The use of anonymous virtual private networks (VPNs) doubled between 2015 and 2016, according to a report by Dtex Systems. Considering how the FCC just recently sold out your privacy rights to Internet Service Providers, and the resulting flood of VPN articles that ensued soon after, I wouldn’t be surprised if that number jumped even more.
A word of warning to employers, however: if you’re alerted to an employee using a VPN at work, consider it a red flag. The report cites the fact that 95% of organizations have employees who try to override security restrictions. The objective? Well, usually data theft. VPN use is a good indicator of this type of behavior, along with anonymous web browsing (think TOR), or testing system vulnerabilities via hacking programs. Unfortunately, this kind of insider activity has been responsible for some of the year’s largest incidents. As Dtex CEO Christy Wyatt points out, “With limited visibility into user risk, companies face unlimited exposure which can have heavy legal and/or financial implications.”
All this is a reflection of what has been the trend for the past several years. Insider threats remain a substantial risk to organizations, nearly to the same degree as external attackers. The vast majority of the time, moreover, it’s not even intentional—a study from Willis Towers Watson states that 90% of these risks are the result of human error. I’m not sure if that makes the situation better or worse.
Another found that, of 300 CISOs surveyed, 81% expressed concern that data breaches in their organizations go unaddressed. 70% were unsure about the steps to take post-breach, and 78% weren’t even confident their company could detect a breach. Well, that’s just great. Here we thought companies were lagging behind on proactive measures in order to focus on response capabilities, but it turns out that substantial deficiencies persist even in that dynamic.
If C-suite executives themselves are uncertain or unclear about the direction of their cybersecurity policies, is it that shocking that their employees account for such a high rate of data incidents? If anything, when the direction of federal agencies tasked with protecting consumers gets skewed, they should be putting in extra effort to secure their most critical information.