More recently, VPNs have largely been consumer-focused because of how they anonymize activity online and— in some instances—circumvent geo-restricted content. With an IP address in a different country, the users can access that content as if they lived there. However, VPN usage started out almost exclusively for business, allowing employees to have a direct, secure connection to workplace systems without compromising the data and communications in transit.

Cybersecurity has grown in sophistication to ward off more intricate attacks. The cost of global ransomware damages was expected to exceed $5 billion (U.S.) in 2017, according to a cybercrime report from IDG Communications.

“[Enterprises] need to lock down their internal networks with a securely encrypted layer placed over their Internet service,” says Benjamin Van Pelt, Founder and CEO of TorGuard, a VPN provider. “A VPN encrypts data so it can’t be used or understood by corporate spies. Your Internet Service Provider (ISP) might also routinely log anything from sensitive correspondence to contracts and trade secrets that you transmit. Encryption makes the data worthless to anyone who hacks your ISP.”

Building a tunnel

Employees are increasingly mobile and using multiple devices, meaning attackers can exploit the vulnerabilities they create. Public Wi-Fi networks— particularly at hotels and airports— are among the riskiest because attackers could set up dummy networks that route traffic through them, Van Pelt adds.

Unsuspecting employees connecting to such networks could expose more than just the data stored on their devices if they “phone home” and log in to their company systems. VPNs can encrypt information between users so that it is anonymized and indecipherable to an unauthorized viewer.

It is also possible to use an encrypted VPN that identifies each user logging into the company’s system through unique IPs assigned to specific users. “Each of these unique IP addresses can be assigned to specific employees who have access to sensitive systems,” he says. “If I assign a specific VPN IP address to the system administrator, only that person is able to access areas of the network assigned to them. Access using any other IP address will be denied. It’s one of the most effective ways to improve security and protect business portals from unauthorized access.”

Ensuring data protection

New data protection and privacy regulations in Canada under the Personal Information Protection and Electronic Documents Act (PIPEDA) sets out rules on how businesses handle and store personal information. The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25, 2018.

There are no specific rules governing the use of VPNs, but doing business in other countries can pose other risks. Both China and Russia moved to ban all VPNs outright in 2017, with China recently opting to allow only state-approved VPN services to operate in that country.

Since businesses primarily use these services so employees can secure data when working remotely, the restrictions could also block certain applications or programs they are required to use for their respective roles. Van Pelt believes double-layered encryption technology could be a workaround that blocks government censors from spotting the secure VPN tunnel.

“The primary reason that these businesses use a VPN is to keep their data secure when employees are working outside the office,” he says. “My advice to businesses is the same, whether they operate entirely in Canada or internationally: If you’re not fully in control of your network, then you want to use a VPN.”