Why Your VPN Is Not as Secure as You Think by Anna Stergioula

With hacks and data breaches becoming more frequent and more costly, organizations need to find a way to secure their systems. One potential barrier to a secure system is that many IoT devices were not built with security in mind. Often they have very basic interfaces and cannot support even simple security measures such as two-step authentication. On many IoT applications it is challenging to install patches and updates or to regularly change passwords.

Out of Date Devices Could Be Putting Your Network at Risk

Cameras, routers, printers, sensors: all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices in the field with different versions of kernels, frameworks, web servers, and applications. Even if manufacturers could develop patches, the logistics of upgrading the software or firmware can be extremely challenging. Many IoT devices do not support OTA updates.

IoT security breaches are costly operationally, financially, and reputationally. In 2017, the average cost of one data breach for organizations was $3.62 million. If securing the device is not possible or practical, then we must find other ways to make our systems secure.

With many IoT devices unable to be adequately secured, it’s understandable that enterprises are turning to VPNs in order to protect their devices. However, although VPNs can have a place in the security ecosystem, there are a number of threats which they can’t protect against.

Physical Breaches of IoT Devices

With the focus on remote hacking attempts, it can be easy to forget about the security risks that come from physical objects connecting to a network.

An infected laptop or flash drive which is plugged into a system can infect your whole network of devices. It’s important to maintain a strict, rational protocol about outside devices being brought into a network. Every time an employee, freelancer or contractor connects a device to your system, no matter how harmless it may seem, they introduce an element of risk.

Treat your network like a quarantine area; introduce and enforce a stringent security protocol. A VPN cannot protect your network from someone connecting an infected laptop or memory storage device. Organizations with a high security risk may even want to consider blocking off USB ports.

Bad Password Protocol

This comes down to simple human error and our inability to remember a series of secure passwords. Password fatigue is a big contributor to employees utilizing insecure passwords. It is estimated that the average American has about 200 accounts that require some sort of password identification. With that number of accounts, it’s not surprising that people choose overly simple passwords or reuse their personal passwords at work. However, this is a terrible practice. If hackers gain access to one of these employees’ personal accounts, then they will be able to access any work accounts which share the same password. Unfortunately, employees’ poor password protocol is often responsible for security breaches.

Many organizations either have weak password protocols or have protocols that managers do not implement. A survey of 500 information technology administrators and enterprise employees found that one in five employees are not aware whether their company has instituted a password policy and nearly one in three don’t know if they adhere to it.

This is not something that a VPN can help with. In addition, it can be possible for hackers to steal the private key of a site-to-site VPN or the credentials for client-access VPNs.

Two-Factor Authentication Mitigates the Risks but Cannot Eliminate Them

Organizations need to wake up to this threat and start employing further security measures. Two-factor authentication and systems which pick up unusual user behavior and flag the possibility that an employee’s account has been compromised are good options.

However, two-factor authentication is not always possible for IoT devices. Often, these devices come equipped with limited computing power. They cannot necessarily run robust protection mechanisms such as antivirus, two-factor authentication and key certificate exchanges. Two-factor authentication is not always foolproof either. Many two-factor authentication systems use text messages, meaning that gaining access to someone’s phone is an easy way to bypass 2FA.

There is also, sadly, the issue of disgruntled former employees who know the VPN settings and access sensitive information after their removal. A robust password protocol with systems in place to remove employees when necessary is vital to keeping your IoT network secured.

A More Secure Option

VPNs can offer an extra layer of protection but, as we’ve seen, they are not sufficient on their own. Every organization needs a comprehensive security policy which covers password protocol and physical devices as well as remote connections.

In addition to the problems listed above, when using a VPN, data is still routed over the public channel and is therefore still exposed to security threats.

Pod Connect offers a solution. Pod Connect is an enhanced connectivity solution designed for security-sensitive applications such as healthcare, banking, or government services. Unlike a VPN, Pod Connect links directly from the Pod network into your data center or a cloud service, without ever touching the internet.

You get the advantages of a VPN, but over private, dedicated connections. This ensures that data is transmitted quickly and safely without risk of interference. This is ideal for mission-critical applications working with sensitive data.

Anna Stergioula

Technical Account Director and Head of Security

Living proof that women are a force in tech, Anna not only works tirelessly to support customers but also travels the world promoting the security of the IoT.

Posted: March 06, 2019