VPNs are Critical in a Hybrid Working World - But Without MFA They Are Almost Pointless
The Ingram Micro ransomware attack should be keeping every IT director awake at night, not because a $48 billion distribution giant got breached, but because of how breathtakingly simple the attack vector was. The SafePay operators didn't need an exotic zero-day exploit or a sophisticated social engineering campaign. They walked in through the front door, reportedly the company's Palo Alto Networks GlobalProtect VPN, with nothing more than a valid username and password. NCC Group's forensic write-up of SafePay intrusions describes the enabling weakness in diplomatic terms: "a simple misconfiguration on the FortiGate firewall, allowing local accounts to be authenticated and bypass the MFA requirement."
Let me translate that from cybersecurity consultant speak: an account defined locally on the VPN gateway was allowed to log in with a password alone, no second factor was ever asked for, and criminals used that basic password-based access to knock a global supply chain offline.
From my years at NCSC, I've seen this pattern repeat with depressing regularity. Organizations invest millions in sophisticated VPN infrastructure, then undermine the entire security model by treating MFA as optional rather than fundamental. It's like installing a bank vault door but leaving the key in the lock.
The VPN Paradox of Hybrid Working
The pandemic fundamentally changed how we think about network perimeters. Suddenly, the traditional castle-and-moat security model collapsed as millions of employees began working from kitchen tables, coffee shops, and spare bedrooms. VPNs transformed from niche IT tools into business-critical infrastructure overnight.
But here's where it gets interesting from a security architecture perspective: VPNs were originally designed for occasional remote access by technical users who understood the security implications. We've now deployed the same technology as the primary access method for entire workforces, many of whom view security protocols as obstacles to productivity rather than essential protections.
The scale of this transformation is staggering. Pre-2020, most organizations supported perhaps 10-20% remote workers. Today, hybrid working means that 60-80% of knowledge workers regularly access corporate networks through VPN connections. We've essentially moved the front door of every business from a physically secured office to thousands of uncontrolled endpoints scattered across homes, hotels, and public spaces.
This shift fundamentally changes the threat landscape. When Sarah from Accounts connects to the corporate VPN from her home broadband, she's potentially exposing the company network to every device on her domestic network, every piece of malware that might have infected her router, and every family member who might inadvertently compromise her credentials.
Why Basic VPN Security Fails in Practice
The uncomfortable truth about VPN security is that username-and-password authentication was inadequate even when remote access was limited to a handful of technical users. Scaling this approach to entire workforces doesn't just multiply the risk, it transforms it into something qualitatively different.
Consider the mathematics of credential compromise. If you have 20 remote users, each with a 1% annual probability of credential theft, the chance that at least one of them is compromised in a year is 1 - 0.99^20, roughly 18%. Scale that to 2,000 users and the same arithmetic gives a better-than-even chance of at least one stolen credential in any given month; over a year it is a statistical certainty. One stolen password is all a password-only VPN needs.
The Ingram Micro attack perfectly illustrates this scaling problem. SafePay didn't need to compromise executive credentials or sophisticated attack vectors. They simply needed one set of valid VPN credentials from any employee, anywhere in the organization. Once inside the VPN tunnel, they had network-level access to begin lateral movement and reconnaissance.
From a technical perspective, VPNs create what security professionals call a "trust boundary problem." The moment an authenticated user connects, the VPN treats their device as trusted and extends network access accordingly. This trust assumption becomes dangerous when authentication relies solely on credentials that can be stolen, guessed, or socially engineered.
The Authentication Failure That Killed a Supply Chain
The specific technical failure at Ingram Micro reveals everything wrong with how organizations approach VPN security. According to the forensic analysis, local accounts could authenticate and bypass MFA requirements due to firewall misconfiguration. The usual shape of this mistake is that MFA is enforced on the directory-backed path (a RADIUS or SAML identity provider that prompts for the second factor) while accounts defined locally on the appliance itself fall through to plain password authentication, and those local accounts, often service or break-glass accounts, are rarely inventoried or covered by the same policy. This isn't sophisticated attack methodology; it's a gap in basic system administration.
But here's what makes this particularly infuriating: the technology to prevent this attack has existed for over a decade. FIDO2-compliant hardware security keys, certificate-based authentication, and proper conditional access policies could have stopped SafePay at the authentication stage. The attack succeeded not because the defense technology was inadequate, but because it wasn't properly implemented.
The broader lesson extends beyond technical configuration. Organizations often treat VPN security as a binary choice: either you have access or you don't. Modern security architecture requires more nuanced thinking about conditional access, device trust, network segmentation, and continuous authentication.
When I was at NCSC, we consistently emphasized that VPN access should never grant blanket network privileges. Even properly authenticated users should face additional security controls based on device posture, network location, and access patterns. The Ingram attack suggests these principles weren't implemented despite the critical nature of their systems.
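As an added illustration (not code from the original article, nor from Ingram Micro, NCC Group or Fortinet), here is a small audit script that walks a FortiOS-style configuration dump and reports exactly the gap the forensic quote describes: local accounts with no second factor that sit in a group admitted by an SSL VPN authentication rule. The configuration text is invented, and the option names (`two-factor`, `reqclientcert`, `authentication-rule`) follow FortiOS CLI syntax as commonly documented; check them against your own firmware's reference before relying on the script for a real dump.

```python
"""Audit a FortiOS-style configuration dump for VPN accounts that can log in
with a password alone. Constructed example; the config below is invented."""
import shlex

# Constructed sample in FortiOS CLI syntax. Not a dump from any real device.
SAMPLE_CONFIG = """
config user local
    edit "alice"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    edit "svc-backup"
        set type password
    next
    edit "bob"
        set type password
        set two-factor disable
    next
end
config user group
    edit "sslvpn-users"
        set member "alice" "svc-backup" "bob"
    next
end
config vpn ssl settings
    set reqclientcert disable
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "full-access"
        next
    end
end
"""


def parse_fortios(text):
    """Flatten nested config/edit blocks into {path_tuple: {key: [values]}}.

    A path is the chain of enclosing block names, e.g. ("user local", "bob")
    or ("vpn ssl settings", "authentication-rule", "1").
    """
    stack, entries = [], {}
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            stack.append(" ".join(args))
            entries.setdefault(tuple(stack), {})
        elif keyword == "edit":
            stack.append(args[0])
            entries.setdefault(tuple(stack), {})
        elif keyword == "set":
            entries[tuple(stack)][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()  # "next" closes an edit block, "end" closes a config block
    return entries


def users_without_mfa(entries):
    """Local users whose two-factor setting is absent (the default) or disabled."""
    weak = []
    for path, cfg in entries.items():
        if len(path) == 2 and path[0] == "user local":
            if cfg.get("two-factor", ["disable"])[0] == "disable":
                weak.append(path[1])
    return sorted(weak)


def audit_ssl_vpn(entries):
    """Map each SSL VPN authentication rule to the password-only users it admits,
    and record whether a client certificate is required on top of the password."""
    weak = set(users_without_mfa(entries))
    exposed = {}
    for path, cfg in entries.items():
        if len(path) == 3 and path[:2] == ("vpn ssl settings", "authentication-rule"):
            for group in cfg.get("groups", []):
                members = entries.get(("user group", group), {}).get("member", [])
                hits = sorted(set(members) & weak)
                if hits:
                    exposed.setdefault(path[2], {})[group] = hits
    settings = entries.get(("vpn ssl settings",), {})
    return {
        "password_only_users": sorted(weak),
        "exposed_rules": exposed,
        "client_cert_required": settings.get("reqclientcert", ["disable"])[0] == "enable",
    }


if __name__ == "__main__":
    report = audit_ssl_vpn(parse_fortios(SAMPLE_CONFIG))
    for rule, groups in report["exposed_rules"].items():
        for group, users in groups.items():
            print(f"auth rule {rule}: group {group} admits password-only users {users}")
    if not report["client_cert_required"]:
        print("reqclientcert is disabled: the password is the only thing checked")
```

Feed it a `show full-configuration` export rather than plain `show` output: the former prints defaults explicitly, so a `two-factor disable` line appears for every account instead of being silently omitted, although the parser treats an absent setting as disabled anyway. In the constructed dump, `svc-backup` and `bob` are password-only and both sit in the group the VPN rule admits, which is the Ingram-style hole; the per-account fix is `set two-factor fortitoken` (or `email`/`sms` as a weaker fallback), and `set reqclientcert enable` adds a certificate check on top if you issue client certificates.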
Multi-Factor Authentication: The Implementation Gap
The most frustrating aspect of password-based VPN breaches is that the solution is well-understood, widely available, and increasingly affordable. Multi-factor authentication for VPN access isn't experimental technology; it's mature, proven, and supported by every major VPN vendor.
Yet MFA adoption for VPN access remains surprisingly inconsistent. Organizations that wouldn't dream of allowing password-only access to email systems routinely permit credential-based VPN authentication. This inconsistency often stems from the misconception that VPNs provide inherent security through encryption and tunneling protocols.
The reality is that VPN encryption protects data in transit but does nothing to prevent unauthorized access if authentication credentials are compromised. It's like having an armored car with excellent locks but giving copies of the keys to everyone who asks nicely.
From a user experience perspective, modern MFA implementations have eliminated most historical objections to additional authentication factors. Hardware security keys cost £15-50 and authenticate with a touch. Mobile-based authenticators integrate with devices people already carry. Even SMS-based codes, while not ideal, are a significant improvement over password-only access. The caveat a practitioner should keep in mind is that SMS codes, one-time-password apps and push approvals can all be relayed by a real-time phishing proxy that sits between the user and a cloned VPN portal, or waved through by a tired user, so they stop credential stuffing but not a targeted phish; FIDO2 keys and client certificates bind the authentication to the genuine gateway and are the only options listed here that resist that class of attack.
The business case for VPN MFA is overwhelming. The cost of implementing hardware security keys for an entire workforce typically ranges from £2,000-10,000 for mid-sized organizations. Compare this to the £136 million daily revenue losses Ingram Micro faced during their ransomware attack, and the investment mathematics become rather compelling.
The Technical Architecture That Actually Works
Proper VPN security requires thinking beyond simple authentication improvements toward comprehensive access architecture. The NCSC's guidance on zero-trust networking provides an excellent framework, but implementation requires understanding how different components work together.
Certificate-based authentication represents the gold standard for VPN access control. Rather than relying on credentials that can be stolen or guessed, certificate-based systems use cryptographic key pairs whose private key never leaves the device. Two caveats matter in practice. A certificate held in a file on the endpoint is only as safe as that endpoint, since malware that has already compromised the machine can export it, so the private key should live on a hardware security key, a smart card, or the trusted platform module of a corporate device, protected by a PIN or biometric so that it counts as a genuine second factor rather than a single, if stronger, one. And the issuing CA becomes the new crown jewel: revocation must actually work (the gateway checking CRLs or OCSP), and enrolment must not itself be protected by just a password.
Conditional access policies add another critical layer of protection. Even properly authenticated users should face additional verification based on factors like device compliance, network location, and behavioral patterns. If Sarah from Accounts typically connects from Manchester but suddenly authenticates from Romania, additional verification makes sense regardless of credential validity. That check, usually called impossible-travel detection, is cheap to implement on the gateway's own authentication logs: compare each successful login against the same user's previous one, and alert when the implied speed between the two locations exceeds anything a human could manage.
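A worked version of that check, added here as an example rather than taken from the article or from any vendor's product: it parses a handful of constructed gateway log lines, resolves source addresses through a made-up lookup table standing in for a GeoIP database, and raises an alert when two successful logins by the same user imply travel faster than 900 km/h, or when a user succeeds from a country they have never logged in from before. The log format, the hostname `vpn-gw`, the user names, the addresses and the coordinates are all assumptions.

```python
"""Impossible-travel and new-country checks over VPN authentication events.
Constructed example: the log lines and the IP-to-location table are invented."""
import math
import re
from datetime import datetime, timezone

# Constructed syslog-like lines from a hypothetical gateway "vpn-gw".
LOG_LINES = [
    "2025-07-03T08:02:11Z vpn-gw: user=sarah.accounts src=203.0.113.10 result=success",
    "2025-07-03T08:40:55Z vpn-gw: user=sarah.accounts src=203.0.113.10 result=success",
    "2025-07-03T09:15:02Z vpn-gw: user=sarah.accounts src=198.51.100.77 result=success",
    "2025-07-03T11:30:00Z vpn-gw: user=dan.ops src=192.0.2.44 result=success",
    "2025-07-03T13:05:40Z vpn-gw: user=dan.ops src=198.51.100.77 result=failure",
    "2025-07-03T22:10:00Z vpn-gw: user=dan.ops src=203.0.113.10 result=success",
]

# Constructed stand-in for a GeoIP lookup: ip -> (country, latitude, longitude).
GEO = {
    "203.0.113.10": ("GB", 53.48, -2.24),   # Manchester
    "192.0.2.44": ("GB", 51.51, -0.13),     # London
    "198.51.100.77": ("RO", 44.43, 26.10),  # Bucharest
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
MAX_PLAUSIBLE_KMH = 900.0  # above airliner cruising speed: two logins cannot be one person


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(lines, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Walk events in time order; alert on successful logins that imply impossible
    travel since the user's previous success, or a country the user has never
    successfully logged in from before."""
    last_success = {}     # user -> {"ts", "lat", "lon"} of the previous success
    known_countries = {}  # user -> set of countries with a prior success
    alerts = []
    for line in lines:
        ev = parse_line(line)
        # Failures do not move the baseline: an attacker guessing from abroad
        # must not be able to "teach" the detector a new home country.
        if ev is None or ev["result"] != "success" or ev["src"] not in geo:
            continue
        country, lat, lon = geo[ev["src"]]
        reasons, distance_km, speed_kmh = [], 0.0, 0.0
        prev = last_success.get(ev["user"])
        if prev is not None:
            # Clamp to one second so two logins in the same instant cannot divide by zero.
            hours = max((ev["ts"] - prev["ts"]).total_seconds(), 1.0) / 3600.0
            distance_km = haversine_km(prev["lat"], prev["lon"], lat, lon)
            speed_kmh = distance_km / hours
            if speed_kmh > max_kmh:
                reasons.append("impossible_travel")
        if ev["user"] in known_countries and country not in known_countries[ev["user"]]:
            reasons.append("new_country")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "src": ev["src"],
                           "country": country, "distance_km": round(distance_km, 1),
                           "speed_kmh": round(speed_kmh, 1), "reasons": reasons})
        last_success[ev["user"]] = {"ts": ev["ts"], "lat": lat, "lon": lon}
        known_countries.setdefault(ev["user"], set()).add(country)
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

In the constructed data, sarah.accounts succeeds from Manchester and then 34 minutes later from Bucharest, about 2,280 km away, so the single alert fires on both rules at once; dan.ops moves from London to Manchester over ten hours and is left alone, and his failed attempt from Bucharest is ignored by design. In production the same logic runs as a SIEM rule, and the response is to demand a fresh phishing-resistant factor (or cut the session and phone the user), not to keep trusting a password that has just shown every sign of being stolen.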
Network segmentation ensures that VPN access doesn't grant unlimited internal privileges. Modern implementations use software-defined perimeters to grant access only to specific applications and services based on user roles and business requirements. This approach limits the potential damage from compromised accounts while maintaining user productivity.
Device posture assessment verifies that connecting devices meet security requirements before granting network access. This includes checking for updated operating systems, current antivirus signatures, and compliance with corporate security policies. Non-compliant devices can be granted limited access or redirected to remediation resources.
The Human Factor in VPN Security
The Ingram Micro attack also highlights human factors that purely technical solutions can't address. VPN security often fails because organizations underestimate the behavioural challenges of remote access security.
Employees working from home face different security pressures than office-based workers. Domestic environments rarely provide dedicated workspace security, and family members may inadvertently compromise security through shared devices or networks. The psychological distance from corporate security policies can also reduce compliance motivation.
Password reuse represents a particularly insidious threat to VPN security. Employees who use the same passwords for corporate VPN access and personal services create attack vectors that extend far beyond corporate security controls. When their personal Netflix account gets breached, their corporate VPN access may be compromised simultaneously.
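One control that follows directly from this, shown here as an added example and not code from the article: screen VPN account passwords against a breach corpus without sending the password anywhere, using the k-anonymity "range" pattern in which only the first five hex characters of the SHA-1 hash leave the client and the full comparison happens locally. The corpus, the lookup object and the account list are constructed stand-ins for a real range service and a real account store; the proper place for this check is the password-change path (a password filter or identity-provider policy), since nobody should be holding a plaintext export of VPN passwords.

```python
"""Screen passwords against a breach corpus with the k-anonymity range pattern:
only a 5-character SHA-1 prefix is ever sent, the full match happens locally.
Constructed example: corpus, lookup and accounts are invented stand-ins."""
import hashlib
from collections import defaultdict

# Constructed corpus of passwords seen in (invented) breach dumps, with counts.
# A real range service holds hundreds of millions of these.
BREACHED = {"Password1": 2_400_000, "Summer2025!": 1_100, "letmein": 300_000}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group corpus hashes by 5-char prefix, the way a range endpoint serves them:
    each prefix maps to lines of the form SUFFIX:COUNT."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return dict(index)


class RangeLookup:
    """Stand-in for the network call. Records what it was asked so the caller
    can prove that only 5-character prefixes ever leave the client."""

    def __init__(self, index):
        self.index = index
        self.queries = []

    def __call__(self, prefix):
        self.queries.append(prefix)
        return self.index.get(prefix, [])


def breach_count(password, lookup):
    """How many times the password appears in the corpus (0 if never).
    The service only sees the prefix; the suffix comparison is local."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_accounts(accounts, lookup, threshold=1):
    """accounts: {username: candidate_password}, e.g. at password-change time.
    Returns the usernames whose password is in the corpus at least `threshold` times."""
    return sorted(u for u, pw in accounts.items() if breach_count(pw, lookup) >= threshold)


if __name__ == "__main__":
    lookup = RangeLookup(build_range_index(BREACHED))
    # Hypothetical VPN accounts being checked at password-set time.
    accounts = {"svc-backup": "Password1", "bob": "Summer2025!", "alice": "c0rrect-h0rse-b@ttery"}
    print(screen_accounts(accounts, lookup))
    print(lookup.queries)  # every query is exactly five hex characters
```

The point of the prefix split is that the service learns nothing usable: a five-character prefix matches hundreds of unrelated hashes, so even a hostile or breached lookup service cannot tell which password was checked. Rejecting a breached password at change time is the cheap half of the fix; the other half is MFA, because a password that is not yet in any dump can still be phished tomorrow.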
Social engineering attacks targeting remote workers have evolved to exploit VPN access specifically. Attackers impersonate IT support to harvest VPN credentials and one-time codes, stand up phishing pages that clone the VPN portal to capture credentials in real time, and run phishing campaigns tailored to remote working scenarios. Rogue Wi-Fi networks only yield VPN credentials when the client has been configured to tolerate an untrusted gateway certificate, which is one more reason to pin the gateway certificate in the client profile rather than letting users click through warnings.
Training and awareness programs must evolve to address these remote-specific threats. Traditional security awareness training focuses on office-based scenarios that may not translate effectively to home working environments. Organizations need security education that addresses domestic network security, device sharing protocols, and the importance of VPN-specific security practices.
Looking Forward: VPN Security in 2025
The trajectory of VPN security points toward more sophisticated, user-friendly solutions that reduce reliance on human behavior for security outcomes. Hardware security keys are becoming more prevalent and easier to use. Biometric authentication options are expanding. Integration with identity management systems is improving.
But the fundamental principle remains unchanged: VPN access without proper multi-factor authentication is organizational security theatre. It provides the illusion of protection while creating a false sense of security that may actually increase risk by encouraging risky behavior.
The Ingram Micro attack serves as a brutal reminder that basic security hygiene matters more than sophisticated threat detection systems. No amount of advanced monitoring can compensate for authentication systems that can be bypassed with stolen passwords.
For organizations still relying on password-based VPN access, the question isn't whether they'll experience a credential-based breach, but when. The technology exists to prevent these attacks. The business case is overwhelming. The only remaining barrier is organizational commitment to implementing security controls that actually work.
The hybrid working world requires hybrid security thinking. VPNs remain critical infrastructure for remote access, but only when properly secured with multi-factor authentication, conditional access policies, and comprehensive monitoring. Anything less is simply an expensive way to provide attackers with network access while maintaining the illusion of security.
As we learned from Ingram Micro's £136 million daily losses, that illusion can become very expensive very quickly.
| Source | Article |
|---|---|
| Verizon | 2025 Data Breach Investigations Report (DBIR) |
| NCC Group | Weak Passwords Led to SafePay Ransomware Yet Again |
| IBM | X-Force Threat Intelligence Index 2025 |
| Zscaler | ThreatLabz 2024 VPN Risk Report |
| CISA | Known Exploited Vulnerabilities Catalog |
| NCSC | Zero Trust Architecture Design Principles |
| Microsoft | Microsoft Entra Private Access Documentation |
| Microsoft | Global Secure Access Overview |
| Okta | 2024 Secure Sign-in Trends Report |
| CrowdStrike | 2025 Global Threat Report |
| Mandiant | M-Trends 2025 Report |
| Security.org | 2023 VPN Usage and Security Survey |