
UK Online Safety Act Sparks Major Concern About VPN Usage in Businesses

  • emmamoss58
  • 6 hours ago





With the new Online Safety Act now in force, platforms serving the UK must enforce strict age verification methods before allowing users to view adult content and sensitive material. This change has triggered a dramatic 1,400% increase in VPN sign-ups within days of the new legislation being passed, especially from young users looking to bypass these restrictions.


What does this mean for businesses?

Businesses may now feel like they must download and implement VPNs to enable access to various platforms, be it for marketing, social media, or international content. While VPNs are intended to ensure accessibility, it is important not to rely on them as they introduce various cybersecurity threats that cannot be ignored.


Here’s an overview of the hidden threats of VPN usage for both staff and businesses:


VPN providers may be unreliable

Free or poorly managed VPN services frequently track your online activity, resell your personal data, or, in extreme cases, even contain malware. A 2016 study found malware in 38% of Android VPN apps. Many free providers rely on monetising their users’ data rather than securing it. The implication for your business is that your sensitive business activity and information may be exposed through untrustworthy servers.


VPNs do not offer complete protection from cyber threats

While a good quality VPN will offer some protection from cybercrime, it is not a complete shield. VPNs work by encrypting your internet connection and hiding your IP address, which can help protect against criminals looking to target your network, like those lurking on public WiFi. However, a VPN will not offer protection against phishing attacks, social engineering, malware attacks, or other threats that exploit human error or vulnerabilities in your system.


Increased risk without 2SV in place

When an employee of your organisation logs into a corporate VPN, that single credential often provides access to all of your business’s sensitive information, systems, and data. If the password used is weak, reused, or stolen through a phishing or malware attack, the hacker can move through your system undetected just as your employees can, with access to all the same things. Without an additional layer of verification such as 2-step verification (2SV), there is no effective barrier to stop them in their tracks.


What should businesses do?


• Choose a trusted VPN provider that has been thoroughly vetted, has clear privacy policies, and most importantly, has paid tiers. We understand that, with the rising costs of running a business, paying for a VPN may be at the bottom of your list. However, most business VPNs do not cost more than £20 per month, a small price to pay to keep your business safe!


• Always pair your VPN with another layer of identity verification, such as 2-step verification, especially if your staff are working remotely and logging in from public or residential WiFi.


• Ensure your staff undergo regular Security Awareness Training to keep them up to date on their cybersecurity knowledge. These sessions are designed for small businesses and cover relevant topics such as phishing, malware, and credential abuse.


• Security settings can become outdated as staff change, software updates roll out, or new systems are added. Regularly audit who has VPN access, whether 2SV is correctly enforced for every account, and whether old or unused accounts have had their access revoked. These checks ensure only authorised individuals can use the VPN and access your company’s systems.
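
As an added illustration of the audit described in the last point (this is not SWCRC's own tooling), the short Python script below checks a VPN account export against a current staff list. The CSV column names, the sample accounts and the 90-day threshold are assumptions made for this example.

```python
import csv
import io
from datetime import date

# Constructed sample data: a VPN account export and the current staff list.
# Column names and the 90-day threshold are assumptions for this example.
VPN_EXPORT = """username,twosv_enabled,last_login
alice,yes,2025-07-28
bob,no,2025-07-30
carol,yes,2025-02-11
dave,yes,2025-07-29
old-contractor,no,
"""
CURRENT_STAFF = {"alice", "bob", "carol"}
STALE_AFTER_DAYS = 90


def audit_vpn_accounts(export_text, staff, today, stale_days=STALE_AFTER_DAYS):
    """Return {username: [reasons]} for every account needing attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"].strip().lower()
        reasons = []
        # 2SV must be enforced on every account, not just most of them.
        if row["twosv_enabled"].strip().lower() != "yes":
            reasons.append("2SV not enforced")
        # Accounts with no matching staff member should be revoked.
        if user not in staff:
            reasons.append("not on current staff list")
        # An empty last_login means the account has never been used.
        last = row["last_login"].strip()
        if not last:
            reasons.append("never used")
        elif (today - date.fromisoformat(last)).days > stale_days:
            reasons.append(f"unused for over {stale_days} days")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    report = audit_vpn_accounts(VPN_EXPORT, CURRENT_STAFF, date(2025, 8, 1))
    for user, reasons in sorted(report.items()):
        print(f"{user}: {', '.join(reasons)}")
```

Any account that appears in the report should either be brought into line (2SV switched on) or have its VPN access revoked.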


The cyber security ripple effects of the Online Safety Act are reshaping how businesses are managing remote access. Turning to VPN usage might now be an operational necessity; however, unvetted or free VPN access exposes your business to real cyber threats. While VPNs remain a valuable tool, it is important to remember that they must be paired with other cyber security protocols such as employee training and additional verification. Businesses must steer clear of quick fixes and instead encourage multi-layer, strong cyber security that aligns with the new regulations.


The SWCRC works with businesses of all sizes in the South West region of England, providing expert guidance tailored to your industry, and fully funded services that will boost your company’s cyber resilience. Through our services, which are backed by Police and delivered by experienced cyber professionals, you will receive practical cyber support to train your staff and take the necessary steps to protect your business from the most common cyber threats.


Is your business affected by the recent change in legislation? Do you now need to use a VPN to keep your business operating as it should, but you’re not sure where to start? We can help!

 
 