network unless the company’s anti-malware software detects it.
- Social engineering: Phishing, vishing, and other social engineering attacks are not something a VPN can stop because they target what many cybersecurity professionals refer to as the weakest link in the cybersecurity chain: people. While information about IP addresses can help cybercriminals make their social engineering attacks more believable, it’s rarely critically important.
- Cryptojacking: In recent years, cryptojacking scripts, which hijack the victim’s computer to mine cryptocurrencies like Bitcoin, have become widespread on the web. Such scripts don’t need to know what the victim’s real IP address is to use its computing resources, so a VPN can’t do anything about them.
To protect themselves against these and other threats, employees should be provided with regular cybersecurity training and supported by state-of-the-art defenses, such as endpoint detection and response (EDR).
VPNs don’t address network security as deeply as Zero Trust Security. Therefore, Zero Trust is a more secure replacement for a VPN.
A VPN is a useful tool that can greatly improve employees’ privacy and security when remotely connecting to company resources or accessing the internet using a public Wi-Fi network. But just like cybersecurity tools, even virtual private networks have their limitations, and it’s important to be aware of them.