VPN Use in the Age of Fumbled Data Privacy

Taking initiative over one’s own privacy and security online is more important than ever. Not only are bad actors operating at an all-time high, but organizations that consumers have trusted for years have been forced into the spotlight over their mishandling of user data.

These risks could lead to adverse impacts for employers who allow poor cybersecurity practices into the workplace if they don’t take the initiative to educate their employees.

OpenVPN surveyed 1,000 full- and part-time employees to gauge their awareness of VPN use and the tech giants who abuse data privacy.

VPN awareness

Most employees — 77% — say they’re familiar with how a VPN works. But shortcomings in their VPN use still put many at risk.

For example, 48% of employees use a VPN in some way. But of those, only slightly over half (52%) use a paid VPN — one that requires a monthly or annual user fee. The remainder use a free VPN, where the potential sale of user browsing data presents a security concern.

Additionally, 44% use a VPN at all times, but over half of them use a free VPN when doing so. These users even stress themselves out with the hazardous practice — 80% of free-VPN users feel concerned about the dangers of free VPNs.

The Onavo Protect VPN debacle

Until 2019, Facebook offered Onavo Protect, a free mobile VPN app, on both the Apple App Store and Google Play Store. While it claimed to keep personal data safe and monitor app use to help users preserve their mobile data, it actually allowed Facebook to spy on users’ browsing activity and use that information for market research.

In August 2018, Apple pressured Facebook into taking the app down because it violated Apple’s App Store rules. In January 2019, it was discovered that Facebook was still using the Onavo Protect code in its Facebook Research app, leading Apple to punish Facebook by forcing it to take the research app down and by temporarily suspending its internal iOS apps for its employees. In February 2019, Facebook fully retired the Onavo VPN by taking it off the Google Play Store.

Put simply, Facebook’s Onavo Protect tool abused VPN technology. A VPN encrypts user data and hides the user’s true IP address so that no one on the network — from bad actors to a nosy internet service provider — can access it. VPNs are used all over the world to protect privacy and freedom of speech and information, but Facebook used its own to invade its users’ privacy.

But because of Facebook’s carelessness, many had their privacy jeopardized. Of those familiar with the Onavo Protect VPN, 57% had used the VPN app themselves. The brush with compromised data privacy seems to have scared them into safe practices — many are now extremely cautious about their privacy and VPN activity, and they’re also apprehensive of other tech companies’ intentions.

  • 64% now use a paid VPN.
  • 70% now use a VPN at all times during work and personal use.
  • 60% think it’s extremely likely that other tech giants will face data privacy issues like Facebook.

The bigger impact of fumbled data privacy

The Onavo Protect controversy is just one aspect of Facebook’s struggles with data privacy, and it was even one of the lesser-known controversies the social media behemoth faced, with only 19% of respondents familiar with it.

Conversely, 51% were familiar with the Cambridge Analytica data breach, and 43% were familiar with leaked Facebook data on Amazon cloud servers. Interestingly, a full quarter of respondents hadn’t heard of any of these scandals at all.

But for those who have, their outlook on Facebook has been severely affected. Seventy-one percent said the scandals have negatively impacted their view of Facebook, and four out of five expect Facebook to face at least one more data privacy issue in the next year.

  • 51% expect one to three issues in the next year
  • 20% expect four to six issues in the next year
  • 13% expect more than seven issues in the next year

Negative views and predictions for further data privacy issues have many consumers considering quitting social media. More than a third (34%) have thought about quitting one or more social media sites, and 20% have already quit one or more social media sites as a direct result of Facebook’s multiple data privacy incidents.

Respondents know Facebook isn’t the only tech behemoth feeling the heat as of late. Eighty-eight percent believe it’s likely that data privacy controversies will continue to arise with other tech giants such as Google and Amazon. In fact, 37% trust large tech corporations less than before the data privacy issues arose because they don’t think the tech companies have properly addressed the problems.

How can employers set their employees up for security success

With the average office worker spending about 1,700 hours per year on the computer, significant risk falls on the employer when employee cybersecurity practices are lax. But employers can manage employee security risk through a few strategies.

  • Social media – Employers shouldn’t shy away from adjusting their own social media policy in light of Facebook’s data privacy struggles. They certainly wouldn’t be the only ones: According to respondents, 36% of employers have blocked social media altogether or limited employees’ access as a direct result of the data privacy controversies. By cutting out social media in the workplace, you reduce the risk that data-hungry social media sites absorb sensitive work information only to handle it carelessly.
  • Education – All employees should take part in regular cybersecurity training. According to a recent OpenVPN poll, only 23% of organizations hold mandatory cybersecurity training sessions more than twice per year, but a quarterly cadence is recommended. These trainings should cover topics such as secure practices for working remotely, how to protect your device, and password hygiene. Informing employees about the dark side of poor security practices goes a long way — since cybersecurity doesn’t fall in the average employee’s job description, many were simply never trained to think from this perspective, and a little regular education pays dividends.
  • BYOD – These days, there’s no way around allowing BYOD (bring your own device) in the workplace. While risks can come with it, businesses can manage those risks through measures like mobile device management (MDM). Doing so gives the employer power to turn off certain features and block forms of communication on employees’ personal devices at work. It also allows employers to ensure the devices comply with all security measures, such as updated software, two-factor authentication and active malware scanners.

As cyberthreats continue to rise, the average employee’s security knowledge and practices won’t cut it, especially when tech companies we all touch don’t put data privacy first. Employers will bear the brunt of this risk in the workplace. In order to negate that risk, employers have a responsibility to educate their employees and give them the tools and understanding they need to protect themselves.
