SME VPN Guide: Expert Tips from Cyber Pro Phil Robinson

Virtual private networks (VPNs) remain a vital part of cybersecurity for small and medium-sized enterprises (SMEs), even in today’s cloud-first and zero-trust environments.

Techopedia spoke with Phil Robinson, Principal Security Consultant and Founder of Prism Infosec, to understand why VPNs still matter, how SMEs can implement them safely, and what future developments to watch.

Key Takeaways

  • VPNs remain essential for SMEs to protect sensitive resources and restrict public access to internal systems.
  • Off-the-shelf, open-source, and router-based VPN solutions are widely available and vary in deployment complexity.
  • Proper setup and maintenance require experienced IT personnel or external support to avoid critical misconfigurations.
  • Ongoing governance, secure user onboarding, and periodic testing are vital to keeping VPNs secure over time.
  • VPNs continue to play a crucial role in SME cybersecurity strategies, even as zero-trust and cloud-native models gain traction.
  • The future of VPNs includes stronger authentication methods, better cloud integration, and adaptation to post-quantum encryption standards.

About Phil Robinson

Phil Robinson
Principal Security Consultant and Founder, Prism Infosec

Phil Robinson is a cybersecurity expert with over 25 years of experience and the founder of Prism Infosec, a UK-based firm specializing in penetration testing, red teaming, and security consultancy.

He helped form the Council for Registered Ethical Security Testers (CREST), contributed to major security standards like OSSTMM, and holds multiple certifications, including CISSP, CISA, and ChCSP. Phil has advised UK government agencies and frequently speaks on cybersecurity best practices.

The Role of VPNs in SME Cybersecurity

Q: Why, as an SME owner, should having a VPN in place be a priority?

A: A VPN will essentially protect access to information and services. You don’t want your data floating around on the internet if it’s not supposed to be for public consumption.

A typical use case is a content management server, which could have a page on your web server for access to editing options. The best way to protect that is to only allow access through a VPN.

The admin page for a WordPress website is a prime example and could be targeted by attackers using the default guest credentials. A VPN adds a layer of protection and removes content from public access.

If you are an SME owner with remote employees, a VPN is a great way to be able to access resources like a mail server or data on an internal network within a protected, encrypted transport stream.

SME-Friendly VPN Solutions

Q: How do you find a VPN provision that is tailored to your needs?

A: VPNs have been around for years, and so off-the-shelf options have been tried and tested.

You can also use open-source options like OpenVPN and WireGuard and run them on hardware or in the cloud. Some options require additional IT knowledge to install, and it’s a question of resources.

Key Considerations Before Choosing a VPN

Q: What do you need to know about your business before you go shopping for a VPN?

A: A key question is who is going to install and oversee the VPN? Do you have a reasonably experienced IT professional within the business, or are you using an outsourced IT management company?

I think you need someone who has a good level of knowledge and IT management certifications, not someone who has done a bit of ‘playing around’ with VPNs at home.

You need to configure your firewall; allow protocols that you need to enable to determine how a VPN is authenticated and make sure that users are authenticated appropriately into the environment.

You also need to look at how the VPN transports traffic between the outside and the inside. If you make a misconfiguration, then the impact could be catastrophic.

Whether it is you who have created your own VPN server or someone else within the company, I would recommend you get it tested, just to make sure that you’ve got that independent assurance that it’s been set up correctly, and there are no weaknesses that could be compromised by an attack on the internet.

Managing & Maintaining VPNs Effectively

Q: How can you future-proof your purchase decision?

A: Most small businesses don’t have the budget for continuous testing, so you just need to ensure that the VPN is managed appropriately and that there is sufficient governance within the organization to keep everything documented.

Once it’s up and running, it’s all about user management – making sure that the users who have been enrolled on the VPN have been set up properly using a documented method for enrolment, and this is followed up by the IT admin staff.

You could enrol someone without a password or with a weak password, which could leave you open to a brute force attack if no other authentication controls are in place, such as certificates or a hardware/software token.

If there are no huge changes to your system architecture, then you can simply test your VPN annually as part of your normal assurance activities.

The Long-Term Relevance of VPNs for SMEs

Q: In the next five years, will VPNs remain a key component of enterprise cybersecurity strategies?

A: Yes, I believe so. VPNs have got a number of benefits. They’re quick to set up – we can spin up a VPN now in 15 to 30 minutes, and you can enrol users using QR codes now.

With zero trust, there is an argument that VPNs are becoming less of a requirement for the latest architectural patterns, but they are still very important in perimeterised environments. Today, though, businesses use cloud and distributed services, and so it’s not as prevalent to access everything over a VPN. Conditional access components in prevalent cloud services such as Microsoft 365 offer levels of assurance, too.

Many organizations are simply not equipped to set up a different strategy, such as migrating to a complete cloud-based solution or using zero trust, as this can be complicated to set up and requires multiple components. For this reason, for smaller organizations, VPNs will remain a key component of their requirements and strategies for years to come.

Current Best Practices in VPN Authentication

Q: What is the most secure VPN authentication, and do you think this is going to change in the near future?

A: I would say using multiple factors of authentication, such as a hardware key, authenticator code, machine certificate, a biometric element, etc. This includes the integration of VPNs with information stored in TPMs used by services such as Windows Hello, including fingerprint and facial recognition.

We are already seeing an integration of these services into online web-based authentication.

Innovations in VPN for Cloud, IoT & Geofencing

Q: Cloud integration, geofencing, and IoT integration were three hot topics over the past few years in the VPN world. Do you think there is innovation still to be made in these areas?

A: Geofencing is more of a hot topic for the consumer world – people accessing their UK Netflix account when they’re away in the US, for example.

IoT integration is really interesting, but there are processing limitations and power resource limitations for some of the smaller devices.

It is really important, though, to have encrypted data for IoT devices that are doing reporting or for managing firmware updates. It will be interesting to watch how chip designers can support encryption requirements whilst maintaining the core functionality and performance requirements of their devices.

The software is becoming more and more efficient, but will the hardware support this?

In relation to cloud integration, innovation hasn’t stopped. The key will be to ensure that cloud services are integrated seamlessly. Previously, you might have had to spin up your own server and then deploy your own VPN software on it. You might then have to configure the cloud infrastructure around it to support routing.

Next, you have to do the same with on-premise VPN endpoints to allow interaction through the firewall. Now, cloud providers are doing much more. If you can make it seamless on both sides – so that your on-site and cloud functionality can talk and integrate through a VPN tunnel – then that would be a big win.

We need a straightforward means to spin up and deploy VPN services in the cloud that integrates with identity management solutions, such as Microsoft Entra, using streamlined protocols like WireGuard.

Use Cases & Limitations of Decentralized VPNs

Q: Do you think decentralized VPNs will gain more traction?

A: Decentralized services – like Tor and BitTorrent – have been around for a while. They might gain more traction, but most people are using these kinds of services to increase their anonymity over the Internet, sometimes for criminal or other activities.

They could provide a better solution for avoiding geofencing, but the performance of these networks is typically not sufficient for HD/UHD streams.

Preparing VPNs for the Quantum Future

Q: What do you foresee for VPNs in the world of quantum computing?

A: Quantum computing is a huge advancement, but it won’t mean anything new in terms of the balancing act between how strong the encryption is and how powerful your computing resources are.

An algorithm that was acceptable 20 years ago for protecting communications wouldn’t be acceptable now; I’ve got stronger protection and more CPU performance on my phone these days! There are already huge initiatives for developing algorithms that are quantum safe by organizations like NIST in the US and the Post-Quantum Cryptography Alliance.

There are also open-source algorithms that have been released in libraries that are claimed to be quantum-safe. But it’s early days. With any new encryption approach, there are usually weaknesses.

At the moment, though, it’s not many organizations that have access to quantum computing – it is nation states and multi-billion dollar enterprises – so for the majority of companies and typical consumers, it’s not something that’s going to be keeping them awake at the moment.

The Bottom Line

VPNs aren’t going to die out anytime soon. Small businesses rely on these cost-effective, easily deployable tools to secure their systems.

Despite the buzz around zero-trust models and cloud-native security, VPNs still offer simplicity, flexibility, and reliability.

Phil Robinson’s expert advice is a reminder that even basic security measures like VPNs require proper planning, ongoing governance, and informed implementation. With the right approach, SMEs can ensure long-term resilience against evolving threats.

Katie Scott
Industry Expert

Katie has been a journalist for more than twenty years. After graduating from Oxford University, her career began at the world's oldest photography magazine. She moved into the world of gadgets before becoming News Editor on Wired.co.uk. Her last interview there was with David Attenborough whilst drinking tea in Kew Gardens. A stint in Hong Kong followed where she profiled the startup scene in 25 Asian cities for Cathay Pacific’s inflight magazine. Now back in the UK, she writes for a spread of titles including Breathe, Happiful and Stylist, as well as tackling everything from FinTech innovation to cultural heritage…
