Navigating the Risks of VPNs and Remote Work on Home Computers
Key Points
- Many organizations use VPNs for their home computer users to access internal systems and applications while working remotely.
- While VPNs are generally considered secure, they come with many security risks that could potentially leave your organization vulnerable.
- Some common threats associated with using a VPN on a home computer are compromised credentials, malicious actors, malware infections, and data leakage.
- To mitigate these risks, organizations should consider alternative strategies such as secure remote access solutions and issuing employees with dedicated equipment for remote work purposes.
The rise of technology has made it easier for employees to access their work resources and files anywhere in the world. However, this ease of access comes with its own set of challenges, particularly when it comes to security. One of the greatest concerns for organizations is how to keep their data safe when employees are files from their home computers. One solution that many organizations and employees are turning to is Virtual Private Networks (VPNs).
VPNs are typically used to securely connect to a remote network, encrypting the connection and protecting data as it travels over the internet. At home, VPNs can be used to access an organization’s intranet or other resources. However, though VPNs offer some security benefits, organizations and employees need to be aware of some risks of using VPNs on home computers.
While some may find the use of VPNs for remote working on home computers acceptable, its usage poses a significant threat because it opens a potential entry point for attacks on your environment. Everyone must consider the potential risks and implement additional security measures to protect the organization’s data. Organizations must provide employees with clear guidelines and training on how to use VPNs securely to minimize the risk of security breaches.
What Are the Dangers of Home VPN Usage for Remote Work?
Home VPN usage for remote work can be dangerous if not properly monitored and managed. The most common threats are compromised credentials, malicious actors, malware infections, and data leakage. Employees not being properly trained on VPNs can lead to mistakes such as using weak passwords or not regularly updating the VPN software.
Some of the dangers of using a VPN on a home computer are:
Lack of Control
Organizations have limited power to manage a user’s home computer. While network access control solutions can verify antivirus signature versions and other basic hardware features, they cannot inventory a home computer to ensure it is properly secured and maintained. These challenges, even when the computer is linked to a bastion host, can lead to data leakage from keystroke loggers and screen-capturing malware, which could put both the data and the organization in a difficult position.
Organizations should consider alternative strategies such as cloud portals or secure remote access solutions to mitigate risks. These solutions are secure and can provide the flexibility needed to ensure that data is protected and available when needed. Organizations should also educate their remote workforce on the importance of data security, best practices, and resources to help them protect their home computers. Employee training and education should also include alerting employees about phishing emails and malicious websites, as these can be used to gain access to an organization’s data.
Reduced Protection Against Malicious Software
As home users typically have administrative privileges on their personal computers and often do not create additional standard user accounts for regular use, they are more prone to falling victim to malware because of this decision. The majority of malware that infects devices needs administrative rights to do so. Home users rarely place limitations on their accounts because they view it as an inconvenience, but this places the computer in a prime position to be infected. Older operating systems are less equipped to defend against malware that requires administrative rights to infiltrate the system.
Multiple Family Members Sharing a Computer
If multiple family members share a computer, it can make using VPNs more difficult. It’s important to ensure that all users have their own accounts with unique passwords and that the computer has up-to-date antivirus software. Organizations should ensure that employees are using a dedicated computer for work, as this will reduce the risk of malicious actors gaining access to sensitive data.
When multiple family members use the same device, there is a significant risk of infection or one bad decision by one family member impacting the other users. Fast user switching adds to this issue as it leaves other user profiles in memory, making them vulnerable to attacks from other active profiles. This could allow malicious individuals to compromise an active VPN session despite the user having no ties with the organization.
We recommend that employees not use personal computers for work when sharing a computer. We recommend using a dedicated work computer for sensitive workplace activities and staying away from home computers for work purposes. This way, users can ensure that any information related to the organization stays secure and protected from external threats.
Inability to Secure a Shared Personal Computer
VPNs can help protect an organization’s data, but they are limited in securing a shared personal computer. VPNs can encrypt the data while transmitted, but they can’t update the computer’s security software or scan for malware. Since many home users are unaware of the need for security software, they are more likely to neglect updates or forget to install them.
The certificate embedded into the connection or user profile to validate it is only as secure as the security maintenance of the host. Poorly maintained hosts can be vulnerable to connection hijacking by malicious actors, which can lead to data breaches. Organizations should ensure that the host is properly secured and equipped with strong authentication protocols and two-factor authentication to mitigate this risk. If the host cannot adequately be secured, an alternative method of connecting with coworkers and resources is needed.
Limited Security Tools and Policies
As mentioned, most home users have limited security tools and policies. Utilizing only an anti-virus or firewall may not be sufficient to protect against attack vectors like phishing or malicious downloads.
With no monitoring from security professionals, home users may be unaware of malicious activities until it’s too late. While some home users may think that their chances of being a target of a malicious attack are slim, the reality is that it can happen if they aren’t careful. Even those who are careful may be vulnerable to threats if they use an outdated antivirus or lack the proper security tools and policies.
Organizations should take measures to ensure the safety of their data against malicious actors by deploying the latest security tools, such as firewalls and password managers. Utilizing Endpoint Detection and Response (EDR) or Endpoint Privilege Management (EPM) solutions can further minimize the risk of vulnerable settings being exploited. These solutions will monitor any malicious activity, alerting administrators to take action when needed.
Enabling Remote Work Without Compromising Security
Organizations must make sure remote work can be conducted without compromising security. Implementing other secure alternatives to allowing VPN software to be installed on personal computers is a viable option. Other ways to enable secure remote work include:
- Issuing corporate-provided devices, like laptops and mobile phones, to all employees, so they can access company resources. For those who cannot use a corporate device, organizations can allow staff to access company resources using secure remote desktop solutions.
- Using remote access tools configured to use multi-factor authentication (MFA) and encrypted connections. MFA ensures the user is who they claim to be before accessing company resources, and encryption ensures that data is protected from eavesdropping.
- Using cloud-based services to provide secure access to sensitive resources. Employees can access cloud-based services from anywhere with proper authentication, and these services can be configured with strong security protocols.
Closing Thoughts
Organizations must realize the risks of allowing employees to use their home computers for work. While VPNs can provide an added layer of security, they can also weaken security if not properly maintained. Organizations can greatly reduce the risk of data breaches or malicious attacks by ensuring that resources are secured and limiting personal device access. Minimizing the risk of a data breach or malicious attack is critical for any organization. It starts by understanding the security risks associated with allowing home users to access company resources.