Is a VPN secure?
10 Sep 2025
For years, businesses have relied on Virtual Private Networks (VPNs) to secure remote access to internal systems, but the way people work has changed and so have the threats.
Today, VPNs are increasingly viewed as outdated, risky and insufficient for securing modern, cloud-connected workplaces. In this blog, we explain why a traditional VPN deployment is no longer fit for purpose on its own, what risks it poses to your business, and what you should consider using instead.
What is a VPN?
A VPN is like a secure tunnel that allows employees to access your internal business systems from outside the office. It was designed to protect data sent between a user's device and your network, especially over public Wi-Fi or untrusted internet connections.
But here is the problem: once someone is in the tunnel, they can often reach far more than they should.
Why VPNs Have Become a Cybersecurity Risk
1. All-or-Nothing Access (Too Much Trust)
Most VPN deployments give users access to the entire internal network. That means once someone logs in, whether it is a staff member or an attacker holding that staff member's credentials, they can move freely from system to system.
VPNs operate at the network layer (Layer 3): the client is given an internal IP address and a route, not a list of applications. Unless someone has written firewall rules to segment the VPN address pool (and most have not), that is broad access without context. It is like giving someone a key to the entire office building when they only need to use the printer in one room.
2. Stolen Credentials = Full Access
VPNs usually rely on passwords, and attackers know it. Phishing, credential stuffing with passwords reused from other breaches, and brute-force or password-spray attacks against the internet-facing login portal can all compromise VPN logins.
Without robust MFA, VPN access is a single point of failure. Even with MFA, the access granted after login is not scoped to what the user needs or adjusted to the risk of the session.
3. No Device Validation or Health Checks
A traditional VPN does not check whether the connecting device is secure. That means someone could connect using:
- An infected personal laptop
- A jailbroken phone
- An unpatched OS
The security gap is that the VPN trusts whoever holds valid credentials and hands that device an internal IP address, with no regard for its integrity or compliance status. Some VPN clients can perform posture checks, but they are an add-on that is rarely enforced, not the default.
4. Poor Fit for Cloud & Hybrid Environments
VPNs were built for perimeter-based security, but modern apps and data live in the cloud:
- Microsoft 365
- Salesforce
- Google Workspace
- Remote DevOps environments
Backhauling traffic to these services through a VPN slows access, breaks functionality, or simply gets bypassed, because the services are reachable from the internet without it.
5. Limited Visibility and Logging
VPNs provide little detail about what happens after a connection is made.
You know that "someone" connected, from which address and for how long, but not what they did, where they went or whether they behaved maliciously. The security impact is material: you lose the ability to detect lateral movement or insider threats while they are happening.
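Even with that limited logging, the authentication records a VPN gateway does produce can be triaged for the credential attacks described in point 2 and the blind spots described in point 5. The following script is an added example for this post, not LoughTec's tooling or any vendor's log format; the key=value syslog-style lines are constructed, and the thresholds and the 10-minute window are assumptions. A real concentrator logs in its own format, so parse_line() is the part you would adapt.

```python
"""Triage VPN gateway authentication logs for password spraying, brute
force followed by a password-only login, logins without MFA, and one
account active from two addresses at once.

Added example, not code from the original post. The log format below is
a constructed, generic key=value style; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray against four accounts from one source, a
# brute-forced account (erin) that then logs in without MFA, one user
# (frank) connecting from two addresses within a minute, and normal logins.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z vpn-gw1 auth user=alice src=203.0.113.45 result=FAIL method=password
2025-09-10T08:00:03Z vpn-gw1 auth user=bob src=203.0.113.45 result=FAIL method=password
2025-09-10T08:00:05Z vpn-gw1 auth user=carol src=203.0.113.45 result=FAIL method=password
2025-09-10T08:00:07Z vpn-gw1 auth user=dave src=203.0.113.45 result=FAIL method=password
2025-09-10T08:02:00Z vpn-gw1 auth user=erin src=198.51.100.22 result=FAIL method=password
2025-09-10T08:02:10Z vpn-gw1 auth user=erin src=198.51.100.22 result=FAIL method=password
2025-09-10T08:02:20Z vpn-gw1 auth user=erin src=198.51.100.22 result=FAIL method=password
2025-09-10T08:02:30Z vpn-gw1 auth user=erin src=198.51.100.22 result=SUCCESS method=password
2025-09-10T08:05:00Z vpn-gw1 auth user=frank src=198.51.100.7 result=SUCCESS method=password+mfa
2025-09-10T08:06:00Z vpn-gw1 auth user=frank src=192.0.2.200 result=SUCCESS method=password+mfa
2025-09-10T08:10:00Z vpn-gw1 auth user=heidi src=198.51.100.30 result=SUCCESS method=password
2025-09-10T09:30:00Z vpn-gw1 auth user=grace src=198.51.100.9 result=SUCCESS method=password+mfa
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) method=(?P<method>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def triage(events, spray_users=4, brute_fails=3, window=timedelta(minutes=10)):
    """Return a list of (rule, subject, detail) findings."""
    findings = []
    events = sorted(events, key=lambda e: e["ts"])

    # Rule 1: password spray - one source failing against many distinct
    # accounts inside the window (one finding per source).
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    for src, fails in fails_by_src.items():
        for i, first in enumerate(fails):
            users = {x["user"] for x in fails[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= spray_users:
                findings.append(("password_spray", src, f"{len(users)} accounts in {window}"))
                break

    # Rule 2: a password-only success, flagged harder if the same account
    # had repeatedly failed just before (brute force that worked).
    fails_per_user = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails_per_user[e["user"]] += 1
            continue
        n_fails = fails_per_user.pop(e["user"], 0)  # success resets the counter
        if "mfa" in e["method"]:
            continue
        detail = f"password-only login from {e['src']}"
        if n_fails >= brute_fails:
            findings.append(("brute_force_then_login", e["user"], detail + f" after {n_fails} failures"))
        else:
            findings.append(("no_mfa_login", e["user"], detail))

    # Rule 3: the same account succeeding from two different addresses
    # inside the window - shared or stolen credentials in use.
    last_success = {}
    for e in events:
        if e["result"] != "SUCCESS":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["src"] != e["src"] and e["ts"] - prev["ts"] <= window:
            findings.append(("concurrent_sources", e["user"], f"{prev['src']} and {e['src']}"))
        last_success[e["user"]] = e
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {subject:16} {detail}")
```

Note what the script cannot tell you: once erin's password-only login succeeded, nothing in these records says which internal hosts that session touched. That is exactly the visibility gap the section describes, and it is why a per-application access log is worth more than a connection log.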
6. Performance Bottlenecks = Productivity Loss
VPNs often route all of a user's traffic (a "full tunnel") through a single concentrator or data centre. This adds latency, slows application performance and frustrates users, especially remote teams or global staff far from that concentrator.
Real-World examples and risks of VPNs
- The 2021 Colonial Pipeline breach started with a compromised password for a VPN account that had no MFA
- A 2023 NHS supplier breach involved unauthorised remote access via VPN
- 95% of ransomware attacks in mid-sized businesses start with compromised credentials, and those are often VPN credentials
What Should Businesses Use Instead of VPNs?
Solutions such as Zero Trust Network Access (ZTNA).
What is ZTNA?
Zero Trust Network Access is a modern security model that assumes no user or device should be trusted by default, even inside the network. Instead of broad network access, ZTNA verifies every request based on:
- User identity
- Device health
- Location
- Risk level
- Least-privilege permissions
Think of it as access with conditions and constant checks.
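To make "access with conditions" concrete, here is an added illustration of the per-request decision a ZTNA policy engine makes, placed beside the connect-time check a traditional VPN makes. This is example code written for this post, not LoughTec's code and not any vendor's policy language; the applications, groups, posture thresholds, country list and the 0-100 risk score are all invented for the example.

```python
"""Per-request, per-application access decision in the ZTNA style,
beside the once-at-connect, whole-network grant of a traditional VPN.

Added example, not the post's or any product's code. Apps, groups,
thresholds and the 0-100 risk score are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool           # enrolled in MDM / known to the organisation
    disk_encrypted: bool
    edr_running: bool
    os_patch_age_days: int  # days since the last OS patch was applied


@dataclass
class Request:
    user: str
    groups: set
    mfa: bool
    country: str            # assumed: ISO country code derived from the source address
    risk_score: int         # assumed: 0-100 from an identity provider or UEBA feed
    device: Device
    app: str                # the single resource being requested


# One policy per application. There is deliberately no "network" entry:
# a grant covers one app and nothing else.
POLICIES = {
    "payroll": {"groups": {"finance"}, "managed_only": True,
                "max_patch_age": 14, "countries": {"GB", "IE"}, "max_risk": 30},
    "wiki":    {"groups": {"staff"}, "managed_only": False,
                "max_patch_age": 30, "countries": None, "max_risk": 70},
}


def posture_failures(device, policy):
    """Device-health checks a plain VPN never makes. Returns a list of reasons."""
    reasons = []
    if policy["managed_only"] and not device.managed:
        reasons.append("unmanaged device")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.edr_running:
        reasons.append("EDR not running")
    if device.os_patch_age_days > policy["max_patch_age"]:
        reasons.append(f"OS unpatched for {device.os_patch_age_days} days")
    return reasons


def ztna_decide(req):
    """Default-deny, per-app decision: ("allow", []) or ("deny", reasons).

    Called for every request, so an existing session is re-evaluated as
    its risk score or device posture changes rather than trusted forever.
    """
    policy = POLICIES.get(req.app)
    if policy is None:
        return "deny", [f"no policy for app {req.app!r}"]
    reasons = []
    if not req.groups & policy["groups"]:
        reasons.append("user not entitled to app")
    if not req.mfa:
        reasons.append("MFA not completed")
    if policy["countries"] is not None and req.country not in policy["countries"]:
        reasons.append(f"country {req.country} not allowed")
    if req.risk_score > policy["max_risk"]:
        reasons.append(f"risk score {req.risk_score} above {policy['max_risk']}")
    reasons += posture_failures(req.device, policy)
    return ("deny", reasons) if reasons else ("allow", [])


def vpn_decide(req):
    """Contrast: the VPN model. Credentials (assumed already validated
    here) and MFA are checked once at connect time; the app, the device
    and the risk score are never consulted, and the grant is the network."""
    if not req.mfa:
        return "deny", ["MFA not completed"]
    return "allow", ["entire network"]


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, edr_running=True, os_patch_age_days=3)
    byod = Device(managed=False, disk_encrypted=False, edr_running=False, os_patch_age_days=60)
    for req in (
        Request("alice", {"staff", "finance"}, True, "GB", 10, laptop, "payroll"),
        Request("alice", {"staff", "finance"}, True, "GB", 10, byod, "payroll"),
        Request("bob", {"staff"}, True, "GB", 10, laptop, "payroll"),
    ):
        print(req.user, req.app, "ZTNA:", ztna_decide(req), "VPN:", vpn_decide(req))
```

The point to notice is the second and third cases: the same valid, MFA-backed login that the VPN model waves onto the whole network is refused for payroll once the device is unmanaged, and bob never sees payroll at all because entitlement is checked per application rather than implied by being "on the network".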
VPN vs. Zero Trust, a Quick Comparison

| Feature | Traditional VPN | Zero Trust Network Access |
|---|---|---|
| Trust model | Connect first, verify later | Never trust, always verify |
| Access scope | Entire network | Per-app or per-resource |
| Device checks | Not by default | Yes (posture-aware) |
| Risk-based access | No | Yes |
| Visibility & control | Minimal (connection-level) | Granular, continuous (per request) |
| Cloud-native support | Poor | Native |
Why This Matters to UK & Ireland Businesses
With increasing regulatory pressure from NIS2, UK GDPR, and Cyber Essentials, outdated VPN models no longer meet compliance expectations, especially around:
- Access control
- Data protection
- Breach detection and response
Insurers are also asking tougher questions about remote access. VPN-only environments may now lead to higher premiums or claim rejections following breaches.
How LoughTec Can Help
At LoughTec, we help businesses of all sizes transition away from risky legacy VPNs to modern, secure access frameworks that align with best practices and compliance.
Our team can:
- Audit your current VPN setup
- Design a Zero Trust access model
- Deploy identity-based access control
- Provide training for end users and IT admins
- Monitor and manage your security posture 24/7 via our SOC
VPNs had their day, but that day is over
As cyber threats grow more sophisticated and businesses become more distributed, relying on traditional VPNs is no longer safe — or smart. If you're still using VPNs as your primary security measure for remote access, it's time to rethink your strategy.
Zero Trust is the future. VPNs are the risk.
Ready to improve and secure your remote access?
Let’s talk about how we can help you phase out VPNs, reduce risk, and build a more secure, scalable access strategy tailored to your business.
Frequently Asked Questions (FAQs)
What is a VPN and how does it work?
A VPN (Virtual Private Network) creates a secure, encrypted connection between a user's device and a company’s network. It was designed to protect data in transit over public or untrusted internet connections, often used for remote work. However, once connected, VPNs typically provide broad access to internal systems.
Why are VPNs considered a security risk now?
VPNs are risky because they grant overly broad access to networks, rely heavily on passwords, lack context awareness (e.g. device health, location), and provide limited visibility into user activity. If compromised, a VPN can become a gateway for attackers to move laterally across your entire infrastructure.
Can a hacker bypass a VPN?
Yes. If a VPN credential is stolen through phishing or a reused password, an attacker can log in as that user and, with the connection-level logging most VPNs provide, do so largely undetected. Many VPN deployments are not configured with multi-factor authentication or device posture checks, which makes that login all an attacker needs.
What’s the difference between VPN and Zero Trust?
A VPN assumes trust once a user is connected, whereas Zero Trust assumes nothing. Zero Trust verifies every user, device and action regardless of network location, and enforces access to only what is needed, using identity, device health, risk level and behaviour to make each decision.
Are VPNs still useful for businesses?
VPNs may still serve limited use cases (e.g. legacy applications), but they are no longer recommended as the primary method of securing remote access. Modern businesses should transition to Zero Trust Network Access (ZTNA) for better security, control and compliance.
What are alternatives to VPNs for secure remote access?
Alternatives include:
- Zero Trust Network Access (ZTNA)
- Identity and Access Management (IAM)
- Secure Access Service Edge (SASE)
- Privileged Access Management (PAM)
These tools provide secure, context-aware access without exposing the broader network.
Are VPNs compliant with UK and EU regulations?
Not always. VPNs alone do not meet the requirements of frameworks like NIS2, ISO 27001, or UK GDPR, especially in areas such as access control, audit logging, and breach response. Using VPNs without additional controls can increase compliance and insurance risks.
What should I do if my business still uses VPNs?
Start by reviewing your current remote access strategy. Consider moving toward a Zero Trust model with per-application access, stronger identity verification, and real-time monitoring. A cybersecurity partner like LoughTec can help assess and upgrade your environment.
Contact LoughTec today for a free security consultation
LoughTec are cyber security experts, if you want to find out more on how LoughTec can help protect your business in many ways, see some further recommended information and options below.