Skip to main content

Protect Your Business from Data Theft with a VPN

Media Zero Trust Networking

Could Employees Be Exposing Business Information When Working Remotely?

Employees no longer work only from a desk inside the office.

They may access company systems from:

  • Home
  • Hotels
  • Customer premises
  • Shared workspaces
  • Airports
  • Coffee shops
  • Mobile hotspots
  • Public Wi-Fi networks

This flexibility can improve productivity, but it also creates security risks.

When employees connect from an untrusted network, business information may travel across infrastructure that your organisation does not own or control.

A virtual private network, normally shortened to VPN, can create an encrypted connection between the employee’s device and an approved business network or security service.

This can help protect information from being intercepted while it travels across the internet.

However, a VPN is not a complete cyber security solution.

It cannot protect a business from every type of data theft, phishing email, compromised password or infected computer.

The strongest protection comes from combining a properly configured VPN with secure devices, multifactor authentication, access controls, monitoring and employee training.

What is a VPN?

A VPN creates a protected connection between two points across the internet.

This connection is often described as an encrypted tunnel.

A business VPN may connect:

  • A remote employee to the company network
  • One office to another office
  • A branch location to a data centre
  • A business network to a cloud environment
  • An employee device to a secure internet gateway

Information passing through the VPN is encrypted so it is more difficult for an unauthorised person to read or alter it while it is in transit.

Without a VPN, an employee may connect directly from an untrusted network to business services.

With a VPN, their traffic can be sent through a trusted and controlled connection.

How can data be stolen without a secure connection?

Employees may assume that any Wi-Fi network requiring a password is safe.

That is not always the case.

A public or shared network may be:

  • Poorly configured
  • Monitored by an unauthorised person
  • Using weak security
  • Shared with unknown devices
  • Imitated by a fake access point
  • Compromised without the owner knowing

A criminal may create a wireless network using a convincing name such as:

  • Hotel Guest Wi-Fi
  • Airport Free Wi-Fi
  • Conference Wi-Fi
  • Coffee Shop Guest
  • Free Public Internet

An employee could connect without realising that the network is controlled by an attacker.

The attacker may then attempt to:

  • Observe network activity
  • Redirect the employee to fake websites
  • Capture unencrypted information
  • Interfere with downloads
  • Identify systems being accessed
  • Steal login details through phishing

Modern websites and cloud services normally use encrypted HTTPS connections, which already provide important protection.

A VPN adds another encrypted layer and can help reduce the amount of information visible to the local network.

Benefit 1: Encrypt information in transit

The main benefit of a VPN is encryption.

Encryption changes readable information into a protected format that should be unusable without the correct cryptographic keys.

This can help protect information such as:

  • Login sessions
  • Business application traffic
  • File transfers
  • Remote desktop connections
  • Internal website access
  • Database connections
  • Communication between offices

For example, an employee working from a hotel may need to connect to a server inside the company network.

A VPN can encrypt the connection between the employee’s device and the business firewall.

Someone monitoring the hotel network may be able to see that encrypted communication is taking place, but they should not be able to read the protected business information inside it.

Benefit 2: Protect employees using public Wi-Fi

Public Wi-Fi is convenient but should not automatically be trusted.

Employees may use it when:

  • Travelling
  • Attending events
  • Visiting customers
  • Working from cafés
  • Waiting at airports
  • Staying in hotels

A VPN can reduce the risk of local network users observing or interfering with the employee’s traffic.

Businesses should still give employees clear guidance.

They should be told to:

  • Confirm the correct Wi-Fi network name
  • Avoid unknown wireless networks
  • Use a company mobile hotspot where possible
  • Keep the VPN connected
  • Report certificate and browser warnings
  • Avoid accessing sensitive systems from shared public computers
  • Never disable security tools to make a connection work

A VPN helps protect the connection, but it cannot make an untrusted computer or stolen password safe.

Benefit 3: Provide secure access to internal systems

Some business systems should not be exposed directly to the internet.

These may include:

  • File servers
  • Internal applications
  • Management portals
  • Databases
  • Remote desktop services
  • Network equipment
  • Backup systems

A VPN can provide authorised employees with access to these systems without making them publicly available to everyone online.

The employee connects to the VPN first.

The business can then check their identity and permit access to appropriate internal resources.

This can reduce the attack surface of systems that would otherwise need to accept direct internet connections.

However, VPN access should not automatically give every employee access to the entire company network.

Permissions should be limited according to the employee’s role.

Benefit 4: Secure connections between offices

VPNs are also used to connect business locations.

A site-to-site VPN can create an encrypted connection between:

  • A head office and branch office
  • A warehouse and main office
  • Two company sites
  • An office and hosted data centre
  • A business network and cloud environment

Employees at each location may then access approved systems across the encrypted link.

For example, a branch office may connect to:

  • Central file storage
  • Business applications
  • Telephone systems
  • Authentication services
  • Management platforms

The VPN protects this traffic while it travels between the sites over the internet.

Site-to-site VPNs need careful design.

Incorrect network ranges, firewall rules, encryption settings or routing can create performance and reliability problems.

The configuration should be documented and regularly reviewed.

Benefit 5: Reduce the need to expose Remote Desktop

Remote Desktop can allow employees or engineers to control a Windows computer or server from another location.

Exposing Remote Desktop directly to the internet can create a significant security risk.

Attackers regularly search for remote-access services and attempt to exploit:

  • Weak passwords
  • Reused credentials
  • Unpatched systems
  • Misconfigured accounts

A VPN can allow Remote Desktop to remain unavailable to the public internet.

The user must first establish the secure VPN connection before the Remote Desktop service can be reached.

This creates an additional security boundary.

Remote Desktop should still use:

  • Multifactor authentication where possible
  • Restricted user access
  • Strong passwords
  • Supported systems
  • Security updates
  • Logging and monitoring
  • Account lockout protection

A VPN should not be used to hide an insecure and unsupported server.

Benefit 6: Control which devices can connect

A business VPN can be configured so that only approved users and devices can connect.

Depending on the platform, access controls may consider:

  • Username
  • Password
  • Multifactor authentication
  • Device certificate
  • Operating system
  • Security status
  • Location
  • User group
  • Time of access

This can prevent employees from connecting through any device they choose.

For example, the business may require remote access to come only from a company-managed laptop.

This reduces the risk of confidential information being accessed through a personal computer that:

  • Is shared with family members
  • Does not receive updates
  • Has no business antivirus protection
  • Is already infected with malware
  • Stores files outside company control

The VPN should be part of the organisation’s wider identity and device-management strategy.

Benefit 7: Improve visibility of remote access

A properly managed VPN can produce records showing:

  • Who connected
  • When the connection began
  • Which device was used
  • Where the connection originated
  • How long the session remained active
  • Whether authentication failed

These logs can help the business investigate unusual activity.

For example, warning signs may include:

  • Repeated failed logins
  • Connections from unexpected countries
  • Access outside normal working patterns
  • One account connecting from several locations
  • Former employees attempting to sign in

Logs are useful only when they are retained and reviewed.

An unusual event should trigger investigation rather than simply being stored indefinitely.

Benefit 8: Apply consistent internet security to remote workers

Some VPN configurations send the employee’s internet traffic through the company firewall or a secure cloud service.

This may allow the business to apply protections such as:

  • Malicious website blocking
  • Content filtering
  • Domain-name filtering
  • Threat detection
  • Network logging
  • Download controls

This can create a more consistent level of protection for employees working outside the office.

Without this approach, the employee may receive the full benefit of the company firewall only while physically connected to the office network.

The VPN design must consider performance.

Sending every remote employee’s internet traffic back through the office may:

  • Use significant bandwidth
  • Slow cloud applications
  • Affect Teams calls
  • Create a larger dependency on the office internet connection

A cloud-based secure-access service may be more suitable for organisations with many remote workers.

Benefit 9: Support compliance and customer requirements

Some customers, insurers and regulators may expect businesses to protect sensitive information while it is transmitted.

A VPN can support this requirement by encrypting connections between devices, sites and systems.

It may help the business demonstrate that it has considered:

  • Remote-working risks
  • Secure system access
  • Protection of information in transit
  • Access logging
  • Device restrictions
  • Network security

However, using a VPN does not automatically make an organisation compliant.

The business may still need controls covering:

  • Information stored on devices
  • Access permissions
  • Data retention
  • Backups
  • Incident response
  • Employee training
  • Supplier management
  • Secure deletion

A VPN provides one technical control within a wider security and compliance programme.

Benefit 10: Reduce the risk from insecure home networks

Home networks vary considerably.

An employee’s router may:

  • Use an old password
  • Have outdated firmware
  • Be shared with unsupported devices
  • Include smart home equipment
  • Use weak wireless security
  • Be managed by somebody else

A business cannot normally take complete control of every employee’s home network.

A VPN can protect business traffic between the managed laptop and the approved VPN destination, even when the underlying home network cannot be fully trusted.

The company laptop should still use:

  • A local firewall
  • Endpoint protection
  • Disk encryption
  • Security updates
  • Automatic screen locking
  • Restricted administrator access

The VPN protects network traffic. It does not correct every weakness on the device or home network.

Does Microsoft 365 still need a VPN?

Microsoft 365 services such as Exchange Online, SharePoint, OneDrive and Teams already use encrypted internet connections.

Employees do not normally need a traditional office VPN simply to reach Microsoft 365.

Forcing all Microsoft 365 traffic through the office may sometimes reduce performance, particularly for:

  • Teams meetings
  • OneDrive synchronisation
  • SharePoint
  • Large downloads

Microsoft 365 access may be better protected through controls such as:

  • Multifactor authentication
  • Conditional Access
  • Microsoft Intune
  • Device compliance
  • Microsoft Defender
  • Sign-in risk policies
  • Session controls

A VPN may still be required when the employee needs access to:

The correct solution depends on which systems the employee needs to use.

Is a VPN enough to stop data theft?

No.

A VPN protects information while it travels through the encrypted connection.

It does not automatically protect against:

For example, if an employee enters their Microsoft 365 password into a fake website, the VPN cannot prevent the criminal from using those stolen credentials.

If malware is already running on the laptop, it may be able to steal information before it enters the VPN tunnel or after it has been decrypted.

A VPN is an important control, but it must be combined with other security measures.

A VPN does not encrypt every stored file

VPN encryption normally protects information while it is moving between two points.

It does not automatically encrypt information stored on:

  • A laptop
  • A server
  • A USB drive
  • A mobile phone
  • A cloud application

Businesses should also use storage encryption.

This may include:

  • BitLocker on Windows
  • FileVault on Apple Macs
  • Encrypted mobile devices
  • Encrypted backups
  • Protected USB storage

If a laptop is lost or stolen, disk encryption can help protect the information stored on the device.

The VPN cannot provide that protection once the device is switched off or disconnected.

A VPN does not replace multifactor authentication

VPN accounts should be protected with MFA.

Without MFA, an attacker who steals an employee’s password may be able to connect to the business network.

MFA requires another verification method, such as:

  • An authenticator application
  • A hardware security key
  • A device certificate
  • Biometric verification

This makes the password alone less useful to the attacker.

Unexpected authentication prompts should never be approved.

Employees should report repeated or unexplained MFA requests because they may indicate that somebody is attempting to access the account.

A VPN does not replace endpoint security

Every device connecting through the VPN should have suitable endpoint protection.

This may include:

  • Antivirus
  • Endpoint detection and response
  • Firewall protection
  • Security updates
  • Disk encryption
  • Web protection
  • Device monitoring

A compromised device can use the VPN connection as a route into the business network.

The VPN should therefore not assume that every connected device is safe simply because the user entered the correct password.

Managed devices can be checked for compliance before access is granted.

A VPN can increase risk when configured poorly

A VPN creates a trusted route into business systems.

If it is misconfigured, it can expose the organisation to additional risk.

Common problems include:

  • Weak shared passwords
  • No multifactor authentication
  • Former employees retaining access
  • Unsupported VPN appliances
  • Outdated firmware
  • Excessive network access
  • Shared user accounts
  • No logging
  • Direct access for unmanaged personal devices
  • Old encryption protocols

Internet-facing VPN appliances are attractive targets for attackers.

They should receive security updates promptly and be monitored for suspicious access.

The business should also maintain an accurate record of:

  • VPN users
  • Connected devices
  • Firewall rules
  • Remote networks
  • Authentication methods
  • Software versions
  • What is split tunnelling?

Split tunnelling allows some traffic to use the VPN while other internet traffic connects directly from the employee’s local network.

For example:

Internal business application traffic uses the VPN.
Microsoft Teams and ordinary internet traffic connect directly.

This can reduce the amount of traffic passing through the company network and improve performance.

However, split tunnelling changes the security design.

The employee’s device is connected to both:

  • The company network through the VPN
  • The local network or internet directly

The business should assess whether this is acceptable and ensure endpoint protection remains active.

A full-tunnel VPN sends most or all traffic through the approved VPN service.

This may provide greater central control but can increase bandwidth requirements and dependency on the VPN infrastructure.

Neither option is automatically correct for every organisation.

What is a site-to-site VPN?

A site-to-site VPN connects entire networks rather than individual employees.

It is commonly used when a business has:

  • Multiple offices
  • A warehouse
  • A data centre
  • Hosted servers
  • A cloud network

The firewalls or routers at each location establish the encrypted connection.

Employees normally do not need to start the VPN themselves.

Their devices send approved traffic through the site-to-site link automatically.

The connection should use:

  • Strong modern encryption
  • Clearly defined network ranges
  • Restricted firewall rules
  • Monitoring
  • Matching configuration at both ends

The business should avoid allowing every device at one site unrestricted access to every system at another site.

Network access should be limited to what is required.

What is a remote-access VPN?

A remote-access VPN is used by an individual employee or engineer.

They normally open a VPN application and authenticate before connecting.

The VPN may then provide access to selected business resources.

Remote-access VPNs should include:

  • Individual named accounts
  • MFA
  • Device restrictions
  • Automatic disconnection
  • Access logging
  • Role-based permissions
  • Prompt account removal

Shared VPN accounts make it difficult to identify who connected and should be avoided.

Should a VPN run all the time?

For company-managed laptops, an always-on VPN may provide more consistent protection.

The connection can start automatically when the device connects to the internet.

This reduces reliance on employees remembering to activate it.

An always-on configuration may be useful when the business needs:

  • Continuous secure access
  • Consistent web filtering
  • Remote device management
  • Internal domain connectivity
  • Central network controls

However, it must be designed carefully.

A failed VPN service should not prevent employees from completing all work unless that restriction is intentional.

The business should also consider how employees will:

  • Connect before signing in
  • Access support when the VPN fails
  • Use hotel or public Wi-Fi registration pages
  • Work during an office internet outage
  • VPN vs zero-trust access

Traditional VPNs often provide broad network access after the user connects.

A zero-trust approach attempts to grant access only to the specific application or resource the user requires.

The access decision may consider:

  • User identity
  • Device compliance
  • Location
  • Application
  • Risk level
  • Authentication strength

Zero-trust network access may be suitable where the business wants to reduce broad access to the internal network.

For example, a supplier may need access to one server but should not be able to scan or reach other systems.

A traditional VPN can still support strong security when it is properly restricted.

Businesses should review whether their existing remote-access design gives users more network access than they need.

Should third-party suppliers use your VPN?

External IT providers and software suppliers may require remote access to business systems.

Their access should be treated carefully.

The business should know:

  • Which supplier has access
  • Which people can connect
  • Which systems they can reach
  • Whether MFA is enforced
  • Whether access is permanent
  • Whether activity is logged
  • How access is removed
  • Whether sessions are monitored

Where possible, suppliers should use individual accounts rather than a shared company login.

Access may also be limited to:

  • Approved times
  • Specific devices
  • Particular servers
  • Temporary sessions

A supplier should not receive unrestricted access to the entire network simply because it needs to maintain one application.

How should employees use a VPN securely?

Employees should be trained to:

  • Use only the approved business VPN application.
  • Keep the VPN connected when accessing internal systems.
  • Never share VPN login details.
  • Never approve an unexpected MFA request.
  • Report repeated connection failures.
  • Avoid disabling security tools.
  • Use only approved business devices.
  • Confirm the correct public Wi-Fi network.
  • Report a lost or stolen device immediately.
  • Disconnect when access is no longer required, unless the VPN is configured to remain always on.

Employees should also understand that the VPN icon does not mean every action is safe.

They must still check links, attachments and login pages carefully.

Questions to ask about your business VPN

Businesses should periodically review their VPN and ask:

  • Which employees can connect?
  • Are former users still active?
  • Is MFA required?
  • Are only managed devices allowed?
  • Which systems can each user access?
  • Is the VPN appliance still supported?
  • Is the latest firmware installed?
  • Are modern encryption settings being used?
  • Are connection logs reviewed?
  • Is supplier access restricted?
  • Does the VPN provide too much network access?
  • What happens if the VPN service fails?
  • Is a cloud or zero-trust solution now more suitable?
  • Has the configuration been tested recently?

A VPN installed several years ago may no longer reflect how the business works today.

Signs your VPN may need replacing

Your existing VPN may require review when:

  • Employees regularly report slow connections
  • The firewall or appliance is unsupported
  • MFA is not available
  • Shared accounts are being used
  • Personal devices can connect freely
  • The system does not provide useful logs
  • Remote access requires broad network permissions
  • The VPN fails during busy periods
  • Employees bypass it because it affects performance
  • Nobody knows who originally configured it

Replacing an old VPN is not only a performance project.

It may be an important cyber security improvement.

A wider strategy for preventing data theft

A VPN should form part of a layered security strategy.

Businesses should also consider:

  • Multifactor authentication
  • Microsoft Conditional Access
  • Microsoft Intune
  • Endpoint detection and response
  • Email security
  • Password management
  • Data encryption
  • Secure backups
  • Security awareness training
  • Data-loss prevention
  • Restricted administrator access
  • Security monitoring
  • Incident-response planning

Each control addresses a different risk.

For example:

  • The VPN protects network traffic.
  • Disk encryption protects a lost laptop.
  • MFA helps protect a stolen password.
  • Endpoint security detects malicious activity.
  • Backups support recovery.
  • Employee training reduces phishing risk.

No single product should be expected to protect the entire business.

Is a VPN still important for modern businesses?

Yes, but its purpose should be clearly understood.

A VPN remains valuable when a business needs to:

  • Protect traffic on untrusted networks
  • Connect remote workers to internal systems
  • Connect offices securely
  • Reduce direct internet exposure
  • Control and log remote access
  • Protect connections to private cloud environments

However, businesses that rely mainly on cloud services may use other controls alongside or instead of a traditional office VPN.

The correct solution may combine:

  • Direct access to Microsoft 365
  • Conditional Access
  • Managed and compliant devices
  • Zero-trust application access
  • VPN access for selected legacy systems

The design should support both security and employee productivity.

How can Hamilton Group help?

At Hamilton Group, we help businesses design, secure and manage remote-access and site-to-site VPN solutions.

We can assist with:

  • Business VPN reviews
  • Remote-access VPNs
  • Site-to-site VPNs
  • Firewall configuration
  • Multifactor authentication
  • Secure remote working
  • Network segmentation
  • Supplier access
  • Microsoft Conditional Access
  • Microsoft Intune
  • Endpoint protection
  • Zero-trust access planning
  • VPN monitoring
  • Firewall and firmware updates
  • Cyber security assessments

We can review your current environment and help answer important questions such as:

  • Is our VPN using secure and supported technology?
  • Is multifactor authentication enabled?
  • Can former employees still connect?
  • Are personal devices accessing our network?
  • Does every VPN user have too much access?
  • Are connection attempts monitored?
  • Is the VPN affecting Teams and cloud performance?
  • Are suppliers using shared accounts?
  • Would zero-trust access be more appropriate?
  • What happens if the VPN or main internet connection fails?

At Hamilton Group, we aim to make first contact on IT support requests within 15 minutes.

A secure VPN can help protect your business information while employees work remotely, but it should be properly configured, monitored and supported by wider cyber security controls.

Contact Hamilton Group to discuss a VPN security review or a more secure remote-working solution for your organisation.

Call us on 0330 043 0069 or book an appointment with one of our experts.