
When a VPN for employees does and doesn't help

Practical guidance on VPN use for employees, for organisations that want to improve secure behaviour structurally.



Founder & Security Awareness Specialist · 2LRN4

The abbreviation VPN turns up everywhere: in ads, in travel tips and in employee questions about home working. But when does a Virtual Private Network add real security value in an organisation, and when is it mainly a comforting feeling without real protection? This article sets out what a VPN does and does not do, when it is genuinely useful for employees, and how to embed VPN use logically in a security awareness programme without creating the wrong expectations.

What is a VPN and what does it actually do?

A VPN builds an encrypted tunnel between your employee's device and a VPN server. From that server the traffic goes on to the internet as if it originated there. For parties watching the local network, such as other guests on a hotel Wi-Fi or a malicious operator of a free hotspot, it becomes hard to see which sites your employee visits or which data they send.

Important to understand: only the segment between the device and the VPN server is encrypted. What happens after the server is plain internet traffic, with the same risks as without a VPN. The VPN provider itself sits in a position of trust: it sees the traffic the moment it leaves the tunnel. For business use that is a reason not to pick a random consumer VPN, but a service whose jurisdiction and logging policy are known.

When is a VPN useful for employees?

A VPN delivers clear added value on networks you do not control and do not trust. Typical situations where employees benefit include:

  • Public Wi-Fi at stations, airports, hotels and cafés, where unknown third parties watch traffic or set up rogue hotspots.
  • Conferences and events, where network traffic is often poorly secured and is sometimes deliberately observed for research or demonstrations.
  • Working from home over a shared network with housemates or neighbours connecting unknown devices.
  • Travelling in countries where local internet is subject to heavy filtering, monitoring or injection.
  • Access to internal systems that specifically require a VPN connection for segmentation or compliance reasons.

What a VPN explicitly does not do

The "VPN on, so I'm safe" misconception does more harm than sensible VPN use does good. A VPN offers no protection against the kind of risks that lead to incidents every day:

  • Phishing: a VPN does not prevent an employee from entering their password on a fake site.
  • Malware: an infected attachment runs through the tunnel just fine.
  • Account abuse: stolen credentials work just as well over a VPN.
  • Anonymity towards your employer, your bank or services where you log in with personal details anyway.
  • Compensation for an insecure browser, missing updates or a forgotten laptop.

The biggest incidents we have seen in recent years did not come in via an unencrypted hotel network but through a phishing email, a leaked session cookie or an MFA fatigue attack. No tunnel helps with that.

The biggest misconception: "VPN equals safe"

Many employees use a VPN because they associate it with security, without knowing what it actually shields. That comfort is risky when it crowds out other behaviour. Someone who feels safe because the VPN is on clicks suspicious links more readily, uses public Wi-Fi for sensitive actions more easily and postpones updates with the idea that nothing can happen anyway.

In an awareness programme it is more effective to position VPN as one layer among several: one step that belongs to a broader package of MFA, patching, strong passwords and conscious clicking. Without that context you create more false certainty than real improvement.

Personal VPN versus business VPN

The VPNs employees know from home are usually commercial services aimed at consumers: they promise privacy, bypassing of geographical blocks and encryption on public Wi-Fi. For business access to internal systems, or for consistent protection of employees, you need a different type of product.

A few points that make the difference for the business choice:

  • Jurisdiction and logging policy: the provider operates from a country with clear privacy law and keeps no traffic logs.
  • Integration with your identity platform: employees log in with their business account plus MFA, and on departure access is revoked automatically.
  • Split tunneling: only relevant traffic goes through the tunnel, so video calls and large downloads do not slow down unnecessarily.
  • Always-on configuration: the VPN starts automatically on trusted devices and stays active on unknown networks.
  • Management and visibility: the security team sees whether connections work, can enforce policy centrally and can investigate problems.

Free VPNs are almost never sensible for business use. Several free providers have been shown in recent years to resell traffic, inject advertising or be controlled by parties with state-actor links.
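To make the "split tunneling" and "always-on" points above concrete, here are two WireGuard client profiles for a managed work laptop. This is an added example, not 2LRN4's material or configuration from any specific product; the key values, the endpoint hostname `vpn.example.com`, the tunnel address `10.10.0.2/32` and the internal ranges `10.10.0.0/16` and `192.168.50.0/24` are placeholders chosen for illustration. The only line that differs between the two profiles is `AllowedIPs`, which is where WireGuard decides what is routed through the tunnel.

```ini
# Added example, not the article's own material. Two separate WireGuard
# client files for one work laptop; keys, hostnames and IP ranges are
# placeholders. Comments are on their own lines so the files stay valid.

# ===== File 1: wg-full.conf (full tunnel) =====
# Intended for untrusted networks: hotel, station, conference, cafe Wi-Fi.
# Every packet, including DNS lookups, goes through the tunnel, so the local
# network only sees encrypted UDP to the VPN endpoint.
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.0.2/32
# Resolver that lives inside the tunnel, so name lookups are not exposed
# to the local hotspot (DNS is processed by wg-quick).
DNS = 10.10.0.1

[Peer]
PublicKey = <vpn-server-public-key-placeholder>
Endpoint = vpn.example.com:51820
# Route ALL IPv4 and IPv6 traffic through the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
# Keep the NAT mapping alive on hotspots that drop idle UDP flows.
PersistentKeepalive = 25

# ===== File 2: wg-split.conf (split tunnel) =====
# Intended for trusted office or home networks. Only traffic for the
# assumed internal ranges is tunneled; video calls and large public
# downloads use the local connection directly and are NOT protected by
# the VPN, which is exactly the trade-off the article describes.
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.10.0.2/32
DNS = 10.10.0.1

[Peer]
PublicKey = <vpn-server-public-key-placeholder>
Endpoint = vpn.example.com:51820
# Only the VPN range and the assumed internal LAN are routed via the tunnel;
# everything else bypasses it. Add any internal IPv6 prefixes here too,
# otherwise IPv6-reachable internal services silently go direct.
AllowedIPs = 10.10.0.0/16, 192.168.50.0/24
PersistentKeepalive = 25
```

Two practical notes. First, the "always-on" behaviour the list asks for is not something a WireGuard file expresses: it is enforced by the operating system or the device-management platform, which selects the full-tunnel profile on unknown networks and blocks traffic when the tunnel is down. Second, the split profile is the one where the false-certainty problem from earlier in the article bites, because the VPN icon is lit while most traffic never enters the tunnel; that is the reason to reserve it for networks the organisation actually trusts.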

What belongs in an awareness programme about this?

VPN use is not a standalone topic; it belongs to the broader message about working on unknown networks. Include it in onboarding as part of the work laptop explanation: when is the VPN on automatically, when does the employee have to enable it manually, and who helps when it does not work. Combine that with clear rules in policy: for which kinds of work the VPN is mandatory, whether the employee may use a personal VPN on the work laptop for private use, and how to deal with countries where VPN use is restricted or forbidden.

In a recurring programme it helps not to offer VPN as a separate module but as a concrete action in scenarios: an employee travels to a conference, an employee works from a campsite, an employee logs in from a customer's network. With those stories the technology becomes manageable and it becomes clear that a VPN is one layer alongside conscious clicking, strong authentication and up-to-date software.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.

FAQ

Is a VPN mandatory for remote workers?

It depends on your policy. For work that can only be done through internal systems, a business VPN connection is usually mandatory. For general office work via cloud applications, MFA and strong authentication often work just as well. For consistency we still recommend setting always-on VPN as the default on work laptops.

May an employee use a free VPN for work?

Preferably not. Free VPNs often earn their money by reselling traffic, injecting ads or collecting metadata. For work an employee should use a service chosen and managed by the organisation.

Does a VPN protect against phishing?

No. A VPN encrypts network traffic, but the user still enters their credentials on a website themselves. Against phishing, only human alertness, MFA, passkeys and technology that blocks fake domains help.

When does a VPN actually add something?

On networks you do not control, such as public Wi-Fi, conferences and shared home networks, and when you specifically need to reach internal systems that are only accessible via VPN. In other situations the added value is limited.

What is the difference between a VPN and a proxy?

A proxy forwards traffic for a single application, without full encryption between device and proxy. A VPN encrypts all traffic from the device and focuses on network security rather than application configuration.

Should I use always-on VPN on my work laptop?

For consistency and simplicity that is advisable. It removes the need for the employee to judge for themselves whether the current network is trusted. On trusted office and home networks the configuration may differ via split tunneling.

What alternatives exist to a traditional VPN?

Organisations are increasingly deploying Zero Trust Network Access (ZTNA). Access is granted per application based on user, device posture and context, rather than routing all network traffic through a single tunnel. For specific use cases this is safer and faster than a classic corporate VPN.

External source: NCSC - Awareness resources

Next step

Use this article as the foundation and then see how 2LRN4 turns this topic into audience segmentation, training and reporting.