News that Virtual Private Network (VPN) provider NordVPN was breached spread quickly. While the breach of a major VPN service is newsworthy, this one wasn't particularly. A single server was compromised, one of many, and according to NordVPN only 50-200 customers were affected.
But one of the watchwords of good cyber hygiene, a VPN, was breached. The incident put NordVPN in the hot seat. They blamed a vendor. Compared to seismic events like the Capital One and Equifax data breaches, it was a non-event.
Especially in North America, where the technology has been slow to catch on, the NordVPN breach may seem overblown, but it has raised a crucial question for small to medium sized businesses and large corporations alike: Are VPNs effective?
Who Is Using VPNs?
Information about VPN use is hard to come by, and that's the general idea. VPNs are supposed to be a protective measure, one that becomes decidedly less effective if your adversaries know about it.
When businesses in North America use them, their own IT teams manage their sourcing and implementation, and no one in the cybersecurity business discloses anything about their protocols. Commercial VPN services often advertise their privacy and anonymity practices, but it is not clear how above-board their claims are. Having hard data on how customers utilize any given VPN service more or less defeats the purpose of that service.
A 2018 study regarding VPN use worldwide is worth considering.
The first takeaway was that the global market for VPNs is booming. Usage increased 185% from 2016 to 2017 and 165% from 2017 to 2018.
The second takeaway is that the growth of VPN adoption is primarily on the consumer side, not business, with 51% of users polled reporting that access to entertainment is a key factor (streaming catalogs for services like Netflix vary by country due to usage rights), followed by 34% for social media activity.
Only 30% of users worldwide use VPNs for business and work-related activity, roughly the same percentage who use them for BitTorrent-related activity.
The same study shows that VPN usage is highest in Asia and the Middle East. North America and Europe lag well behind, comprising a scant 17% of users.
While not exactly scientific, these figures can help establish a ballpark estimate of corporate VPN adoption: If less than a third of VPN use is for work, and less than a fifth of users in North America use a VPN, it's not too much of a leap to assume that most businesses in the U.S. are not using one.
SMB vs. Enterprise
If you are responsible for keeping your business safe, don't panic. With the growth of personal VPN use, many enterprises are phasing them out in favor of more advanced cloud-based solutions, including zero-trust architecture, software-defined perimeters, and micro-segmentation.
Implementation of these approaches requires a dedicated team of specialists, and that's where small to medium sized businesses are left literally unprotected. Even if the average SMB could afford the investment in network infrastructure (it can't), implementing it would still be a monumental undertaking and one well beyond the financial capabilities of most smaller operations.
Also worth noting: Giving experienced cloud technicians access to your network doesn't always end well. Take Capital One, for instance.
Can VPNs Help Your Business?
There is no shortage of misinformation about VPNs online, but if you stop reading here, remember this: Never use a "free" VPN service. As with everything else online, if you're not paying money for a product or service, you're paying with your data.
A VPN is a secure tunnel for network traffic, routing it from one place to another, typically with some form of authentication. If, for example, a user resides in a country with major Internet restrictions (think: the Great Firewall of China), he or she may connect to a VPN outside of that country and bypass local laws.
Getting around obstacles is a well-known use for VPNs, but they just as readily might be deployed to erect walls around businesses and their data. With so many employees ferrying devices between their homes and offices, it's difficult to know who is accessing a company's network. Incoming traffic from another country could be a hacker probing for network vulnerabilities, or it could be a vacationing employee trying to check email.
A VPN is able to authenticate employees and have them access resources on a company's network using a consistent IP address. (IP addresses otherwise change for a variety of reasons.) While it may seem like a minor consideration, limiting network access to a fixed set of particular IP addresses can make a hacking attempt more visible. If a system is getting requests from devices outside of that range, it's a good indicator of suspicious activity.
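The check described above can be run over a server's access log. The following is an added example, not code from NordVPN or any vendor mentioned here; the VPN egress ranges (documentation address blocks), the log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed VPN egress addresses (documentation ranges, not real infrastructure).
VPN_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.8/29", "2001:db8:10::/64")]

# Constructed access-log lines in common log format; line 5 is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - alice [12/Nov/2019:09:14:02 +0000] "GET /payroll HTTP/1.1" 200 512
203.0.113.12 - bob [12/Nov/2019:09:15:40 +0000] "GET /wiki HTTP/1.1" 200 2048
198.51.100.77 - - [12/Nov/2019:09:16:01 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.77 - - [12/Nov/2019:09:16:03 +0000] "POST /login HTTP/1.1" 401 128
garbage line without an address
2001:db8:10::5 - carol [12/Nov/2019:09:17:22 +0000] "GET /crm HTTP/1.1" 200 900
203.0.113.200 - alice [12/Nov/2019:09:18:09 +0000] "GET /payroll HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def from_vpn(addr):
    """True if addr falls inside one of the allowed VPN egress networks."""
    return any(addr.version == net.version and addr in net for net in VPN_EGRESS)

def find_outside_requests(log_text):
    """Return ({source_ip: [events]}, [unparsed lines]) for requests not from the VPN."""
    outside, unparsed = defaultdict(list), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed.append(line)  # keep for review instead of silently dropping
            continue
        if not from_vpn(addr):
            user, when, method, path, status = m.group(2, 3, 4, 5, 6)
            outside[str(addr)].append((when, user, method, path, int(status)))
    return dict(outside), unparsed

if __name__ == "__main__":
    hits, bad = find_outside_requests(SAMPLE_LOG)
    for src, events in hits.items():
        print(f"{src}: {len(events)} request(s) from outside the VPN range")
        for ev in events:
            print("   ", *ev)
    print(f"{len(bad)} line(s) could not be parsed")
```

In the sample, the repeated failed logins from 198.51.100.77 and the successful request under alice's account from 203.0.113.200 both stand out because neither address belongs to the VPN range.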
Another SMB use for a VPN is to keep resources off the internet. If data breaches are the third certainty in life, data leaks and compromises have become the fourth; Brazil, Ecuador, Russia, China, and countless companies have suffered major security leaks due to the accidental exposure of a database online. The tunneling effect of a VPN can be used here to limit access to servers storing sensitive data.
Are VPNs a Silver Bullet for Small to Medium Sized Business?
VPNs are not a silver bullet.
A poorly secured lost or misplaced device connected to a company's VPN could easily lead to the loss of data. As NordVPN demonstrated, VPN providers can be breached. VPN software can also be exploited--especially the free versions. The technology is by no means perfect.
But nothing is perfect, especially in the digital world. You can use two-factor authentication, strong passwords, antivirus software, firewalls, employee training and still "get got." No cybersecurity strategy or protocol is foolproof. That said, using a VPN can add another layer to your company's cyber defenses and, with that, shrink its attackable surface, which is why you may want to consider using one.