Cybersecurity is an issue that affects all of us, even though most know little about it. Since the very beginning, the cybersecurity industry has been trying hard to complete the Sisyphean task of getting the average computer user to not be careless with their security. Most people have only a surface understanding of how their computers work; they aren’t in a position to make informed decisions about their digital security. And you cannot really blame them: digital systems are growing more complex every day, and it’s not like employees are getting the proper education on cybersecurity and risk management.
This is where bad people with bad intentions thrive: they send malicious emails to company mailboxes and impersonate customers, and even CEOs, to make employees click links to phishing sites. And, as digital literacy in most of the workforce stays insufficient, companies look like extremely vulnerable, yet valuable, targets. There’s little you can do if it’s your company that’s on the line, short of switching off your work network, going back to filing paperwork in metal cabinets and doing things like our ancestors in the Stone Age.
If you are like me, you might be thinking about extensive cybersecurity training for each employee. You might also be thinking about how training everyone on your network to use it safely would take far too long and could potentially lead to a significant financial cost. Most of the time, it’s only top financial institutions that can afford it. A much cheaper and easier option is to set up automated security systems that limit network activity. For many businesses, this means configuring their network firewall to blacklist any services they don’t want employees accessing. Alternatively, businesses may only enable access to sites that are on an approved whitelist.
Why Use a Firewall within the Company?
There are a number of reasons a business might have for blocking a specific website. For example, antivirus companies share blacklists of websites and IPs that are known to point to malicious services. Companies don’t want employees accidentally letting a virus or malware into their systems, so they will use a firewall to prevent access to those sites. Other times the concern runs the other way: a company firewall can stop most outside attackers from reaching a device on the network without proper credentials. Just between us – the good ones still slip through, because hacking is as much social engineering as it is technical.
But it’s not just security that concerns businesses; many also want to be sure their employees aren’t using company time to manage their personal lives. A firewall means that companies can stop employees from accessing social media sites, or even using the associated apps while on the corporate network. Scrolling news feeds is work for media analysts, but it distracts employees in every other position, and most employers think that losing focus on work has grave consequences.
VPNs and Proxies
In any case, humans are creatures of habit. We love to get what we want, and nowadays, preventing us from reaching our favorite website is a losing battle. With every new networking product coming out, firewalls are losing control of their network’s internet use. In fact, a savvy employee could unlock and access services that are supposed to be blocked in under five minutes. And they don’t really need specialized equipment or knowledge; anyone who is determined to get around your firewall will be able to do so. Even children at school manage to access any site they want; imagine what a news-deprived 40-year-old could do!
The most popular method for avoiding a firewall is by using a VPN or proxy. In fact, many businesses operate their own VPNs or proxy networks to facilitate remote working and ensure the security of remote connections, so employees already have a tunneled connection at hand that can reach websites the firewall blocks. Add to that the millions of freely available proxy servers, and it becomes extremely unlikely that a firewall blocklist will be useful.
Both a VPN and a proxy work on the same principle: they place an intermediary server between a client and a host, so the host server can be made to believe the connection is coming from a different device. Just like a real legal proxy, this intermediary server handles everything on the web on behalf of the real user.
1) VPN
With a VPN, the data exchanged between the user and the VPN server is protected by encryption. The user sends encrypted requests to the VPN server. The server decrypts these requests and passes them on to the host server. The host sees the VPN server just like any other client and fulfills the request. The VPN server then encrypts the result and returns it to the user. Note that the encryption terminates at the VPN server.
2) Proxy Server
A proxy server applies the same principle, only in a slightly different way. By default, data exchanged between a client device and a proxy server is not encrypted – anyone on the path can intercept and read it. However, a proxy server is generally more difficult for hosts to detect than a VPN, because many proxies run on real end-user devices, not on server blocks in a data center. As a result, proxies can be used to access websites where VPNs have been blocked. But, again, the security side is even worse.
Man in the Middle
The security side of things is even worse because VPNs and proxies are popular with internet users looking to enhance their online privacy and security. In reality, there are caveats to both of them. As with most cybersecurity measures, a VPN or proxy service is only as good as the service operator. The act of using a VPN or proxy does not make you more secure by itself; that relies on everything being configured correctly. Also, all of your users should understand how the services work and what their limitations are. In the end, a user must trust the proxy or VPN provider to not steal or leak any valuable information.
If you control the intermediary servers yourself, you can audit them to ensure they are handling your data appropriately. However, when these servers are under the control of someone else, you can only ever trust them as much as you trust the person who controls them. If these intermediary servers are compromised, any advantages you gain from using them are instantly lost.
A bad actor can use the servers to snoop on everything that goes on in your business. Worse still, if an employee who uses a compromised VPN believes it is properly encrypting their data, they might be lulled into a false sense of security and end up taking more risks than they otherwise would. Nobody can see them, right? Whoever controls these intermediaries will then have access to every piece of sensitive personal and corporate data that flows through them. And that’s where creating a firewall for the office network backfires. Instead of protecting devices, data, and employees, it makes them use dubious software from suspicious providers. Instead of technology, the security of a business becomes based on faith.
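The trust boundaries described in the firewall, VPN, proxy and man-in-the-middle sections above can be made concrete in a small model. The following is an added example written for this page, not code from the article: it puts a client, a blocklist firewall, an on-path observer on the office network, an intermediary (a plain proxy or a VPN server run by someone else) and the destination host side by side, and reports what each of them can see. All host names, keys and requests are constructed, and the "cipher" is a toy XOR keystream that only stands in for tunnel or TLS encryption. The `e2e_key` parameter is an assumption of the model: it represents application-layer encryption shared only between the client and the host, which the article does not discuss but which is what limits what a compromised intermediary can read.

```python
"""Model of who sees what when traffic goes direct, via a proxy, or via a VPN."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed firewall policy: a default-allow blocklist of domain suffixes.
BLOCKLIST = {"news.example", "social.example"}


def firewall_allows(destination: str, blocklist=BLOCKLIST) -> bool:
    """Deny if the destination or any parent domain is on the blocklist."""
    labels = destination.lower().rstrip(".").split(".")
    return not any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR against a SHA-256 counter keystream. A toy that stands in for
    tunnel or TLS encryption, not a real cipher. The same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], stream))
    return bytes(out)


@dataclass
class Intermediary:
    """A proxy (plaintext client leg) or a VPN server (encrypted client leg)."""
    name: str
    tunnel_key: Optional[bytes] = None        # set for a VPN, None for a plain proxy
    seen: list = field(default_factory=list)  # everything the operator could read

    def relay(self, nonce: bytes, wire: bytes):
        if self.tunnel_key is not None:
            wire = toy_cipher(self.tunnel_key, nonce, wire)  # the tunnel ends here
        real_dst, body = wire.split(b"\n", 1)  # the operator always learns the destination
        self.seen.append((real_dst.decode(), body))
        return real_dst.decode(), body         # forwarded to the host as this server


def send(real_dst: str, request: bytes, via: Optional[Intermediary] = None,
         e2e_key: Optional[bytes] = None) -> dict:
    """Send one request and report what each party can observe."""
    nonce = os.urandom(8)
    # Optional end-to-end layer (models TLS to the host): shared only with the host.
    body = toy_cipher(e2e_key, nonce, request) if e2e_key else request
    # The firewall only sees the address the client actually connects to.
    connect_to = via.name if via else real_dst
    if not firewall_allows(connect_to):
        return {"firewall_allowed": False, "delivered": False}
    report = {"firewall_allowed": True, "delivered": True,
              "host_sees_source": via.name if via else "client"}
    if via is None:
        wire = body
        report["intermediary_reads_request"] = None
        report["intermediary_knows_destination"] = None
    else:
        inner = real_dst.encode() + b"\n" + body
        wire = toy_cipher(via.tunnel_key, nonce, inner) if via.tunnel_key else inner
        dst_seen, body = via.relay(nonce, wire)
        report["intermediary_reads_request"] = request in body
        report["intermediary_knows_destination"] = dst_seen
    # What someone sniffing the office network sees on the wire.
    report["observer_reads_request"] = request in wire
    # The host strips the end-to-end layer, if any, and gets the request back.
    report["host_reads_request"] = (toy_cipher(e2e_key, nonce, body) if e2e_key else body) == request
    return report


if __name__ == "__main__":
    proxy = Intermediary("proxy.example")
    vpn = Intermediary("vpn.example", tunnel_key=b"key-shared-with-vpn-operator")
    req = b"GET /headlines HTTP/1.1"
    for label, kwargs in [("direct", {}), ("proxy", {"via": proxy}), ("vpn", {"via": vpn}),
                          ("vpn+e2e", {"via": vpn, "e2e_key": b"key-shared-only-with-host"})]:
        print(label, send("news.example", req, **kwargs))
```

Running it shows the four situations the text walks through: the direct request to a blocklisted site is dropped by the firewall; the same request through a proxy or VPN is allowed because the firewall only ever sees `proxy.example` or `vpn.example`; on the office wire the proxy leg is readable while the VPN leg is not; and in both cases the intermediary's operator reads the full request and learns the real destination, which is exactly the position a compromised or dishonest provider is in. Only the end-to-end layer keeps the request content away from the operator, and even then the destination remains visible to them.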
A Losing Battle?
In light of all this, there is a lesson to be learned. Most business leaders agree that some degree of control over their network is essential. Giving employees unrestricted internet access doesn’t just make it possible for them to accidentally stumble onto malicious websites; it also means that an intruder who breaches your network can use it to connect to any server they choose. By having just one of your key systems connect to a booby-trapped server, an attacker could end up infecting your entire network. While rare, these things also happen on networks that sit behind a company firewall.
When you consider just how easy it is for a determined employee to get around your firewall and access whatever they want online, you have to ask yourself whether it is worth trying to stop them to begin with. Blocking employees’ access to social media platforms seems like an obvious move if you want them to be more productive. But could it potentially be causing more harm than good in the long run?
Unless you control the VPN or proxy server, you have no way of auditing it properly to make sure that it isn’t leaking sensitive data. Instead of relying on one of these methods to prevent your employees from accessing anything they shouldn’t, it is much more effective to work with your employees and to educate them about how to use your corporate network responsibly.
Final Words
In recent years, major hotel chains, airlines, hospitals, and governmental organizations have leaked massive amounts of data. We’ve come to a tipping point where we cannot rely solely on technological solutions to protect our systems. We need to have a 360-degree outlook on cybersecurity and treat every employee as a potential weak link. Now is the time to start running risk management courses and security training for every single individual who has access to your company’s network. It makes sense. Blocking news sites with company firewalls – don’t.