What is a VPN?

A virtual private network is a technology that allows a secure and private connection on the internet.

Why do I need a secure and private connection on the internet?

A regular internet connection is at risk of being tracked, intercepted and spied upon, which is a threat to the security and privacy of your internet activity and data.

How does this happen?

Your IP address

As you move about the internet while logged in on a device, visiting websites, clicking on links and viewing information, your IP address is left as a digital footprint which the websites and also your web browser can see. This information can be collected, analysed and sold to advertisers who will target you with things they think you are likely to buy. Your personal browsing history can also be used to target you with misinformation.

When you connect to the internet from a device on a regular network, the data you send and receive over your connection could be intercepted by hackers. If you have a firewall enabled in your router and on your device software, this risk is very much reduced. However, if you are using a public Wi-Fi connection, such as the free internet in a coffee shop or on a train, it's not difficult to hack into a laptop or mobile device that has no protection. All someone has to do is download a wireless network analyser, and with the right hardware and additional software they can often see what someone is viewing online within that network (unless they are encrypting their network traffic). Without additional protection, if you use a public Wi-Fi connection, hackers can read your emails and text messages, steal passwords, and even hijack your website logins.

Criminals can deceive victims in public Wi-Fi spots by creating a rogue network which they design to mimic the legitimate network. The spoof hotspot, sometimes called an 'evil twin', will have a similar name in order to trick people into connecting.
For example, if you are in a coffee shop and you see a Wi-Fi option listed, NERO_freewifi, you might mistakenly assume that it is the legitimate free Wi-Fi service and connect to it. The host hacker can then intercept data and even use tools to inject malware into the connected devices.

A virtual private network will mask your IP address and encrypt your data.

How does a VPN work?

An organisation will first need to set up their corporate virtual private network from the organisation's firewall or network. Client VPN software will need to be downloaded and installed onto every device that they wish to connect to the VPN.

A VPN is virtual because it's created digitally — there isn't a physical cable that reaches from your device directly to the VPN server.

A VPN is private because it encrypts your data and hides your IP address.

A VPN is a network because it creates a connection between multiple computers — your device and the VPN server.

Privacy and security

Many individuals (including hackers) use private VPNs as an anonymising tool to hide their IP address as they use the internet in order to bypass censorship, content blocks and regional restrictions. These types of VPN usually have pre-configured firewall settings and allow the user no control over the boundary firewall. This is not compliant with Cyber Essentials.

Organisations typically use a corporate VPN to give remote employees secure access to internal applications and data, or to create a single shared network between multiple office locations. When using a corporate VPN, even on free Wi-Fi in public spaces, it would not be possible for a hacker to read your internet traffic. The motivating factor for providing a corporate VPN is to prevent data breaches.

Single tunnel, site to site and split tunnel VPNs

A direct single tunnel virtual private network (VPN) or corporate VPN allows remote workers to route their online activity through a server that connects them directly to their company's secure private network.
Through their virtual private network, they are able to safely share and access organisational data and services on the private network while using a public network (the internet).

A site-to-site VPN is also called a router-to-router VPN and is commonly used in large companies. Organisations with branch offices in different locations use site-to-site VPNs to connect the network of one office location to the network at another office location.

A split tunnel VPN routes some of your data through an encrypted VPN connection, while allowing other apps and data direct access to the internet. This option is often used by those who want to protect sensitive data when they need to, without sacrificing their internet speeds for general web activity such as streaming music and films. Split tunnelling alleviates bottlenecks and conserves bandwidth as internet traffic does not have to pass through the VPN server. There are security risks associated with split tunnelling, and some organisations do not allow some of the internet traffic to go outside of the VPN tunnel on an unencrypted link while also connecting to their network.

Not all VPNs provide the same level of security. The strength of a tunnel depends on the type of tunnelling protocol the VPN uses. Some tunnelling protocols are outdated and may not provide data encryption that is strong enough to keep out cyber criminals.

Which VPN is recommended for Cyber Essentials?

Cyber Essentials recommends using a direct single tunnel network to the corporate network – any other type is not secure enough. A corporate VPN is a secure solution that connects remote workers back to their organisation's office location, or to a virtual or cloud firewall.
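An added example (not from the original page): a Python check that reads a VPN client profile and reports whether it sends all traffic through the tunnel (single tunnel) or only part of it (split tunnel). The WireGuard-style `AllowedIPs` syntax, the function names and the sample profiles are assumptions constructed for illustration; the page names no VPN product.

```python
import ipaddress

# Constructed sample client profiles (WireGuard-style syntax is an assumption).
FULL = """[Peer]
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0   # two halves still cover all of IPv4
"""
SPLIT = """[Peer]
Endpoint = vpn.example.org:51820
AllowedIPs = 10.0.0.0/8, 192.168.10.0/24    # only office subnets use the tunnel
"""
V4_ONLY = """[Peer]
Endpoint = vpn.example.org:51820
AllowedIPs = 0.0.0.0/0                      # IPv6 is not routed into the tunnel
"""

def allowed_networks(profile_text):
    """Collect every network listed on any AllowedIPs line of the profile."""
    nets = []
    for line in profile_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def covers_all(nets, version):
    """True if the listed networks of this IP version add up to the whole address space."""
    whole = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    same = [n for n in nets if n.version == version]
    return list(ipaddress.collapse_addresses(same)) == [whole]

def classify(profile_text):
    """Return 'single-tunnel', 'ipv4-only', 'ipv6-only' or 'split-tunnel'."""
    nets = allowed_networks(profile_text)
    v4, v6 = covers_all(nets, 4), covers_all(nets, 6)
    if v4 and v6:
        return "single-tunnel"
    if v4 or v6:
        # One address family is fully tunnelled; the other can leave unencrypted.
        return "ipv4-only" if v4 else "ipv6-only"
    return "split-tunnel"

if __name__ == "__main__":
    for name, text in (("FULL", FULL), ("SPLIT", SPLIT), ("V4_ONLY", V4_ONLY)):
        print(name, "->", classify(text))
```

A profile reported as `ipv4-only` is worth the same scrutiny as a split tunnel: on a network that offers IPv6, that traffic goes out over the direct link.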
...