Why Corporations Need to Give Employees Personal VPNs
Late last year, the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations released its Cybersecurity Strategy report, which starts by observing that current IT strategies aren’t working. It then lays out steps to tighten them up. A small piece of this cybersecurity puzzle is ensuring that employees don’t unwittingly give attackers a way into the corporate network when, traveling for business, they surf the web on their personal time.
Frequent business travelers today need to travel armed and prepared to protect corporate data from cyberattacks. Typically, corporations provide their roaming workforce with a corporate VPN (Virtual Private Network), which locks down the employee’s connection to company network servers when they are using public wifi, such as in an airport or hotel room. But companies should also supply their traveling employees with a personal VPN. Both are critical for a “defense in depth” strategy.
You don’t want employees conducting private business on your corporate VPN because you can’t predict what sites they choose to access, the content they choose to stream or what they choose to re-tweet. Some companies heavily restrict access on their corporate network to a subset of sites, but this is not always feasible due to the nature of some jobs. If employees are engaging in unsavory or illegal activity via the corporate network, the corporation could be at risk.
Conversely, employees want autonomy in their downtime, so they’re less likely to conduct their personal business on the corporate VPN (which should be prohibited anyway). But when employees leave private networks and use public wifi in airports, hotel rooms and cafés, they become a “third party” attack vector to your company. Essentially, they are easy prey not only to having their private information stolen and used by cyber criminals, but also as a way in to the corporation itself.
Even though its risks have been well publicized, free wifi is a habit that’s hard to break. I was surprised to learn from a recent PC Magazine article, which cites statistics from a Pew Research Center study, that even though most people claim they’d use a VPN because of the risks of public wifi, their desire to access content -- from bank accounts to their Amazon profiles -- overshadows any worries about safety: only 29% in the study have ever used one for personal reasons.
So let’s assume that your employees are using public, unencrypted networks. Cyber criminals could find compromising information on that person and blackmail them into providing access to your corporate data. If employees use their corporate computer for personal use over public wifi, hackers could gain access to past corporate search history or temporary files that were downloaded for business. The less dramatic and more likely scenario is that your employee is using the same password for his corporate and personal accounts (a common practice), and the hacker listening in on network traffic steals the personal account password. Cyber criminals will then use that password to try to get into the corporate network.
As a reformed blackhat hacker and security researcher at Stanford and MIT, I study and use the cyber kill chain, which is a methodology for how hackers break into systems. Hackers spend most of their time on reconnaissance -- scoping out what information they need to access corporate services. Employee passwords are an easy catch.
If you think the risk of these scenarios is low, you’d be incorrect. It’s the reality of our world today, and the repercussions are terrible. Corporate travelers to China, for example, are primary targets. United States citizens traveling to China who connect to a network there will be spied on. The government is trying to get information about that person’s employer for corporate espionage (something China has been charged with time and again). Business travelers to China are advised to bring burner devices. But what if your employee is in China for pleasure? Without a personal VPN, your company is still at risk.
This is not a full solution; VPNs are a small part of the total cyber security puzzle. And, while I cannot say for sure how often corporations have been trounced through unprotected networks -- what company would publicize such a breach? -- it has certainly happened. Corporations would be well served by a “defense in depth” strategy that provides layers of protection. Minimizing the third-party risk that your employees pose while they are off the clock, by paying for a personal VPN for them, is an additional layer of security for your organization. You can market it as a benefit for them, but really, it is for your company’s protection.