By Julian Weinberger, CISSP, Director of Systems Engineering for NCP engineering.
Data privacy scandals have fueled a rising interest in virtual private network (VPN) software among consumers. Many people have adopted them for protecting their data at public Wi-Fi hotspots, or to digitally encrypt their information against possible surveillance by governments or service providers when traveling.
A wide range of consumer VPNs is now available for PCs, smartphones and other mobile devices. According to GlobalWebIndex, 26% of consumers use VPNs to encrypt their data connections while online. Unfortunately, there are plenty of hidden risks that users may not be aware of.
Due to security concerns, businesses often do not allow employees to use their own consumer VPNs for work. Instead, businesses choose to implement a commercial, enterprise-grade VPN service for the entire organization to use. This is really the only way to guarantee that confidential business information is protected as it moves across the Internet.
To understand why consumer VPNs are ineffective for protecting corporate data, let’s take a look at five common issues associated with consumer VPNs:
- Data Leakage
A key motivation for acquiring a VPN is to encrypt Internet communications and render them unintelligible to outsiders. Yet, coding and configuration errors in a small number of consumer systems actually allow data to pass outside the encrypted tunnel, thus defeating the whole purpose.
Some consumer VPNs even monitor user traffic and have the ability to share it with third parties such as advertisers, government departments and data brokers. Despite a company’s advertising promises to respect user privacy, their legal policies hold no guarantees when it comes to protecting users.
- Limited Scope
One of the main attractions of a VPN is to bypass local Internet censorship laws that may be applied for television streaming services or for GDPR compliance reasons. By establishing an encrypted link to a provider’s many VPN servers around the world, users hope to access content via an IP address outside local restrictions.
A few consumer VPNs, however, mislead users with respect to their international credentials. Some may claim to have hundreds of servers in many different countries when in fact they only have a relatively small number grouped together in just a few areas. In this case, they adjust the routing data to make it look like they are providing a service in one country when in reality it is happening somewhere else entirely.
- Fake Reviews
As the consumer end of the VPN market is very crowded, vendors are forced to compete for attention. While positive reviews on third-party websites are prized, their authenticity may vary.
Oftentimes, independent websites have more in common with advertisements than honest evaluations by independent journalists and are known to publish a five-star review in exchange for a small fee. This makes it very difficult for the average consumer to get genuine, unbiased information to help them choose between various solutions and providers.
- Manual Log-in
In an ideal world, a VPN connection should be always-on, or at the very least activated with a simple click or swipe. It should also support all of your devices (desktop, tablet, smartphone, and TV) with the same account.
Yet, some VPN solutions expect users to enter their log-ins every time they go online. This is not only inconvenient but also impractical as the majority of users tend to forget to turn on their VPNs.
- Poor Privacy Protection
Privacy policies for VPNs at the consumer end of the market can fall way short of the standard multi-page documents that we associate with major software brands. In flagrant disregard for the law, some consumer VPN providers have no privacy policy for people to view online at all.
Among those that do, a significant number choose to be circumspect about what they do with users’ data and others do not back up advertising promises with commitments written into their policies.
Protecting Corporate Communications
Of course, there are some basic VPNs in the market that do exactly what they are supposed to do. Businesses, however, have more complex needs.
Businesses are responsible for protecting their customers’ privacy and must stay compliant with data protection laws. It’s simply too risky for companies to allow everyone to use their own personal choice of VPN for remote connections when sharing company confidential information.
To guarantee secure data communications, employees must use an enterprise-grade VPN system managed by IT support staff from a single, central point of control. A centrally managed professional VPN service automatically encrypts all company data connections to protect customers’ personally identifiable information (PII) and comply with privacy laws.
Overall, while consumer VPNs may be fine for protecting the privacy needs of individual consumers, the fact that they are not all created equal with robust security features makes them unsuitable for use in a business context.
About the Author
Julian Weinberger, CISSP, is Director of Systems Engineering for NCP engineering. He has over 10 years of experience in the networking and security industry, as well as expertise in SSL-VPN, IPsec, PKI, and firewalls. Based in Mountain View, CA, Julian is responsible for developing IT network security solutions and business strategies for NCP. NCP engineering can be emailed at [email protected], followed on Twitter at @NCP_engineering and reached online at https://www.ncp-e.com/en/.