Despite the continued growth of VPN-targeted attacks, almost all (95%) of the surveyed organizations still rely on VPNs to support their hybrid workforce, Zscaler’s latest VPN Risk Report found. The good news is the majority of them (80%) have already started their zero-trust journey.
Since the COVID-19 pandemic hit, more organizations have shifted to remote or hybrid work models. Most of them still rely heavily on traditional VPN tools for access management. “Legacy network security architectures are pervasive and deeply entrenched in corporate data centers, making it difficult to challenge the status quo and adopt new architectures,” researchers pointed out.
However, VPNs are becoming a popular target for bad actors. The VPN Risk Report surveyed 351 cybersecurity professionals and found that 78% of them expressed concerns about ransomware attacks and 44% of them witnessed an increase in exploits targeting their business VPNs last year.
“As evident in several high profile breaches and ransomware attacks, VPNs continue to be one of the weakest links in cybersecurity. Their architecture deficiencies provide an entry point to threat actors and offer them an opportunity to move laterally and steal data,” Deepen Desai, global CISO at Zscaler, said in a statement.
“Bad actors can exploit the VPN attack surface to infiltrate the network and launch ransomware, phishing attacks, denial of service, and other means of exfiltrating critical business data,” echoed Holger Schulze, CEO and founder of Cybersecurity Insiders, who conducted the research. “As reported by countless news articles about VPN exploits, almost 500 known VPN vulnerabilities are listed on the CVE database.”
Orgs Look to VPN Alternative — Zero-Trust Security
VPNs grant a greater degree of access and trust than a zero-trust architecture, which can be summarized in the often-quoted phrase “never trust, always verify.” This, plus the growing VPN threats, is driving more companies to consider adopting VPN alternatives, the report showed.
Nearly seven out of 10 surveyed companies stated they are accelerating their zero-trust projects, while 78% expected their future workforce would be hybrid, which indicates a long-term need for this strategy.
“To safeguard against the evolving threat landscape, organizations must use a zero trust architecture that, unlike a VPN, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, minimizes the attack surface, and delivers full transport layer security (TLS) inspection to prevent compromise and data loss,” Desai said.
To enhance its zero-trust service, Zscaler’s latest move is completing its acquisition of ShiftRight and integrating the company's security workflow automation technology with its Zero Trust Exchange platform — a cloud-native security platform built on zero-trust architecture.