A VPN is one of those three-letter terms everyone has heard and almost nobody can explain. The short version: it builds a private, encrypted tunnel across the public internet so two points can talk as if they were on the same office network. The longer version is where business owners actually make or lose money - because the VPN that protected your firm in 2015 may be the very thing exposing it now.
What a VPN really does (without the jargon)
Imagine posting a confidential letter. Without a VPN, your data travels the internet on a postcard - anyone handling it along the way can read the address and the message. A VPN seals that postcard inside a locked, opaque envelope, and the only key is held by the other end of the tunnel: your office firewall or VPN server, which unseals it and passes the traffic on to the systems inside. That is encryption, and the sealed route it travels is the tunnel. Note what the envelope does not do: it protects the journey, not the destination, so a weak server at the far end is just as exposed as before.
Two jobs follow from that. First, privacy: people on the same coffee-shop Wi-Fi, or an internet provider in between, cannot read what is inside (they can still see that a laptop is talking to your office, and roughly how much, but not what). Second, reach: a laptop in Leeds can behave as though it is plugged into the server cupboard in your Manchester office, reaching the file share and the line-of-business app as if it were on-site.
The two flavours business owners confuse
People say 'VPN' to mean two completely different products, and mixing them up leads to buying the wrong thing.
- Remote-access VPN: connects a single person (a home worker, a salesperson in a hotel) back to the office network. This is the one most SMEs mean.
- Site-to-site VPN: a permanent encrypted link between two offices, so the Birmingham and Bristol branches share one network without leasing an expensive private circuit.
- Consumer 'privacy' VPN: the kind advertised on podcasts to hide your browsing or watch overseas streaming. It tunnels your traffic to the provider's servers, not to your office, so it gives staff no access to your own systems. Useful for individuals, largely irrelevant to running a business.
Does your business actually need one?
Honestly? It depends on where your data and applications live. If everything your staff use is already in Microsoft 365, Google Workspace or other web apps - each protected by its own login and multi-factor authentication - a traditional VPN may add friction without adding much safety. Those web apps already encrypt traffic in transit (the HTTPS padlock between the browser and the service), so a tunnel on top mostly duplicates that protection; what keeps those accounts safe is the login itself, and that is where the effort belongs.
You almost certainly do still need protected remote access if you run on-premises systems: a file server, an accounting database, a practice-management or CAD application that lives on a box in your building. Staff working from home need a safe way to reach those, and exposing them straight to the internet - say, by forwarding a remote-desktop or database port on the firewall - is asking to be breached.
Where the old VPN model now falls down
The classic VPN was built on a flawed assumption: that once you are inside the tunnel, you are trusted and can roam the whole network. That made sense when the office had a hard perimeter. It is dangerous now, because if one laptop is compromised or one password is phished, the attacker inherits that same broad access - they are inside the castle walls, free to scan for and reach every server the VPN can route to, not just the one application that user needed.
This is why many UK firms are shifting from 'connect to the network' towards 'connect to one specific application, and prove who you are every time'. That newer model is called Zero Trust Network Access, and we cover the move in our VPN-to-ZTNA migration guide. You do not have to rip out your VPN tomorrow - but you should know it is no longer the only, or best, answer.
Buying one without regrets
If a remote-access VPN is the right tool for you, the decision usually comes down to what you already own. Most business firewalls - the box that already sits between your office and the internet - include a perfectly good VPN you may be paying for and not using.
- Turn on multi-factor authentication for the VPN. A username and password alone are no longer acceptable, because a phished or reused password is then a complete key to the office.
- Limit what each user can reach once connected, rather than granting the whole network by default: a firewall rule from that user's VPN address (or group) to the one or two servers and ports they actually need, with everything else dropped.
- Keep the firewall firmware patched and retire any appliance the vendor no longer supports - VPN appliances are a favourite target precisely because they face the internet, and a known flaw in one is a way in that needs no password at all.
- Size the connection for the slowest link: a tunnel is only as fast as the home broadband at the far end, and every remote user shares the upload side of the office connection, which is usually far smaller than its download.
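The flat 'inside the tunnel, trusted everywhere' model described under 'Where the old VPN model now falls down', and the 'limit what each user can reach' advice in the list above, as an added example that is not part of the original page: a small Python policy evaluator with a constructed office inventory and constructed user accounts (the server names, addresses, ports and usernames are all hypothetical). It runs the same three connection attempts from one account through a flat-VPN rule and through a per-user allow list, and works out the blast radius of that one account being phished under each.

```python
"""Added example: 'connect to the network' versus 'connect to one application'.

Not code from the original page or from any vendor product. Every asset,
address, port, user and connection attempt below is constructed for
illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str   # VPN account the traffic came from
    dst: str    # destination IPv4 address inside the office network
    port: int   # destination TCP port


# Constructed inventory of what lives on the (hypothetical) office LAN.
ASSETS = {
    "file-server":   ("10.0.1.10", 445),
    "accounting-db": ("10.0.1.20", 1433),
    "cad-licence":   ("10.0.1.30", 27000),
    "domain-ctrl":   ("10.0.1.5", 389),
}

# Policy 1: the classic remote-access VPN. Once the tunnel is up, any
# account ('*') may reach any address on the office LAN, on any port.
FLAT_VPN = {"*": [("10.0.0.0/16", "*")]}

# Policy 2: per-user allow list. Each account is limited to the specific
# server(s) and port(s) it needs; anything not listed is denied.
LEAST_PRIVILEGE = {
    "sales.rep":  [("10.0.1.10/32", 445)],                          # file share only
    "bookkeeper": [("10.0.1.10/32", 445), ("10.0.1.20/32", 1433)],  # share + accounts DB
    "engineer":   [("10.0.1.10/32", 445), ("10.0.1.30/32", 27000)], # share + CAD licence
}


def is_allowed(policy, flow):
    """True if the flow matches a rule for its user or for the '*' wildcard user.

    Default is deny: an account with no matching rule gets nothing, which is
    the behaviour the 'limit what each user can reach' advice asks for.
    """
    rules = policy.get(flow.user, []) + policy.get("*", [])
    dst = ipaddress.ip_address(flow.dst)
    for cidr, port in rules:
        if dst in ipaddress.ip_network(cidr) and port in ("*", flow.port):
            return True
    return False


def reachable_assets(policy, user):
    """Names of inventoried assets the account can reach under the policy.

    This is the blast radius if that one account's password is phished.
    """
    return sorted(
        name for name, (ip, port) in ASSETS.items()
        if is_allowed(policy, Flow(user, ip, port))
    )


def evaluate(policy, flows):
    """Run each connection attempt through the policy; returns (flow, allowed) pairs."""
    return [(flow, is_allowed(policy, flow)) for flow in flows]


# Constructed connection attempts from the sales account: one legitimate,
# two that look like an attacker moving sideways after phishing it.
SAMPLE_FLOWS = [
    Flow("sales.rep", "10.0.1.10", 445),    # legitimate: the file share
    Flow("sales.rep", "10.0.1.20", 1433),   # lateral move: the accounting database
    Flow("sales.rep", "10.0.1.5", 389),     # lateral move: LDAP on the domain controller
]

if __name__ == "__main__":
    for label, policy in (("flat VPN", FLAT_VPN), ("least privilege", LEAST_PRIVILEGE)):
        print(f"--- {label} ---")
        for flow, ok in evaluate(policy, SAMPLE_FLOWS):
            print(f"{flow.user} -> {flow.dst}:{flow.port}  {'ALLOW' if ok else 'DENY'}")
        print("phished sales.rep can reach:", reachable_assets(policy, "sales.rep"))
```

Under the flat rule all three attempts are allowed and the phished sales account reaches all four servers; under the allow list only the file share is reachable and the two lateral moves are denied. On a real firewall the second policy is written the same way in spirit: rules from each VPN user's assigned tunnel address or group to the named server and port, and a drop for everything else from the VPN pool.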