Since the shift to remote and hybrid work, 44% of organizations have witnessed an increase in exploits targeting VPNs, and many are moving toward zero-trust security, according to a report from Zscaler. Reliance on VPNs for remote access is putting enterprises at significant risk as social engineering, ransomware, and malware attacks continue to advance, exposing businesses to greater risk, according to a new report by cloud security company Zscaler.More than 95% of organizations surveyed are now leveraging a VPN service for secure remote access, up from 93% last year, the report said, adding that there are almost 500 known VPN vulnerabilities listed on the CVE (common vulnerabilities and exposures) database.“It is unsurprising that VPN is no longer able to keep up with the hybrid and remote access requirements of today. VPNs were created at a time when network topologies were vastly different when there was a single corporate network everyone was accessing,” said Ananth Nag, senior regional vice president at Zscaler, whose product line includes Zero Trust Exchange, a cloud-native security platform.More than 350 IT professionals in North America at organizations with global workforces were surveyed for the report. Since the shift to remote and hybrid work, 44% of the organizations have witnessed an increase in exploits targeting their VPNs, and 71% are concerned that VPN networks will jeopardize their security measures, the report said.Majority of companies have 3 or more VPNsThe size and complexity of an organization typically drive the complexity of remote access infrastructure and management proportionally. A majority of companies (61%) surveyed have three or more VPN gateways, and 38% have more than five. Each gateway requires a stack of appliances, often including the VPN, internal firewall, internal load balancer, global load balancer, and external firewall. “The more gateways an organization has, the more expensive secure remote access becomes and the more complicated it is for IT to administer and manage,” the report noted.About 74% of organizations report that applications run in data centers, while 49% use private clouds, 45% use Azure, 44% use AWS, and 22% use Google Cloud.Single infected device can infect entire networkAbout 97% of organizations say they understand that their VPN is prone to cyberattacks and exploits, but still use the technology, the report said. “Breaches show that it only takes one infected device or stolen credential to put an entire network at risk, which is why cybercriminals are targeting users by accessing through a VPN,” the Zscaler report noted. “Today applications are moving to the cloud, a network the enterprise does not control. Users expect to seamlessly work off-network and from any device, anywhere,” Nag said. “Remote access VPNs worked well in the network-centric world, but in the age of cloud and mobility, where there are virtual perimeters around the user, device, and application, they lack applicability.”Companies shift to zero trustOngoing risks from legacy VPNs have created a gradual shift toward Zero trust security architecture, with 80% of companies actively planning or implementing a zero trust model, the report said.Zero Trust architecture, unlike VPNs, does not bring the users on the same network as business-critical information, prevents lateral movement with user-app segmentation, according to Zscaler. “The strategy of gaining access permission at the outset followed by virtual internal freedom no longer meets organizations’ needs,” Nag said. Related content feature What should be in a company-wide policy on low-code/no-code development Low-code/no-code development could bridge the gulf of development backlogs that exists between great ideas and great execution of digital innovation. But not without security policies around areas like access control, code quality, and application vi By Ericka Chickowski Dec 06, 2023 15 mins Application Security Application Security Security Practices news analysis Cisco unveils AI-powered assistants to level up security defenses New AI-driven tools aim to simplify and bolster policies, alerts and prevention to reduce complexity when setting security policies and assess traffic without decryption. By Rosalyn Page Dec 05, 2023 5 mins Encryption Cloud Security brandpost Sponsored by Microsoft Security How Microsoft and Amazon are expanding the fight against international tech support fraud By partnering with other companies to share vital information and resources, Microsoft is taking the fight to ever-evolving support fraud in 2024…and beyond. By Microsoft Security Dec 05, 2023 1 min Security news analysis Russia's Fancy Bear launches mass credential collection campaigns The campaigns exploit Outlook and WinRAR flaws to target government, defense, and other entities, and they represent a change of tactic for the APT28 group. By Lucian Constantin Dec 05, 2023 5 mins Advanced Persistent Threats Critical Infrastructure Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe