VPN Policy: Do Personal VPNs Pose a Risk to Businesses?

Jan 13, 2026

Since the introduction of the Online Safety Act, VPN use has surged in the UK. One provider reported a 1,800% rise in daily sign-ups.

Unfortunately, certain VPNs may pose a risk to your business’s cybersecurity. So in this post, we’ll discuss how a VPN policy can help you protect your business without infringing on your employees’ rights.

Want to discuss your cyber security risks? We have a team of experts on hand to help. Call us on 0208 290 9080 or email us at cyber@anthonyjones.com.

What is a VPN?

VPN stands for virtual private network. It’s a means of using encryption to extend a private network across a public network, such as the internet.

Many businesses use VPNs to allow employees to remotely access their secure private networks via the public internet. But growing numbers of UK residents are using personal VPNs outside of the work context.

What is a Personal VPN?

With a personal VPN, you can browse the internet as if you were based in another country. This means that users can protect their personal data while browsing online. It also means they can access sites that are currently restricted under the Online Safety Act.

Do Personal VPNs Pose a Risk to Businesses?

Certain personal VPNs may pose a risk to your business’s cybersecurity. Some VPNs are secure and reliable. Others are not quite what they claim to be.

Research by Arizona State University and Bowdoin College suggested that some VPN apps, while claiming to be independent, are secretly part of larger conglomerates. These apps share servers and other systems, which could leave them vulnerable to data leaks and cybersecurity breaches.

So, when a user accesses the internet using such a VPN, they might think that they’re using a secure, independent service. But in practice, their data may be moving through an insecure network, potentially with ties to shady organisations or foreign governments.

Why is This a Business Risk?

If an employee uses one of these VPNs while working remotely, then sensitive data, including login details, might get leaked. This could allow cybercriminals to access your systems.

Accessing your systems via an insecure VPN could even allow cybercriminals to monitor your systems via malware or spyware. This could also leave your employees – and by extension, your business – vulnerable to a costly ransomware attack.

There could be regulatory issues, too. If you are in a tightly regulated sector, such as finance or healthcare, then using these unverified and insecure VPNs could violate certain data protection legislation.

Does Your Business Need a VPN Policy?

It is not illegal to use VPNs in the UK, and many individuals rely on them to protect their personal data online. As such, you should not ban your employees from using VPNs outright. Indeed, as we mentioned above, many businesses use VPNs to allow their employees to securely access their private systems while off-site.

Nonetheless, unverified personal VPNs can pose a risk to your business’s cybersecurity. As such, you might introduce certain policies and procedures concerning how and when employees use VPNs. This is particularly important when it comes to employees who work from home.

What to Include in Your VPN Policy

Make it Clear That Employees Should Only Use Verified VPNs

If the VPN is free to use, it’s a major red flag that it might be unverified and insecure. If the VPN isn’t charging money upfront, then the provider is probably monetising its users’ data by selling it to advertisers, or to cybercriminals.

An authentic VPN will charge for its use, and it will provide users with support services and warranties.

You can do your research and provide employees with a list of safe and reliable VPNs. You could also list unverified VPNs, and discourage employees from using these.

The Arizona State University and Bowdoin College study discovered that the following unverified VPNs might belong to one of three shady “families”:

  • Turbo VPN
  • Snap VPN
  • VPN Proxy Master
  • Robot VPN
  • Global VPN
  • XY VPN
  • Melon VPN
  • Super Z VPN
  • Touch VPN
  • X-VPN
  • Fast Potato VPN

Restrict The Use of Personal VPNs During Business Hours

You cannot prevent your employees from using personal VPNs in their own time, or on their own devices. But you can restrict them from using them during business hours, and on company devices.

If you work in a tightly regulated sector, such as finance or healthcare, then you might want to implement a blanket ban on personal VPN use during business hours, and on company devices. As we mentioned above, using VPNs in such sectors could lead to regulatory issues.

If you work in a sector where the regulations aren’t so tight, you could be a bit more flexible in your VPN policy. Tell employees that, while they’re free to use VPNs, they must first get clearance from your IT team.

The IT team could investigate the employee’s chosen VPN, and they could also advise the employee on how to use the app while keeping their data, and the business’s data, as safe and secure as possible.

Adding VPNs To Your Wider Cybersecurity Policy

  • Make your policies regarding VPN use as clear as possible. You could run dedicated training sessions to help staff understand the business risks of using VPNs, while advising on best practice. Depending on your sector, this could extend to never using a personal VPN for business purposes. But it could also involve providing employees with a list of approved providers, along with a list of prohibited providers.
  • Your IT team should use tools that can detect VPN use on your systems and identify which employees are using them. Depending on the circumstances, you could then intervene to ensure the employee is using a verified app that will not compromise your business’s data.
  • Aim to provide any employees who work from home with whatever devices they need for their work, and make it clear that they should never use such devices for personal reasons. You could also make it clear that employees cannot install new apps or extensions on these devices without first consulting IT.

We Can Help You Protect Your Business Against Cybercrime

Mark Stevenson from Anthony Jones says:

“If you’re aware of the danger of cyberattacks, then you have a responsibility to cover your business against risks. In the event of a data breach, cyber insurance will cover your business’s liability as well as your ability to manage the impact on both your systems and finances.

“Personal VPNs can create certain complications when it comes to cybersecurity. But if you can evidence the steps you take to manage these risks, then you could make a saving on the cost of your cybersecurity cover.”

If you have any questions about business insurance, or if you want to ensure your business has adequate cyber insurance in place, we have a team of experts ready to help. Call us on 0208 290 9080 or email us at cyber@anthonyjones.com.
