Of the 351 cybersecurity professionals interviewed for the report, 95 percent said their organizations use VPNs to support their remote and hybrid work environments. Nearly half of the respondents said they’ve seen a rise in exploits targeting vulnerabilities in VPNs.
The Threat to VPNs
Zscaler noted that “cybercriminals continue to take advantage of long-standing security vulnerabilities and increased attacks on VPNs.” Last year, the North Korean hacker group Kimsuky took advantage of a VPN software bug to hack the South Korean Atomic Energy Research Institute’s VPN. Ransomware appears to be the number one threat to VPNs. The other threats that cybersecurity professionals are most concerned about include social engineering, malware, web application-based exploits, and DDoS (distributed denial of service) attacks. Large organizations are especially susceptible to these threats because they tend to have multiple VPN gateways. “The more gateways an organization has, the more expensive secure remote access becomes and the more complicated it is for IT to administer and manage,” the report said. The consequences of cybercriminals breaching an organization’s network are immense. To prevent this scenario, a majority of the participants said their organizations are looking at alternatives to replace VPNs. Since 2021, the demand for zero trust architecture has risen from 59 to 68 percent, according to the report. Today, up to 80 percent of companies have adopted or are looking to switch to the zero trust security model. Earlier this year, the White House released a zero trust federal cybersecurity strategy as federal agencies move towards using the zero trust security model.
Why Organizations Need Zero Trust Security
Cyber threats are the number one global risk, according to the Allianz 2022 Risk Barometer. This threat is particularly heightened for organizations that have numerous people accessing their systems. Organizations tend to “extend network access to external stakeholders, including customers, partners, and contractors” who may connect from untrusted devices on insecure networks. The risk is exacerbated when these parties’ access to the organization’s network is not limited. “To safeguard against the evolving threat landscape, organizations must use a Zero Trust architecture that, unlike VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full TLS inspection to prevent compromise and data loss,” Deepan Desai, the CISO of Zscaler, said. The zero trust security model is a novel cybersecurity strategy that assumes every layer of a network is vulnerable and aims to apply strict access controls and user authentication. “Zero Trust architecture improves organizational security posture without sacrificing the user experience,” Zscaler explained.