In addition to VPNs, you may have heard of Tor as another tool for more securely using the internet. It is important to understand what both are, why you might use one or the other, and how both might impact your organization.
Tor is a protocol for transmitting data anonymously over the internet by routing messages or data through a decentralized network. You can learn more about how Tor works here, but in short, it routes your traffic through multiple points along the way to its destination so that no single point has enough information to expose who you are and what you are doing online at once.
Tor is different from a VPN in a few ways. Most fundamentally, it differs because it does not rely on trust of any one specific point (like a VPN provider).
This graphic, developed by EFF, shows the difference between a traditional VPN and Tor.
The easiest way to use Tor is through the Tor web browser. It operates like any normal browser except that it routes your traffic through the Tor network. You can download the Tor browser on Windows, Mac, Linux or Android devices. Keep in mind that when using Tor Browser, you are only protecting the information you access while in the browser. It does not provide any protection to other apps or downloaded files that you might open separately on your device. Also keep in mind that Tor does not encrypt your traffic, so - much like when using a VPN - it is still essential to use best practices like HTTPS when browsing.
If you would like to extend the anonymity protections of Tor to your entire computer, more tech savvy users can install Tor as a systemwide internet connection, or consider using the Tails operating system, which routes all traffic through Tor by default. Android users can also use the Orbot app to run Tor for all internet traffic and apps on their device. Regardless of how you use Tor, it is important to know that when using it, your internet service provider cannot see what websites you are visiting but they *can* see that you are using Tor itself. Much like when using a VPN, this could raise the risk profile of your organization considerably, because Tor is not a very common tool and therefore stands out to adversaries that may be monitoring your internet traffic.
So, should your organization use Tor? The answer: it depends. For most at-risk organizations a trusted VPN that is properly used by all staff at all times is easiest, most convenient, and in the age of greater VPN usage globally, less likely to raise red flags. However if you either cannot afford a trustworthy VPN or operate in an environment where VPNs are routinely blocked, Tor can be a good option, if legal, for limiting the impact of surveillance and avoiding censorship online.