How Secure Is a VPN & Should You Still Use One?

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

A VPN is a useful tool to hide the data you send and receive online from hackers or other prying eyes. By rerouting your online search history to a different server, VPNs protect your important information, including details regarding your identity. This can protect you from identity theft.

VPN definition

A VPN is a virtual private network, which is a program that can help you establish a relatively secure, protected network for your internet connection. VPNs are particularly helpful when you are using shared or public WiFi. They can also disguise your online identity to a certain extent, which can help you protect yourself from identity theft. When you use a VPN, you essentially create a secure “tunnel” between your device and the worldwide web or another device. Although a VPN diverts your internet traffic to a different server, the process is encrypted more thoroughly than your standard ISP. VPNs will not sell your information to advertising agencies. These ad agencies will try to target online ads to you, but they can also become the focus of data breaches themselves. Identity thieves steal personal information for a lot of reasons. They can take over your accounts and steal money from you, but more often, they open new accounts in your name, which can damage your credit score, file false tax returns in your name and steal money from the government, and commit other types of fraud using your personal information. It can be extremely difficult to prove you are not this thief later. Hackers also use this personal information to break into corporations and steal even more personal information. VPNs are one of the best ways to protect personal and company identity.

How do VPNs work?

Internet traffic is routed through servers that are contracted with your internet service provider (ISP), which generates your IP address. Your ISP uses your IP address to track everything you do online and log it in their servers. However, this can also allow any data you send through the internet to be intercepted and tracked by hackers, even if you are on your personal WiFi at home. Additionally, ISPs often share your information with advertisers. If you have ever noticed changes to targeted advertising on social media and online articles after you search for a product once, this means your ISP has released your data to marketers. When you use a VPN, the program hides your IP address by redirecting your internet use through a remote server, which is managed by your VPN host rather than your ISP. This means the VPN host becomes the source of your data, and both third parties and your ISP cannot see or track data that you send and receive online. Rerouting your data to a different, remote server allows the VPN to turn that data into encrypted “gibberish,” so it is useless to hackers who try to steal it. By sending your data through a different server and then encrypting it, VPNs make your information less appealing to hackers since it is difficult to unencrypt and associate with your identity. This makes important information about you, your company, and others using your computer safer from cyberattacks directed at your ISP.

Types of VPNs

There are different types of VPN to meet different needs. 

  • Site-to-site VPN: Like peer-to-peer sharing, this type of VPN works on intranet, rather than the larger internet, to hide local users’ info but allow them to share resources or data between their specific devices. If you have multiple locations or branches in your company, each with their own local area network (LAN), which connects to a wider area network (WAN), this can be a secure way to send files to servers within your company while managing multiple geographic locations.
  • Client-to-server VPN: This VPN works well for companies with sensitive information that have several remote workers. Employees sign into their institutional login from home, using a secure VPN connection, which acts as though they are working in the office. The user will not be connected through their home ISP, but through the VPN provider. The VPN does not create an encrypted tunnel, as many commercial versions of VPNs do, but instead automatically encrypts data made available to the user. Since data is encrypted early and there are fewer points of failure, it is much tougher for hackers to steal information.
  • SSL VPN: This is another type of VPN that is excellent for remote workers, who may be using their personal devices to log into institutional pages. This VPN can be loaded onto mobile phones, tablets, laptops, and even desktop computers, as long as the device has an HTML-5 capable browser. This VPN spoofs the user’s location to something that protects the company. 

Since VPNs are increasingly popular, some companies like Microsoft offer built-in VPNs that use native protocols like L2TP, PPTP, IKEv2, and SSTP. While these are very secure, they may not offer all the features your company needs to ensure privacy and security. You can use these for your own purposes at home, but there are some details you may want to consider rather than automatically using these VPNs for your organization.

What does a good VPN provide?

A VPN should be able to:

  • Encrypt your data. VPNs encrypt your data in their servers, and require an encryption key to access it. Secure encryption makes it difficult to find or guess the encryption key to your data, so hackers cannot use information they might steal, even if they brute force attack the server. Encrypted data includes not only usernames and passwords you use online, but also your IP address, search history, and trackers like cookies that might be sold to third parties, legitimate and not.
  • Disguise your location. When you use your ISP normally, the provided IP address tags where you are located in the world. Using a VPN means you can reroute your information through a server in another location, either randomly or through a location of your choice. Since this location is not typically associated with your identity, it can help disguise who you are, so your internet history is less able to be associated with your online identity.
  • Secure data transfer. Sending and receiving data can be very sensitive, especially within companies. When more workers were on site, data transfer could be managed, but now that many more people work remotely, a VPN can help secure the transfer of sensitive, copyrighted, or medical information.
  • Provide a “kill switch.” If your VPN connection is interrupted, your VPN should automatically notice this downtime and terminate certain programs that are running, which reduces the likelihood that your data will be compromised.
  • Give you two-factor authentication. The best VPNs use several authentication measures with encrypted data to check anyone who logs in. One way to do this is to generate a unique random code whenever you attempt to log into an institution. This code might be sent to your mobile phone, rather than your email, to ensure privacy. Entering this code verifies you are legitimate.
  • Enable legacy systems to work remotely. Older computer systems that may not have great protection can be better protected with a VPN. A VPN can also provide a layer of protection for internal institutional systems that are cobbled together.

History of VPNs

Data security concerns have existed as long as human civilization, so it is no surprise that protection measures and theft have moved online. Since the early days of ARPANET, security experts and computer scientists have worked on encryption for security and privacy. In the 1960s, encryption was associated with protecting the United States’ national secrets while allowing government and military officials to communicate through the earliest versions of the internet. This work led to the development of the first Transfer Control Protocol/Internet Protocol (TCP/IP). There are four levels to TCP/IPs:

  1. Link
  2. Internet
  3. Transport
  4. Application

On the internet level, local devices, potentially on local networks, could be connected to the larger network. However, these connections exposed clear security flaws in the system. Some of these security flaws were solved with password protection, but once the internet became a commercial entity rather than a government and military communication service, computer scientists struggled to find better ways to protect users. In 1993, a team at AT&T Bell Labs and Columbia University created the first attempt at a VPN, called Software IP encryption protocol (swIPe). By 1996, Microsoft developed peer-to-peer services called Peer-to-Peer Tunneling Protocol (PPTP). Around the same time, antivirus software became more affordable and better at protecting against malicious attacks on consumer and corporate computer systems. However, the arms race against hackers continued. The first true VPNs were developed for larger companies in the early 2000s, protecting intellectual property and other sensitive information within corporations, nonprofits, and healthcare organizations. However, massive data breaches that began in the 2010s showed the need for consumer-level VPN services. With some of the most severe data breaches occurring in 2016, the sale of personal VPNs picked up, with the number of VPN users worldwide increasing fourfold in two years.

VPN security & best practices

As you shop for a strong VPN, here are some additional considerations: 

  • Privacy: You want to use a VPN to protect your privacy, so it is important your VPN respects and protects your identity. Search for information on the “no log” policy, which means they do not log your internet traffic or other personal information on their server.
  • Data limits: Having strict data limits on a personal-use VPN might not be such a big deal, but a company’s VPN needs to provide enough bandwidth for your whole organization.
  • Server location: Can you choose which location your servers are in? Does the VPN offer servers in the location you want?
  • Multiple devices: If you need access from multiple devices, either for personal or company reasons, it is important to know how many different devices can use this service. Consider not only how many employees you have, but also how many devices each might use.
  • Cost: Of course, price is a factor. There are VPNs available for free, which can work for one person when they access the internet. For institutional use, however, these VPNs will likely not provide the right amount of encryption and location access you need. 

References

What Is a VPN, and Why You Need One. (August 2021). PC Magazine.

VPN Connection Types. (September 2021). Microsoft Documentation.

8 Reasons Everyone Should Use VPN – Including Non-Techies. (August 2021). Forbes.

Device Security Guidance: Virtual Private Networks (VPNs). National Cyber Security Centre.