NSA Issues Warning and Advice for Businesses using VPNs

The NSA has issues warnings and advice for businesses using a VPN, to reduce potential data breaches and attacks.

The National Security Association (NSA) has announced a series of precautions and best practice guidelines for businesses using VPNs, amid concerns that the increased amount of homeworking is making companies more vulnerable to online attacks.

Issued last week, these recommendations have some focus on common sense – such as not relying on default settings that are easier to crack – plus give IT departments in-depth technical solutions to mitigate the risk of attack.

See our guide to the best VPNs for business

Why is the NSA Issuing Warnings Now?

With many of us now working from home, companies are seeing a huge drive in traffic from outside of their usual office infrastructure. This makes network security management far more complex, and throws up a host of new issues. For some companies, this sift could be the new normal, with tech giants such as Twitter and Facebook telling their staff that they can work from home indefinitely.

Many other businesses could well follow suit, especially if their employees demand it. According to a recent study, 54% of us want to mainly work from home from now on. While that means fewer rage-inducing commutes and longer lie-ins for most staff, for IT departments, it can cause a real headache.

The NSA recognises this, and has been proactive in warning the public and businesses about online threats. This hasn’t always been the case, but this year alone we’ve seen NSA statements about mail hacking by the Russians, and warnings about Windows 10 exploits.

The NSA’s VPN Suggestions

The NSA has issued two documents to help businesses protect themselves from attacks and breaches stemming from VPN issues. One is intended as a summary of advice, while the other is a more practical guide with configurations, aimed at IT experts.

The suggestions can be condensed into the following five subject matters:

Don’t rely on default settings

This one is pretty straightforward, but that doesn’t mean that it should be discounted. Many of us don’t bother to delve into all the possible setup options when installing new tech, including VPNs, and that makes them more vulnerable.

Hackers may have a good knowledge of the VPN software they are trying to attack, including the least resistant path of entry – in most cases, this will be exploiting the default settings.

To ensure that you don’t make life easy for hackers, the NSA suggests that default settings are changed. It recommends that you don’t give in to the temptation of using a setup wizard or similar, as this could make your VPN platform vulnerable to those in the know.

Keep your VPN updated

Ensuring that your software is up to date is sound advice whether you’re running a VPN or simply playing Candy Crush. As new exploits are found in existing software versions, they become a focal point for hackers who rush to breach the software before it can be closed.

Yes, software updates can be annoying, but skip one, and you could well be missing out on an essential fix for a known issue that could expose sensitive company data.

Implement traffic filtering rules

In order to protect business systems, it’s important to keep a tight control on who is accessing them, and where they are accessing them from. The NSA recommends strict filtering rules on the ports, protocols and IP addresses of network addresses.

If it isn’t possible for businesses to be filtered to a specific IP address, then the NSA recommends adopting an Intrusion Prevention System in front of your VPN gateway.

Remove unused or non-compliant cryptography suites

Some VPN suits leave non-compliant cryptographic algorithms in place, which can be a security risk as they can be exploited through downgrade attacks. Through these, a hacker could force a VPN to accept obsolete cryptography suits, leaving them vulnerable to decryption from bad faith actors.

The NSA suggests removing this risk by ensuring that only compliant ISAKMP/IKE and IPsec policies are in configured, with those that aren’t compliant, removed from the VPN. It also suggest regularly checking that only complaint policies are configured, as they can be reintroduced through the use of graphical interfaces or user error.

Verify only CNSSP 15-compliant algorithms are in use

The CNSSP 15-compliant algorithms are the same as those used by government agencies to protect their own systems, so as you can imagine, they’re pretty robust. The NSA believes that your business should be as protected as they are, and suggest that you ensure that your company uses the same standard.

You can see the recommendations in full on the NSA website, which offers two guides on the subject – an executive summary, and a configuration guide.

The Best VPN for your Business

Even before the current pandemic, many businesses were choosing to adopt VPN software to help mitigate the dangers of a global workforce that isn’t always working in the office. A VPN allows employees to safely access company environments via a secure connection, protecting both the company and the user.

We’ve tested several VPNs and rated them according to value, speed, and of course, security. In our testing, it’s PureVPN that came out on top as the most secure, thanks to its detail-obsessed approach to security, coupled with an easy to use interface that makes it’s a breeze to use.

A great VPN choice for businesses
In Short


  • Easy-to-use admin control panel
  • Proactive intrusion protection system
  • 24/7 priority support


  • Isn't the fastest VPN on the market
  • NordLayer is cheaper
About our links

If you click on, sign up to a service through, or make a purchase through the links on our site, or use our quotes tool to receive custom pricing for your business needs, we may earn a referral fee from the supplier(s) of the technology you’re interested in. This helps Tech.co to provide free information and reviews, and carries no additional cost to you. Most importantly, it doesn’t affect our editorial impartiality. Ratings and rankings on Tech.co cannot be bought. Our reviews are based on objective research analysis. Rare exceptions to this will be marked clearly as a ‘sponsored’ table column, or explained by a full advertising disclosure on the page, in place of this one. Click to return to top of page

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Written by:
Jack is the Deputy Editor for Tech.co. He has over 15 years experience in publishing, having covered both consumer and business technology extensively, including both in print and online. Jack has also led on investigations on topical tech issues, from privacy to price gouging. He has a strong background in research-based content, working with organisations globally, and has also been a member of government advisory committees on tech matters.
Explore More See all news
Back to top
close Step up your business video conferencing with GoToMeeting, our top rated conferencing app – try it free for 14 days Try GoToMeeting Free