Without wasting any time, cybercriminals during the COVID-19 crisis turned their efforts to exploiting publicly known vulnerabilities in virtual private networks (VPNs). As these opportunists carefully watched business owners across the country shift their workforces to remote work, they lurked in the shadows, waiting for their future victims to fall into their hands. Since then, many of them have.

When your employees are working remotely, a VPN comes in handy. Using a VPN, which extends a private network across a public network, such as the internet, a business enables its employees to access private networks from anywhere. A VPN does more than allow your employees to retrieve data from one of the servers sitting in your office in a room somewhere.

With the right solution in place, a VPN protects the user’s data from internet service providers (ISPs), government agencies, and, perhaps most importantly, cybercriminals. While online privacy is a concern for everybody using the internet, it’s of the utmost importance for companies that regularly share business intellectual property (IP) or personally identifiable information (PII).

Now, even though a VPN provides an additional layer of security for a user, there are still ways for malicious actors to exploit the tool, particularly if it has known vulnerabilities, many of which can easily be found on the internet.

To make individuals and organizations aware of vulnerabilities affecting certain VPN products, the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued alerts outlining recommendations when considering alternate workplace options, some of which include the following:

  • Update VPNs with the latest software patches and security configurations.
  • Implement multi-factor authentication (MFA), which requires a user to present two pieces of evidence when logging in to an account, on all VPN connections to increase security. If MFA isn’t in place, require employees working remotely to use strong passwords.
  • Ensure members of your IT team test VPN limitations to prepare for mass usage and, if possible, implement modifications.

Depending on the VPN tool you end up choosing for your organization, you may only get a limited number of connections, so the last item on the list above is especially important if you have many employees. You want to ensure every one of your team members has access to a VPN connection when working remotely; otherwise, you leave your business wholly unprotected from threats.

Stay vigilant during the COVID-19 crisis by staying up to date on VPN vulnerabilities cybercriminals are exploiting, ensuring your employees are using VPNs, and following recommendations by CISA and other government agencies.