In early 2024, threat actors exploited critical vulnerabilities in Ivanti Connect Secure VPN appliances so aggressively that CISA's Emergency Directive 24-01 ultimately ordered federal agencies to disconnect the devices entirely. Not patch them. Disconnect them. That moment should have been a wake-up call: having a VPN isn't enough. How you configure, maintain, and layer it matters more than whether the tunnel exists at all. These VPN best practices are the ones I've seen separate organizations that stay safe from those that end up calling their incident response retainer.

Why Most Organizations Get VPN Security Wrong

Here's what actually happens in most mid-size companies I've worked with: someone sets up the VPN appliance during initial deployment, configures split tunneling to save bandwidth, and never touches it again. Three years later, the firmware is six versions behind, the admin credentials are still the defaults, and half the user accounts belong to people who left the company.

The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector nearly tripled year-over-year (a 180% increase), with internet-facing edge devices such as VPN appliances among the prime targets. Threat actors don't need sophisticated zero-day exploits when your gateway is running unpatched software with weak credentials.

A VPN is a front door to your network. Treat it like one.

VPN Best Practices That Actually Reduce Risk

1. Patch VPN Appliances Like They're on Fire

I can't overstate this. VPN concentrators sit on the internet-facing edge of your network. When a CVE drops for Cisco ASA, Palo Alto GlobalProtect, Fortinet FortiGate, or any other appliance, you have days, not weeks, before exploitation begins at scale. Build a process to monitor vendor advisories and apply critical patches within 48 hours. Two caveats: patching does not evict an attacker who got in before you patched, so if the appliance was exposed during the vulnerability window, run the vendor's integrity or compromise checks and review its logs before declaring it clean; and keep the appliance's management interface off the internet, reachable only from an internal admin network.

If your change management process can't move that fast, your change management process is a vulnerability.

2. Enforce Multi-Factor Authentication on Every Connection

Credential theft remains one of the most common ways attackers gain VPN access. Usernames and passwords stolen through phishing campaigns, infostealer malware, or credential dumps are tested against VPN portals constantly. Multi-factor authentication stops the vast majority of these replay attempts cold, but not all of them: push-notification fatigue and real-time phishing proxies that relay one-time codes both defeat weaker second factors.

Don't use SMS-based MFA if you can avoid it. SIM-swapping attacks are real and well-documented. Phishing-resistant methods such as FIDO2 hardware keys or certificate-based authentication on managed devices are far stronger, with authenticator apps that use number matching as a fallback. Enforce MFA on the appliance's admin interface and on any local or emergency accounts as well; attackers look for those precisely because they are so often exempt. If your VPN vendor doesn't support modern MFA, that's a sign you need a different vendor.

3. Kill Split Tunneling for High-Risk Users

Split tunneling lets users route only corporate traffic through the VPN while personal traffic goes direct to the internet. It saves bandwidth. It also means a compromised endpoint can reach both your internal network and attacker-controlled infrastructure simultaneously.

For standard users on managed devices, split tunneling can be acceptable with proper endpoint protection. For administrators, finance teams, and anyone with privileged access, full tunnel is the only defensible choice. The bandwidth cost is worth it.

4. Implement a Kill Switch

A VPN kill switch (enterprise clients usually call it always-on or lockdown mode) blocks all traffic outside the tunnel if the VPN connection drops unexpectedly. Without it, your users' traffic, including credentials, session tokens, and sensitive data, spills onto whatever network they're connected to. Coffee shop Wi-Fi. Hotel networks. Airport hotspots.

Every enterprise VPN client worth using has this feature. Make sure it's enabled by policy, not left as a user option, and verify it: drop the tunnel on a test device and confirm that nothing except the client's reconnection traffic leaves the host.

5. Segment VPN Access by Role

Not every VPN user needs access to every subnet. An engineer connecting remotely to a development environment doesn't need a route to the finance database. Map VPN groups to role-based policies (a distinct address pool per group, with firewall rules that default-deny between pools and internal segments) so that a compromised account's reach is limited to what its role requires.

This is where VPN best practices intersect with zero trust principles. The VPN authenticates the user and establishes the tunnel — but network segmentation and access controls decide what they can actually reach once inside.

6. Log Everything and Actually Review It

VPN logs are gold during incident response and useless if nobody looks at them until after a breach. At minimum, monitor for: connections from unusual geolocations, bursts of failed authentication attempts (especially a success that follows such a burst), connections at odd hours, simultaneous sessions from the same account at different source addresses, and logins by service or disabled accounts.

Feed VPN logs into your SIEM. Set up alerts. I've seen organizations detect compromised credentials weeks earlier simply because an analyst noticed a VPN login from Eastern Europe for a user who works in Ohio.
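As an added example (not code from the article or from any vendor), here is a small detector that implements those checks over constructed log lines in an assumed format. The line format, the IP-to-country table, the per-user baselines and the thresholds are all made up for illustration; in production these would be detection rules in your SIEM over the appliance's own syslog fields, and only the parser would change between vendors.

```python
"""Anomaly detection over VPN authentication logs.

Added example, not from the article or any vendor. The log format, IP-to-country
table, user baselines and thresholds are constructed for illustration.

Assumed line format:
  <ISO-8601 UTC timestamp> <host> vpn event=<AUTH_OK|AUTH_FAIL|DISCONNECT> user=<name> src=<ip>
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn event=(?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed IP-to-country table over RFC 5737 documentation ranges.
# A real deployment would query a GeoIP database instead.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RO",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Constructed per-user baseline: countries each user normally connects from.
USER_BASELINE = {"jdoe": {"US"}, "asmith": {"US", "DE"}, "svc-backup": {"US"}}

FAIL_THRESHOLD = 5                    # failures per user within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(6, 22)         # UTC hours considered normal (constructed policy)


def country_of(ip: str) -> str:
    """Look the address up in the constructed table; '??' means unknown."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")


def parse(text: str) -> list:
    """Parse log lines into dicts sorted by timestamp; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Return (rule, user, detail) tuples for the anomalies the article lists."""
    alerts = []
    fails = defaultdict(list)     # user -> timestamps of recent AUTH_FAIL events
    active = defaultdict(dict)    # user -> {src_ip: login time} for open sessions
    for e in events:
        user, src, ts, ev = e["user"], e["src"], e["ts"], e["event"]
        recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]   # slide the window
        if ev == "AUTH_FAIL":
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", user, f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
        elif ev == "AUTH_OK":
            others = [s for s in active[user] if s != src]
            if others:   # same account already has a live session from another address
                alerts.append(("CONCURRENT_SESSION", user, f"{src} while active from {others[0]}"))
            cc = country_of(src)
            if cc not in USER_BASELINE.get(user, set()):
                alerts.append(("UNUSUAL_GEO", user, f"login from {src} ({cc})"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("OFF_HOURS", user, ts.isoformat()))
            if len(recent) >= FAIL_THRESHOLD:   # password guessing that finally worked
                alerts.append(("SUCCESS_AFTER_BURST", user, f"{len(recent)} failures then success"))
            active[user][src] = ts
        elif ev == "DISCONNECT":
            active[user].pop(src, None)
        fails[user] = recent
    return alerts


def analyze_log(text: str) -> list:
    return detect(parse(text))


# Constructed sample log: a credential-guessing burst against jdoe from an address
# outside the user's baseline that succeeds, an overlapping session from the US, an
# off-hours service-account login, and one junk line to show the parser skipping it.
LOG_SAMPLE = """\
2024-05-14T08:02:11Z vpn01 vpn event=AUTH_OK user=asmith src=203.0.113.10
2024-05-14T08:30:00Z vpn01 vpn event=AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-14T08:30:05Z vpn01 vpn event=AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-14T08:30:09Z vpn01 vpn event=AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-14T08:30:14Z vpn01 vpn event=AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-14T08:30:20Z vpn01 vpn event=AUTH_FAIL user=jdoe src=198.51.100.7
2024-05-14T08:31:02Z vpn01 vpn event=AUTH_OK user=jdoe src=198.51.100.7
2024-05-14T09:15:44Z vpn01 vpn event=AUTH_OK user=jdoe src=203.0.113.22
2024-05-14T12:00:00Z vpn01 vpn event=DISCONNECT user=jdoe src=198.51.100.7
2024-05-15T03:12:37Z vpn01 vpn event=AUTH_OK user=svc-backup src=203.0.113.5
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for rule, user, detail in analyze_log(LOG_SAMPLE):
        print(f"{rule:<20} {user:<12} {detail}")
```

The checks are deliberately stateful: the brute-force rule fires once per window rather than on every failure, and the concurrent-session rule needs the DISCONNECT events, so make sure the appliance actually logs session teardown. Two false-positive traps to know about before wiring this into alerting: a laptop that changes networks can briefly look like a concurrent session if the old session has not timed out yet, and mobile carriers sometimes place users in another country's address space, so treat UNUSUAL_GEO as a triage signal rather than an automatic block.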

What Are VPN Best Practices for Remote Workers?

For remote and hybrid employees, VPN best practices come down to five essentials: always connect before accessing any corporate resource, keep the VPN client updated, never share VPN credentials, use the kill switch, and report any connection anomalies to IT immediately. Organizations should pair this with endpoint detection and response (EDR) tools on every device that connects.

Training matters here more than most security leaders admit. Your employees need to understand why these rules exist, not just that they exist. Our cybersecurity awareness training program covers exactly this — practical security habits for real-world remote work scenarios, including VPN hygiene.

The Zero Trust Question: Do You Still Need a VPN?

I get this question constantly. The zero trust model — where no user or device is implicitly trusted regardless of network location — has pushed many organizations toward alternatives like secure access service edge (SASE) and zero trust network access (ZTNA). These approaches authenticate and authorize each request individually rather than granting broad network access through a tunnel.

Here's my honest take: most organizations aren't ready to eliminate VPNs entirely. Zero trust is a journey, not a switch you flip. In the meantime, a well-configured VPN with strong authentication, proper segmentation, and aggressive patching is still far better than the nothing-or-poorly-configured-something that many companies actually have.

The real danger isn't choosing VPN over ZTNA. It's assuming VPN alone equals security.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million, and the same report ranks phishing and stolen or compromised credentials among the most common initial attack vectors. Many of those breaches involved compromised remote access: VPN credentials sold on dark web marketplaces, unpatched appliances exploited in mass scanning campaigns, or social engineering attacks that tricked employees into handing over login details.

Phishing remains the top delivery mechanism for credential theft targeting VPN access. Attackers send convincing emails that lead to lookalike VPN login portals, harvest credentials (and, with adversary-in-the-middle phishing kits, relay one-time codes as well), and walk right through the front door. Running regular phishing simulations is one of the most effective ways to harden this weak point. Our phishing awareness training for organizations gives your team hands-on experience identifying these attacks before they succeed.

Your VPN Hardening Checklist

  • Firmware and software: Patched to the latest stable version within 48 hours of critical advisories, with a compromise check on any appliance that was exposed before the patch landed.
  • Management interface: Not reachable from the internet; admin access only from an internal network.
  • Authentication: Multi-factor authentication enforced for all users and admin accounts, phishing-resistant methods (hardware tokens, certificates) preferred.
  • Tunneling policy: Full tunnel for privileged users, split tunneling only with EDR on managed devices.
  • Kill switch: Enabled by policy on all endpoints and verified by test.
  • Access segmentation: Role-based address pools and firewall rules limiting lateral movement.
  • Logging and monitoring: VPN logs fed to SIEM with alerts on anomalous activity.
  • Account hygiene: Quarterly reviews to disable former employees, inactive accounts, and shared credentials.
  • Security awareness: Regular training and phishing simulations for all VPN users.

The Attacks Won't Wait for Your Next Maintenance Window

CISA's Known Exploited Vulnerabilities Catalog has added dozens of VPN-related CVEs over the past two years. Threat actors scan for vulnerable appliances within hours of public disclosure. Ransomware gangs specifically target VPN gateways as their preferred initial access vector because a single compromised connection can give them a foothold into the entire network.

VPN best practices aren't aspirational goals for a future security roadmap. They're the baseline. If your VPN appliance is unpatched, your users aren't on MFA, and nobody is watching the logs, you're not running a security program — you're running a countdown.

Start with the checklist above. Patch today. Enable MFA this week. Schedule your first phishing simulation this month. The organizations that survive the current threat landscape are the ones that treat these fundamentals as urgent, not optional.