The Cybersecurity and Infrastructure Security Agency (CISA) issued a reminder today of security considerations regarding the use of virtual private network (VPN) solutions as telework ramps up due to spread of the COVID-19 coronavirus.
“As organizations elect to implement telework” CISA said, the agency “encourages organizations to adopt a heightened state of cybersecurity.”
CISA said security considerations to keep in mind with VPNs include:
- As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors;
- As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches;
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords;
- Organizations that do not use multi-factor authentication for remote access are more susceptible to phishing attacks; and
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
CISA listed a number of mitigations and other guidance regarding VPN usage.