VPNs, Passphrases and Two-Factor Authentication: What Is Really the Best Way to Protect Your Data?

The U.S. Congress recently voted to allow internet providers to track and sell their customers’ browsing histories. In the wake of that vote, Google reported a surge in searches for information about virtual private networks (“VPNs”) and other mechanisms that users can employ to protect their privacy.

VPN technology can be an effective shield between a user’s computer system and the prying eyes of internet providers, cyber attackers, and other parties that might try to profit off of a user’s online activity. A VPN also has the potential to protect corporate networks against hacking and other unauthorized incursions. A corporation can further enhance its network protection by combining VPN technology with passphrases and two-factor authentication. Understanding how each of these mechanisms works is the key to successfully implementing them in a corporate information systems network.

A VPN inserts an encrypted connection between a corporate network and the internet, so that traffic crosses the internet service provider’s (“ISP”) links only in encrypted form. Without an encrypted connection, all internet traffic that passes through a corporation’s servers is visible to its ISP and to any hackers that are able to access those servers. Once the encrypted VPN connection is implemented, only the VPN endpoints and authorized users are able to see that traffic in the clear. The contents of the traffic become invisible to both the ISP and to hackers.

A hacker might still be able to access a corporate network via stolen login credentials and other illicit means, but a corporation can add a further hurdle to a network login by requiring users to enter passphrases instead of passwords. By one definition, a passphrase is little more than a longer version of a password. Cybersecurity experts often tell users to devise passwords that are random combinations of 7 to 10 upper- and lower-case letters and numbers, rather than simple names or words. A passphrase goes beyond this recommendation to include several words separated by spaces. Users like passphrases because they are generally easier to remember than complex passwords, and a passphrase built from several randomly chosen words can be at least as hard to guess as a shorter random password.
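To make the password-versus-passphrase comparison concrete, the following added example (not code from the original article) estimates the guessing entropy of a random 7-to-10-character alphanumeric password and of a passphrase drawn from a wordlist, and generates a passphrase with a cryptographically secure random choice. The eight-word list is a constructed stand-in; the 7,776-word figure used in the test is the size of a common published diceware-style list, and the entropy figures assume that the words are chosen uniformly at random rather than by the user.

```python
import math
import secrets

# Constructed sample wordlist for illustration only; a real deployment
# would load a published list of several thousand words.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple",
    "orbit", "lemon", "canvas", "river",
]

ALNUM_ALPHABET = 62  # 26 upper-case + 26 lower-case letters + 10 digits


def password_entropy_bits(length: int, alphabet_size: int = ALNUM_ALPHABET) -> float:
    """Entropy (in bits) of a password whose `length` symbols are each
    chosen uniformly at random from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy (in bits) of a passphrase of `word_count` words, each chosen
    uniformly at random from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from a list of `wordlist_size`
    that reaches at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int, wordlist: list[str]) -> str:
    """Build a space-separated passphrase using the `secrets` module,
    which is suitable for security-sensitive random choices."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def compare_policies(wordlist_size: int) -> dict[str, float]:
    """Summarise how many random words match the entropy of the 7- and
    10-character random passwords the article describes."""
    low, high = password_entropy_bits(7), password_entropy_bits(10)
    return {
        "password_7_chars_bits": round(low, 1),
        "password_10_chars_bits": round(high, 1),
        "words_to_match_7_chars": words_needed(low, wordlist_size),
        "words_to_match_10_chars": words_needed(high, wordlist_size),
    }


if __name__ == "__main__":
    print(compare_policies(7776))
    print(generate_passphrase(4, SAMPLE_WORDS))
```

The point the numbers make is that strength comes from the random selection, not from length alone: a four-word passphrase from a 7,776-word list (about 51.7 bits) already exceeds an eight-character random alphanumeric password (about 47.6 bits), whereas a memorable quotation that a user composes has far less entropy than either.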

A corporation can add an additional login hurdle with two-factor authentication. This requires a user to enter the standard login credentials of a username and password or passphrase, and then adds a second authentication factor that the user must satisfy before network access is granted. The second authentication factor might require a user to respond to a question that only they would be able to answer, to enter a separate one-time code generated on or sent to their smartphone, or to verify their identity with a biometric identifier such as a fingerprint.

Each of these security mechanisms is only as strong as its weakest link. In 2011, for example, hackers stole data from RSA Security, a company that provides two-factor authentication systems, thus theoretically enabling the hackers to bypass the security of clients that used those systems. Cybersecurity experts also note that a company’s employees are frequently the absolute weakest link, owing to their propensity to use simple passwords and to reuse those passwords for multiple different logins. To counter this weakness, security companies are now combining VPN access with two-factor authentication.

The wrinkle in any strategy that combines multiple network security mechanisms is that the hacking community responds to each new security hurdle with new techniques that bypass it. Corporations can continue to add new security mechanisms, but they also need to understand that those hurdles will never be perfect. When a hacker does successfully breach a network, a corporation can prepare itself to handle any direct and third-party liabilities with cybersecurity insurance. That insurance can provide compensation that enables a corporation to recover lost data and to replace servers that may have been damaged or destroyed as a result of an unauthorized incursion into the corporation’s networks. More significantly, it may help the corporation respond to demands for compensation from clients whose data might have been lost, and pay fines that regulatory organizations might impose on the corporation if it is deemed to be at fault for the data loss.