For years, VPNs were a favored security solution for both consumers and businesses. IT teams deployed them and users trusted them, because the assumption was that a VPN meant protection. But when a federal agency warns against personal VPN use, it underscores an uncomfortable reality: Some tools marketed as protection can actually expand the attack surface, expose user data or encourage habits that work against enterprise security goals.
VPNs were architected for an era when the corporate network was a fortress to be protected. They provided a bridge for remote users, extending broad network access and trust while encrypting data in transit. Once in, you were considered “trusted” until you disconnected. But in a distributed, cloud-first work environment, that singular stronghold no longer exists.
Rather than eliminating risk, a VPN may simply relocate it, handing it off to third-party providers whose privacy practices, security posture and incentives aren’t clear. Further, some VPNs aren’t just unsafe, they’re also unethical—actively monetizing user data and functioning less like a privacy shield and more like a surveillance layer in disguise.
While it may be easy enough for private users to steer clear of VPNs, businesses are in a tricky spot. Remote workers still need safe, convenient ways to work from anywhere, especially when they’re under pressure, and they may be tempted by quick fixes that promise privacy with almost no effort. If companies want to steer employees away from risky workarounds, they need to do more than issue warnings; they need to offer secure alternatives that are truly trustworthy and easy to use.
Members of the Senior Executive Cybersecurity Think Tank have deep, hands-on expertise in zero-trust architecture, risk management, threat detection and enterprise security strategy. Below, two of them break down just how widespread VPN risk has become—and what security leaders should be promoting instead.
Never Trust the Network
With over 30 years of experience in IT management and cybersecurity, Scott Alldridge, President and CEO of IP Services, helps business leaders stay on top of digital risk, cybersecurity and AI through the VisibleOps Book Series. He cuts straight to the heart of why VPNs have become a liability.
“From a VisibleOps cybersecurity lens, the problem isn’t VPNs; it’s false trust,” he says. “Most commercial VPNs collapse identity, device and network into a single brittle tunnel. When that tunnel is compromised, everything behind it is exposed.”
Alldridge explains that VPNs now tend to shift risk rather than reduce it—in some cases, even monetizing user data outright. He adds that VPNs violate zero trust’s first rule: Never trust the network. He recommends updated security strategies that recognize the reality of today’s distributed, app-reliant workplace.
“A safer practice is advanced multifactor authentication, strong device identity, decentralized access and zero-trust network access—granting app-level access, not network access,” Alldridge advises. “Protect users by verifying the who, what and health of the device every session, without the shortcuts that quietly increase blast radius.”
Ask Yourself Why You’re Using a VPN
Leonard Kleinman has witnessed firsthand the rise of enterprise VPN use—and the evolution of the associated risks. With over 35 years of experience in the IT and cybersecurity industry, he’s Chief Strategy and Technology Officer for FedCyber, a premier technology and cybersecurity advisory practice with a special focus on the federal government and critical infrastructure sectors. He describes the current state of VPN security in stark detail.
“VPNs face increasing risks, including zero-day exploits, credential theft, enablement of lateral movement through the failure of VPN segmentation, and user dissatisfaction,” Kleinman says. “Additionally, vulnerabilities in outdated or unpatched devices remain heavily exploited.”
The free VPN market, in particular, calls for close scrutiny. Kleinman notes that free VPNs often leak or log user data, and many show nation-state network fingerprints—a detail that should give any security leader pause. For organizations whose employees may be grabbing free VPN tools on personal devices, that’s not a minor risk; it’s a potential intelligence exposure.
So what can organizations do to protect themselves and their employees? Like Alldridge, Kleinman offers a multipronged approach.
“Enforce multifactor authentication, patch aggressively, tighten access controls and audit activity,” Kleinman urges. “Many organizations are shifting to zero-trust network access to eliminate broad implicit trust and better limit lateral movement.”
He also offers advice on reframing the conversation about VPNs in a useful way—counsel that applies to individuals and organizations alike.
“It might pay to ask yourself why you’re using a VPN,” Kleinman says. “Is it for privacy and security, or is it simply to get to a service that is restricted in your geolocation? This can help you determine the right type and use of a VPN.”
Smarter Mobile Security Starts Here
- Treat VPN risk as a structural problem, not a user behavior problem. The issue isn’t that employees choose convenience over security; it’s that VPNs were built for a different digital world, and relying on them leaves organizations exposed by design.
- Never trust the network—verify everything, every session. Confirm the identity, device type and device health of every user at every login, eliminating the broad, implicit access that makes VPN compromises so costly.
- Shift from network-level access to app-level access. Zero-trust network access grants users only what they need to do their jobs, dramatically reducing the blast radius if credentials are stolen or a device is compromised.
- Treat free VPNs as a red flag, not a resource. Nation-state network fingerprints in free VPN tools mean that an employee’s well-intentioned privacy fix could become an intelligence liability for the entire organization.
- Enforce the basics—and enforce them consistently. Multifactor authentication, aggressive patching, tighter access controls and regular activity audits remain among the most effective defenses available.
- Before deploying or endorsing any VPN, clarify its purpose. Asking a simple question—“Why are we using a VPN?”—helps organizations distinguish legitimate use cases from security theater and points toward the right tools for the right situations.
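The contrast drawn above between network-level access (a tunnel that, once up, reaches everything on the segment) and app-level access (identity, device identity and device health verified on every request, then a per-app entitlement check) is easiest to see as a policy decision point. The following Python is an added illustration written for this page; it is not code from the article, from IP Services, FedCyber or any ZTNA product. The app names, user entitlements, posture thresholds and the "phishing-resistant MFA" rule are all constructed assumptions.

```python
"""Added example: per-request, app-level access decisions (ZTNA style) beside a
flat network-level grant (legacy VPN style). All app names, users, devices and
policy values are constructed for illustration; none come from a real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory of internal apps (hypothetical names).
ALL_APPS = {"hr-portal", "git", "finance-db", "wiki"}

# Constructed entitlement table: which apps each identity may reach.
ENTITLEMENTS = {
    "alice": {"wiki", "git"},
    "bob": {"wiki", "hr-portal"},
}

POSTURE_MAX_AGE = timedelta(minutes=15)      # assumed re-attestation window
PHISHING_RESISTANT_MFA = {"fido2"}           # assumed accepted MFA methods


@dataclass
class Identity:
    user: str
    mfa_verified: bool            # strong MFA completed for THIS session
    mfa_method: str = "none"      # e.g. "fido2", "totp", "push", "none"


@dataclass
class Device:
    device_id: str
    managed: bool                 # enrolled in the org's device identity system
    os_patched: bool
    disk_encrypted: bool
    posture_checked_at: datetime  # when the health check last ran


@dataclass
class Decision:
    allowed: bool
    reason: str


def legacy_vpn_authorize(tunnel_up: bool, app: str) -> Decision:
    """Network-level model: once the tunnel is up, every app on the segment is
    reachable. The check happens once at connect time; nothing is re-verified
    per app, so a compromised tunnel exposes everything behind it."""
    if tunnel_up and app in ALL_APPS:
        return Decision(True, "tunnel established; app reachable on the network")
    return Decision(False, "no tunnel")


def ztna_authorize(identity: Identity, device: Device, app: str,
                   now: datetime) -> Decision:
    """App-level model: verify who (identity + MFA), what (device identity) and
    device health on every request, then check the per-app entitlement."""
    if not identity.mfa_verified or identity.mfa_method not in PHISHING_RESISTANT_MFA:
        return Decision(False, "phishing-resistant MFA not satisfied")
    if not device.managed:
        return Decision(False, "unmanaged device")
    if now - device.posture_checked_at > POSTURE_MAX_AGE:
        return Decision(False, "device posture stale; re-attest")
    if not (device.os_patched and device.disk_encrypted):
        return Decision(False, "device fails health policy")
    if app not in ENTITLEMENTS.get(identity.user, set()):
        return Decision(False, f"{identity.user} not entitled to {app}")
    return Decision(True, "identity, device and entitlement verified")


def reachable_apps(authorize) -> set:
    """Apps one session can reach: the blast radius if that session is abused."""
    return {app for app in ALL_APPS if authorize(app).allowed}


def stolen_credential_scenario(now: datetime) -> dict:
    """Blast radius comparison for the case the article warns about: a valid
    password replayed from an unmanaged device with no strong MFA."""
    replayed_identity = Identity("alice", mfa_verified=False)
    unknown_device = Device("unknown-laptop", managed=False, os_patched=False,
                            disk_encrypted=False, posture_checked_at=now)
    legacy = reachable_apps(lambda app: legacy_vpn_authorize(True, app))
    ztna = reachable_apps(
        lambda app: ztna_authorize(replayed_identity, unknown_device, app, now))
    return {"legacy_vpn": legacy, "ztna": ztna}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for model, apps in stolen_credential_scenario(now).items():
        print(f"{model:>10}: reachable with stolen password = {sorted(apps)}")
    alice = Identity("alice", mfa_verified=True, mfa_method="fido2")
    laptop = Device("lt-42", True, True, True, now - timedelta(minutes=5))
    for app in sorted(ALL_APPS):
        print(f"alice -> {app}: {ztna_authorize(alice, laptop, app, now)}")
```

Run directly, the script prints the reachable-app set under each model for the replayed-password case (all four apps behind the flat tunnel, none under ZTNA) and then the per-app decisions for a healthy, entitled user. The design point is in `ztna_authorize`: every denial carries a reason, the posture timestamp is compared against a maximum age so a device cannot coast on an old health check, and entitlement is the last gate rather than the only one.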
VPNs: A Legacy Tool in a Modern Digital Marketplace
What once served as a practical bridge to the corporate network now often functions as a single point of failure—one that can expose data, enable lateral movement and hand sensitive user information to third parties with misaligned incentives. Increasing expert concerns about VPN risk reflect a mismatch between legacy security models and the realities of modern, mobile, cloud-based work.
While VPNs may not have fully outlived their usefulness, it’s time for security-conscious businesses to prioritize architectures built for how work actually happens today. Zero-trust network access, strong device identity, multifactor authentication and app-level access controls aren’t just safer alternatives to VPNs; they’re the foundation of a security posture that can scale with an increasingly distributed workforce.
