Over the past two months, we’ve had the opportunity to share a lot of interesting and important data on organizational risk, security and productivity as it relates to remote work. First, in late May we revealed just how much time workers were spending streaming Netflix, YouTube and other video content on corporate-owned devices.
And just two weeks ago we reported that in the space of a single month, 300 remote workers were exposed to 76,440 potentially dangerous websites. This equates to each remote worker clicking 59 malicious URLs each week (or 8.5 per day), putting themselves at greater risk from bots, phishing websites, malware and adware.
While these reports provided a realistic representation of remote work’s unintended consequences, the data derived almost entirely from NetMotion users that serve in both decision making and non-decision-making roles. So, to truly understand the mindset of IT and security leaders from a global perspective, we commissioned one of the largest remote work surveys since the pandemic began.
In total, we analyzed 633 responses from IT and security leaders (c-suite executives, directors and architects) across mid-market organizations and enterprises in both the public and private sectors. Participants were located across North America, the UK and Australia.
Today we share the survey results and corresponding analysis in conjunction with the launch of our new security platform, the first to unify a mobile-focused enterprise VPN with a software-defined perimeter (SDP).
The state of the enterprise VPN
In recent months, companies like AppGate, NetSkope and Trugrid, among others, haven’t been shy proclaiming the “VPN is dead,” missing no opportunity to bash the technology as insecure and a user experience nightmare. AppGate is so ‘all in’ with the message that the VPN has gone the way of the dinosaur that the company’s entire RSA theme and digital advertising campaigns are built around this concept. Truth be told, companies like AppGate are forced to say this because they don’t offer a VPN.
Despite these hyperbolic marketing efforts, our survey found the opposite to be true. That is, 87% of enterprises use a VPN today, 63% of them will still be using a VPN at the end of 2022 and 45% of organizations intend to continue using a VPN for more than three years.
While we agree that enterprise VPN’s will eventually evolve into software-defined perimeters, the transition will not occur overnight. That’s in large part because 98% of organizations still have at least one on-premise application, our survey found. And even as digital transformations are facilitating the corporate transition to the cloud, more than 75% of organizations have at least four on premise applications, if not more.
COVID-19 accelerates interest in software-defined perimeters
Software-defined perimeters (SDPs) are not new. The concept was first introduced in 2014 by the Cloud Security Alliance but, in reality, it didn’t gain much traction until the end of the decade, when organizations began evaluating the technology more seriously.
As recently as 2018 the number of vendors providing SDP solutions (also referred to as zero trust network access or ZTNA) was scarcely more than ten. Fast forward to 2020 and that number has climbed to over 30. An indication of the category’s extraordinary growth can be seen in its robust M&A landscape. Verizon acquired Vidder SDP in late 2018, followed by the acquisition of Impulse by OPSWAT, Luminate by Symantec and Meta Networks by Proofpoint in 2019.
Validating the growing interest in SDP, we found that 80% of organizations reported that they were now more likely to evaluate an SDP or ZTNA solution due to their greater need for remote access as a result of the pandemic. Astoundingly, 70% say they are now considering adopting a solution in the next 12 months.
Something that has come sharply into focus is the massive blind spot that companies face when it comes to securing remote workers. Employees sit in their homes, in hotels, in airports and in cafes, connecting to dozens of different networks. For most IT teams, it’s almost impossible to get visibility into the devices, networks and activity of these remote workers – certainly much less than when an employee is in a company office.
Our survey found that 64% of IT and security leaders are not satisfied with their visibility into remote workers. You can access the full report here to learn more.
With almost two-thirds of IT and security teams wanting more visibility, clearly there is a huge gap between where we are today and where we need to be. This is why software-defined perimeter (SDP) technology, based on a zero-trust architecture, is such a huge step forward.
Risks of remote work shine bright as work from home continues
When it comes to securing remote access, it stands to reason that you can only protect what you can clearly see. The opposite is also true; where there is little visibility and oversight of employees’ activity, then the security risk increases. Not being able to get insights into what’s happening becomes a major security concern.
In our survey, almost half of the respondents consider remote workers to be exposed to either high or extremely high risk. The overall picture is unmistakable – a full 97% believe that remote workers are exposed to greater risk than traditional office workers.
We also asked survey respondents to identify the riskiest activity for their remote workers. Although things like shadow IT and accessing unknown or insecure Wi-Fi connections were also important, risky URLs and accessing inappropriate content were by far the greatest fears. Want more insights? Download the full report here.
These findings are in line with other studies, such as the 2020 Verizon Mobile Security Report, which revealed that the average person connects to three insecure hotspots per day. Also, of note, in the same report, Symantec provided data showing that compared to the office environment, home internet connections were 1.7 times riskier, hotel connections were over 50 times riskier, and public Wi-Fi hotspots were a staggering 95.7 times riskier.
The remote work experience leaves much to be desired
Most workers will agree that they simply want to be productive and get their jobs done. Today, however, the tools and applications that have worked best inside an office environment may not work for a decentralized workforce. Likewise, the firewalls and other security infrastructure that protect office workers don’t extend well to remote workers. In a 2019 report, we found that the most frustrating problems facing remote workers included network disconnects, cumbersome reauthentication processes, slow network speeds and difficulties accessing corporate networks.
Even with fast home internet, remote workers often face frustrating network slowdowns, whether downloading data or when communicating with colleagues over any number of popular video conferencing tools such as Microsoft Teams, WebEx or Zoom. The transition to remote work has not gone smoothly for many employees, with 89% reporting that they have experienced problems connecting to the data and applications they need while working from home.
Any remote access solution will have an impact on the way employees interact with their colleagues and connect to data. A combination of the wrong tools or burdensome security restrictions can quickly lead to shadow IT and other risky behaviors. The goal should always be to improve the user experience.
Planning for a permanent remote working environment
For the majority of mid-market and enterprise organizations, COVID-19 accelerated the digital transformation process and forced greater consideration of remote work. While workers will eventually return to the office, a significant number of employees will remain remote for the foreseeable future, if not by necessity then perhaps by preference.
As such, any organization still using a blend of different hosting options for its enterprise resources should use both a VPN and an SDP solution to ensure security and positive user experience. Making the transition to cloud is difficult, and IT departments need solutions that fit the business’s requirements today, with the ability to scale to meet the increasingly zero-trust oriented needs of tomorrow.
Using two disparate solutions for SDP and VPN can be potentially problematic – issues highlighted by Gartner as creating “policy duplication” or “technology overlaps.” To avoid this kind of unnecessary duplication and complication, IT and security leaders should look to vendors that can provide a single, cohesive platform for both solutions. The goal should be to eliminate the impact of these concerns and transition towards zero trust in a seamless way. For more information on how NetMotion can help facilitate this transition, visit our SDP solutions page.