← ALL POSTS
CYBERSECURITY EXPLAINER

Do you still need a VPN?

Ten years ago the answer was automatic. If your people needed to reach the office file server from home, you stood up a VPN, handed out credentials, and called it done. Today we get asked the question in two very different forms: "do we need a VPN for security?" and "should our remote staff connect over VPN?" The answers have drifted apart, so let's take them separately.

First, which VPN are we talking about?

Two different products share the name.

Consumer privacy VPNs (NordVPN, Mullvad, and the rest you hear advertised on podcasts) encrypt your traffic to the VPN provider's servers so your ISP or a coffee shop network can't see it. For a business, these do almost nothing. Nearly every service your staff uses is already encrypted with HTTPS. A privacy VPN doesn't protect your accounts, your email, or your data. If an employee travels a lot and works from hotel Wi-Fi, fine, it's a modest extra layer. It is not a security program.

Remote-access VPNs are the business kind: software on a laptop that builds an encrypted tunnel into your office network, so the laptop behaves like it's plugged in at a desk. That's the one worth a real conversation.

The problem with the traditional remote-access VPN

A classic VPN grants network access, not application access. Once the tunnel is up, that laptop can usually reach everything on the office network: the file server, the printers, the accounting workstation, the security camera system. If the laptop is compromised, or the VPN password is stolen, the attacker gets the same all-access pass. Stolen VPN credentials without multi-factor authentication have been the opening move in a large share of the ransomware cases that make the news.

VPN appliances themselves have also had a rough few years. Several major vendors have shipped serious vulnerabilities in their VPN gateways, and attackers actively scan for unpatched ones because a VPN box is, by design, exposed to the internet. A VPN you don't patch promptly becomes the front door you left open.

The zero-trust alternative

The newer model goes by "zero-trust network access" or ZTNA. Strip away the marketing and the idea is simple: instead of joining the whole network, each user gets access to specific applications, and every connection checks who you are and what device you're on. Practical versions we deploy for small teams include Cloudflare Zero Trust, Tailscale, and Twingate. Microsoft's Entra Private Access plays in the same space for shops already deep in Microsoft 365.

What this looks like in practice: your bookkeeper can reach the accounting server and nothing else. Your web developer can reach the staging box and nothing else. Access ties to their company login with MFA, so when someone leaves, disabling one account cuts everything. And several of these tools need no inbound firewall hole at all, which removes the exposed-appliance problem entirely.

The question before the question

Here's the step people skip: many businesses asking about VPNs don't need remote access to anything anymore. If your files live in SharePoint or Google Drive, your email is in Microsoft 365, your accounting is QuickBooks Online, and your line-of-business app is web-based, there is no office network to tunnel into. The office is just a place with desks and internet. In that case the right answer to "do we need a VPN?" is no, and the money is better spent on MFA enforcement, device management, and backup.

You still need something VPN-shaped when there's a real on-premises resource: a local file server, an on-site database, machine controllers on a shop floor, a legacy app that only runs on a box in the back room, or an IT person who needs to manage network gear remotely.

What we actually set up for small teams

How to know it's done right

Whatever remote access you run, it should pass these checks. MFA is required on every remote connection, no exceptions for the owner. Each user can reach only what their job needs. The gateway or appliance, if you have one, is on current firmware and someone owns patching it. Offboarding a person kills their access in one step. And you can produce a list, today, of who has remote access and to what. If any of those makes you hesitate, that's the gap. It's usually a one-or-two-day project to close, not a rebuild.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Set up a company password manager the right way Step-By-Step Guide
Zero trust, minus the buzzwords Explainer
Set up a WireGuard VPN between two offices Step-By-Step Guide
HIPAA IT compliance: the checklist without the lawyer bill Explainer
SOC 2 prep without the panic Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston