When ‘Use a VPN’ Becomes ‘Stranger Danger’
Sometimes being in security training and awareness is like being a parent.
We oversimplify because we don’t want our employees, or our children, to come to any harm.
As promoters of good security practices, we say things like “never click on a link in an email” when we know full well that some links are perfectly safe.
As parents, we tell our kids “never talk to strangers,” even though we know that ultimately, they’re going to need to develop the skills to distinguish between harmless strangers and dangerous strangers.
Why do we do it? I’ll speak personally here: sometimes I do it because I don’t want to bore anyone with all the detail. Sometimes I just don’t want to take the time. So I paint the world with a broad brush: “don’t click links,” “don’t talk to strangers.”
The More Things Change...
Sometimes, though, events force you to change it up—as I just had to do with my advice on using a VPN.
I used to advise “when you’re away from the office, always use a VPN.” I gave this advice because I expected that most of that “away from office” usage would come in airports, coffee shops, conferences—places where the security of the Wi-Fi network was in serious doubt. And I figured the percentage of employees using the corporate VPN all at once would be pretty small. So I adopted this blanket “use a VPN” advice.
And then the pandemic came along.
The Age of WFH
Suddenly, everyone was out of the office, and I realized that my “use a VPN” advice just no longer really fit.
First, when people set up their home network securely, they simply don’t face the same risks as being on a public Wi-Fi network. Their connection is secure and the environmental risks much diminished.
Second, not all VPNs are designed to be used by every employee at once. Under heavy load, ours bogged down a lot, making Zoom calls a real pain in the butt. But disconnect and your internet speeds—and quality Zoom connection—return.
Are there times when VPN access is needed? Yes, when I need to access a network drive that only allows local network connections, and when I know I’m sending confidential documents and I want a higher level of protection. But there will be many times when I can work along securely without my VPN connection on at all.
My conclusion: don’t be afraid to change your advice as the times and your audience change. After all, who wants to be the parent calling out “stranger danger” to a teenager who is rolling their eyes, or the security person whose advice is out of touch with reality?