Leonard Kleinman

expert panel

For years, VPNs were a favored security solution for both consumers and businesses. IT teams deployed them and users trusted them, because the assumption was that a VPN meant protection. But when a federal agency warns against personal VPN use, it underscores an uncomfortable reality: Some tools marketed as protection can actually expand the attack surface, expose user data or encourage habits that work against enterprise security goals. VPNs were architected for an era when the corporate network was a fortress to be protected. They provided a bridge for connected users, extending broad access and trust and encrypting data in transit. Once in, you were considered “trusted” until you disconnected. But in a distributed, cloud-first work environment, that singular stronghold no longer exists.  Rather than eliminating risk, a VPN may simply relocate it, handing it off to third-party providers whose privacy practices, security posture and incentives aren’t clear. Further, some VPNs aren’t just unsafe, they’re also unethical—actively monetizing user data and functioning less like a privacy shield and more like a surveillance layer in disguise. While it may be easy enough for private users to steer clear of VPNs, businesses are in a tricky spot. Remote workers still need safe, convenient ways to work from anywhere, especially when they’re under pressure, and they may be tempted by quick fixes that promise privacy with almost no effort. If companies want to steer employees away from risky workarounds, they need to do more than issue warnings; they need to offer secure alternatives that are truly trustworthy and easy to use. Members of the Senior Executive Cybersecurity Think Tank bring deep, hands-on expertise in zero-trust architecture, risk management, threat detection and enterprise security strategy. Below, two of them break down just how widespread VPN risk has become—and what security leaders should be promoting instead.